iOS App Security

Transcript

1. iOS App Security. if (user.isAdmin) { // You're doing this

   very wrong. }

2. Hey, I’m Kiran Panesar. k_panesar /kiranpanesar [email protected] We make an

   app building platform over at nativ.com.

3. “iOS is so secure” - Lots of people

4. “iOS is so not secure” - [the truth]

5. None

6. What we’ll cover - Network security. - Static analysis. -

   Runtime analysis & manipulation. - Decompilation and reverse engineering. - A fun demo.

7. Network Security mitmproxy

8. Network Security - No API is safe! - Intercept network

   traffic. - Self-sign SSL certificates - Replay attacks, request forgery, etc.

9. Network Security - No API is safe! - Intercept network

   traffic. - Self-sign SSL certificates - Replay attacks, request forgery, etc.

10. Static Analysis. clutch and iNalyzer.

11. iNalyzer - The ultimate static analysis tool for iOS apps.

    - Dumps headers. - Creates a full set of documentation for an app. - Full class hierarchy, interaction diagrams, string analysis. - Uses Doxygen. - By default it’ll only work with system apps. - Use clutch to decrypt any app.

12. iNalyzer ~ root# clutch Anywall ~ root# mv Anywall.ipa Anywall.zip

    ~ root# unzip Anywall.zip ~ root# iNalyzer5 --direct Anywall.app/ iNalyzer [1/9] Dumping Headers:Done ... iNalyzer [9/9] Patching Headers:Done iNalyzer done, file saved at:/var/root/Documents/ iNalyzer/Anywall-direct.ipa
13. None
14. None
15. None

16. Runtime analysis/manipulation Cycript

17. Cycript ~ root# cycript -p Instagram cy# UIApp.delegate.window.rootViewController #"<IGRootViewController: 0x155cead0>"

    cy# UIApp.delegate.window.rootViewController.view.subviews[0] @[#"<UIImageView: 0x157b2850;, #"<UILabel: 0x157b2f40; text = 'Log in to...';] cy# var welcomeLabel = new Instance(0x157b2f40); cy# welcomeLabel.text = "Hello code & cans!"

18. Cycript

19. Cycript ~ root# cycript -p VulnerableApp cy# User.messages[‘isAdmin’] = function()

    { return True; } function() { return True;} cy# [APIManager privateKey]; “2EqecahatHaMUphetRUvaTrus”

20. Introspy - A method tracing tool. - Allows us to

    set up tracers on anything we want. - Hooks into methods, prints out values, and continues. - Doesn’t disturb the execution of the program, it just quietly scrapes all the data.
21. None
22. None

23. Decompilation Hopper Disassembler

24. Parse is a MBaaS product by Facebook.

25. Parse is secure if configured correctly.

26. Parse is rarely configured correctly.

27. What we’ll do - Steal a Parse app’s API key/secret

    credentials. - Access restricted data. - Make the app crash for every single user (not really).

28. Defence - Use PT_DENY_ATTACH to disable debugging tracing. - Obfuscation.

    - Secure programming. - Distractions and false flags. - Disable the app if jailbroken or cracked. - Exit the app if suspicious activity is detected.

29. Where next? DamnVulnerableiOSApp.com/#learn