Common iOS Vulnerabilities and How to Fix Them

Julia Potapenko

May 17, 2021
Transcript

  1. iOS App Vulnerabilities and how to fix them. Julia Potapenko

  2. Security Software Engineer, @julepka. We help companies to protect their sensitive and valuable data.
  3. How do we know the vulnerability is common? OWASP Mobile Top 10; CVE List by MITRE; security tools/services vendors; news and Twitter 🙂; our own experience 😎
  4. OWASP Mobile Top 10: M1 Improper Platform Usage; M2 Insecure Data Storage; M3 Insecure Communication; M4 Insecure Authentication; M5 Insufficient Cryptography; M6 Insecure Authorization; M7 Client Code Quality; M8 Code Tampering; M9 Reverse Engineering; M10 Extraneous Functionality. https://owasp.org/www-project-mobile-top-10/
  6. OWASP Mobile Top 10, 2016 vs 2014. 2016: M1 Improper Platform Usage; M2 Insecure Data Storage; M3 Insecure Communication; M4 Insecure Authentication; M5 Insufficient Cryptography; M6 Insecure Authorization; M7 Client Code Quality; M8 Code Tampering; M9 Reverse Engineering; M10 Extraneous Functionality. 2014: M1 Weak Server Side Controls; M2 Insecure Data Storage; M3 Insufficient Transport Layer Protection; M4 Unintended Data Leakage; M5 Poor Authorization and Authentication; M6 Broken Cryptography; M7 Client Side Injection; M8 Security Decisions Via Untrusted Inputs; M9 Improper Session Handling; M10 Lack of Binary Protection.
  8. CVE List (Common Vulnerabilities and Exposures List) https://cve.mitre.org/cve/search_cve_list.html Search: "iOS app"
  9. NVD (National Vulnerability Database), Common Vulnerability Scoring System

  10. Security tools/services vendors Databases, reports, statistics, blog posts https://snyk.io/vuln/

  11. Security tools/services vendors Databases, reports, statistics, blog posts https://www.guardsquare.com/state-of-mobile-application-security-report

  12. Improper Platform Usage

  13. Improper Platform Usage: Permissions, TouchID / FaceID, Keychain, Secure Enclave, URL Schemas, WebView, Autocorrection
  17. Improper Platform Usage. If I want to store some data… UserDefaults: not encrypted, accessible on a locked device. Keychain: encrypted storage, becomes decrypted on unlock. Secure Enclave: stores keys that can be used to encrypt Keychain entries.
  18. Improper Platform Usage. Not strict Keychain access policy == attacker can easily access Keychain data
  19. Improper Platform Usage

  23. Improper Platform Usage. Keychain accessibility attributes: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, kSecAttrAccessibleAfterFirstUnlock
  26. Improper Platform Usage. Or encrypt and decrypt on your own: 🔐 Secure Enclave 🔐 CryptoKit 🔐 Themis 🔐 AND!
  27. Improper Platform Usage. Watch your backups!
  28. Improper Platform Usage TouchID / FaceID

  29. Improper Platform Usage https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id
  32. Improper Platform Usage 🔥 🔥 🔥 🤯 🔥 Returns boolean = easy to bypass
  33. Improper Platform Usage https://github.com/sensepost/objection https://frida.re/docs/home/ Example source: http://highaltitudehacks.com/2018/07/29/ios-application-security-part-53-objection-continued/

  37. Improper Platform Usage 🍀 🍀 🍀 🍀 ☺ Specific attributes. Triggers biometry check automatically.
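Slides 18 to 27 describe a strict Keychain policy and slides 32 to 37 contrast a boolean biometry check with Keychain attributes that trigger the check themselves, but the deck shows no code. The following Swift is an added example, not from the talk: the item is stored with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly (unreadable without a passcode, never migrated to another device through a backup) and bound to the current biometric set through SecAccessControl, so reading it is what prompts for Face ID / Touch ID rather than the app branching on a Bool. The service and account names are placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example: a strict Keychain policy for a secret such as a session token.
// Service and account strings are placeholders for illustration.
enum SecretStore {
    static let service = "com.example.myawesomeapp.tokens"  // placeholder

    /// Stores `secret` so that:
    ///  - it is encrypted with a key that exists only while a passcode is set,
    ///  - it is never included in backups or migrated to another device (ThisDeviceOnly),
    ///  - every read requires the *current* biometric set (or passcode fallback).
    static func save(_ secret: Data, account: String) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,   // enrolling a new finger/face invalidates the item
            &error
        ) else {
            return errSecParam
        }

        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Replace any previous value stored for this account.
        SecItemDelete(lookup as CFDictionary)

        var item = lookup
        item[kSecAttrAccessControl as String] = access   // do not also set kSecAttrAccessible
        item[kSecValueData as String] = secret
        return SecItemAdd(item as CFDictionary, nil)
    }

    /// Reading the item is what prompts for Face ID / Touch ID. The decision is made by
    /// the keychain and Secure Enclave, not by an `if authenticated { ... }` branch in
    /// the app, so there is no boolean in app code for a hooking tool to flip.
    static func load(account: String, reason: String) -> Data? {
        let context = LAContext()
        context.localizedReason = reason

        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecReturnData as String: true,
            kSecUseAuthenticationContext as String: context,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess else {
            // errSecUserCanceled, errSecAuthFailed, or errSecItemNotFound
            // (the last one also happens after the biometric set changed).
            return nil
        }
        return result as? Data
    }
}

// Usage:
// let status = SecretStore.save(Data("s3cr3t-token".utf8), account: "session")
// let token = SecretStore.load(account: "session", reason: "Unlock your session")
```

Because the accessibility class is ThisDeviceOnly, the item is also excluded from encrypted iTunes/Finder and iCloud backups, which is the "watch your backups" point from slide 27.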
  40. Insecure Data Storage. Data generated by the app: 🔹 Logs 🔹 Databases 🔹 Caches 🔹 Other saved files. Check if any sensitive data may appear there! (check the code, not the files)
  44. Insecure Data Storage. Data stored inside the .ipa: 🔹 Configuration files 🔹 Executables. Look for testing credentials and endpoints! (actually, any credentials and endpoints) (config comments may not be removed)
  45. Insecure Data Storage. Data stored inside the .ipa: 🔹 Configuration files 🔹 Executables. [22:05:16] juliapotapenko:MyAwesomeAppl.app $ strings MyAwesomeApp | grep "https://"
  47. Insecure Communication. App Transport Security: do not allow HTTP. HTTP allowed for all endpoints vs. HTTP allowed for localhost.
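The slide contrasts two shapes of the NSAppTransportSecurity dictionary without showing them. The following Swift is an added example, not from the deck: a small audit function that flags the weak configuration (NSAllowsArbitraryLoads, which lets every endpoint fall back to plain HTTP) and accepts the narrow one (an HTTP exception only for localhost). The key names are Apple's documented Info.plist keys; the two sample dictionaries are constructed for illustration, and which hostnames count as "local" is my assumption.

```swift
import Foundation

// Added example: audit an NSAppTransportSecurity dictionary before release.
struct ATSFinding: CustomStringConvertible {
    let severity: String
    let message: String
    var description: String { "[\(severity)] \(message)" }
}

/// Returns findings for an ATS dictionary (nil means the app has no ATS entry,
/// so the secure defaults apply: HTTPS only, TLS 1.2+, forward secrecy).
func auditATS(_ ats: [String: Any]?) -> [ATSFinding] {
    var findings: [ATSFinding] = []
    guard let ats = ats else { return findings }

    if ats["NSAllowsArbitraryLoads"] as? Bool == true {
        findings.append(ATSFinding(severity: "HIGH",
            message: "NSAllowsArbitraryLoads disables ATS for every endpoint; plain HTTP is accepted"))
    }
    if ats["NSAllowsArbitraryLoadsInWebContent"] as? Bool == true {
        findings.append(ATSFinding(severity: "MEDIUM",
            message: "NSAllowsArbitraryLoadsInWebContent lets web views load HTTP content"))
    }

    let domains = ats["NSExceptionDomains"] as? [String: [String: Any]] ?? [:]
    for (domain, rules) in domains.sorted(by: { $0.key < $1.key }) {
        let insecure = rules["NSExceptionAllowsInsecureHTTPLoads"] as? Bool == true
        // Assumption: only these names are treated as development hosts.
        let isLocal = domain == "localhost" || domain == "127.0.0.1" || domain.hasSuffix(".local")
        if insecure && !isLocal {
            findings.append(ATSFinding(severity: "HIGH",
                message: "HTTP allowed for \(domain); only development hosts such as localhost should get this exception"))
        } else if insecure {
            findings.append(ATSFinding(severity: "INFO",
                message: "HTTP allowed for \(domain) (local development host); strip it from release builds"))
        }
        if let minTLS = rules["NSExceptionMinimumTLSVersion"] as? String,
           ["TLSv1.0", "TLSv1.1"].contains(minTLS) {
            findings.append(ATSFinding(severity: "MEDIUM",
                message: "\(domain) accepts \(minTLS); ATS default is TLS 1.2"))
        }
    }
    return findings
}

// Constructed sample: "HTTP allowed for all endpoints".
let weakATS: [String: Any] = ["NSAllowsArbitraryLoads": true]

// Constructed sample: "HTTP allowed for localhost" only; everything else stays on TLS.
let localhostOnlyATS: [String: Any] = [
    "NSExceptionDomains": [
        "localhost": ["NSExceptionAllowsInsecureHTTPLoads": true]
    ]
]

for finding in auditATS(weakATS) + auditATS(localhostOnlyATS) {
    print(finding)
}
// To check the real bundle from a unit test:
// auditATS(Bundle.main.infoDictionary?["NSAppTransportSecurity"] as? [String: Any])
```

Running this over the two samples prints one HIGH finding for the first dictionary and one INFO finding for the second; wiring the Bundle.main call into a unit test turns the slide's advice into a check that fails the build when someone re-adds NSAllowsArbitraryLoads.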
  51. Insecure Communication. TLS Pinning: prevent MiTM. SERVER, iOS APP, ATTACKER in between; TLS Cert vs. MiTM Cert. ✅ Is trusted CA? ✅ Not expired? ❓ Is it our server’s cert?
  52. Insecure Communication TLS Pinning Prevent MiTM https://developer.apple.com/news/?id=g9ejcf8y

  54. Insecure Communication. TLS Pinning: prevent MiTM. "It is just an Info.plist entry. I can bypass pinning by removing or changing it." Correct. But the main goal is to protect against MiTM when the attacker doesn’t have access to a physical device.
  56. Insecure Communication TLS Pinning Prevent MiTM https://developer.android.com/training/articles/security-ssl#Pinning Android docs
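The declarative route the slides point to is the NSPinnedDomains entry in Info.plist (the Apple news link on slide 52). As an added example that is not from the deck, here is the programmatic alternative in Swift: a URLSessionDelegate that lets the system answer the first two questions from slide 51 (trusted CA? not expired?) and then answers the third (is it our server's cert?) by comparing the SHA-256 of the leaf certificate's DER bytes with values shipped in the app. The hash strings are placeholders; SecTrustCopyCertificateChain requires iOS 15.

```swift
import Foundation
import Security
import CryptoKit

// Added example: certificate pinning in a URLSessionDelegate.
// Compute real pins from the server's certificate, e.g.
//   openssl x509 -in server.pem -outform DER | shasum -a 256
// and ship the current certificate's hash plus the next one for rotation.
final class PinningDelegate: NSObject, URLSessionDelegate {
    /// Hex SHA-256 digests of the DER-encoded certificates we accept.
    private let pinnedCertificateHashes: Set<String>

    init(pinnedCertificateHashes: Set<String>) {
        self.pinnedCertificateHashes = pinnedCertificateHashes
    }

    static func sha256Hex(_ data: Data) -> String {
        SHA256.hash(data: data).map { String(format: "%02x", $0) }.joined()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard evaluation: chains to a trusted root, not expired, hostname matches.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin check on the leaf certificate (index 0 of the evaluated chain).
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        if pinnedCertificateHashes.contains(Self.sha256Hex(leafDER)) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A CA-trusted certificate that is not ours: exactly the MiTM case from slide 51.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (placeholder pins):
// let delegate = PinningDelegate(pinnedCertificateHashes: [
//     "<sha256 hex of current server cert>",
//     "<sha256 hex of the next server cert>"
// ])
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Pinning the whole certificate means every certificate renewal needs an app update that already contains the new pin, which is why the set holds more than one value; pinning the public key instead survives renewals that keep the key, at the cost of extracting the SubjectPublicKeyInfo yourself. Either way the delegate has the same limitation slide 54 states: it protects traffic from an attacker on the network, not from one who can modify the app on a device they hold.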

  59. Unintended Data Leakage. Application Backgrounding. What to protect? Think of accidental sharing; sensitive data. How to protect? Screen overlay; remove entered data; return to previous screen.
  60. Unintended Data Leakage Screen overlay when app moved to background
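The screen overlay from slides 59 and 60, as an added Swift example that is not from the deck: the app covers its window when it is about to resign active, which is before the system takes the snapshot shown in the app switcher, and removes the cover when it becomes active again. This uses the pre-scene UIApplicationDelegate callbacks; with a scene-based app the same two calls go into sceneWillResignActive and sceneDidBecomeActive.

```swift
import UIKit

// Added example: hide sensitive content in the app-switcher snapshot.
final class PrivacyOverlay {
    private var overlay: UIView?

    /// Covers the whole window with a blur so the snapshot shows no content.
    func show(in window: UIWindow?) {
        guard let window = window, overlay == nil else { return }
        let cover = UIVisualEffectView(effect: UIBlurEffect(style: .regular))
        cover.frame = window.bounds
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(cover)
        overlay = cover
    }

    func hide() {
        overlay?.removeFromSuperview()
        overlay = nil
    }
}

@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private let privacyOverlay = PrivacyOverlay()

    func applicationWillResignActive(_ application: UIApplication) {
        // Fires for the app switcher, Control Center and incoming calls alike,
        // always before the snapshot is captured.
        privacyOverlay.show(in: window)
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        privacyOverlay.hide()
    }
}
```

For screens with entered secrets (a card number, a one-time code) the slide's other two options still apply on top of the overlay: clear the field in applicationWillResignActive, or pop back to a non-sensitive screen, so that the data is gone even if the overlay is removed early.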

  61. Summary. We’ve learned: where we can read about common vulnerabilities; examples of top vulnerabilities: keychain, app generated content, allowing HTTP, biometrics, data stored in .ipa, TLS pinning, backgrounding, screen overlay.
  63. Thank you! @julepka