Needle - OWASP AppSec USA 2016

I delivered a talk based on this presentation at OWASP AppSec USA 2016 (https://appsecusa2016.sched.org/event/7tAm/needle-finding-issues-within-ios-applications) in Washington DC (October 14th, 2016).

Abstract:

Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases, however iOS does not have an equivalent.

"Needle" is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.​ The only requirement in order to run Needle effectively is a jailbroken device.

We will be describing the tool's architecture, capabilities and roadmap. We will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided).

Marco Lancini

October 14, 2016

Transcript

  1. Needle
    Finding Issues within iOS Applications
    Marco Lancini

  2. Whoami
    Me: Marco Lancini
    – Security Consultant at MWR InfoSecurity
    – @lancinimarco
    MWR InfoSecurity
    – Research-led Security Consultancy
    – Offices in the UK, USA, Singapore, South Africa, Germany, Poland…

  3. What is this talk about?
    Current State of Mobile (in)Security
    iOS Pentesting (the current state)
    Needle (idea, architecture, features, etc.)
    Demo
    Roadmap

  4. CURRENT STATE OF MOBILE
    (IN)SECURITY

  5. My Life as a Pentester
    Scoping – Testing – Reporting
    Testing

  6. Mobile app lifecycle
    Idea
    Execution
    Public Release

  7. Mobile app lifecycle

  8. Some real life examples…

  9. Where to focus

  10. OWASP Mobile Top 10 (2014)

  11. Server Side Security

  12. Client Side Security

  13. Attacker’s Perspective
    • Physical access
    – Stolen device
    – Unattended device
    – Shared environment
    • Malware
    – JB devices
    – Non-JB devices
    • Exploitation
    – Outdated software
    – 0day

  14. Attacker’s Perspective
    • Network communications
    – Man-in-the-Middle (MitM)
    – Clear text / Weak encryption
    – Client-side attacks
    • The web server
    – Web application security

  15. IOS PENTESTING
    (the current state)

  16. Assessment Scenarios
    • Source Code Review
    • Mobile App Test
    • Device Review
    • Mobile Device Management

  17. Types of Applications

  18. Analysing iOS Applications
    Run the app on a jailbroken device
    MitM all the network communications
    Inspect the app via instrumentation
    Manipulate the runtime
    Review the codebase

  19. Techniques / 1
    Static Analysis
    • Reverse engineer the binary
    • Perform code review
    Data Security
    • Look for insecure storage
    • Assess data sources (keychain, plist files, cookies)
    • Check presence of caching

  20. Techniques / 2
    Runtime Analysis
    • Bypass integrity checks
    • [Patch the binary]
    • Instrument the app (hooking)
    Transport Security
    • Proxy the traffic
    • [Bypass TLS pinning]
    • Assess WebViews / exploit JS bridges

  21. iOS Testing Environment

  22. Testing Tools
    • Jailbroken device
    – Weaken the sandbox
    – Emulate attackers’ perspective
    • Alternate Market (Cydia)
    – Common unix tools (BigBoss)
    – OpenSSH
    • Hooking framework
    – Cycript/Frida/Theos
    • Intercepting proxy (Burp)

  23. Testing Tools

  24. Common problems
    • Need to rely on a multitude of different tools
    – each one developed for a specific need
    – each one with its own mode of operation (and syntax)
    • Issues
    – steep learning curve
    – time wasted in configuring many different tools
    – a “drozer for iOS” was missing

  25. INTRODUCING: NEEDLE
    (a new format)

  26. What is Needle?
    • A tool for auditing iOS Application Security
    • An open source, modular framework
    – streamline the entire process
    – acts as a central hub

  27. What it’s *not*
    • Not a “drozer” for iOS
    – does not require an agent installed on the device (for now)
    – does require a jailbroken device
    • Not a vuln scanner
    – knowledge (and intuition) of the tester is still required

  28. Motivation
    Beginners: easy to use
    Professionals: save time during assessments
    Developers: quickly test their products

  29. The Architecture

  30. Architecture
    • Decoupled components
    • Entirely written in Python
    • Components: Framework Core, Helpers, UI, API, Device Manager, Modules

  31. UI

  32. Device Manager
    • Manage connections with the iDevice
    – SSH over Wi-Fi
    – SSH over USB
    • Device setup, port forwarding, cleanup…
    • Basic commands
    – shell, push/pull
    • App management
    – metadata, open, decrypt, data protection…

  33. DEMO
    Basic Usage

  34. Framework Core
    • Initialize and manage all the other components
    • Load/execute modules/jobs
    • Maintain status
    – global options, loaded modules, running jobs, device status…
    – pointers to instantiated objects
    – constants

  35. Helpers
    • Common functionalities offered both to the Core and APIs
    • Sanitization, logging, printing…

  36. API
    • The framework core exposes APIs to interact with the local and remote OS
    • These wrap common functionalities
    – file and data access
    – command execution
    – networking
    • Speed up creation of new modules

  37. API

  38. Modules
    • Heart of Needle’s functionalities
    • Collection of Python scripts

  39. Modules / Sample

  40. DEMO
    Modules

  41. Currently Supported Modules
    Binary
    • App Metadata
    • Compilation Checks
    • Shared Libraries
    • Strings
    • Class Dump
    • Install IPA
    • Pull IPA
    Storage
    • Binary Cookies
    • Cache.db Files
    • Plist Files
    • SQL Files
    • Dump Keychain
    • Screenshot Caching
    • Keyboard Autocomplete Caching

  42. Currently Supported Modules
    Dynamic
    • Jailbreak Detection
    • URI Handler
    • Heap Dump
    • Monitor File changes
    • Monitor OS Pasteboard
    • Syslog Monitor
    • Syslog Watch
    Hooking
    • Cycript shell
    • Frida shell
    • Frida trace
    • Frida launcher
    • Enumerate Classes (script)
    • Enumerate Methods (script)
    • Enumerate All Methods (script)

  43. Currently Supported Modules
    Comms
    • List Installed Certificates
    • Export Installed Certificates
    • Import Installed Certificates
    • Delete Installed Certificates
    • Install MitmProxy CA Certificate
    • Intercepting Proxy
    Static
    • Code Checks

  44. ACTION TIME

  45. DVIA

  46. DEMO
    Binary Analysis

  47. DEMO
    Storage

  48. DEMO
    Dynamic Analysis

  49. DEMO
    Hooking

  50. DEMO
    Network Comms

  51. DEMO
    Static Analysis

  52. ROADMAP

  53. Roadmap
    • Replace all the dependencies
    – Agent to deploy on device
    – Support for non-jailbroken devices
    • Substrate integration
    • WebView scanner
    • Hook Swift methods
    • URI handlers fuzzer
    • Pinning detection/bypass
    • Obfuscation detection
    • New modules
    – … community based

  54. Wanna help?

  55. Want to know more?
    mwr.to/needle
    @mwrneedle
