Common iOS Vulnerabilities and How to Fix Them

Julia Potapenko

May 17, 2021
Transcript

  1. iOS App Vulnerabilities and how to fix them
    Julia Potapenko

  2. Security Software Engineer
    @julepka
    We help companies to protect their sensitive and valuable data.

  3. How do we know the vulnerability is common?
    OWASP Mobile Top 10
    CVE-List by MITRE
    Security tools/services vendors
    News and Twitter 🙂
    Our own experience 😎

  4. OWASP Mobile Top 10
    M1: Improper Platform Usage
    M2: Insecure Data Storage
    M3: Insecure Communication
    M4: Insecure Authentication
    M5: Insufficient Cryptography
    M6: Insecure Authorization
    M7: Client Code Quality
    M8: Code Tampering
    M9: Reverse Engineering
    M10: Extraneous Functionality
    https://owasp.org/www-project-mobile-top-10/

  6. OWASP Mobile Top 10: 2014 vs 2016
    2014
    M1: Weak Server Side Controls
    M2: Insecure Data Storage
    M3: Insufficient Transport Layer Protection
    M4: Unintended Data Leakage
    M5: Poor Authorization and Authentication
    M6: Broken Cryptography
    M7: Client Side Injection
    M8: Security Decisions Via Untrusted Inputs
    M9: Improper Session Handling
    M10: Lack of Binary Protection
    2016
    M1: Improper Platform Usage
    M2: Insecure Data Storage
    M3: Insecure Communication
    M4: Insecure Authentication
    M5: Insufficient Cryptography
    M6: Insecure Authorization
    M7: Client Code Quality
    M8: Code Tampering
    M9: Reverse Engineering
    M10: Extraneous Functionality

  8. CVE List (Common Vulnerabilities and Exposures List)
    https://cve.mitre.org/cve/search_cve_list.html
    Search: iOS app

  9. NVD (National Vulnerability Database)
    Common Vulnerability Scoring System

  10. Security tools/services vendors
    Databases, reports, statistics, blog posts
    https://snyk.io/vuln/

  11. Security tools/services vendors
    Databases, reports, statistics, blog posts
    https://www.guardsquare.com/state-of-mobile-application-security-report

  13. Improper Platform Usage
    Permissions
    TouchID / FaceID
    Keychain
    Secure Enclave
    URL Schemas
    WebView
    Autocorrection

  17. Improper Platform Usage
    If I want to store some data…
    UserDefaults: not encrypted, accessible on a locked device.
    Keychain: encrypted storage, becomes decrypted on unlock.
    Secure Enclave: stores keys that can be used to encrypt Keychain entries.

  18. Improper Platform Usage
    A Keychain access policy that is not strict enough
    ==
    an attacker can easily access Keychain data

  23. Improper Platform Usage
    Keychain accessibility attributes, from strictest to most permissive:
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlock
    Or encrypt and decrypt on your own:
    🔐 Secure Enclave 🔐 CryptoKit 🔐 Themis 🔐
    AND! Watch your backups!

  28. Improper Platform Usage
    TouchID / FaceID
    https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id

  32. Improper Platform Usage
    Returns boolean
    = easy to bypass

  33. Improper Platform Usage
    https://github.com/sensepost/objection
    https://frida.re/docs/home/
    Example source: http://highaltitudehacks.com/2018/07/29/ios-application-security-part-53-objection-continued/

  37. Improper Platform Usage
    Specific attributes
    Triggers biometry check automatically
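The two Keychain slides above (the accessibility attribute list and the "specific attributes" that trigger the biometry check automatically) both come down to how the item is added. The following is an added example written for this transcript, not code from the talk: the weak pattern from the "Returns boolean" slide is shown for contrast, followed by a store/read pair in which the protection is enforced by the Keychain and Secure Enclave rather than by a Bool in app code. The service name, account names and prompt text are assumed placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

/// The pattern criticised on the "Returns boolean" slide: the decision lives in
/// app code as a Bool, so the check is only as strong as that one branch.
/// Shown for contrast only.
func weakBiometricGate(onSuccess: @escaping () -> Void) {
    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your notes") { success, _ in
        if success { onSuccess() }   // <- this branch is the whole defence
    }
}

/// How strongly a stored secret is protected.
enum KeychainProtection {
    /// Readable only while the device is unlocked; the "ThisDeviceOnly" suffix
    /// keeps the item out of backups that migrate to another device.
    case whenUnlockedThisDeviceOnly
    /// Additionally requires the *current* biometric enrolment (with passcode
    /// fallback) on every read; re-enrolling Face ID / Touch ID invalidates it.
    case biometryCurrentSet
}

enum KeychainError: Error {
    case unhandled(OSStatus)
    case accessControl(CFError?)
    case notFound
}

let service = "com.example.myawesomeapp.secrets"   // assumed service identifier

func storeSecret(_ secret: Data, account: String, protection: KeychainProtection) throws {
    var query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData: secret,
    ]

    switch protection {
    case .whenUnlockedThisDeviceOnly:
        query[kSecAttrAccessible] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    case .biometryCurrentSet:
        var error: Unmanaged<CFError>?
        guard let control = SecAccessControlCreateWithFlags(
            nil,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &error
        ) else {
            throw KeychainError.accessControl(error?.takeRetainedValue())
        }
        // An access control object replaces kSecAttrAccessible: it carries both
        // the accessibility class and the biometry requirement.
        query[kSecAttrAccessControl] = control
    }

    // Remove any older copy so the stricter policy is actually applied.
    let match: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    _ = SecItemDelete(match as CFDictionary)

    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
}

func readSecret(account: String, prompt: String) throws -> Data {
    // The LAContext only supplies the prompt text. For an item stored with an
    // access control object the biometry check is performed by the system before
    // the Keychain releases the bytes; there is no Bool for the app to get wrong.
    let context = LAContext()
    context.localizedReason = prompt

    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecUseAuthenticationContext: context,
    ]

    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let data = item as? Data else { throw KeychainError.unhandled(status) }
        return data
    case errSecItemNotFound:
        throw KeychainError.notFound
    default:
        throw KeychainError.unhandled(status)
    }
}
```

`storeSecret(token, account: "session", protection: .biometryCurrentSet)` followed by `readSecret(account: "session", prompt: "Unlock your notes")` is the usage; if the user has no passcode set, `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` makes the store fail rather than silently downgrading, which is the behaviour you want for a secret that should not exist on an unprotected device.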

  40. Insecure Data Storage
    Data generated by the app:
    🔹 Logs
    🔹 Databases
    🔹 Caches
    🔹 Other saved files
    Check if any sensitive data may appear there!
    (check the code, not the files)
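"Check the code, not the files" means the review happens at the log call sites. As an added example (not from the talk), this is one way to make a credential type safe to log by accident: its `description` redacts the token, so `print`, string interpolation and `debugDescription` all show the redacted form, and the unified-log calls mark the remaining fields with an explicit privacy level. The subsystem and category strings are assumed; `os.Logger` requires iOS 14 or later.

```swift
import Foundation
import os

/// A credential pair whose textual form never contains the secret.
struct Credentials: CustomStringConvertible {
    let username: String
    let accessToken: String

    // Anything that reaches print(), String(describing:) or "\(credentials)"
    // sees this redacted form, so a stray debug statement cannot leak the token.
    var description: String {
        "Credentials(username: \(username), accessToken: <redacted, \(accessToken.count) chars>)"
    }
}

// Assumed subsystem/category; use your own bundle identifier in practice.
let authLogger = Logger(subsystem: "com.example.myawesomeapp", category: "auth")

/// Logs a sign-in without writing the token to the log store.
func logSignIn(_ credentials: Credentials) {
    // `.private` values are replaced with <private> in the persisted log unless
    // the device is explicitly configured to record private data. `.public`
    // values are stored in cleartext, so only non-sensitive facts get that level.
    authLogger.info("Signed in as \(credentials.username, privacy: .private)")
    authLogger.debug("Token length \(credentials.accessToken.count, privacy: .public)")

    // Even a careless interpolation of the whole value stays safe:
    authLogger.debug("State: \(String(describing: credentials), privacy: .public)")
}
```

The last line is the point of the `description` override: a grep over the code base for `accessToken` still finds the real leaks, but a reviewer no longer has to worry about every place the struct is interpolated into a message.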

  44. Insecure Data Storage
    Data stored inside the .ipa:
    🔹 Configuration files
    🔹 Executables
    Look for testing credentials and endpoints!
    (actually, any credentials and endpoints)
    (config comments may not be removed)

  45. Insecure Data Storage
    Data stored inside the .ipa:
    🔹 Configuration files
    🔹 Executables
    [22:05:16] juliapotapenko:MyAwesomeAppl.app $ strings MyAwesomeApp | grep "https://"

  47. Insecure Communication
    App Transport Security: do not allow HTTP
    HTTP allowed for all endpoints
    HTTP allowed for localhost

  51. Insecure Communication
    TLS Pinning: prevent MiTM
    SERVER (TLS Cert) <-> ATTACKER (MiTM Cert) <-> iOS APP
    ✅ Is trusted CA?
    ✅ Not expired?
    ❓ Is it our server’s cert?

  52. Insecure Communication
    TLS Pinning: prevent MiTM
    https://developer.apple.com/news/?id=g9ejcf8y

  54. Insecure Communication
    TLS Pinning: prevent MiTM
    It is just an Info.plist entry. I can bypass pinning by removing or changing it.
    Correct. But the main goal is to protect against MiTM when the attacker doesn’t have access to a physical device.

  56. Insecure Communication
    TLS Pinning: prevent MiTM
    https://developer.android.com/training/articles/security-ssl#Pinning
    Android docs
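The ATS slide ("HTTP allowed for all endpoints" vs "HTTP allowed for localhost") and the pinning slides ("just an Info.plist entry") both live under the same `NSAppTransportSecurity` dictionary. The fragment below is an added example, not a file from the talk: the weak setting first, then a corrected dictionary that limits the HTTP exception to `localhost` and pins the leaf key of one API host using the `NSPinnedDomains` mechanism that the Apple news item above announced (iOS 14). The host name is assumed and the SPKI hash is a placeholder to be replaced with the base64 SHA-256 of your server's Subject Public Key Info.

```xml
<!-- WEAK: disables ATS for every host; plain HTTP is accepted everywhere. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- CORRECTED: ATS stays on; only a local dev server may use HTTP, and the
     API host is pinned so a certificate from any other CA is rejected. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <!-- Scoped exception instead of a global one. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
    <key>NSPinnedDomains</key>
    <dict>
        <key>api.example.com</key>   <!-- assumed host -->
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Pin the server's own key. Pin more than one entry when a key
                 rotation is planned, or use NSPinnedCAIdentities to pin the CA. -->
            <key>NSPinnedLeafIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>REPLACE_WITH_BASE64_SHA256_OF_SERVER_SPKI</string>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
```

Because the pin is declarative, a release checklist should diff the shipped `Info.plist` against the expected one; the slide's own point stands that this protects users from a network-position attacker, not the app from someone holding the device.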

  59. Unintended Data Leakage
    Application Backgrounding
    What to protect? * * * * *
    Think of accidental sharing
    Sensitive data
    How to protect? Screen overlay
    Remove entered data
    Return to previous screen

  60. Unintended Data Leakage
    Screen overlay when app moved to background
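The screen-overlay mitigation above targets the snapshot iOS takes for the app switcher when the app leaves the foreground. As an added example (not code from the talk), this scene delegate covers the window with a blur before the snapshot is taken and removes it when the app becomes active again; it also gives view controllers an opt-in hook for the slide's second option, clearing entered data. The protocol name is an assumption introduced here.

```swift
import UIKit

/// Opt-in hook for the "remove entered data" option from the slide.
/// A view controller showing a password or card field conforms and clears it.
protocol SensitiveInputClearing: AnyObject {
    func clearSensitiveInput()
}

final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private var privacyOverlay: UIView?

    // Called before the system snapshots the UI for the app switcher, and also
    // when Control Center or a notification banner covers the app, which is
    // exactly when a shoulder-surfer or screenshot could capture the screen.
    func sceneWillResignActive(_ scene: UIScene) {
        guard let window = window, privacyOverlay == nil else { return }

        let overlay = UIVisualEffectView(effect: UIBlurEffect(style: .systemMaterial))
        overlay.frame = window.bounds
        overlay.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(overlay)
        privacyOverlay = overlay

        // Clear secrets that are still in text fields so they are neither in the
        // snapshot nor in memory longer than needed.
        topViewController(of: window)
            .flatMap { $0 as? SensitiveInputClearing }?
            .clearSensitiveInput()
    }

    func sceneDidBecomeActive(_ scene: UIScene) {
        privacyOverlay?.removeFromSuperview()
        privacyOverlay = nil
    }

    /// Walks presented and navigation controllers to find the visible one.
    private func topViewController(of window: UIWindow) -> UIViewController? {
        var current = window.rootViewController
        while true {
            if let presented = current?.presentedViewController {
                current = presented
            } else if let nav = current as? UINavigationController {
                current = nav.visibleViewController
            } else if let tab = current as? UITabBarController {
                current = tab.selectedViewController
            } else {
                return current
            }
        }
    }
}
```

Using `sceneWillResignActive` rather than `sceneDidEnterBackground` matters: by the time the background callback runs, the snapshot may already have been taken. The overlay is added to the window, not to a view controller, so it also covers modal sheets and alerts.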

  61. Summary
    We’ve learned
    - where we can read about common vulnerabilities
    - examples of top vulnerabilities: keychain, app generated content, allowing HTTP, biometrics, data stored in .ipa, TLS pinning, backgrounding, screen overlay

  63. Thank you!
    @julepka