Needle - OWASP AppSec USA 2016

I delivered a talk based on this presentation at OWASP AppSec USA 2016 (https://appsecusa2016.sched.org/event/7tAm/needle-finding-issues-within-ios-applications) in Washington DC (October 14th, 2016).

Abstract:

Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a "one stop shop" for the majority of use cases; iOS, however, has no equivalent.

"Needle" is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of Python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. Testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device.

We will be describing the tool's architecture, capabilities and roadmap. We will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided).

Marco Lancini

October 14, 2016

Transcript

  1. Needle: Finding Issues within iOS Applications – Marco Lancini

  2. Whoami
    • Me: Marco Lancini – Security Consultant at MWR InfoSecurity – @lancinimarco
    • MWR InfoSecurity – Research-led Security Consultancy – Offices in the UK, USA, Singapore, South Africa, Germany, Poland…

  3. What is this talk about?
    • Current State of Mobile (in)Security
    • iOS Pentesting (the current state)
    • Needle (idea, architecture, features, etc.)
    • Demo
    • Roadmap

  4. CURRENT STATE OF MOBILE (IN)SECURITY

  5. My Life as a Pentester: Scoping – Testing – Reporting – Testing

  6. Mobile app lifecycle: Idea – Execution – Public Release

  7. Mobile app lifecycle

  8. Some real life examples…

  9. Where to focus

  10. OWASP Mobile Top 10 (2014)

  11. Server Side Security

  12. Client Side Security

  13. Attacker’s Perspective
    • Physical access – Stolen device – Unattended device – Shared environment
    • Malware – JB devices – Non-JB devices
    • Exploitation – Outdated software – 0day

  14. Attacker’s Perspective
    • Network communications – Man-in-the-Middle (MitM) – Clear text / Weak encryption – Client-side attacks
    • The web server – Web application security

  15. IOS PENTESTING (the current state)

  16. Assessment Scenarios: Source Code Review – Mobile App Test – Device Review – Mobile Device Management

  17. Types of Applications

  18. Analysing iOS Applications
    • Run the app on a jailbroken device
    • MitM all the network communications
    • Inspect the app via instrumentation
    • Manipulate the runtime
    • Review the codebase

  19. Techniques / 1
    Static Analysis
    • Reverse engineer the binary
    • Perform code review
    Data Security
    • Look for insecure storage
    • Assess data sources (keychain, plist files, cookies)
    • Check presence of caching

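A worked illustration of the "Data Security" checks above, added here as an example and not taken from Needle or from the talk: a scanner that walks an app's preference plists looking for secrets persisted in the clear. Needle's storage modules pull such files off the device and dump them for the tester to read; this stand-alone version runs offline on a sample plist constructed below. The key-name and value-shape patterns are my own heuristics, not the project's, and they will produce false positives (any key containing "token" trips the first rule), which is the intended trade-off for a triage tool.

```python
"""Added example (not Needle's or the talk's code): scan iOS app plist files
for secrets stored in the clear, the core of a 'Plist Files' style storage check.
The sample plist below is constructed; on a device the inputs would be the
*.plist files pulled from the app's data container (Library/Preferences, Documents).
The key-name and value-shape patterns are my own heuristics, not the project's."""
import plistlib
import re

# Key names that usually mean a credential is being persisted.
SENSITIVE_KEY = re.compile(
    r"passw(or)?d|passcode|secret|token|api[_-]?key|credential|private[_-]?key|session[_-]?id",
    re.IGNORECASE)
# Value shapes worth flagging even under an innocent key name.
JWT_VALUE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
HEX_VALUE = re.compile(r"^[0-9a-fA-F]{32,}$")

# Constructed sample of what a careless app might write to Library/Preferences.
SAMPLE_PREFS = {
    "username": "alice",
    "password": "hunter2",
    "rememberPassword": True,          # a bool under a scary name is not a secret
    "session": {"authToken": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln",
                "expires": 1476403200},
    "servers": [{"host": "api.example.com", "apiKey": "deadbeef" * 5}],
    "cache": {"lastResponse": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9."},
    "theme": "dark",
}


def sample_plist_bytes(binary=True):
    """Serialise the sample as a binary (bplist00) or XML plist, as iOS would."""
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(SAMPLE_PREFS, fmt=fmt)


def walk(node, path=""):
    """Yield (dotted_path, leaf) for every leaf of a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def classify(path, value):
    """Return why a leaf looks sensitive, or None. Only string/bytes leaves can be secrets."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    if not isinstance(value, str) or not value:
        return None
    if SENSITIVE_KEY.search(path):
        return "sensitive key name"
    if JWT_VALUE.match(value):
        return "JWT-shaped value"
    if HEX_VALUE.match(value):
        return "long hex string (key, token or hash?)"
    return None


def scan_plist_bytes(data, source="<memory>"):
    """Parse one plist (binary or XML; plistlib detects which) and return findings."""
    findings = []
    for path, value in walk(plistlib.loads(data)):
        reason = classify(path, value)
        if reason:
            findings.append({"file": source, "key": path, "reason": reason,
                             "value": str(value)[:48]})  # truncate: don't log the full secret
    return findings


def scan_plist_file(filename):
    """Scan a plist pulled from the device (e.g. via scp) by filename."""
    with open(filename, "rb") as fh:
        return scan_plist_bytes(fh.read(), filename)


if __name__ == "__main__":
    for f in scan_plist_bytes(sample_plist_bytes(), "com.example.app.plist"):
        print(f"{f['file']}: {f['key']} [{f['reason']}] = {f['value']}")
```

The same scanner covers binary and XML plists because plistlib sniffs the `bplist00` header; the interesting output of a run is the keys it names, which then point the tester at the code path that wrote them.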
  20. Techniques / 2
    Runtime Analysis
    • Bypass integrity checks
    • [Patch the binary]
    • Instrument the app (hooking)
    Transport Security
    • Proxy the traffic
    • [Bypass TLS pinning]
    • Assess WebViews / exploit JS bridges

  21. iOS Testing Environment

  22. Testing Tools
    • Jailbroken device – Weaken the sandbox – Emulate attackers’ perspective
    • Alternate Market (Cydia) – Common unix tools (BigBoss) – OpenSSH
    • Hooking framework – Cycript/Frida/Theos
    • Intercepting proxy (Burp)

  23. Testing Tools

  24. Common problems
    • Need to rely on a multitude of different tools – each one developed for a specific need – each one with its own mode of operation (and syntax)
    • Issues – steep learning curve – time wasted in configuring many different tools – a “drozer for iOS” was missing

  25. INTRODUCING: NEEDLE (a new format)

  26. What is Needle?
    • A tool for auditing iOS Application Security
    • An open source, modular framework – streamline the entire process – acts as a central hub

  27. What it’s *not*
    • Not a “drozer” for iOS – does not require an agent installed on the device (for now) – does require a jailbroken device
    • Not a vuln scanner – knowledge (and intuition) of the tester is still required

  28. Motivation
    • Beginners: easy to use
    • Professionals: save time during assessments
    • Developers: quickly test their products

  29. The Architecture

  30. Architecture
    • Decoupled components
    • Entirely written in Python
    • Framework Core – Helpers – UI – API – Device Manager – Modules

  31. UI

  32. Device Manager
    • Manage connections with the iDevice – SSH over Wi-Fi – SSH over USB
    • Device setup, port forwarding, cleanup…
    • Basic commands – shell, push/pull
    • App management – metadata, open, decrypt, data protection…

  33. DEMO Basic Usage

  34. Framework Core
    • Initialize and manage all the other components
    • Load/execute modules/jobs
    • Maintain status – global options, loaded modules, running jobs, device status… – pointers to instantiated objects – constants

  35. Helpers
    • Common functionalities offered both to the Core and APIs
    • Sanitization, logging, printing…

  36. API
    • The framework core exposes APIs to interact with the local and remote OS
    • These wrap common functionalities – file and data access – command execution – networking
    • Speed up creation of new modules

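As an added illustration of the Device Manager and API layers described on the last two slides (my own sketch written for this page, not Needle's code): a module programs against a small RemoteOperations wrapper and never sees whether the iDevice was reached over Wi-Fi or USB. Assumptions, mine rather than the project's: the device runs OpenSSH as root, and for the USB case a local port is forwarded to the device's port 22 by usbmuxd's `iproxy` (`iproxy 2222 22`), which is how I take the "port forwarding" item on the Device Manager slide to work. The FakeTransport and its canned `find` output are constructed so the example runs with no device attached; the quoting in `find_files` is the security point, since container paths and bundle names come from the device and are spliced into a remote shell command.

```python
"""Added example (my own sketch, not Needle's code): the Device Manager / API
layering from the architecture slides. Modules program against RemoteOperations;
the transport underneath decides whether the iDevice is reached over Wi-Fi or
USB. Assumptions: OpenSSH runs on the device as root, and for USB a local port
is forwarded to the device's port 22 with usbmuxd's `iproxy 2222 22` (how I
take the 'port forwarding' item on the slide to work). FakeTransport and its
canned `find` output are constructed so this runs with no device attached."""
import shlex
import subprocess
from dataclasses import dataclass


@dataclass
class SshEndpoint:
    host: str          # device IP over Wi-Fi, 127.0.0.1 over USB
    port: int = 22     # 22 over Wi-Fi, the iproxy local port over USB
    user: str = "root"

    @classmethod
    def over_wifi(cls, device_ip):
        return cls(host=device_ip, port=22)

    @classmethod
    def over_usb(cls, local_port=2222):
        return cls(host="127.0.0.1", port=local_port)


class SshTransport:
    """Runs a remote command through the local ssh client (real, but not exercised offline)."""
    def __init__(self, endpoint):
        self.ep = endpoint

    def argv(self, remote_cmd):
        # The whole command travels as ONE argv element; the device's shell
        # re-parses it, so every untrusted path inside must already be quoted.
        return ["ssh", "-p", str(self.ep.port), "-o", "BatchMode=yes",
                f"{self.ep.user}@{self.ep.host}", remote_cmd]

    def run(self, remote_cmd):
        proc = subprocess.run(self.argv(remote_cmd), capture_output=True, text=True)
        return proc.returncode, proc.stdout, proc.stderr


class FakeTransport:
    """Constructed stand-in: answers known commands from a table, fails the rest."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def run(self, remote_cmd):
        self.calls.append(remote_cmd)
        out = self.responses.get(remote_cmd)
        return (0, out, "") if out is not None else (1, "", "sh: command failed")


class RemoteOperations:
    """The API a module sees: typed helpers instead of hand-built shell strings."""
    def __init__(self, transport):
        self.transport = transport

    def command_blocking(self, cmd):
        rc, out, err = self.transport.run(cmd)
        if rc != 0:
            raise RuntimeError(f"remote command failed (rc={rc}): {cmd!r}: {err.strip()}")
        return out

    def file_exists(self, path):
        rc, _, _ = self.transport.run(f"test -e {shlex.quote(path)}")
        return rc == 0

    def find_files(self, root, suffix):
        # Container paths and bundle names come from the device (spaces, quotes,
        # semicolons are all legal there); quoting keeps them data, not syntax.
        cmd = f"find {shlex.quote(root)} -type f -name {shlex.quote('*' + suffix)}"
        return [line for line in self.command_blocking(cmd).splitlines() if line]


# Constructed device state for the example run (not a real container id).
APP_DATA = "/private/var/mobile/Containers/Data/Application/EXAMPLE-APP"
CANNED = {
    f"find {APP_DATA} -type f -name '*.plist'":
        f"{APP_DATA}/Library/Preferences/com.example.app.plist\n"
        f"{APP_DATA}/Documents/session.plist\n",
    f"test -e {APP_DATA}/Documents/session.plist": "",
}


def demo(ops=None):
    """List the app's plists and check which still exist; returns (listed, present)."""
    ops = ops or RemoteOperations(FakeTransport(CANNED))
    files = ops.find_files(APP_DATA, ".plist")
    present = [f for f in files if ops.file_exists(f)]
    return files, present


if __name__ == "__main__":
    print(SshTransport(SshEndpoint.over_usb()).argv("uname -a"))
    print(demo())
```

Swapping `FakeTransport` for `SshTransport(SshEndpoint.over_usb())` is the only change needed to run the same module logic against a real device; the module code above the transport does not change.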
  37. API

  38. Modules
    • Heart of Needle’s functionalities
    • Collection of Python scripts

  39. Modules / Sample

  40. DEMO Modules

  41. Currently Supported Modules
    Binary: App Metadata • Compilation Checks • Shared Libraries • Strings • Class Dump • Install IPA • Pull IPA
    Storage: Binary Cookies • Cache.db Files • Plist Files • SQL Files • Dump Keychain • Screenshot Caching • Keyboard Autocomplete Caching

  42. Currently Supported Modules
    Dynamic: Jailbreak Detection • URI Handler • Heap Dump • Monitor File Changes • Monitor OS Pasteboard • Syslog Monitor • Syslog Watch
    Hooking: Cycript shell • Frida shell • Frida trace • Frida launcher • Enumerate Classes (script) • Enumerate Methods (script) • Enumerate All Methods (script)

  43. Currently Supported Modules
    Comms: List Installed Certificates • Export Installed Certificates • Import Installed Certificates • Delete Installed Certificates • Install MitmProxy CA Certificate • Intercepting Proxy
    Static: Code Checks

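As an added example of what the "Compilation Checks" module in the Binary group verifies (my own code written for this page, not Needle's, which shells out to otool on the device): a minimal Mach-O load-command walker that reports the build-time protections a tester looks for before deeper analysis, and why an "encrypted" result matters for the Strings and Class Dump modules. The constants are Apple's public mach-o/loader.h values; the sample image is constructed in memory and is not an app binary.

```python
"""Added example (written for this page, not Needle's code, which shells out to
otool on the device): the protections a 'Compilation Checks' module reports,
read straight from the Mach-O header and load commands. Constants are Apple's
public mach-o/loader.h values; the sample image is constructed in memory.
Fat (universal) files are refused: split them and check each slice."""
import struct

MH_MAGIC = 0xFEEDFACE          # 32-bit little-endian image
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit little-endian image
FAT_CIGAM = 0xBEBAFECA         # 0xCAFEBABE fat header read little-endian
MH_PIE = 0x00200000            # header flag: position independent (ASLR-able)
MH_EXECUTE = 2
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21      # 32-bit FairPlay info: cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # 64-bit variant, plus 4 bytes padding
HEADER_FMT = {MH_MAGIC: "<IiiIIII", MH_MAGIC_64: "<IiiIIIII"}


def compilation_checks(data):
    """Return {'pie','encrypted','stack_canary','arc'} for one Mach-O slice."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == FAT_CIGAM:
        raise ValueError("fat binary: extract one architecture with lipo first")
    fmt = HEADER_FMT.get(magic)
    if fmt is None:
        raise ValueError("not a little-endian Mach-O image")
    hdr = struct.unpack_from(fmt, data, 0)
    ncmds, sizeofcmds, flags = hdr[4], hdr[5], hdr[6]
    off, end = struct.calcsize(fmt), struct.calcsize(fmt) + sizeofcmds
    cryptid = None
    for _ in range(ncmds):
        if off + 8 > min(end, len(data)):
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:   # reject a malformed cmdsize before trusting it
            raise ValueError("bad load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return {
        "pie": bool(flags & MH_PIE),
        # cryptid != 0 means the __TEXT pages are still FairPlay-encrypted: decrypt
        # first (Needle's app management does this) or strings / class-dump see noise.
        "encrypted": None if cryptid is None else cryptid != 0,
        # Symbol names live in __LINKEDIT, which is not encrypted, so a byte search
        # works even on an encrypted binary (the same evidence otool -Iv shows).
        "stack_canary": b"___stack_chk_guard" in data,
        "arc": b"_objc_release" in data,
    }


def findings(checks):
    """Turn the raw booleans into the issues a tester would report."""
    out = []
    if not checks["pie"]:
        out.append("PIE disabled: fixed load address weakens ASLR")
    if not checks["stack_canary"]:
        out.append("no stack canary (-fstack-protector) found")
    if not checks["arc"]:
        out.append("ARC not in use (-fobjc-arc): manual memory management")
    if checks["encrypted"]:
        out.append("binary is still encrypted: decrypt before static analysis")
    return out


def build_sample(pie=True, cryptid=1, canary=True, arc=True, bits=64):
    """Construct a minimal Mach-O image with the requested properties (test input only)."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes(16)   # walker must step over this
    if bits == 64:
        enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack(HEADER_FMT[MH_MAGIC_64], MH_MAGIC_64, 0x0100000C, 0,
                          MH_EXECUTE, 2, len(uuid_cmd) + len(enc), MH_PIE if pie else 0, 0)
    else:
        enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
        hdr = struct.pack(HEADER_FMT[MH_MAGIC], MH_MAGIC, 0xC, 9,
                          MH_EXECUTE, 2, len(uuid_cmd) + len(enc), MH_PIE if pie else 0)
    strtab = b"\x00_main\x00"                     # stand-in for the __LINKEDIT string table
    strtab += b"___stack_chk_guard\x00" if canary else b""
    strtab += b"_objc_release\x00" if arc else b""
    return hdr + uuid_cmd + enc + strtab


if __name__ == "__main__":
    for label, img in (("hardened", build_sample()),
                       ("weak", build_sample(pie=False, cryptid=0, canary=False, arc=False, bits=32))):
        checks = compilation_checks(img)
        print(label, checks, findings(checks))
```

On a real assessment the input is the main executable from the .app bundle (pulled with the Pull IPA module or over scp); the byte-search heuristics for the canary and ARC are deliberately the same evidence otool would give, so a missing hit means "not linked", not "not called on every path".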
  44. ACTION TIME

  45. DVIA

  46. DEMO Binary Analysis

  47. DEMO Storage

  48. DEMO Dynamic Analysis

  49. DEMO Hooking

  50. DEMO Network Comms

  51. DEMO Static Analysis

  52. ROADMAP

  53. Roadmap
    • Replace all the dependencies – Agent to deploy on device – Support for non-jailbroken devices
    • Substrate integration
    • WebView scanner
    • Hook Swift methods
    • URI handlers fuzzer
    • Pinning detection/bypass
    • Obfuscation detection
    • New modules… community based

  54. Wanna help?

  55. Want to know more? mwr.to/needle @mwrneedle