
iOS App Security

A brief introduction to hacking iOS applications. This covers:

- Network security.
- Static analysis.
- Runtime analysis and manipulation.
- Decompilation and reverse-engineering.

To get a better understanding of the topic, check out DVIA:
http://damnvulnerableiosapp.com/#learn

Kiran Panesar

June 22, 2015

Transcript

  1. iOS App Security.
    if (user.isAdmin) { // You're doing this very wrong. }
  2. Hey, I’m Kiran Panesar. k_panesar /kiranpanesar k@nativ.com. We make an app building platform over at nativ.com.
  3. “iOS is so secure” - Lots of people
  4. “iOS is so insecure” - Lots of people
  8. Goals
  9. Goal #1: To give an introductory insight into security systems, exploits and tools available for iOS.
  10. Goal #2: Walk away with the ability to further secure your apps and networks.
  11. Goal #3: Read up further.
  12. What we’ll cover
    - Network security.
    - Static analysis.
    - Runtime analysis & manipulation.
    - Decompilation and reverse engineering.
    - Walkthrough of an exploit.
  13. Network Security. Intercepting traffic using mitmproxy.
  14. Network Security
    - No API is safe!
    - Intercept network traffic.
    - Self-signed SSL certificates.
    - Replay attacks, request forgery, etc.
  16. “Wait, I don’t see any real data!”
  17. Network Security
    - Configure your device’s proxy settings.
    - Install the self-signed SSL certificate.
    - Boom. Intercept any HTTPS call made from the device.
  19. Static Analysis. Decryption with clutch, analysis with iNalyzer.
  20. Before we get started…
  21. ~ ssh root@192.168.1.161
    Make sure you change your default password…
  22. iNalyzer - The ultimate static analysis tool for iOS apps.
    - Dumps headers.
    - Creates a full set of documentation for an app.
    - Full class hierarchy, interaction diagrams, string analysis.
    - Uses Doxygen.
    - By default it’ll only work with system apps.
    - Use clutch to decrypt any app.
  23. iNalyzer
    ~ root# clutch Anywall
    ~ root# mv Anywall.ipa Anywall.zip
    ~ root# unzip Anywall.zip
    ~ root# iNalyzer5 --direct Anywall.app/
    iNalyzer [1/9] Dumping Headers:Done
    ...
    iNalyzer [9/9] Patching Headers:Done
    iNalyzer done, file saved at:/var/root/Documents/iNalyzer/Anywall-direct.ipa
  27. Runtime analysis/manipulation. Inject into any application using cycript.
  28. Cycript
    ~ root# cycript -p Instagram
    cy# UIApp.delegate.window.rootViewController
    #"<IGRootViewController: 0x155cead0>"
    cy# UIApp.delegate.window.rootViewController.view.subviews[0]
    @[#"<UIImageView: 0x157b2850;, #"<UIButton: 0x165c8f90; frame = (12 512; 296 44);]
    cy# var logInButton = new Instance(0x165c8f90);
    cy# welcomeLabel.text = "Hello Mobile Mondays!"
  29. Cycript Before
  30. Cycript After
  31. Who cares?!
  32. Cycript
    ~ root# cycript -p VulnerableApp
    cy# User.messages['isAdmin'] = function() { return true; }
    function() { return true; }
    cy# [APIManager privateKey];
    "2EqecahatHaMUphetRUvaTrus-YesPeopleActuallyDoThis"
  33. Introspy - A method tracing tool.
    - Allows us to set up tracers on anything we want.
    - Hooks into methods, prints out values, and continues.
    - Doesn’t disturb the execution of the program, it just quietly scrapes all the data.
  36. Decompilation. Generate assembler and pseudocode with Hopper Disassembler.
  37. Parse is an MBaaS product by Facebook.
  38. Parse is secure if configured correctly.
  39. Parse is rarely configured correctly.
  40. What we’ll do
    - Steal a Parse app’s API key/secret credentials.
    - Access restricted user posts.
  41. Anywall - An official Parse demo app.
    - Allows you to see messages posted by users within 4000 ft.
  42. Step #1: Acquiring the API keys using Hopper.
  47. Step #2: Using iNalyzer and Cycript to access restricted data.
  50. Loading all posts
    ~ root# cycript -p Anywall
    cy# var query = [PFQuery queryWithClassName:@"Posts"];
    #"<PFQuery: 0x156e43b0>"
    cy# var objects = [query findObjects];
    cy# [objects[0] objectForKey:@"location"][@"latitude"]
    22.36REDACTED
    cy# [objects[0] objectForKey:@"location"][@"longitude"]
    114.10REDACTED
  52. Defence
    - Use PT_DENY_ATTACH (via ptrace) to stop a debugger from attaching.
    - Obfuscation.
    - Secure programming.
    - Distractions and false flags.
    - Disable the app if jailbroken or cracked.
    - Exit the app if suspicious activity is detected.
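As an added example, not code from the talk or from the Anywall app, this is the kind of Parse configuration slide 38 means by "configured correctly": the server enforces a per-object ACL, so neither the keys pulled from the binary in Step #1 (Parse treats client keys as identifiers, not secrets) nor a cycript-patched client can read posts they were never granted. It assumes a hypothetical helper createPrivatePost and a policy where each post is readable only by its author.

```objective-c
#import <Parse/Parse.h>

// Hypothetical helper written for this page: saves a "Posts" object that only
// its author may read or write. The ACL is checked by the Parse server on every
// query, so flipping an isAdmin-style check in the client with cycript, or
// replaying [query findObjects] from another program with the app's keys,
// does not return posts the caller has no read access to.
void createPrivatePost(NSString *text, PFGeoPoint *location) {
    PFUser *author = [PFUser currentUser];
    NSCAssert(author != nil, @"a logged-in user is required");

    PFObject *post = [PFObject objectWithClassName:@"Posts"];
    post[@"text"] = text;
    post[@"location"] = location;   // the field read back in slide 50
    post[@"user"] = author;

    // Start from an ACL that grants the author read/write and nobody else
    // anything, then make the "public" bits explicit so a later edit cannot
    // quietly reintroduce the world-readable default.
    PFACL *acl = [PFACL ACLWithUser:author];
    [acl setPublicReadAccess:NO];
    [acl setPublicWriteAccess:NO];
    post.ACL = acl;

    [post saveInBackgroundWithBlock:^(BOOL succeeded, NSError *error) {
        if (!succeeded) {
            NSLog(@"post save failed: %@", error);
        }
    }];
}

// Apply the same private default to every object the app creates, so an
// object saved without an explicit ACL is still not readable by everyone.
// Call once at launch, before any PFObject is saved.
void installDefaultACL(void) {
    PFACL *defaultACL = [PFACL ACL];   // no public read, no public write
    [PFACL setDefaultACL:defaultACL withAccessForCurrentUser:YES];
}
```

Parse's class-level permissions in the dashboard are the other half of this: they can lock the Posts class against client-side enumeration regardless of what a patched client sends.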
  53. Where next? DamnVulnerableiOSApp.com/#learn