Slide 1

Slide 1 text

Introduction to iOS security testing. CocoaHeads, February 2017. Jeroen Willemsen

Slide 2

Slide 2 text

About me
- Jeroen Willemsen
- @commjoenie
- [email protected]
- "Full stack developer", "risk management" & "security"

Slide 3

Slide 3 text

Agenda
- Introduction
- DVIA, MASVS & MSTG
- Getting started
- Your secure connection
- Your storage

Slide 4

Slide 4 text

Why would you care? You … therefore …
- Create a banking app: you need to secure transactions and PII
- Create a game: you want to prevent cheaters from spoiling the fun
- Create an app using personal information (email, GPS location, phone number, …): you need to take care of securing PII, or you can get a fine
- Create an app for a shop: you want to prevent theft of items or financial information and wrong transactions
- Create a notebook app: you need to secure the notebooks of your customers
- Create an app that costs money: you want to prevent it from being pirated
- Create an app with in-app charges: you do not want people to bypass them

Slide 5

Slide 5 text

DVIA
- Damn Vulnerable iOS App
- Open source vulnerable app
- Maintained by @prateekg147

Slide 6

Slide 6 text

OWASP MASVS & MSTG
- Mobile Application Security Verification Standard (MASVS): https://github.com/OWASP/owasp-masvs
- Mobile Security Testing Guide (MSTG): https://github.com/OWASP/owasp-mstg

Slide 7

Slide 7 text

Before we get started
- Get a 64-bit iOS device running iOS 9.2 – 9.3.3 and use the Pangu jailbreak
- Or get an iPhone 7 with iOS 10.1.1, or any other 64-bit iOS device with iOS 10.2, and use the Yalu jailbreak

Slide 8

Slide 8 text

WARNING! Many junior mistakes ahead!

Slide 9

Slide 9 text

Before we get started
- Install on your iDevice: OpenSSH, Erica Utilities, iOS toolchain, stashing for iOS 9.2-10.2, BigBoss Recommended Tools, MobileTerminal
- iFunbox for app installation
- MobSF for quick analysis
- Update the DVIA app to be compatible with the latest version of iOS and Xcode
- Set up your favorite proxy, such as ZAP

Slide 10

Slide 10 text

Your secure connection
- App Transport Security (ATS)
- To pin or not to pin?
- Workarounds for SSL pinning!
- Payload encryption?

Slide 11

Slide 11 text

App Transport Security (ATS)

Slide 12

Slide 12 text

Source: https://developer.apple.com

Slide 14

Slide 14 text

Your secure connection: To pin or not to pin?
- You can pin to the certificate (or keep a list of certificates)
- Or pin to an intermediate certificate
- You can pin to the public key (or keep a list of public keys)
- Much to say about this… that is another presentation!

Slide 15

Slide 15 text

Your secure connection: To pin or not to pin?
- TrustKit
- Alamofire (or AFNetworking)
- Or do it yourself: with NSURLSession, implement URLSession:didReceiveChallenge:completionHandler: and check the server trust there (connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge: are the NSURLConnection equivalents, deprecated since iOS 8)
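
As an added example (not from the slides, and not TrustKit's or Alamofire's code), the do-it-yourself option from the last bullet: a URLSessionDelegate that first lets iOS validate the chain and the hostname, then only accepts the connection if some certificate in the validated chain has a pinned SHA-256 digest. Pinning the intermediate rather than the leaf is the rotation-friendly choice the previous slide mentions. The pin value, host name and class name are assumptions.

```swift
import Foundation
import Security
import CommonCrypto   // assumption: Xcode 10+ (older toolchains need a bridging header for CommonCrypto)

/// Certificate pinning on top of the system's own chain validation.
/// Pins are SHA-256 digests (lowercase hex) of DER-encoded certificates; pin the leaf or,
/// as the previous slide suggests, an intermediate so that leaf rotation does not brick the app.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pins: Set<String>

    init(pins: Set<String>) {
        self.pins = pins
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a TLS server-trust challenge
            return
        }
        // 1. Let the OS validate the chain and the hostname first; pinning never replaces that.
        //    (SecTrustEvaluateWithError is the iOS 12+ replacement for SecTrustEvaluate.)
        var result = SecTrustResultType.invalid
        guard SecTrustEvaluate(trust, &result) == errSecSuccess,
              result == .unspecified || result == .proceed else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Accept only if some certificate in the validated chain matches a pin.
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let cert = SecTrustGetCertificateAtIndex(trust, index) else { continue }
            if pins.contains(sha256Hex(SecCertificateCopyData(cert) as Data)) {
                completionHandler(.useCredential, URLCredential(trust: trust))
                return
            }
        }
        completionHandler(.cancelAuthenticationChallenge, nil)   // valid chain, but nothing we pinned
    }

    private func sha256Hex(_ data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        data.withUnsafeBytes { buffer in
            _ = CC_SHA256(buffer.baseAddress, CC_LONG(data.count), &digest)
        }
        return digest.map { String(format: "%02x", $0) }.joined()
    }
}

// Usage. The pin is a placeholder (assumption); compute the real one with
//   openssl s_client -connect api.example.com:443 -showcerts </dev/null 2>/dev/null \
//     | openssl x509 -outform der | shasum -a 256
let pinnedDelegate = PinningSessionDelegate(pins: ["<sha256 hex of the pinned DER certificate>"])
let pinnedSession = URLSession(configuration: .ephemeral, delegate: pinnedDelegate, delegateQueue: nil)
```

Because the pin check runs after SecTrustEvaluate, an intercepting proxy whose root was merely installed as trusted on the device still fails step 2; a tweak such as SSL Kill Switch, which patches the trust evaluation itself on a jailbroken device, is the case the next slides address.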

Slide 16

Slide 16 text

To pin or not to pin? Assume the device is not jailbroken, or… The more standard your pinning library, the more likely there is a Cydia tweak that kills it (disclaimer: don't read this as a motivation to write a DIY pinner!)

Slide 17

Slide 17 text

Your secure connection: workarounds for SSL pinning! Let's play

Slide 18

Slide 18 text

Your secure connection: before we begin
- Install PreferenceLoader
- Install SSL Kill Switch 2
- Get your favorite proxy: OWASP ZAP, Burp, Charles Proxy
- Pick an app and try it out :)

Slide 19

Slide 19 text

How does this work? (diagram: DVIA app, OS, network; SSL Kill Switch hooks the OS TLS layer between the app and the network)

Slide 20

Slide 20 text

Your secure connection Demo time!

Slide 21

Slide 21 text

Your secure connection

Slide 22

Slide 22 text

Payload encryption
- For when you want to prevent your data from being read or injected after the TLS connection has been compromised
- Was removed from the MASVS
- Can be very error-prone: please follow standards and DO NOT INVENT YOUR OWN!
- There are a few cases where you might want to consider it: lots of PII, financial data

Slide 23

Slide 23 text

Your storage
- NSUserDefaults & plist
- CoreData & Realm
- Keychain
- Filesystem protection

Slide 24

Slide 24 text

Your storage: NSUserDefaults “The NSUserDefaults class provides a programmatic interface for interacting with the defaults system. The defaults system allows an application to customize its behavior to match a user’s preferences”

Slide 26

Slide 26 text

Your storage: plists in general
- You can store:
  - Application preferences
  - Small amounts of data: primarily strings and numbers
- Inefficient with large blocks of binary data

Slide 27

Slide 27 text

Your storage: Plist & NsUserDefaults Let’s play

Slide 28

Slide 28 text

Your storage: before we begin
- Install OpenSSH on your iDevice
- Install FileZilla on your Mac for file extraction
- Install DVIA
- Easy way out: try iExplorer to edit plist files (will skip for now)

Slide 29

Slide 29 text

Your storage: Plist & NsUserDefaults Demo time!

Slide 30

Slide 30 text

Your storage

Slide 31

Slide 31 text

Your storage: plist & NSUserDefaults. Don't put secrets or PII in plists! (NSUserDefaults is stored as a plist too.)

Slide 32

Slide 32 text

Your storage: CoreData
- "Core Data is a framework that you use to manage the model layer objects in your application" (Apple developer)
- Well integrated into iOS
- You can use the Data Model editor & inspector
- Uses predicates

Slide 33

Slide 33 text

Your storage: Realm
- "Realm Swift enables you to efficiently write your app's model layer in a safe, persisted and fast way." (Realm website)
- Uses its own persistence engine
- Is fast

Slide 34

Slide 34 text

Your storage: CoreData & Realm Let’s play

Slide 35

Slide 35 text

Your storage: before we begin
- Install OpenSSH on your iDevice
- Install FileZilla on your Mac for file extraction
- Install "DB Browser for SQLite" for CoreData
- Install "Realm Browser" for the Realm file
- Install DVIA

Slide 36

Slide 36 text

Your storage: CoreData & Realm Demo time!

Slide 37

Slide 37 text

(video placeholder: Realm & CoreData demo)

Slide 38

Slide 38 text

(video placeholder: Realm demo)

Slide 39

Slide 39 text

Your storage: CoreData & Realm
- CoreData:
  - Consider trying out encrypted-core-data from project-imas
  - DIY using NSValueTransformer together with RNCryptor or CommonCrypto
  - Use filesystem protection / iOS-level data protection when setting up the database
  - Effective security requires a passcode: without one, the data protection class keys are not protected

Slide 40

Slide 40 text

Your storage: CoreData & Realm
- Realm: encrypt the data at rest:
  - Use filesystem protection / iOS-level data protection
  - Pass a 64-byte encryption key in the Realm configuration (Realm then encrypts the file with AES-256):

```swift
import RealmSwift

// Model used on the slide
class EncryptionObject: Object {
    @objc dynamic var stringProp = ""
}

// getKey() returns the 64-byte key; keep it in the keychain, never in a plist or in the source
let configuration = Realm.Configuration(encryptionKey: getKey() as Data)
let realm = try! Realm(configuration: configuration)

// Add an object; the write goes to the encrypted Realm file
try! realm.write {
    let obj = EncryptionObject()
    obj.stringProp = "abcd"
    realm.add(obj)
}
```

Slide 41

Slide 41 text

Your storage: Keychain
- An SQLite database managed by the securityd daemon
- Access is based on the "keychain-access-groups", "application-identifier" and "application-groups" entitlements
- The security implementation is nicely explained in https://www.apple.com/business/docs/iOS_Security_Guide.pdf
- You specify an access control object describing how the keychain entry should be secured

Slide 42

Slide 42 text

Your storage: Keychain
- You specify a protection class:
  - Don't use kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly
  - To force a passcode: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly (the item is unavailable once the device has been locked for more than about 10 seconds, so no long background processing, and ThisDeviceOnly items are not migrated to another device via backup)
  - Default = kSecAttrAccessibleWhenUnlocked
- You specify access control flags: userPresence, touchIDAny, touchIDCurrentSet, devicePasscode, …
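
As an added example (not from the slides), the protection class and flag from this slide applied to the "don't put secrets in plists" advice earlier: a session token is stored in the keychain instead of NSUserDefaults, only exists while a passcode is set, and can only be read after Touch ID or the passcode. The service and account names are assumptions.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case accessControl(CFError?)
    case status(OSStatus)
}

private let service = "com.example.app"   // assumption
private let account = "session-token"     // assumption

private func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Stores (or replaces) the token. SecItemAdd fails on a device without a passcode, and iOS deletes
/// the item if the passcode is later removed; that is the point of WhenPasscodeSetThisDeviceOnly.
func storeToken(_ token: Data) throws {
    var cfError: Unmanaged<CFError>?
    // .userPresence: every read asks for Touch ID or the passcode.
    guard let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                       kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                       .userPresence,
                                                       &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }
    SecItemDelete(baseQuery() as CFDictionary)   // overwrite any earlier value
    var add = baseQuery()
    add[kSecValueData as String] = token
    add[kSecAttrAccessControl as String] = access   // do not also set kSecAttrAccessible
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Blocks while the system shows the Touch ID / passcode sheet, so call it off the main thread.
func loadToken(prompt: String) throws -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseOperationPrompt as String] = prompt   // text shown on the authentication sheet
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess: return item as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainError.status(status)   // includes errSecUserCanceled
    }
}

func deleteToken() {
    SecItemDelete(baseQuery() as CFDictionary)
}

// Usage (constructed token value):
try storeToken("eyJhbGciOi...".data(using: .utf8)!)
DispatchQueue.global().async {
    let token = try? loadToken(prompt: "Unlock your session")
    _ = token
}
```

A keychain dump on a jailbroken device (next slides) still hits the same access control: without the passcode or Touch ID the item's data is not released by securityd.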

Slide 43

Slide 43 text

Your storage: Keychain
- Want to dump keychains? Use https://github.com/ptoomey3/Keychain-Dumper
- Or work your way through /private/var/Keychains/keychain-2.db

Slide 44

Slide 44 text

Your storage: Keychain
- Dumping keys / passwords still requires Touch ID or the passcode, depending on the access control objects used
- You can use the Secure Enclave for ECDSA signing: kSecAttrTokenID = kSecAttrTokenIDSecureEnclave
- Keys and operations stay inside the SE: the private key never leaves it, so there is nothing to extract
- Interesting project: Valet from Square
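
As an added example (not from the slides or from Valet), the kSecAttrTokenIDSecureEnclave line in practice: a P-256 key is generated inside the Secure Enclave, signatures are produced inside it, and only the public half can be exported. It needs iOS 10+ and a real device (the simulator has no Secure Enclave); the key tag is an assumption.

```swift
import Foundation
import Security

enum SecureEnclaveError: Error {
    case cf(CFError?)
}

private let keyTag = "com.example.app.se-signing-key".data(using: .utf8)!   // assumption

/// Returns the existing SE key for the tag, or creates one.
func secureEnclaveKey() throws -> SecKey {
    var ref: CFTypeRef?
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true,
    ]
    if SecItemCopyMatching(lookup as CFDictionary, &ref) == errSecSuccess, let found = ref {
        return found as! SecKey
    }
    var cfError: Unmanaged<CFError>?
    // .privateKeyUsage is mandatory for SE keys; .userPresence makes every signature ask for Touch ID / passcode.
    guard let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                       kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                       [.privateKeyUsage, .userPresence],
                                                       &cfError) else {
        throw SecureEnclaveError.cf(cfError?.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,   // the SE only does 256-bit EC keys
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,     // generate and keep the key in the SE
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw SecureEnclaveError.cf(cfError?.takeRetainedValue())
    }
    return key
}

/// ECDSA over SHA-256(message); hashing and signing happen inside the SE.
func signWithSecureEnclave(_ message: Data, privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256,
                                                message as CFData, &cfError) else {
        throw SecureEnclaveError.cf(cfError?.takeRetainedValue())
    }
    return signature as Data
}

/// The public half (X9.63 encoding) is what you register with your server for verification.
func exportPublicKey(of privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          let raw = SecKeyCopyExternalRepresentation(publicKey, &cfError) else {
        throw SecureEnclaveError.cf(cfError?.takeRetainedValue())
    }
    return raw as Data
}

/// Local verification, the same check the server performs with the exported public key.
func verifySecureEnclaveSignature(_ signature: Data, over message: Data, privateKey: SecKey) -> Bool {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return false }
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, nil)
}

// Usage (constructed message):
let seKey = try secureEnclaveKey()
let challenge = "nonce-1234".data(using: .utf8)!
let sig = try signWithSecureEnclave(challenge, privateKey: seKey)   // prompts for Touch ID / passcode
_ = verifySecureEnclaveSignature(sig, over: challenge, privateKey: seKey)
```

Calling SecKeyCopyExternalRepresentation on the private key itself fails for an SE key; that failure is the property the slide describes.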

Slide 45

Slide 45 text

Your storage: Filesystem protection
- Files are encrypted by iOS
- https://www.apple.com/business/docs/iOS_Security_Guide.pdf
- See FileProtectionType (Swift) or NSFileProtectionType (Objective-C) for more details
- Similar to the keychain protection classes
- The default is already pretty useful in iOS 9: NSFileProtectionCompleteUntilFirstUserAuthentication, i.e. protected until the first unlock after boot
- Use iExplorer or iFunbox to check whether files are readable while the device is locked
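
As an added example (not from the slides), the FileProtectionType API from this slide: writing a file with the strictest class, reading back the class a file actually has (useful for files a third-party SDK created), and raising it. The file name is an assumption.

```swift
import Foundation

/// Writes `data` to Documents with NSFileProtectionComplete.
func writeProtected(_ data: Data, named name: String) throws -> URL {
    let documents = try FileManager.default.url(for: .documentDirectory, in: .userDomainMask,
                                                appropriateFor: nil, create: true)
    let url = documents.appendingPathComponent(name)
    // .completeFileProtection: unreadable once the device has been locked for ~10 s.
    // .completeFileProtectionUnlessOpen: for files a background task keeps writing to.
    // .completeFileProtectionUntilFirstUserAuthentication: the default, only protects until the first unlock after boot.
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    return url
}

/// Reports the protection class a file really has; compare with what iFunbox/iExplorer can read while locked.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attributes = try FileManager.default.attributesOfItem(atPath: url.path)
    if let type = attributes[.protectionKey] as? FileProtectionType {
        return type
    }
    // Depending on the Foundation version the attribute comes back as the raw NSString constant.
    return (attributes[.protectionKey] as? String).map(FileProtectionType.init(rawValue:))
}

/// Raises the class of a file that was written with a weaker one (e.g. by an SDK or an older build).
func raiseProtection(of url: URL, to type: FileProtectionType = .complete) throws {
    try FileManager.default.setAttributes([.protectionKey: type], ofItemAtPath: url.path)
}

// Usage (constructed content):
let noteURL = try writeProtected("customer note".data(using: .utf8)!, named: "note.txt")
_ = try protectionClass(of: noteURL)   // .complete
```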

Slide 46

Slide 46 text

One gentle reminder…. ENCRYPTION of the data does NOT protect the INTEGRITY of the data. For that you SIGN or HMAC the data (or you use an authenticated mode such as AES-GCM, which on iOS is only available as a private API).
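
As an added example (not from the slides) covering both this reminder and the earlier payload-encryption slide: encrypt-then-MAC with the public CommonCrypto API, AES-256-CBC for confidentiality and HMAC-SHA256 for integrity, with the tag checked in constant time before anything is decrypted. The key material is constructed inline for the example; in an app both keys come from the keychain. Function and type names are assumptions.

```swift
import Foundation
import Security
import CommonCrypto   // assumption: Xcode 10+ (older toolchains need a bridging header)

enum SealError: Error {
    case crypto(CCCryptorStatus)
    case badInput
    case badTag
}

/// Two independent keys: never reuse the encryption key for the MAC.
struct SealKeys {
    let enc: Data   // 32 bytes, AES-256
    let mac: Data   // 32 bytes, HMAC-SHA256
}

func randomBytes(_ count: Int) -> Data {
    var bytes = [UInt8](repeating: 0, count: count)
    precondition(SecRandomCopyBytes(kSecRandomDefault, count, &bytes) == errSecSuccess)
    return Data(bytes)
}

private func hmacSHA256(key: Data, over data: Data) -> Data {
    var out = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
    key.withUnsafeBytes { k in
        data.withUnsafeBytes { d in
            CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), k.baseAddress, key.count, d.baseAddress, data.count, &out)
        }
    }
    return Data(out)
}

/// Compares every byte regardless of where the first difference is, so timing does not leak the tag.
private func constantTimeEqual(_ a: Data, _ b: Data) -> Bool {
    guard a.count == b.count else { return false }
    var diff: UInt8 = 0
    for (x, y) in zip(a, b) { diff |= x ^ y }
    return diff == 0
}

private func aesCBC(_ op: CCOperation, key: Data, iv: Data, input: Data) throws -> Data {
    var out = [UInt8](repeating: 0, count: input.count + kCCBlockSizeAES128)   // room for PKCS#7 padding
    var moved = 0
    let status: CCCryptorStatus = key.withUnsafeBytes { k in
        iv.withUnsafeBytes { i in
            input.withUnsafeBytes { d in
                CCCrypt(op, CCAlgorithm(kCCAlgorithmAES), CCOptions(kCCOptionPKCS7Padding),
                        k.baseAddress, key.count, i.baseAddress,
                        d.baseAddress, input.count, &out, out.count, &moved)
            }
        }
    }
    guard status == CCCryptorStatus(kCCSuccess) else { throw SealError.crypto(status) }
    return Data(out.prefix(moved))
}

/// Output layout: IV (16) || ciphertext || HMAC tag (32). The tag covers the IV as well.
func seal(_ plaintext: Data, keys: SealKeys) throws -> Data {
    guard keys.enc.count == kCCKeySizeAES256, keys.mac.count == 32 else { throw SealError.badInput }
    let iv = randomBytes(kCCBlockSizeAES128)   // fresh random IV per message
    let body = iv + (try aesCBC(CCOperation(kCCEncrypt), key: keys.enc, iv: iv, input: plaintext))
    return body + hmacSHA256(key: keys.mac, over: body)
}

/// Verifies first, decrypts second: a tampered message never reaches the cipher (no padding oracle).
func unseal(_ sealed: Data, keys: SealKeys) throws -> Data {
    let tagLength = Int(CC_SHA256_DIGEST_LENGTH)
    guard keys.enc.count == kCCKeySizeAES256, keys.mac.count == 32,
          sealed.count > kCCBlockSizeAES128 + tagLength else { throw SealError.badInput }
    let body = sealed.prefix(sealed.count - tagLength)
    let tag = sealed.suffix(tagLength)
    guard constantTimeEqual(hmacSHA256(key: keys.mac, over: body), tag) else { throw SealError.badTag }
    let iv = Data(body.prefix(kCCBlockSizeAES128))
    let ciphertext = Data(body.dropFirst(kCCBlockSizeAES128))
    return try aesCBC(CCOperation(kCCDecrypt), key: keys.enc, iv: iv, input: ciphertext)
}

// Usage with constructed keys and a constructed payload:
let keys = SealKeys(enc: randomBytes(kCCKeySizeAES256), mac: randomBytes(32))
let sealed = try seal("account=1234;amount=10".data(using: .utf8)!, keys: keys)
_ = try unseal(sealed, keys: keys)           // original payload
var tampered = sealed
tampered[sealed.count - 1] ^= 0x01           // flip one bit in the tag
_ = try? unseal(tampered, keys: keys)        // nil: SealError.badTag, nothing was decrypted
```

Flipping a bit in the ciphertext or the IV instead of the tag fails the same check, which is exactly what CBC without a MAC would not catch: the decryption would succeed and hand back a silently modified plaintext.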

Slide 47

Slide 47 text

Other analysis tools for quick warnings
- MobSF
- Needle
- iRET
- Introspy-iOS

Slide 48

Slide 48 text

There's way more!
- Circumventing anti-piracy methods
- Circumventing jailbreak detection
- Using Cycript to bypass controls in your Objective-C application
- …
- Check the DVIA
- Check the OWASP Mobile Application Security Verification Standard
- Check the OWASP Mobile Security Testing Guide
- Check the iOS Secure Coding Guide and the iOS Security Guide

Slide 49

Slide 49 text

Need help in studying security? Coming soon: an iOS security training for developers!

Slide 50

Slide 50 text

Need help in studying security? http://pages.xebia.com/ios-hacking-foundation-training

Slide 51

Slide 51 text

Wrap up
- Your secure connection:
  - Always have a secure connection
  - Pin if possible & needed
  - Use payload encryption if really necessary
- Your storage:
  - Don't use plists or NSUserDefaults for sensitive information
  - Encrypt data at rest
  - Use static analyzers

Slide 52

Slide 52 text

Questions?
- @commjoenie
- [email protected]