Building&Hacking modern iOS apps Wojciech Regua @_r3ggi - PowerPoint PPT Presentation

  1. www.securing.pl Building&Hacking modern iOS apps Wojciech Reguła @_r3ggi wojciech.regula@securing.pl

  2. @_r3ggi wojciech.regula@securing.pl www.securing.pl
     WHOAMI
      - Senior IT Security Consultant @ SecuRing
      - Focused on iOS apps security
      - Blogger https://wojciechregula.blog/
      - OWASP SKF contributor

  3. INTRODUCTION

  4. AGENDA
      1. iOS platform myths and reality
      2. securityProblemsInMASVSCategories.forEach { problem in
           2.1 Discuss problem
           2.2 Show solution
           2.3 Present new Apple WWDC feature
         }
      3. My new library – iOS Security Suite 🚁
      4. Short and long term things to implement in your code

  5. PART I: PLATFORM MYTHS AND REALITY

  6. MYTH #1: APPLE'S REVIEW IS 100% RELIABLE
      https://twitter.com/orhaneee/status/1076147994574184449

  7. MYTH #2: THERE IS NO JAILBREAK FOR IOS 11+
      https://github.com/pwn20wndstuff/Undecimus

  8. MYTH #3: NO JAILBREAK MEANS NO REVERSING APPS

  9. PART II: SECURE DEVELOPMENT

  10. V1 ARCHITECTURE

  11. SWIFT VS OBJECTIVE-C
      - Integer overflow -> runtime error
      - No direct memory access (unless UnsafePointer is used)
      - Format strings mitigated through string interpolation

  12. MYTH – SWIFT AUTOOBFUSCATES ITSELF
      - There is no obfuscation
      - Swift uses "name mangling"

  13. MYTH – SWIFT AUTOOBFUSCATES ITSELF
      - Class TestClass
      - 1 instance variable
      - Constructor
      - 2 methods

  14. MYTH – SWIFT AUTOOBFUSCATES ITSELF
      - _$ prefix: Swift symbol
      - Length and module name
      - Length and class name
      - C: function of class (method)
      - Length and method name
      - Parameters and return type

  16. MYTH – SWIFT METHODS CANNOT BE DYNAMICALLY CHANGED
      - They can, using for example Frida
      - You just need to hook the symbol

  17. MYTH – SWIFT METHODS CANNOT BE DYNAMICALLY CHANGED

  18. DEMO https://vimeo.com/334861122

  19. TAKEAWAYS
      - Binary vulnerabilities mitigated
      - Mostly no memory access
      - Obfuscation ⬇ https://github.com/rockbruno/swiftshield

  20. AUTOMATED SMS CODES INPUT (WWDC 2018)
      - Controversial feature, since another app may have access to the one-time password
      - Low risk, but there is a possibility of social engineering

  21. DEMO https://vimeo.com/334861389

  22. V2 DATA STORAGE

  23. ON-DEVICE DATA STORAGE
      - The most common issue is storing sensitive data on the device that should not be there:
        • API keys
        • SSH keys
        • Cloud credentials
        • Test env credentials

  24. ON-DEVICE DATA STORAGE
      - Sensitive data may be insecurely stored in:
        • Info.plist
        • User defaults
        • Regular files
        • Hardcoded into the binary
        • Even in the Keychain (as such secrets shouldn't be stored client-side at all)

  25. ON-DEVICE DATA STORAGE

  26. ON-DEVICE DATA STORAGE
      - Directories that are backed up:
        • Documents/
        • Library/Application Support/
        • Library/Preferences/
        • Library/*
      - Directories not backed up:
        • Library/Caches/
        • tmp/

  27. CREDENTIAL PROVIDER EXTENSION (WWDC 2018)
      - Password managers in native apps
      - Add UITextContentType

  28. TAKEAWAYS
      - No sensitive data in the IPA
      - kSecAttrAccessibleWhen… variants with the ThisDeviceOnly suffix
      - UIKit Data Protection
      - Credential Providers
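How the data-storage takeaways of slides 26 and 28 look in code, as an added example that is not from the talk: a Keychain item bound to this device only, and a file kept out of backups and written under Data Protection. The service identifier and the file location are assumptions.

```swift
import Foundation
import Security

enum TokenStore {
    static let service = "com.example.app.session"   // assumed identifier

    static func save(token: Data, account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Remove any previous item so SecItemAdd does not fail with errSecDuplicateItem.
        SecItemDelete(query as CFDictionary)
        var attributes = query
        attributes[kSecValueData as String] = token
        // ThisDeviceOnly: the item is wrapped with device-specific keys, so it is not
        // synced through iCloud Keychain and is not restored onto another device.
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    static func load(account: String) -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
        return result as? Data
    }
}

// Library/Caches is already outside the backup set; a file that has to live in a
// backed-up directory is excluded explicitly and written with Data Protection.
func writeProtectedCache(_ data: Data, name: String) throws {
    let dir = try FileManager.default.url(for: .applicationSupportDirectory, in: .userDomainMask,
                                          appropriateFor: nil, create: true)
    var file = dir.appendingPathComponent(name)
    try data.write(to: file, options: [.atomic, .completeFileProtection])
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try file.setResourceValues(values)
}
```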

  29. V3 CRYPTOGRAPHY

  30. CRYPTOGRAPHY
      - Insecure token generation
      - Bear case

  34. https://wojciechregula.blog/post/stealing-bear-notes-with-url-schemes/

  35. AUTOMATIC STRONG PASSWORDS (WWDC 2018)
      - Autofill, mentioned before, can create new passwords associated with your domain
      - You are able to set the password policy that will be applied

  36. TAKEAWAYS
      - No home-made ciphers
      - Everything in the IPA is public
      - SecKeyCreateEncryptedData instead of 3rd-party AES/RSA
      - Native password policy

  37. V4 SESSION MANAGEMENT

  38. SESSION MANAGEMENT
      - Local access control…
      - JWT -> sign the token!

  39. V5 NETWORK COMMUNICATION

  40. NETWORK COMMUNICATION
      - Avoid HTTP
      - Use HTTPS ✅
      - App Transport Security
      - HTTPS -> make sure the certificate is actually trusted

  42. V6 PLATFORM INTERACTION

  43. INTER-PROCESS (APPLICATION) COMMUNICATION
      - XPC (macOS; not allowed on iOS)
      - Mach messages (macOS; not allowed on iOS)
      - URL Schemes
      - AirDrop
      - Clipboard (please, do not do that)

  46. TAKEAWAYS
      - Verify sender
      - Check parameters
      - If WebView -> check permissions
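The "verify sender, check parameters" takeaway applied to a custom URL scheme, as an added example that is not the talk's code: the scheme, the hosts and the trusted bundle identifier are assumed values.

```swift
import UIKit

enum DeepLinkError: Error { case untrustedSender, badScheme, unknownAction, badParameter }
enum DeepLinkAction: Equatable { case openNote(id: Int), search(term: String) }

enum DeepLinkParser {
    static let scheme = "exampleapp"                                      // assumed scheme
    static let trustedSenders: Set<String> = ["com.example.companion"]    // assumed bundle ID
    static let maxTermLength = 64

    static func parse(_ url: URL, sourceApplication: String?) throws -> DeepLinkAction {
        // 1. Verify the sender. sourceApplication is nil for many callers (Safari, Messages,
        //    web views), so nil is treated as untrusted rather than as "unknown but fine".
        guard let sender = sourceApplication, trustedSenders.contains(sender) else {
            throw DeepLinkError.untrustedSender
        }
        // 2. Parse structurally instead of matching on the raw string.
        guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
              parts.scheme?.lowercased() == scheme else {
            throw DeepLinkError.badScheme
        }
        // Duplicate keys (?id=1&id=2) would trap with uniqueKeysWithValues; keep the first.
        let pairs = (parts.queryItems ?? []).compactMap { item in item.value.map { (item.name, $0) } }
        let query = Dictionary(pairs, uniquingKeysWith: { first, _ in first })
        // 3. Allow-list the action and type-check its parameters.
        switch parts.host ?? "" {
        case "note":
            guard let raw = query["id"], let id = Int(raw), id > 0 else { throw DeepLinkError.badParameter }
            return .openNote(id: id)
        case "search":
            guard let term = query["q"], !term.isEmpty, term.count <= maxTermLength,
                  term.rangeOfCharacter(from: .newlines) == nil else { throw DeepLinkError.badParameter }
            return .search(term: term)
        default:
            throw DeepLinkError.unknownAction
        }
    }
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let sender = options[.sourceApplication] as? String
        guard let action = try? DeepLinkParser.parse(url, sourceApplication: sender) else {
            return false   // unverified sender or malformed parameters: ignore the URL
        }
        print("handling \(action)")   // dispatch to the real handler here
        return true
    }
}
```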

  47. V7 CODE QUALITY

  48. CODE QUALITY
      - No deprecated APIs
      - Vulnerable libraries
      - CocoaPods/Carthage -> no fixed versions please

  49. AFNetworking 2.5.1 allowed a man-in-the-middle attack when the app did not use SSL pinning
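The certificate-trust point from slide 40 and the AFNetworking pinning case above, as an added example that is not from the talk: the first delegate is the trust-everything pattern that makes an app interceptable, the second validates the chain and then pins the leaf certificate. Host name and pinned hashes are placeholders.

```swift
import Foundation
import Security
import CryptoKit

// Weak pattern: the server's trust object is returned without evaluation, so a proxy
// presenting any certificate is accepted. Kept only as the "before" of the fix.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened: system chain validation first, then pin the leaf certificate's SHA-256.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let host: String
    private let pinnedLeafHashes: Set<String>   // lowercase hex SHA-256 of the DER leaf (placeholders)
    init(host: String, leafHashes: Set<String>) { self.host = host; pinnedLeafHashes = leafHashes }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == host, let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Standard X.509 validation: expiry, hostname, chain to a trusted root.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pin the leaf; rotate the pinned set before the certificate is renewed.
        let der = SecCertificateCopyData(leaf) as Data
        let hex = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        if pinnedLeafHashes.contains(hex) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```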

  50. DEPRECATED UIWEBVIEW (WWDC 2018)
      - UIWebView has access to local files via the file:// handler BY DEFAULT
      - WKWebView also has it if you turn some flags on, by the way
      - XSS ☠
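Keeping WKWebView's file access to the one bundled page and refusing every other navigation, as an added example that is not from the talk; the help page name and the allowed host are assumptions.

```swift
import UIKit
import WebKit

final class HelpViewController: UIViewController, WKNavigationDelegate {
    private let helpPage = Bundle.main.url(forResource: "help", withExtension: "html")  // assumed file
    private let allowedHosts: Set<String> = ["help.example.com"]                         // assumed host
    private var webView: WKWebView!

    override func viewDidLoad() {
        super.viewDidLoad()
        let config = WKWebViewConfiguration()
        // Leave the file-URL switches at their defaults (off): never enable
        // allowFileAccessFromFileURLs / allowUniversalAccessFromFileURLs via setValue(_:forKey:).
        config.preferences.javaScriptCanOpenWindowsAutomatically = false
        webView = WKWebView(frame: view.bounds, configuration: config)
        webView.navigationDelegate = self
        view.addSubview(webView)
        guard let page = helpPage else { return }
        // Read access is granted to this one file, not to the bundle or the app container,
        // so script injected into the page cannot read other local files.
        webView.loadFileURL(page, allowingReadAccessTo: page)
    }

    func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else { decisionHandler(.cancel); return }
        switch url.scheme?.lowercased() ?? "" {
        case "https" where allowedHosts.contains(url.host?.lowercased() ?? ""):
            decisionHandler(.allow)
        case "file" where url.standardizedFileURL.path == helpPage?.standardizedFileURL.path:
            decisionHandler(.allow)   // only the page we loaded ourselves
        default:
            // Other file:// paths, http and custom schemes are refused here; open external
            // links with UIApplication.shared.open(_:) instead of inside the web view.
            decisionHandler(.cancel)
        }
    }
}
```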

  51. DICTIONARY THAT LOOKS YOU UP

  54. DEMO https://vimeo.com/334862417

  55. HELP VIEWER PROBLEMS

  56. DEMO https://vimeo.com/334861507

  57. YAHOO IOS XSS EXAMPLE BY @OMESPINO

  58. V8 RESILIENCY REQUIREMENTS

  59. ANTI-TAMPERING
      For those who:
        • Don't want their app to be tampered with
        • Consider malware a risk
        • Have to be compliant with OWASP MASVS
