Common iOS Vulnerabilities and How to Fix Them

Transcript

1. iOS App Vulnerabilities
   Julia Potapenko
   and how to fix them
   

   View Slide

2. Security Software Engineer
   @julepka
   We help companies to protect their
   sensitive and valuable data.
   

   View Slide

3. How do we know the vulnerability is common?
   OWASP Mobile Top 10
   CVE-List by MITRE
   Security tools/services vendors
   News and Twitter 🙂
   Our own experience 😎
   

   View Slide

4. OWASP Mobile Top 10
   M1: Improper Platform Usage
   M2: Insecure Data Storage
   M3: Insecure Communication
   M4: Insecure Authentication
   M5: Insufficient Cryptography
   M6: Insecure Authorization
   M7: Client Code Quality
   M8: Code Tampering
   M9: Reverse Engineering
   M10: Extraneous Functionality
   https://owasp.org/www-project-mobile-top-10/
   

   View Slide

5. OWASP Mobile Top 10
   M1: Improper Platform Usage
   M2: Insecure Data Storage
   M3: Insecure Communication
   M4: Insecure Authentication
   M5: Insufficient Cryptography
   M6: Insecure Authorization
   M7: Client Code Quality
   M8: Code Tampering
   M9: Reverse Engineering
   M10: Extraneous Functionality
   https://owasp.org/www-project-mobile-top-10/
   

   View Slide

6. 2016
   M1: Improper Platform Usage
   M2: Insecure Data Storage
   M3: Insecure Communication
   M4: Insecure Authentication
   M5: Insufficient Cryptography
   M6: Insecure Authorization
   M7: Client Code Quality
   M8: Code Tampering
   M9: Reverse Engineering
   M10: Extraneous Functionality
   M1: Weak Server Side Controls
   M2: Insecure Data Storage
   M3: Insufficient Transport Layer Protection
   M4: Unintended Data Leakage
   M5: Poor Authorization and Authentication
   M6: Broken Cryptography
   M7: Client Side Injection
   M8: Security Decisions Via Untrusted Inputs
   M9: Improper Session Handling
   M10: Lack of Binary Protection
   2014
   OWASP Mobile Top 10
   

   View Slide

7. 2016
   M1: Improper Platform Usage
   M2: Insecure Data Storage
   M3: Insecure Communication
   M4: Insecure Authentication
   M5: Insufficient Cryptography
   M6: Insecure Authorization
   M7: Client Code Quality
   M8: Code Tampering
   M9: Reverse Engineering
   M10: Extraneous Functionality
   M1: Weak Server Side Controls
   M2: Insecure Data Storage
   M3: Insufficient Transport Layer Protection
   M4: Unintended Data Leakage
   M5: Poor Authorization and Authentication
   M6: Broken Cryptography
   M7: Client Side Injection
   M8: Security Decisions Via Untrusted Inputs
   M9: Improper Session Handling
   M10: Lack of Binary Protection
   2014
   OWASP Mobile Top 10
   

   View Slide

8. CVE List
   https://cve.mitre.org/cve/search_cve_list.html
   Search: iOS app
   Common Vulnerabilities and Exposures List
   

   View Slide

9. NVD
   National Vulnerability Database
   Common Vulnerability
   Scoring System
   

   View Slide

10. Security tools/services vendors
    Databases, reports, statistics, blog posts
    https://snyk.io/vuln/
    

    View Slide

11. Security tools/services vendors
    Databases, reports, statistics, blog posts
    https://www.guardsquare.com/state-of-mobile-application-security-report
    

    View Slide

12. Improper Platform Usage
    

    View Slide

13. Improper Platform Usage
    Permissions
    TouchID / FaceID
    Keychain
    Secure Enclave
    URL Schemas
    WebView
    Autocorrection
    

    View Slide

14. Improper Platform Usage
    If I want to store some data…
    

    View Slide

15. Improper Platform Usage
    UserDefaults
    Not encrypted,
    accessible on a
    locked device.
    If I want to store some data…
    

    View Slide

16. Improper Platform Usage
    UserDefaults
    Not encrypted,
    accessible on a
    locked device.
    Keychain
    Encrypted storage,
    becomes decrypted
    on unlock.
    If I want to store some data…
    

    View Slide

17. Improper Platform Usage
    UserDefaults
    Not encrypted,
    accessible on a
    locked device.
    Keychain
    Encrypted storage,
    becomes decrypted
    on unlock.
    Secure Enclave
    Stores keys that can be
    used to encrypt
    Keychain entries.
    If I want to store some data…
    

    View Slide

18. Improper Platform Usage
    Not strict Keychain access policy
    ==
    Attacker can easily access Keychain data
    

    View Slide

19. Improper Platform Usage
    

    View Slide

20. Improper Platform Usage
    

    View Slide

21. Improper Platform Usage
    

    View Slide

22. Improper Platform Usage
    

    View Slide

23. Improper Platform Usage
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlock
    

    View Slide

24. Improper Platform Usage
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlock
    

    View Slide

25. Improper Platform Usage
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlock
    Or encrypt and decrypt on your own
    🔐 Secure Enclave 🔐 CryptoKit 🔐 Themis 🔐
    

    View Slide

26. Improper Platform Usage
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlock
    Or encrypt and decrypt on your own
    🔐 Secure Enclave 🔐 CryptoKit 🔐 Themis 🔐
    AND!
    

    View Slide

27. Improper Platform Usage
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    kSecAttrAccessibleWhenUnlocked
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    kSecAttrAccessibleAfterFirstUnlock
    Watch your backups!
    

    View Slide

28. Improper Platform Usage
    TouchID / FaceID
    

    View Slide

29. Improper Platform Usage
    https://developer.apple.com/documentation/localauthentication/
    logging_a_user_into_your_app_with_face_id_or_touch_id
    

    View Slide

30. Improper Platform Usage
    https://developer.apple.com/documentation/localauthentication/
    logging_a_user_into_your_app_with_face_id_or_touch_id
    

    View Slide

31. Improper Platform Usage
    🔥 🔥
    🔥
    🤯
    🔥
    

    View Slide

32. Improper Platform Usage
    🔥 🔥
    🔥
    🤯
    🔥
    Returns boolean
    = easy to bypass
    

    View Slide

33. Improper Platform Usage https://github.com/sensepost/objection
    https://frida.re/docs/home/
    Example source: http://highaltitudehacks.com/2018/07/29/ios-application-security-part-53-objection-continued/
    

    View Slide

34. Improper Platform Usage
    🍀 🍀
    🍀 🍀
    ☺
    

    View Slide

35. Improper Platform Usage
    🍀 🍀
    🍀 🍀
    ☺
    

    View Slide

36. Improper Platform Usage
    🍀 🍀
    🍀 🍀
    ☺
    Specific attributes
    

    View Slide

37. Improper Platform Usage
    🍀 🍀
    🍀 🍀
    ☺
    Triggers biometry
    check automatically
    Specific attributes
    

    View Slide

38. Insecure Data Storage
    Data generated by the app:
    🔹 Logs
    🔹 Databases
    🔹 Caches
    🔹 Other saved files
    

    View Slide

39. Insecure Data Storage
    Data generated by the app:
    🔹 Logs
    🔹 Databases
    🔹 Caches
    🔹 Other saved files
    Check if any sensitive
    data may appear there!
    

    View Slide

40. Insecure Data Storage
    Data generated by the app:
    🔹 Logs
    🔹 Databases
    🔹 Caches
    🔹 Other saved files
    Check if any sensitive
    data may appear there!
    (check the code, not the files)
    

    View Slide

41. Insecure Data Storage
    Data stored inside the .ipa:
    🔹 Configuration files
    🔹 Executables
    

    View Slide

42. Insecure Data Storage
    Data stored inside the .ipa:
    🔹 Configuration files
    🔹 Executables
    Look for testing credentials
    and endpoints!
    

    View Slide

43. Insecure Data Storage
    Data stored inside the .ipa:
    🔹 Configuration files
    🔹 Executables
    Look for testing credentials
    and endpoints!
    (actually, any credentials and endpoints)
    

    View Slide

44. Insecure Data Storage
    Data stored inside the .ipa:
    🔹 Configuration files
    🔹 Executables
    Look for testing credentials
    and endpoints!
    (actually, any credentials and endpoints)
    (config comments may not be removed)
    

    View Slide

45. Insecure Data Storage
    Data stored inside the .ipa:
    🔹 Configuration files
    🔹 Executables
    [22:05:16] juliapotapenko:MyAwesomeAppl.app $ strings MyAwesomeApp | grep "https://"
    

    View Slide

46. Insecure Communication App
    Transport
    Security
    Do not
    allow
    HTTP
    

    View Slide

47. Insecure Communication App
    Transport
    Security
    Do not
    allow
    HTTP
    HTTP allowed for all endpoints
    HTTP allowed for localhost
    

    View Slide

48. Insecure Communication TLS
    Pinning
    Prevent
    MiTM
    SERVER iOS APP
    TLS Certificate
    

    View Slide

49. Insecure Communication
    SERVER iOS APP
    ATTACKER
    TLS
    Pinning
    Prevent
    MiTM
    TLS Cert MiTM Cert
    

    View Slide

50. Insecure Communication
    SERVER iOS APP
    ATTACKER
    TLS
    Pinning
    Prevent
    MiTM
    TLS Cert MiTM Cert
    ✅ Is trusted CA?
    ✅ Not expired?
    

    View Slide

51. Insecure Communication
    SERVER iOS APP
    ATTACKER
    TLS
    Pinning
    Prevent
    MiTM
    TLS Cert MiTM Cert
    ✅ Is trusted CA?
    ✅ Not expired?
    ❓ Is it our server’s cert?
    

    View Slide

52. Insecure Communication TLS
    Pinning
    Prevent
    MiTM
    https://developer.apple.com/news/?id=g9ejcf8y
    

    View Slide

53. Insecure Communication TLS
    Pinning
    Prevent
    MiTM
    https://developer.apple.com/news/?id=g9ejcf8y
    

    View Slide

54. Insecure Communication TLS
    Pinning
    Prevent
    MiTM
    It is just an Info.plist entry. I can bypass pinning by
    removing or changing it.
    Correct. But the main goal is to protect against MiTM
    when the attacked doesn’t have access to a physical
    device.
    

    View Slide

55. Insecure Communication TLS
    Pinning
    Prevent
    MiTM
    It is just an Info.plist entry. I can bypass pinning by
    removing or changing it.
    Correct. But the main goal is to protect against MiTM
    when the attacked doesn’t have access to a physical
    device.
    

    View Slide

56. Insecure Communication TLS
    Pinning
    Prevent
    MiTM
    https://developer.android.com/training/articles/security-ssl#Pinning
    Android docs
    

    View Slide

57. Unintended Data Leakage
    Application Backgrounding
    

    View Slide

58. Unintended Data Leakage
    Application Backgrounding
    What to protect? * * * * *
    Think of accidental sharing
    Sensitive data
    

    View Slide

59. Unintended Data Leakage
    Application Backgrounding
    What to protect? * * * * *
    Think of accidental sharing
    Sensitive data
    How to protect? Screen overlay
    Remove entered data
    Return to previous screen
    

    View Slide

60. Unintended Data Leakage
    Screen overlay when app moved to background
    

    View Slide

61. Summary
    We’ve learned
    - where we can read about common vulnerabilities
    - examples of top vulnerabilities
    - keychain - app generated content - allowing HTTP
    - biometrics - data stored in .ipa - TLS pinning
    - backgrounging - screen overlay
    

    View Slide

62. View Slide

63. Thank you!
    @julepka
    

    View Slide