Slide 1
Slide 1 text
Learning About Vulnerabilities from OWASP Mobile Top 10
Start Securing Your iOS Apps from Zero
Soh Satoh (@soh_satoh) - STORES, Inc.
Slide 2
Slide 2 text
Who am I?
• 2018? - 2021
• iOS Tweak Developer (Independent)
• 2021 - 2023
• Security Engineer @ Security Vendor
• 2023 -
• Security Engineer @ STORES Inc
2
@soh_satoh
Slide 3
Slide 3 text
Introduction - What’s MASVS/MASTG?
• MASVS
The industry standard for mobile app
security
• MASTG
A comprehensive manual for mobile app
security testing and reverse engineering
スマホアプリの脆弱性診断って何するの?(iOS
編
)- STORES Product Blog
3
Reference: OWASP
Slide 4
Slide 4 text
Introduction - What’s OWASP Mobile TOP10?
A standard awareness document for developers and mobile
application security
• M1: Improper Credential Usage
• M2: Inadequate Supply Chain Security
• M3: Insecure Authentication/Authorization
• M4: Insu
ffi
cient Input/Output Validation
• M5: Insecure Communication
• M6: Inadequate Privacy Controls
• M7: Insu
ffi
cient Binary Protections
• M8: Security Miscon
fi
guration
• M9: Insecure Data Storage
• M10: Insu
ff i
cient Cryptography
4
Reference: OWASP
(https://owasp.org/www-project-mobile-top-10/)
Slide 5
Slide 5 text
M9: Insecure Data Storage
Slide 6
Slide 6 text
M9: Insecure Data Storage
Examples
• Storing passwords in plain text
• Unprotected logging
• Unsecured local storage
Attack Vectors
• Sandbox escaping
• Data leak from iOS backups
• (Code injection)
6
Impacts
• Leak of sensitive information
• Leak of credentials
• Compromised user accounts
• Reputational damage
Vulnerabilities caused by improper implementations for
storing sensitive information
Slide 7
Slide 7 text
M9: Insecure Data Storage - App Sandbox
App Sandbox
A security mechanism for separating
running programs
• Restricting access to resources of
other apps (e.g. UserDefaults)
• Restricting access to system
fi
les
↓
Super Secure!
7
Slide 8
Slide 8 text
M9: Insecure Data Storage - App Sandbox
🤔
8
… Really?
Slide 9
Slide 9 text
M9: Insecure Data Storage - App Sandbox
9
Security 101
Do Not Overtrust Anyone!
Slide 10
Slide 10 text
M9: Insecure Data Storage - UserDefaults vs. Keychain
• UserDefaults
• NOT encrypted
• Saved to “/var/mobile/Containers/Data/Application/{UUID}/
Library/Preferences” (mobile)
• Can be backed up w/o encryption
• Keychain
• Encrypted (AES-128 / Hardware-based encryption)
• Saved to “/var/Keychains/keychain-2.db” (_securityd)
• Backed up with encryption
10
Slide 11
Slide 11 text
M9: Insecure Data Storage - Best Practices
Best Practices
• Do NOT store credentials in plaintext
• Refresh token
• Passwords (Never!)
• Use Keychain as possible
• Storing sensitive information in Keychain
• Storing encryption keys in Keychain
11
Slide 12
Slide 12 text
M1: Improper Credential Usage
Slide 13
Slide 13 text
M1: Improper Credential Usage
Examples
• Hardcoded credentials
• Insecure credential storage
Attack Vectors
• Sandbox escaping
• Data leak from iOS backups
• (Code injection)
13
Impacts
• Leak of sensitive information
• Leak of credentials
• Compromised user accounts
• Reputational damage
Vulnerabilities caused by improper credential usage for
storing sensitive information
Slide 14
Slide 14 text
M1: Improper Credential Usage - Hardcoded Credentials
Hardcoded Credentials
Examples
• Encrypt sensitive information using hardcoded keys
• Login to API using hardcoded password
Attack Vectors
• Reversing
14
Slide 15
Slide 15 text
M1: Improper Credential Usage - Obfuscation
Obfuscation
the act of creating source or machine code that is di
ff i
cult for humans or
computers to understand
Advantage
It can delay the process of reverse engineering.
Disadvantage
While obfuscation can make reading, writing, and reverse-engineering a
program di
ff
i
cult and time-consuming, it will not necessarily make it impossible.
15
Slide 16
Slide 16 text
M1: Improper Credential Usage - Obfuscation
16
Encryption Flow (Example)
Slide 17
Slide 17 text
M1: Improper Credential Usage - Obfuscation
17
Static Analysis (with Ghidra)
Disassembly Pseudocode
Slide 18
Slide 18 text
M1: Improper Credential Usage - Obfuscation
18
Dynamic Analysis (with LLDB)
Slide 19
Slide 19 text
M1: Improper Credential Usage - Obfuscation
19
Dynamic Analysis (with LLDB)
Slide 20
Slide 20 text
M1: Improper Credential Usage - Obfuscation
20
Dynamic Analysis (with LLDB)
Ref: https://stackoverflow.com/a/78014359/26676166
Slide 21
Slide 21 text
M1: Improper Credential Usage - Best Practices
Best Practices
• Do NOT hardcode secrets
• API keys
• Encryption keys
• Passwords
• If secrets must be hardcoded,
• Consider the importance of the information
• Evaluate the e
ff
ectiveness of obfuscation
21
Slide 22
Slide 22 text
Summary
Steps You Should Take for Mobile Application Security
1. Understand the common vulnerabilities in mobile apps
2. Consider whether each vulnerability could realistically have
an impact, and assess the need for remediation
3. Develop the application with careful consideration of
whether it could introduce vulnerabilities that might impact
the business
22
Slide 23
Slide 23 text
23