February 6, 2015, Mobile Central Europe

Agenda
o iOS security mechanisms
o Security from attacker's perspective
o Reverse engineering tools detection
o Security coding practices
o Advanced practices
iOS security mechanisms
o Secured boot process
o Privilege separation
o Code signing
o Memory protection
o Sandbox
o Encryption
Privilege separation
o Users (root, mobile, ...)
o Groups
o File permissions
o Safari and Mail run as mobile
o The most important system processes run as root
Code signing
o Implemented in the kernel
o Every executable should be signed
o Stored in the LC_CODE_SIGNATURE load command
o Superblob, entitlements, signature
o SHA1 check of memory pages
o The superblob is signed
Memory protection
o W^X policy (a page is never writable and executable at the same time)
o Non-executable stack and heap
o Implemented in the kernel
o Vulnerable to ROP
o (K)ASLR
o No dynamic code generation
Sandbox (Seatbelt)
o Based upon the TrustedBSD MAC framework
o Implemented in the kernel
o Profiles (nointernet, container, ...)
o Operations (read, write, search, ...)
o System & user partition
Encryption
o Hardware AES and SHA modules
o 7 derivative keys from UID and GID
o Everything is encrypted (iBoot, filesystem, ...)
o Data protection API
o Passcode / TouchID key
o Remote device wiping
Security from attacker's perspective
o Code injection
o Function hooking
o ObjC logger
o Jailbreak detection
o Security checks
Code injection
o .dylib injection
o DYLD_INSERT_LIBRARIES
o LLDB
o Cycript
o LC_LOAD_DYLIB
o Mobile Substrate
New load command LC_LOAD_DYLIB or LC_LOAD_WEAK_DYLIB
o Wrap LC_LOAD, update sizeofcmds in the Mach-O header
o optool
o insert_dylib
o yololib
Mobile Substrate
o The most popular code patching framework
o Hooks C, C++, Objective-C and Java code
o Trampoline for C hooks
o Swizzling for Objective-C
o Dynamic code injection
o Filter support
"Calling functions like _dyld_image_count() and _dyld_get_image_name() to see which dylibs are currently loaded. Very difficult to patch, as patches are themselves part of dylibs." – theiphonewiki.com

Yet two Substrate hooks are enough to hide one image from that list (slide code, cleaned up: consistent hook names, the missing pointers to the original functions, and the MSHookFunction calls placed in a constructor):

#include <mach-o/dyld.h>
#include <substrate.h>

/* Index of the image to hide from the list (set by the injected code). */
uint32_t dyld_skipimage = 0;

/* Pointers to the original functions, filled in by MSHookFunction. */
static uint32_t (*orig_image_count)(void);
static const char *(*orig_get_image_name)(uint32_t);

uint32_t hooked_dyld_image_count(void) {
    return orig_image_count() - 1;               /* report one image fewer */
}

const char *hooked_dyld_get_image_name(uint32_t image_index) {
    if (image_index >= dyld_skipimage)
        return orig_get_image_name(image_index + 1);   /* step over the hidden image */
    else
        return orig_get_image_name(image_index);
}

__attribute__((constructor))
static void install_hooks(void) {
    MSHookFunction((void *)_dyld_image_count, (void *)hooked_dyld_image_count, (void **)&orig_image_count);
    MSHookFunction((void *)_dyld_get_image_name, (void *)hooked_dyld_get_image_name, (void **)&orig_get_image_name);
}
Reverse engineering tools detection
o Debugger detection
o Hooks detection
o Code injection detection
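An added example (not code from the talk) of the debugger and code-injection checks listed above, in C. The classification of loaded-image paths is portable and is exercised on a constructed image list; the parts that walk dyld's image list and ask the kernel for P_TRACED only compile on Apple platforms. The trusted-prefix list, the injector name list and the sample paths are assumptions made for the example. The caveat from the previous slide applies: a hook on _dyld_image_count / _dyld_get_image_name can hide an image from the walk, which is why the talk later recommends raw syscalls over hookable wrappers.

```c
#ifndef __APPLE__
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __APPLE__
#include <mach-o/dyld.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <unistd.h>
#endif

/* Assumption: images outside these prefixes and outside the app bundle are unexpected. */
static const char *const kSystemPrefixes[] = { "/usr/lib/", "/System/Library/" };
/* Assumption: substrings that identify the injection frameworks named in the talk. */
static const char *const kKnownInjectors[] = { "MobileSubstrate", "Substrate", "substrate", "cycript" };

static int has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* 1 if `path` names a known injector, or lies neither inside the app bundle
 * (`app_dir`, with a trailing '/') nor under a system library prefix. */
int is_suspicious_image(const char *path, const char *app_dir) {
    size_t i;
    for (i = 0; i < sizeof kKnownInjectors / sizeof *kKnownInjectors; i++)
        if (strstr(path, kKnownInjectors[i]) != NULL) return 1;
    if (app_dir != NULL && has_prefix(path, app_dir)) return 0;
    for (i = 0; i < sizeof kSystemPrefixes / sizeof *kSystemPrefixes; i++)
        if (has_prefix(path, kSystemPrefixes[i])) return 0;
    return 1;
}

int count_suspicious_images(const char *const *paths, size_t n, const char *app_dir) {
    int hits = 0;
    size_t i;
    for (i = 0; i < n; i++)
        if (is_suspicious_image(paths[i], app_dir)) hits++;
    return hits;
}

/* DYLD_INSERT_LIBRARIES set in the environment means dyld was told to load extra images. */
int env_injection_detected(void) {
    const char *v = getenv("DYLD_INSERT_LIBRARIES");
    return v != NULL && v[0] != '\0';
}

/* Constructed image list, as a device with Substrate installed might report it. */
int demo_suspicious_count(void) {
    const char *app = "/var/containers/Bundle/Application/APP-UUID/Demo.app/";
    const char *const images[] = {
        "/var/containers/Bundle/Application/APP-UUID/Demo.app/Demo",
        "/usr/lib/libSystem.B.dylib",
        "/System/Library/Frameworks/UIKit.framework/UIKit",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/Library/MobileSubstrate/DynamicLibraries/Tweak.dylib",
    };
    return count_suspicious_images(images, sizeof images / sizeof *images, app);
}

#ifdef __APPLE__
/* Walk dyld's image list; image 0 is the main executable, its directory is the bundle. */
int loaded_image_injection_detected(void) {
    char app_dir[1024];
    const char *exe = _dyld_get_image_name(0);
    const char *slash = strrchr(exe, '/');
    size_t len = slash ? (size_t)(slash - exe + 1) : 0;
    uint32_t n, i, hits = 0;
    if (len >= sizeof app_dir) len = sizeof app_dir - 1;
    memcpy(app_dir, exe, len);
    app_dir[len] = '\0';
    n = _dyld_image_count();
    for (i = 1; i < n; i++)
        if (is_suspicious_image(_dyld_get_image_name(i), app_dir)) hits++;
    return hits > 0;
}

/* P_TRACED in the process flags means a debugger such as LLDB is attached. */
int debugger_attached(void) {
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof info;
    memset(&info, 0, sizeof info);
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return 0;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}
#endif

int main(void) {
    printf("suspicious images in sample list: %d\n", demo_suspicious_count());
    printf("DYLD_INSERT_LIBRARIES set: %d\n", env_injection_detected());
#ifdef __APPLE__
    printf("injected image loaded: %d, debugger attached: %d\n",
           loaded_image_injection_detected(), debugger_attached());
#endif
    return 0;
}
```

Each check is cheap enough to run at several points during execution rather than once at launch, and the three signals are independent: the environment check catches DYLD_INSERT_LIBRARIES, the image walk catches LC_LOAD_DYLIB-style injection and Substrate, and the sysctl query catches an attached LLDB.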
Advanced practices
o Function replacement
o System calls
o Device anomalies
o Assembler code obfuscation
System calls
o The syscall function is only a wrapper
o Implemented as svc 0x80
o Syscall number in r12 (32-bit ARM) or x16 (ARM64)
o Arguments in registers
o Listed in syscall.h
How to obfuscate the syscall? Instruction sizes per instruction set:
o ARM: 4 bytes
o Thumb: 2 bytes
o Thumb2: 2/4 bytes
o ARM64: 4 bytes
Summary
o Do not rely on iOS security and ObjC/Swift
o 'Everything is hooked' environment
o Detect hooks and code injection
o Detect debuggers and device anomalies
o Re-implement standard functions
o Love and use syscalls
o Obfuscate your code