iOS App Vulnerabilities and how to fix them
Julia Potapenko
Slide 2
Security Software Engineer
@julepka
We help companies to protect their sensitive and valuable data.
Slide 3
How do we know the vulnerability is common?
OWASP Mobile Top 10
CVE-List by MITRE
Security tools/services vendors
News and Twitter
Our own experience
Slide 4
OWASP Mobile Top 10
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
https://owasp.org/www-project-mobile-top-10/
Slide 6
OWASP Mobile Top 10: 2014 vs 2016
2014:
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protection
2016:
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
Slide 8
CVE List
https://cve.mitre.org/cve/search_cve_list.html
Search: iOS app
Common Vulnerabilities and Exposures List
Slide 9
NVD
National Vulnerability Database
Common Vulnerability Scoring System
Slide 10
Security tools/services vendors
Databases, reports, statistics, blog posts
https://snyk.io/vuln/
Slide 11
Security tools/services vendors
Databases, reports, statistics, blog posts
https://www.guardsquare.com/state-of-mobile-application-security-report
Slide 17
Improper Platform Usage
If I want to store some data…
UserDefaults: not encrypted, accessible on a locked device.
Keychain: encrypted storage, becomes decrypted on unlock.
Secure Enclave: stores keys that can be used to encrypt Keychain entries.
Slide 18
Improper Platform Usage
Not strict Keychain access policy == attacker can easily access Keychain data
Slide 26
Improper Platform Usage
Keychain access policy (kSecAttrAccessible):
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
kSecAttrAccessibleWhenUnlocked
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
kSecAttrAccessibleAfterFirstUnlock
Or encrypt and decrypt on your own: Secure Enclave, CryptoKit, Themis
AND!
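The slide lists the accessibility values but not how they are applied. The following is an added example, not code from the talk: a small Keychain wrapper that stores a secret under a strict, device-bound access policy, plus the "encrypt on your own" path using a Secure Enclave key from CryptoKit. The service name and the `SecretStore`/`makeEnclaveKey` names are constructed for this example.

```swift
import Foundation
import Security
import CryptoKit

/// Added example (not from the talk): Keychain wrapper with a strict access policy.
/// The service identifier is a constructed placeholder.
enum SecretStore {
    static let service = "com.example.myawesomeapp"

    /// Stores `secret` so it is readable only while the device is unlocked and is never
    /// migrated to another device (not restored from backup, not transferred device-to-device).
    @discardableResult
    static func save(_ secret: Data, account: String) -> OSStatus {
        // Remove any existing item first: SecItemAdd refuses duplicates (errSecDuplicateItem).
        SecItemDelete(baseQuery(account: account) as CFDictionary)

        var query = baseQuery(account: account)
        query[kSecValueData as String] = secret
        // The access policy is the point of the slide. A permissive value such as
        // kSecAttrAccessibleAfterFirstUnlock keeps the item readable while the device is
        // locked (once it has been unlocked since boot); this value does not.
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(query as CFDictionary, nil)
    }

    /// Reads the secret back; returns nil if absent or not readable in the current device state.
    static func load(account: String) -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
        return item as? Data
    }

    private static func baseQuery(account: String) -> [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }
}

/// "Encrypt and decrypt on your own" with a Secure Enclave key (CryptoKit). The private key
/// never leaves the enclave; only its opaque, enclave-encrypted representation is persisted,
/// here to the Keychain through SecretStore under the same strict policy.
func makeEnclaveKey(account: String) throws -> SecureEnclave.P256.KeyAgreement.PrivateKey? {
    guard SecureEnclave.isAvailable else { return nil }  // e.g. the iOS Simulator
    let key = try SecureEnclave.P256.KeyAgreement.PrivateKey()
    SecretStore.save(key.dataRepresentation, account: account)
    return key
}
```

Usage: `SecretStore.save(token, account: "session")` on sign-in and `SecretStore.load(account: "session")` when the app is in the foreground; a `load` call while the device is locked fails by design, which is the behaviour the slide asks for.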
Slide 40
Insecure Data Storage
Data generated by the app:
- Logs
- Databases
- Caches
- Other saved files
Check if any sensitive data may appear there! (check the code, not the files)
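The slide says to check the code that produces logs, caches and files. As an added example (not from the talk), here are the three places where that check usually lands in Swift: redacting values in the unified log, writing a file under complete data protection and excluding it from backups, and using a session that keeps no on-disk cache. The subsystem string and function names are constructed for this example.

```swift
import Foundation
import os

/// Added example (not from the talk). Subsystem/category strings are constructed placeholders.
let authLog = Logger(subsystem: "com.example.myawesomeapp", category: "auth")

/// Logs a sign-in without putting the token in the log.
/// Values interpolated into Logger messages are redacted by default when the log is read
/// from a device, unlike print()/NSLog, which write them verbatim. The token is replaced by
/// a hash so that two entries can still be correlated without revealing the value.
func logSignIn(user: String, sessionToken: String) {
    authLog.info("sign-in user=\(user, privacy: .private) token=\(sessionToken, privacy: .private(mask: .hash))")
}

/// Writes a file that iOS encrypts with the class-A data-protection key (readable only while
/// the device is unlocked) and that is left out of iCloud/iTunes backups.
func writeSensitiveFile(_ data: Data, named name: String) throws -> URL {
    let dir = try FileManager.default.url(for: .applicationSupportDirectory,
                                          in: .userDomainMask, appropriateFor: nil, create: true)
    var url = dir.appendingPathComponent(name)
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try url.setResourceValues(values)
    return url
}

/// A session for requests whose responses must not land in the on-disk URL cache
/// (e.g. API calls returning account data). The ephemeral configuration keeps cache,
/// cookies and credentials in memory only.
func makeUncachedSession() -> URLSession {
    let configuration = URLSessionConfiguration.ephemeral
    configuration.urlCache = nil
    return URLSession(configuration: configuration)
}
```

The common review finding behind this slide is a `print(response)` or `NSLog("%@", request)` left in networking code; grepping the code base for those calls is faster and more reliable than inspecting the files on a device.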
Slide 45
Insecure Data Storage
Data stored inside the .ipa:
- Configuration files
- Executables
Look for testing credentials and endpoints! (actually, any credentials and endpoints)
(config comments may not be removed)
[22:05:16] juliapotapenko:MyAwesomeAppl.app $ strings MyAwesomeApp | grep "https://"
Slide 47
Insecure Communication
App Transport Security: do not allow HTTP
HTTP allowed for all endpoints
HTTP allowed for localhost
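The two captions refer to two Info.plist configurations. As an added example (not the talk's own plist), here is the weak setting next to the scoped one: the first disables App Transport Security for every host, the second permits plain HTTP only for `localhost` (a local development server) while every other endpoint must still use TLS.

```xml
<!-- Weak: HTTP allowed for all endpoints -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Scoped: HTTP allowed for localhost only; all other hosts keep ATS defaults (HTTPS) -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

A quick check during review is to search the Info.plist for `NSAllowsArbitraryLoads`; if it is present and true, the exception list underneath it is irrelevant because ATS is already off.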
Slide 51
Insecure Communication
TLS Pinning: prevent MiTM
SERVER (TLS Cert) -> ATTACKER (MiTM Cert) -> iOS APP
Certificate checks:
- Is trusted CA?
- Not expired?
- Is it our server's cert?
Slide 52
Insecure Communication
TLS Pinning: prevent MiTM
https://developer.apple.com/news/?id=g9ejcf8y
Slide 54
Insecure Communication
TLS Pinning: prevent MiTM
It is just an Info.plist entry. I can bypass pinning by removing or changing it.
Correct. But the main goal is to protect against MiTM when the attacker doesn't have access to a physical device.
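The slides show pinning as an Info.plist entry. As an added example (not from the talk), the same third check from the certificate slide, "is it our server's cert?", can also be done in code with a `URLSessionDelegate`: the system first performs the trusted-CA and expiry checks, then the delegate compares the SHA-256 of a chain certificate's public key against the hashes the app ships with. The class name, host and the pin values are constructed for this example; the pins must be computed at build time over the same key representation (`SecKeyCopyExternalRepresentation`) that the code hashes at run time.

```swift
import Foundation
import Security
import CryptoKit

/// Added example (not from the talk): public-key pinning in a URLSession delegate.
/// Requires iOS 15+ for SecTrustCopyCertificateChain.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let pinnedKeyHashes: Set<String>  // base64 SHA-256 of the key's external representation

    init(host: String, pinnedKeyHashes: Set<String>) {
        self.pinnedHost = host
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    /// SHA-256 over SecKeyCopyExternalRepresentation of the certificate's public key, base64-encoded.
    static func keyHash(of certificate: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(certificate),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else { return nil }
        return Data(SHA256.hash(data: keyData)).base64EncodedString()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              challenge.protectionSpace.host == pinnedHost,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge for the pinned host: let the system decide.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Checks 1 and 2 from the slide: trusted CA chain, validity period, hostname.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Check 3: is it *our* server's key? A MiTM certificate issued by a trusted CA
        // passes the checks above but not this one.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              chain.contains(where: { cert in
                  PinningDelegate.keyHash(of: cert).map(pinnedKeyHashes.contains) ?? false
              }) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Constructed usage: pin values below are placeholders, not real hashes.
func makePinnedSession() -> URLSession {
    let delegate = PinningDelegate(host: "api.example.com",
                                   pinnedKeyHashes: ["<base64-sha256-of-current-key>",
                                                     "<base64-sha256-of-backup-key>"])
    return URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
}
```

Pinning the public key of an intermediate or a backup key rather than only the leaf certificate keeps the app working across routine certificate renewals; shipping a single leaf pin is the usual cause of pinning-related outages.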
Slide 56
Insecure Communication
TLS Pinning: prevent MiTM
Android docs: https://developer.android.com/training/articles/security-ssl#Pinning
Slide 59
Unintended Data Leakage
Application Backgrounding
What to protect? Sensitive data (* * * * *); think of accidental sharing.
How to protect? Screen overlay; remove entered data; return to previous screen.
Slide 60
Unintended Data Leakage
Screen overlay when app moved to background
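As an added example (not from the talk), a scene delegate that puts an overlay over the window when the app is about to become inactive, so the snapshot iOS takes for the app switcher shows the overlay instead of the screen content, and removes it when the app becomes active again. The class name follows the standard `SceneDelegate` template; the overlay handling is the added part.

```swift
import UIKit

/// Added example (not from the talk): privacy overlay during application backgrounding.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private var privacyOverlay: UIView?

    /// Called before the system captures the app-switcher snapshot, on every transition to
    /// the inactive state (home gesture, incoming call, Control Center), not only on backgrounding.
    func sceneWillResignActive(_ scene: UIScene) {
        guard let window = window, privacyOverlay == nil else { return }
        let overlay = UIVisualEffectView(effect: UIBlurEffect(style: .systemMaterial))
        overlay.frame = window.bounds
        overlay.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(overlay)
        privacyOverlay = overlay
    }

    /// Remove the overlay as soon as the app is active again so the user sees the real screen.
    func sceneDidBecomeActive(_ scene: UIScene) {
        privacyOverlay?.removeFromSuperview()
        privacyOverlay = nil
    }
}
```

The blur view is added to the window rather than to a view controller so it covers presented sheets and alerts as well; an opaque branded view works the same way if a blur would still reveal layout.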
Slide 61
Summary
We've learned
- where we can read about common vulnerabilities
- examples of top vulnerabilities:
  - keychain
  - biometrics
  - backgrounding
  - app generated content
  - data stored in .ipa
  - screen overlay
  - allowing HTTP
  - TLS pinning