Common iOS Vulnerabilities and How to Fix Them

Transcript

1. iOS App Vulnerabilities Julia Potapenko and how to fix them

2. Security Software Engineer @julepka We help companies to protect their

   sensitive and valuable data.

3. How do we know the vulnerability is common? OWASP Mobile

   Top 10 CVE-List by MITRE Security tools/services vendors News and Twitter 🙂 Our own experience 😎

4. OWASP Mobile Top 10 M1: Improper Platform Usage M2: Insecure

   Data Storage M3: Insecure Communication M4: Insecure Authentication M5: Insufficient Cryptography M6: Insecure Authorization M7: Client Code Quality M8: Code Tampering M9: Reverse Engineering M10: Extraneous Functionality https://owasp.org/www-project-mobile-top-10/

5. OWASP Mobile Top 10 M1: Improper Platform Usage M2: Insecure

   Data Storage M3: Insecure Communication M4: Insecure Authentication M5: Insufficient Cryptography M6: Insecure Authorization M7: Client Code Quality M8: Code Tampering M9: Reverse Engineering M10: Extraneous Functionality https://owasp.org/www-project-mobile-top-10/

6. 2016 M1: Improper Platform Usage M2: Insecure Data Storage M3:

   Insecure Communication M4: Insecure Authentication M5: Insufficient Cryptography M6: Insecure Authorization M7: Client Code Quality M8: Code Tampering M9: Reverse Engineering M10: Extraneous Functionality M1: Weak Server Side Controls M2: Insecure Data Storage M3: Insufficient Transport Layer Protection M4: Unintended Data Leakage M5: Poor Authorization and Authentication M6: Broken Cryptography M7: Client Side Injection M8: Security Decisions Via Untrusted Inputs M9: Improper Session Handling M10: Lack of Binary Protection 2014 OWASP Mobile Top 10

7. 2016 M1: Improper Platform Usage M2: Insecure Data Storage M3:

   Insecure Communication M4: Insecure Authentication M5: Insufficient Cryptography M6: Insecure Authorization M7: Client Code Quality M8: Code Tampering M9: Reverse Engineering M10: Extraneous Functionality M1: Weak Server Side Controls M2: Insecure Data Storage M3: Insufficient Transport Layer Protection M4: Unintended Data Leakage M5: Poor Authorization and Authentication M6: Broken Cryptography M7: Client Side Injection M8: Security Decisions Via Untrusted Inputs M9: Improper Session Handling M10: Lack of Binary Protection 2014 OWASP Mobile Top 10

8. CVE List https://cve.mitre.org/cve/search_cve_list.html Search: iOS app Common Vulnerabilities and Exposures

   List

9. NVD National Vulnerability Database Common Vulnerability Scoring System

10. Security tools/services vendors Databases, reports, statistics, blog posts https://snyk.io/vuln/

11. Security tools/services vendors Databases, reports, statistics, blog posts https://www.guardsquare.com/state-of-mobile-application-security-report

12. Improper Platform Usage

13. Improper Platform Usage Permissions TouchID / FaceID Keychain Secure Enclave

    URL Schemas WebView Autocorrection

14. Improper Platform Usage If I want to store some data…

15. Improper Platform Usage UserDefaults Not encrypted, accessible on a locked

    device. If I want to store some data…

16. Improper Platform Usage UserDefaults Not encrypted, accessible on a locked

    device. Keychain Encrypted storage, becomes decrypted on unlock. If I want to store some data…

17. Improper Platform Usage UserDefaults Not encrypted, accessible on a locked

    device. Keychain Encrypted storage, becomes decrypted on unlock. Secure Enclave Stores keys that can be used to encrypt Keychain entries. If I want to store some data…

18. Improper Platform Usage Not strict Keychain access policy == Attacker

    can easily access Keychain data

19. Improper Platform Usage

20. Improper Platform Usage

21. Improper Platform Usage

22. Improper Platform Usage

23. Improper Platform Usage kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly kSecAttrAccessibleWhenUnlockedThisDeviceOnly kSecAttrAccessibleWhenUnlocked kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly kSecAttrAccessibleAfterFirstUnlock

24. Improper Platform Usage kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly kSecAttrAccessibleWhenUnlockedThisDeviceOnly kSecAttrAccessibleWhenUnlocked kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly kSecAttrAccessibleAfterFirstUnlock

25. Improper Platform Usage kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly kSecAttrAccessibleWhenUnlockedThisDeviceOnly kSecAttrAccessibleWhenUnlocked kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly kSecAttrAccessibleAfterFirstUnlock Or encrypt

    and decrypt on your own 🔐 Secure Enclave 🔐 CryptoKit 🔐 Themis 🔐

26. Improper Platform Usage kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly kSecAttrAccessibleWhenUnlockedThisDeviceOnly kSecAttrAccessibleWhenUnlocked kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly kSecAttrAccessibleAfterFirstUnlock Or encrypt

    and decrypt on your own 🔐 Secure Enclave 🔐 CryptoKit 🔐 Themis 🔐 AND!

27. Improper Platform Usage kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly kSecAttrAccessibleWhenUnlockedThisDeviceOnly kSecAttrAccessibleWhenUnlocked kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly kSecAttrAccessibleAfterFirstUnlock Watch your

    backups!

28. Improper Platform Usage TouchID / FaceID

29. Improper Platform Usage https://developer.apple.com/documentation/localauthentication/ logging_a_user_into_your_app_with_face_id_or_touch_id

30. Improper Platform Usage https://developer.apple.com/documentation/localauthentication/ logging_a_user_into_your_app_with_face_id_or_touch_id

31. Improper Platform Usage 🔥 🔥 🔥 🤯 🔥

32. Improper Platform Usage 🔥 🔥 🔥 🤯 🔥 Returns boolean

    = easy to bypass

33. Improper Platform Usage https://github.com/sensepost/objection https://frida.re/docs/home/ Example source: http://highaltitudehacks.com/2018/07/29/ios-application-security-part-53-objection-continued/

34. Improper Platform Usage 🍀 🍀 🍀 🍀 ☺

35. Improper Platform Usage 🍀 🍀 🍀 🍀 ☺

36. Improper Platform Usage 🍀 🍀 🍀 🍀 ☺ Specific attributes

37. Improper Platform Usage 🍀 🍀 🍀 🍀 ☺ Triggers biometry

    check automatically Specific attributes

38. Insecure Data Storage Data generated by the app: 🔹 Logs

    🔹 Databases 🔹 Caches 🔹 Other saved files

39. Insecure Data Storage Data generated by the app: 🔹 Logs

    🔹 Databases 🔹 Caches 🔹 Other saved files Check if any sensitive data may appear there!

40. Insecure Data Storage Data generated by the app: 🔹 Logs

    🔹 Databases 🔹 Caches 🔹 Other saved files Check if any sensitive data may appear there! (check the code, not the files)

41. Insecure Data Storage Data stored inside the .ipa: 🔹 Configuration

    files 🔹 Executables

42. Insecure Data Storage Data stored inside the .ipa: 🔹 Configuration

    files 🔹 Executables Look for testing credentials and endpoints!

43. Insecure Data Storage Data stored inside the .ipa: 🔹 Configuration

    files 🔹 Executables Look for testing credentials and endpoints! (actually, any credentials and endpoints)

44. Insecure Data Storage Data stored inside the .ipa: 🔹 Configuration

    files 🔹 Executables Look for testing credentials and endpoints! (actually, any credentials and endpoints) (config comments may not be removed)

45. Insecure Data Storage Data stored inside the .ipa: 🔹 Configuration

    files 🔹 Executables [22:05:16] juliapotapenko:MyAwesomeAppl.app $ strings MyAwesomeApp | grep "https://"

46. Insecure Communication App Transport Security Do not allow HTTP

47. Insecure Communication App Transport Security Do not allow HTTP HTTP

    allowed for all endpoints HTTP allowed for localhost

48. Insecure Communication TLS Pinning Prevent MiTM SERVER iOS APP TLS

    Certificate

49. Insecure Communication SERVER iOS APP ATTACKER TLS Pinning Prevent MiTM

    TLS Cert MiTM Cert

50. Insecure Communication SERVER iOS APP ATTACKER TLS Pinning Prevent MiTM

    TLS Cert MiTM Cert ✅ Is trusted CA? ✅ Not expired?

51. Insecure Communication SERVER iOS APP ATTACKER TLS Pinning Prevent MiTM

    TLS Cert MiTM Cert ✅ Is trusted CA? ✅ Not expired? ❓ Is it our server’s cert?

52. Insecure Communication TLS Pinning Prevent MiTM https://developer.apple.com/news/?id=g9ejcf8y

53. Insecure Communication TLS Pinning Prevent MiTM https://developer.apple.com/news/?id=g9ejcf8y

54. Insecure Communication TLS Pinning Prevent MiTM It is just an

    Info.plist entry. I can bypass pinning by removing or changing it. Correct. But the main goal is to protect against MiTM when the attacked doesn’t have access to a physical device.

55. Insecure Communication TLS Pinning Prevent MiTM It is just an

    Info.plist entry. I can bypass pinning by removing or changing it. Correct. But the main goal is to protect against MiTM when the attacked doesn’t have access to a physical device.

56. Insecure Communication TLS Pinning Prevent MiTM https://developer.android.com/training/articles/security-ssl#Pinning Android docs

57. Unintended Data Leakage Application Backgrounding

58. Unintended Data Leakage Application Backgrounding What to protect? * *

    * * * Think of accidental sharing Sensitive data

59. Unintended Data Leakage Application Backgrounding What to protect? * *

    * * * Think of accidental sharing Sensitive data How to protect? Screen overlay Remove entered data Return to previous screen

60. Unintended Data Leakage Screen overlay when app moved to background

61. Summary We’ve learned - where we can read about common

    vulnerabilities - examples of top vulnerabilities - keychain - app generated content - allowing HTTP - biometrics - data stored in .ipa - TLS pinning - backgrounging - screen overlay
62. None

63. Thank you! @julepka