
Basic iOS Security Analysis

John Downey

January 11, 2013

Transcript

  1. Basic iOS Security Analysis
    John Downey | @jtdowney


  3. http://www.flickr.com/photos/kev_bite/3756381893/
    Walled
    Garden


  4. http://www.flickr.com/photos/12394349@N06/318947809
    Structure
    of an App


  5. IPA FILES
    • Mac OS X
      • /Users/[user]/Music/iTunes/iTunes Media/Mobile Applications
    • Just a zip file


  6. $ unzip -l "Mobile Menus 1.0.ipa"
    Archive: Mobile Menus 1.0.ipa
    Length Date Time Name
    -------- ---- ---- ----
    0 08-10-11 19:01 Payload/
    0 08-16-11 17:19 Payload/Menus.app/
    102 08-10-11 16:58 Payload/Menus.app/Data.plist
    1241 08-10-11 16:58 Payload/Menus.app/datebar.png
    1475 08-10-11 16:58 Payload/Menus.app/datebar@2x.png
    1422 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow.png
    1815 08-10-11 16:58 Payload/Menus.app/datebar_leftarrow@2x.png
    1185 08-10-11 16:58 Payload/Menus.app/Info.plist
    1417 08-10-11 16:58 Payload/Menus.app/information_icon.png
    1720 08-10-11 16:58 Payload/Menus.app/information_icon@2x.png
    68192 08-10-11 16:58 Payload/Menus.app/iTunesArtwork
    229792 08-10-11 16:58 Payload/Menus.app/Menus
    2041 01-08-13 05:36 iTunesMetadata.plist
    30204 01-08-13 05:36 iTunesArtwork


  7. $ plutil -p Menus.app/Info.plist
    {
    "CFBundleName" => "Menus"
    "DTSDKName" => "iphoneos4.3"
    "NSMainNibFile" => "MainWindow_iPhone"
    "CFBundleShortVersionString" => "1.0"
    "CFBundleSupportedPlatforms" => [
    0 => "iPhoneOS"
    ]
    "DTPlatformName" => "iphoneos"
    "CFBundleExecutable" => "Menus"
    "DTCompiler" => "com.apple.compilers.llvmgcc42"
    "MinimumOSVersion" => "4.0"
    "CFBundleDisplayName" => "Mobile Menus"
    "CFBundleIdentifier" => "edu.purdue.hfs.Menus"
    }

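The two steps above (unzip -l, then plutil -p on Info.plist) done in code, as an added example that is not part of the deck: open the IPA as a zip, locate the single Payload/*.app bundle, read the Info.plist keys that identify the executable and platform, sniff the executable's magic the way `file` does, and list the plist/sqlite files shipped inside the bundle, since anything there is readable by anyone holding the IPA. The IPA is constructed in memory so the script runs offline; the file names come from the slides, every file's contents (the Data.plist value, the stub executable, the PNG header) are invented.

```python
"""Inspect an .ipa: bundle, Info.plist keys, executable kind, bundled data files.
Added example, not from the deck; the IPA below is constructed in memory."""
import io
import plistlib
import zipfile

DATA_SUFFIXES = (".plist", ".sqlite", ".db")
# Leading four bytes as `file` sees them: fat header (big-endian) or a thin Mach-O (little-endian).
MAGICS = {b"\xca\xfe\xba\xbe": "fat", b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
          b"\xcf\xfa\xed\xfe": "Mach-O 64-bit"}


def build_sample_ipa():
    """Constructed stand-in for 'Mobile Menus 1.0.ipa' (names from the slides, contents invented)."""
    info = {
        "CFBundleName": "Menus",
        "CFBundleExecutable": "Menus",
        "CFBundleIdentifier": "edu.purdue.hfs.Menus",
        "CFBundleDisplayName": "Mobile Menus",
        "MinimumOSVersion": "4.0",
        "DTSDKName": "iphoneos4.3",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        app = "Payload/Menus.app/"
        # Xcode writes Info.plist as a binary plist; plistlib reads either form.
        z.writestr(app + "Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr(app + "Data.plist", plistlib.dumps({"apiBase": "https://example.invalid/"}))
        z.writestr(app + "Menus", b"\xca\xfe\xba\xbe" + b"\0" * 60)  # fat magic only, no real slices
        z.writestr(app + "datebar.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("iTunesMetadata.plist", plistlib.dumps({"itemName": "Mobile Menus"}))
    return buf.getvalue()


def inspect_ipa(ipa_bytes):
    """Return the facts the first slides pull out by hand, as a dict."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        # An IPA carries exactly one Payload/<name>.app/ directory.
        apps = sorted({n.split("/")[1] for n in names
                       if n.startswith("Payload/") and n.count("/") >= 2
                       and n.split("/")[1].endswith(".app")})
        if len(apps) != 1:
            raise ValueError(f"expected exactly one Payload/*.app bundle, found {apps}")
        app = f"Payload/{apps[0]}/"
        info = plistlib.loads(z.read(app + "Info.plist"))
        exe_name = info["CFBundleExecutable"]
        exe = z.read(app + exe_name)
        # Data stores shipped inside the bundle (Info.plist excluded): read these first.
        data_files = sorted(n[len(app):] for n in names
                            if n.startswith(app) and n.endswith(DATA_SUFFIXES)
                            and n != app + "Info.plist")
        return {
            "bundle": apps[0],
            "bundle_id": info.get("CFBundleIdentifier"),
            "executable": exe_name,
            "executable_kind": MAGICS.get(exe[:4], "unknown"),
            "min_os": info.get("MinimumOSVersion"),
            "sdk": info.get("DTSDKName"),
            "data_files": data_files,
        }


if __name__ == "__main__":
    for key, value in inspect_ipa(build_sample_ipa()).items():
        print(f"{key}: {value}")
```

On a real IPA, pass the file's bytes to inspect_ipa; the magic check only tells fat from thin, so the per-architecture view still needs otool -f.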

  9. $ file Menus.app/Menus
    Menus.app/Menus: Mach-O universal binary with 2 architectures
    Menus.app/Menus (for architecture armv6): Mach-O executable arm
    Menus.app/Menus (for architecture armv7): Mach-O executable arm


  10. $ otool -l Menus.app/Menus | grep -B2 crypt
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 1
    --
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 1


  11. http://www.flickr.com/photos/marcusramberg/71281972/
    Exploring
    an App


  14. APPLICATION DATA
    • Property List files (.plist)
      • Apple configuration file
      • Basically a key/value store
    • SQLite Database (.db/.sqlite)
      • Embedded relational database
      • CoreData abstraction layer


  15. $ sqlite3 Model.sqlite
    SQLite version 3.7.12 2012-04-03 19:43:07
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> .schema
    CREATE TABLE ZPATTERN ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTE...
    CREATE TABLE ZROUTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGE...
    CREATE TABLE ZSAVED ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGE...
    CREATE TABLE ZSTOP ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER...
    CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UU...
    CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME...
    CREATE INDEX ZPATTERN_ZROUTE_INDEX ON ZPATTERN (ZROUTE);
    CREATE INDEX ZSTOP_ZROUTE_INDEX ON ZSTOP (ZROUTE);

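The Z-prefixed schema above is Core Data's SQLite layout, and reading it by hand in sqlite3 gets tedious fast. As an added example that is not part of the deck, the script below walks such a store: Z_PRIMARYKEY maps the Z_ENT number carried in every row back to the entity name, entity tables are the Z<NAME> tables (Z_PRIMARYKEY, Z_METADATA and friends are bookkeeping), and a to-one relationship is a column named Z<RELATIONSHIP> holding the target row's Z_PK, which the ZSTOP_ZROUTE_INDEX on the slide points at. The store is constructed in memory with a handful of invented rows (a ZSAVED table with a ZAUTHTOKEN column is added to show what the credential-column check is for); table names other than that follow the slide.

```python
"""Walk a Core Data SQLite store and recover entities, rows and relationships.
Added example, not from the deck; the store below is constructed in memory."""
import sqlite3

SENSITIVE = ("pass", "token", "secret", "key", "pin")


def build_sample_store():
    """Constructed miniature of Model.sqlite. Every entity row carries Z_PK, Z_ENT, Z_OPT;
    Z_PRIMARYKEY records entity numbers. All data values are invented."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB);
        CREATE TABLE ZROUTE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZNAME VARCHAR);
        CREATE TABLE ZSTOP  (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZROUTE INTEGER, ZNAME VARCHAR);
        CREATE TABLE ZSAVED (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTOP INTEGER, ZAUTHTOKEN VARCHAR);
        CREATE INDEX ZSTOP_ZROUTE_INDEX ON ZSTOP (ZROUTE);
        INSERT INTO Z_PRIMARYKEY VALUES (1,'Route',0,2),(2,'Stop',0,2),(3,'Saved',0,1);
        INSERT INTO ZROUTE VALUES (1,1,1,'Gold Loop'),(2,1,1,'Silver Loop');
        INSERT INTO ZSTOP  VALUES (1,2,1,1,'Stadium'),(2,2,1,2,'Airport');
        INSERT INTO ZSAVED VALUES (1,3,1,2,'constructed-token-value');
    """)
    return con


def entities(con):
    """Z_ENT number -> entity name, from Z_PRIMARYKEY."""
    return dict(con.execute("SELECT Z_ENT, Z_NAME FROM Z_PRIMARYKEY"))


def entity_tables(con):
    """Entity tables are Z<NAME>; Z_-prefixed tables are Core Data bookkeeping."""
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return [n for n in names if n.startswith("Z") and not n.startswith("Z_")]


def columns(con, table):
    return [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]


def dump_store(con):
    """Rows per entity table, with to-one relationship columns resolved to
    (target table, Z_PK). The column is matched when its name equals another
    entity table's name, i.e. the relationship is named after the entity
    (ZSTOP.ZROUTE -> ZROUTE.Z_PK); differently named relationships stay raw."""
    tables = entity_tables(con)
    out = {}
    for table in tables:
        cols = [c for c in columns(con, table) if c not in ("Z_ENT", "Z_OPT")]
        rels = [c for c in cols if c in tables and c != table]
        rows = []
        for row in con.execute(f'SELECT {", ".join(cols)} FROM "{table}" ORDER BY Z_PK'):
            rec = dict(zip(cols, row))
            for c in rels:
                if rec[c] is not None:
                    rec[c] = (c, rec[c])
            rows.append(rec)
        out[table] = rows
    return out


def sensitive_columns(con):
    """Columns worth reading first: names that suggest a credential kept in the
    app's sandbox database instead of the keychain."""
    return [(t, c) for t in entity_tables(con) for c in columns(con, t)
            if any(word in c.lower() for word in SENSITIVE)]


if __name__ == "__main__":
    con = build_sample_store()
    print("entities:", entities(con))
    for table, rows in dump_store(con).items():
        for rec in rows:
            print(table, rec)
    print("look here first:", sensitive_columns(con))
```

Point sqlite3.connect at a Model.sqlite pulled from a device or backup instead of build_sample_store() to run it on a real store.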

  16. KEYCHAIN
    • Secure storage on device
    • Protection class (kSecAttrAccessible*) decides when an item's key is available
      • kSecAttrAccessibleWhenUnlocked
        • Readable whenever the device is unlocked; protected by the passcode alone, so it restores to another device from an encrypted backup
      • kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        • Additionally wrapped with a device-specific key, so it never migrates to another device via backup


  17. http://www.flickr.com/photos/adrianblack/3358661327/
    Network
    Traffic


  20. TLS/SSL VERIFICATION
    • Apps cited as examples
      • Rackspace iOS client
      • Facebook Camera
      • LinkedIn
    • "The Most Dangerous Code in the World" (Georgiev et al., CCS 2012), the study of broken certificate validation in non-browser software


  27. http://www.flickr.com/photos/gsi-r/5213626727/
    Decrypting
    an App


  29. iPod-touch:~ root#


  31. # apt-get install gdb
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following NEW packages will be installed:
    gdb
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 3585kB of archives.
    After this operation, 33.0MB of additional disk space will be used.
    Get:1 http://apt.saurik.com ios/550.52/main gdb 1518-12 [3585kB]
    Fetched 3585kB in 2s (1502kB/s)
    Selecting previously deselected package gdb.
    (Reading database ... 2499 files and directories currently installed.)
    Unpacking gdb (from .../gdb_1518-12_iphoneos-arm.deb) ...
    Setting up gdb (1518-12) ...


  32. $ otool -l Menus.app/Menus | grep -B2 crypt
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 1
    --
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 1


  33. # cd /tmp
    # mkdir apps
    # cd apps/
    # cp -r /var/mobile/Applications/[UDID]/Menus.app/ .
    # gdb ./Menus.app/Menus
    GNU gdb 6.3.50.20050815-cvs (Fri May 20 08:08:42 UTC 2011)
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "--host=arm-apple-darwin9 --target="...
    Reading symbols for shared libraries . done
    (gdb)


  34. (gdb) set sharedlibrary load-rules ".*" ".*" none
    (gdb) set inferior-auto-start-dyld off
    (gdb) set sharedlibrary preload-libraries off
    (gdb) set sharedlibrary load-dyld-symbols off
    (gdb) rb doModInitFunctions
    Breakpoint 1 at 0x2fe0c1fa
    __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE;
    (gdb) r
    Starting program: /private/var/tmp/apps/Menus.app/Menus
    Breakpoint 1, 0x2fe0c1fa in
    __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE ()


  35. (gdb) bt
    #0 0x2fe0c1fa in __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERK...
    #1 0x2fe0c454 in __dyld__ZN16ImageLoaderMachO16doInitializationERKN1...
    #2 0x2fe0a034 in __dyld__ZN11ImageLoader23recursiveInitializationERK...
    #3 0x2fe09fd4 in __dyld__ZN11ImageLoader23recursiveInitializationERK...
    #4 0x2fe01780 in __dyld__ZN4dyldL11imageSorterEPKvS1_ ()


  36. (gdb) dump memory /tmp/dump.bin 0x2000 0x13000
    0x1000 + 0x1000 (4096) = 0x2000     image base + cryptoff
    0x2000 + 0x11000 (69632) = 0x13000  start + cryptsize

  40. $ otool -f Menus.app/Menus
    Fat headers
    fat_magic 0xcafebabe
    nfat_arch 2
    architecture 0
    cputype 12
    cpusubtype 6
    capabilities 0x0
    offset 4096
    size 111344
    align 2^12 (4096)
    architecture 1
    cputype 12
    cpusubtype 9
    capabilities 0x0
    offset 118784
    size 111008
    align 2^12 (4096)


  41. $ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc
    69632+0 records in
    69632+0 records out
    69632 bytes transferred in 0.085575 secs (813697 bytes/sec)
    seek=8192: 4096 (armv6 slice offset, from otool -f) + 4096 (cryptoff)
    69632 bytes: cryptsize

  46. $ otool -l Menus.app/Menus | grep -B2 crypt
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 1
    --
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 1


  47. 01 => 00
    Patch the cryptid field of the armv6 slice's LC_ENCRYPTION_INFO from 01 to 00 in a hex editor, so otool, class-dump and friends treat that slice as unencrypted


  48. $ otool -l Menus.app/Menus | grep -B2 crypt
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 0
    --
    cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff 4096
    cryptsize 69632
    cryptid 1

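The decryption workflow on the preceding slides (otool -l | grep crypt and otool -f to read LC_ENCRYPTION_INFO and the slice offsets, the gdb dump range, the dd seek, and the cryptid patch) carried out in code, as an added example that is not part of the deck. The breakpoint on doModInitFunctions works because by the time dyld runs initializers the kernel has already paged in and decrypted the __TEXT segment, so the bytes at image base + cryptoff are plaintext; the script parses the fat header and each slice's load commands, computes those two numbers, writes a dump back over the encrypted region and zeroes cryptid. The fat binary is constructed with the deck's figures (armv6 slice at 4096, cryptoff 4096, cryptsize 69632); its "encryption" is an XOR stand-in for FairPlay and the "dump" is simply the plaintext, playing the part of what gdb read from memory. The deck's app is not PIE, so the image base is the __TEXT vmaddr 0x1000; the slide parameter is for PIE binaries, where the ASLR slide gdb reports has to be added.

```python
"""LC_ENCRYPTION_INFO reader plus the decrypt-and-patch arithmetic from the slides.
Added example, not from the deck; the fat binary below is constructed."""
import struct

FAT_MAGIC = 0xCAFEBABE
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
MH_PIE = 0x200000  # header flag: dyld slides this image (ASLR), so add the slide to dump_range
ARCH_NAMES = {(12, 6): "armv6", (12, 9): "armv7", (0x0100000C, 0): "arm64"}


def slices(blob):
    """(file offset, size) of every architecture slice, as otool -f shows; thin file = one slice."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        return [(0, len(blob))]
    nfat = struct.unpack_from(">I", blob, 4)[0]
    return [struct.unpack_from(">5I", blob, 8 + 20 * i)[2:4] for i in range(nfat)]


def encryption_info(blob, base):
    """The fields otool -l prints for one slice, plus where cryptid sits in the file."""
    magic, cputype, subtype, _ft, ncmds, _sz, flags = struct.unpack_from("<7I", blob, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"no little-endian Mach-O header at {base:#x}")
    pos = base + (28 if magic == MH_MAGIC else 32)
    info = {"arch": ARCH_NAMES.get((cputype, subtype), f"cputype {cputype}/{subtype}"),
            "offset": base, "pie": bool(flags & MH_PIE), "text_vmaddr": None,
            "cryptoff": None, "cryptsize": None, "cryptid": None, "cryptid_fileoff": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, pos)
        is_text = blob[pos + 8:pos + 24].rstrip(b"\0") == b"__TEXT"
        if cmd == LC_SEGMENT and is_text:
            info["text_vmaddr"] = struct.unpack_from("<I", blob, pos + 24)[0]
        elif cmd == LC_SEGMENT_64 and is_text:
            info["text_vmaddr"] = struct.unpack_from("<Q", blob, pos + 24)[0]
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<3I", blob, pos + 8)
            info["cryptid_fileoff"] = pos + 16
        pos += cmdsize
    return info


def dump_range(info, slide=0):
    """gdb `dump memory` bounds: __TEXT load address (+ ASLR slide) + cryptoff, then + cryptsize."""
    start = info["text_vmaddr"] + slide + info["cryptoff"]
    return start, start + info["cryptsize"]


def dd_seek(info):
    """File offset the dump is written back to: slice offset + cryptoff."""
    return info["offset"] + info["cryptoff"]


def apply_dump(blob, info, dumped):
    """The dd step and the hex-editor step: overwrite the encrypted region, set cryptid to 0."""
    if len(dumped) != info["cryptsize"]:
        raise ValueError(f"dump is {len(dumped)} bytes, cryptsize is {info['cryptsize']}")
    out = bytearray(blob)
    seek = dd_seek(info)
    out[seek:seek + len(dumped)] = dumped
    struct.pack_into("<I", out, info["cryptid_fileoff"], 0)
    return bytes(out)


def build_sample_fat():
    """Constructed armv6+armv7 executable with the deck's numbers. XOR stands in for
    FairPlay; the plaintext is returned too and plays the part of the gdb dump."""
    plain = bytes((i * 7 + 3) & 0xFF for i in range(69632))
    cipher = bytes(b ^ 0x5A for b in plain)

    def seg(name, vmaddr, vmsize, fileoff, filesize):
        return struct.pack("<2I16s8I", LC_SEGMENT, 56, name, vmaddr, vmsize, fileoff, filesize, 5, 5, 0, 0)

    def arm_slice(subtype):
        cmds = (seg(b"__PAGEZERO", 0, 0x1000, 0, 0) + seg(b"__TEXT", 0x1000, 0x12000, 0, 0x12000)
                + struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 4096, len(cipher), 1))
        head = struct.pack("<7I", MH_MAGIC, 12, subtype, 2, 3, len(cmds), 0) + cmds
        return head + b"\0" * (4096 - len(head)) + cipher  # encrypted region starts at cryptoff

    s6, s7 = arm_slice(6), arm_slice(9)
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", 12, 6, 4096, len(s6), 12) + struct.pack(">5I", 12, 9, 4096 + len(s6), len(s7), 12)
    return fat + b"\0" * (4096 - len(fat)) + s6 + s7, plain


if __name__ == "__main__":
    fat, plain = build_sample_fat()
    infos = [encryption_info(fat, off) for off, _ in slices(fat)]
    for i in infos:
        print(f"{i['arch']}: offset {i['offset']} cryptoff {i['cryptoff']} cryptsize {i['cryptsize']} cryptid {i['cryptid']}")
    armv6 = infos[0]
    print("(gdb) dump memory /tmp/dump.bin %#x %#x" % dump_range(armv6))
    print(f"$ dd if=dump.bin of=Menus bs=1 seek={dd_seek(armv6)} conv=notrunc")
    patched = apply_dump(fat, armv6, plain)
    print("cryptid per slice after patch:", [encryption_info(patched, off)["cryptid"] for off, _ in slices(patched)])
```

The dump has to come from the slice the device actually executed (here armv6, which is why the deck thins to armv6 afterwards); writing it over the other slice and zeroing its cryptid would leave tools trusting bytes that are still ciphertext.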

  49. $ lipo -thin armv6 -output Menus.armv6 Menus


  50. $ strings Menus.armv6
    release
    init
    alloc
    dealloc
    description
    retainCount
    autorelease
    retain
    respondsToSelector:
    conformsToProtocol:
    isMemberOfClass:
    isKindOfClass:
    isProxy
    performSelector:withObject:withObject:
    performSelector:withObject:


  51. $ class-dump-z Menus.armv6
    @protocol UIApplicationDelegate
    @optional
    -(void)applicationDidFinishLaunching:(id)application;
    -(BOOL)application:(id)application didFinishLaunchingW...
    -(void)applicationDidBecomeActive:(id)application;
    -(void)applicationWillResignActive:(id)application;
    -(BOOL)application:(id)application handleOpenURL:(id)url;
    -(BOOL)application:(id)application openURL:(id)url sou...
    -(void)applicationDidReceiveMemoryWarning:(id)applicatio.
    -(void)applicationWillTerminate:(id)application;
    -(void)applicationSignificantTimeChange:(id)change;
    -(void)application:(id)application willChangeStatusBar...


  52. REFERENCES
    • http://www.neglectedpotential.com/
    • http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Bachmann.pdf
    • http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords.pdf
    • Hacking and Securing iOS Applications by Jonathan Zdziarski
