Building&Hacking modern iOS apps - Wojciech Reguła (@_r3ggi) - PowerPoint PPT Presentation



SLIDE 1

www.securing.pl

Wojciech Reguła

Building&Hacking modern iOS apps

@_r3ggi wojciech.regula@securing.pl

SLIDE 2

WHOAMI

  • Senior IT Security Consultant @ SecuRing
  • Focused on iOS apps security
  • Blogger https://wojciechregula.blog/
  • OWASP SKF contributor

SLIDE 3

INTRODUCTION

SLIDE 4

AGENDA

  • 1. iOS platform myths and reality
  • 2. securityProblemsInMASVSCategories.forEach { problem in
        2.1 Discuss problem
        2.2 Show solution
        2.3 Present new Apple WWDC feature
    }
  • 3. My new library – iOS Security Suite 🚁
  • 4. Short and long term things to implement in your code

SLIDE 5

PART I PLATFORM MYTHS AND REALITY

SLIDE 6

MYTH #1 APPLE’S REVIEW IS 100% RELIABLE

https://twitter.com/orhaneee/status/1076147994574184449

SLIDE 7

MYTH #2 THERE IS NO JAILBREAK FOR IOS 11+

https://github.com/pwn20wndstuff/Undecimus

SLIDE 8

MYTH #3 NO JAILBREAK MEANS NO REVERSING APPS

SLIDE 9

PART II SECURE DEVELOPMENT

SLIDE 10

V1 ARCHITECTURE

SLIDE 11

SWIFT VS OBJECTIVE-C

  • Integer overflow -> Runtime error
  • No direct memory access (unless UnsafePointer is used)
  • Format string mitigated through string interpolation

SLIDE 12

MYTH – SWIFT AUTOOBFUSCATES ITSELF

  • There is no obfuscation
  • Swift uses "name mangling"

SLIDE 13

MYTH – SWIFT AUTOOBFUSCATES ITSELF

  • Class TestClass
  • 1 Instance variable
  • Constructor
  • 2 Methods

SLIDE 14

MYTH – SWIFT AUTOOBFUSCATES ITSELF

  • _$ Swift Symbol
  • Length and module name
  • Length and class name
  • C function of class (method)
  • Length and method name
  • Parameters and return type
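As an added example (not code from the talk or from the iOS Security Suite project), a small Python demangler for the symbol layout listed above: it recovers module, class, method and signature from a Swift class-method symbol exactly in the order the bullets describe. It assumes Swift 5 mangling, where the prefix the slide abbreviates as _$ is _$s (_$S on Swift 4.2), and only handles methods without argument labels, with zero or one parameter and a few standard-library types; the sample symbols are constructed.

```python
import re

# Swift 5 writes standard-library types as 'S' plus a one-letter code rather than
# a length-prefixed name; 'y' is the empty tuple (Void). Subset used here.
KNOWN_TYPES = {"Si": "Swift.Int", "SS": "Swift.String",
               "Sb": "Swift.Bool", "Sd": "Swift.Double"}


def _read_identifier(s, pos):
    """Read a length-prefixed identifier, e.g. '9TestClass' -> 'TestClass'."""
    m = re.match(r"\d+", s[pos:])
    if not m:
        raise ValueError(f"expected identifier length at offset {pos}")
    length = int(m.group())
    pos += len(m.group())
    return s[pos:pos + length], pos + length


def _read_type(s, pos):
    """Read one type: Void ('y') or a known two-character stdlib code."""
    if s[pos:pos + 1] == "y":
        return "()", pos + 1
    code = s[pos:pos + 2]
    if code not in KNOWN_TYPES:
        raise ValueError(f"unsupported type code {code!r} at offset {pos}")
    return KNOWN_TYPES[code], pos + 2


def demangle_method(symbol):
    """Demangle _$s<len>Module<len>ClassC<len>method<result><param>F into
    'Module.Class.method(param) -> result' (assumed subset, see lead-in)."""
    s = symbol.lstrip("_")                 # Mach-O symbols carry a leading '_'
    if s[:2] not in ("$s", "$S"):          # Swift 5 / Swift 4.2 prefixes
        raise ValueError("not a Swift mangled symbol")
    pos = 2
    module, pos = _read_identifier(s, pos)  # length + module name
    cls, pos = _read_identifier(s, pos)     # length + class name
    if s[pos:pos + 1] != "C":              # 'C' marks a class (struct 'V', enum 'O')
        raise ValueError("expected class marker 'C'")
    method, pos = _read_identifier(s, pos + 1)  # length + method name
    result, pos = _read_type(s, pos)       # result type is mangled first...
    param, pos = _read_type(s, pos)        # ...then the (single, unlabeled) parameter
    if s[pos:] != "F":                     # 'F' terminates a function symbol
        raise ValueError("expected function marker 'F'")
    return f"{module}.{cls}.{method}({'' if param == '()' else param}) -> {result}"


# Constructed sample of what a Swift binary's symbol table exposes.
SAMPLE_SYMBOLS = ["_$s4main9TestClassC6secretSSyF", "_$s4main9TestClassC5checkSbSiF"]

if __name__ == "__main__":
    for sym in SAMPLE_SYMBOLS:
        print(sym, "->", demangle_method(sym))
```

Because the names are only length-prefixed, not obfuscated, an obfuscator such as the SwiftShield tool linked on slide 19 is what actually hides them; the toolchain's own `swift demangle` handles the full grammar.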

SLIDE 16

MYTH – SWIFT METHODS CANNOT BE DYNAMICALLY CHANGED

  • They can, using for example Frida
  • You just need to hook the symbol

SLIDE 18

DEMO https://vimeo.com/334861122

SLIDE 19

TAKEAWAYS

  • Binary vulnerabilities mitigated
  • Mostly no memory access
  • Obfuscation ⬇

https://github.com/rockbruno/swiftshield

SLIDE 20

AUTOMATED SMS CODES INPUT (WWDC 2018)

  • Controversial feature since another app may have access to the one-time password
  • Low risk, but there is a possibility of social engineering

SLIDE 21

DEMO https://vimeo.com/334861389

SLIDE 22

V2 DATA STORAGE

SLIDE 23

ON-DEVICE DATA STORAGE

  • Most common issue is storing sensitive data on the device that should not be there:
    • API Keys
    • SSH Keys
    • Cloud credentials
    • Test env credentials

SLIDE 24

ON-DEVICE DATA STORAGE

  • Sensitive data may be insecurely stored in:
    • Info.plist
    • User defaults
    • Regular files
    • Hardcoded into the binary
    • Even in Keychain (as they shouldn’t be stored client-side)

SLIDE 26

ON-DEVICE DATA STORAGE

  • Directories that are backed up:
    • Documents/
    • Library/Application Support/
    • Library/Preferences/
    • Library/*
  • Directories not backed up:
    • Library/Caches/
    • tmp/

SLIDE 27

CREDENTIAL PROVIDER EXTENSION (WWDC 2018)

  • Password managers in native apps
  • Add UITextContentType

SLIDE 28

TAKEAWAYS

  • No sensitive data in IPA
  • kSecAttrAccessibleWhen… variants with the ThisDeviceOnly suffix
  • UIKit DataProtection
  • Credential Providers

SLIDE 29

V3 CRYPTOGRAPHY

SLIDE 30

CRYPTOGRAPHY

  • Insecure token generation
  • Bear case


https://wojciechregula.blog/post/stealing-bear-notes-with-url-schemes/

SLIDE 35

AUTOMATIC STRONG PASSWORDS (WWDC 2018)

  • Autofill (mentioned before) can create new passwords associated with your domain
  • You are able to set the password policy that will be applied

SLIDE 36

TAKEAWAYS

  • No home-made ciphers
  • Everything in IPA is public
  • SecKeyCreateEncryptedData instead of 3rd party AES/RSA
  • Native password policy

SLIDE 37

V4 SESSION MANAGEMENT

SLIDE 38

SESSION MANAGEMENT

  • Local access control…
  • JWT -> sign the token!

SLIDE 39

V5 NETWORK COMMUNICATION

SLIDE 40

NETWORK COMMUNICATION

  • Avoid HTTP
  • Use HTTPS ✅
  • App Transport Security
  • HTTPS -> make sure the cert is trusted

SLIDE 42

V6 PLATFORM INTERACTION

SLIDE 43

INTER-PROCESS (APPLICATION) COMMUNICATION

  • XPC (macOS, iOS not allowed)
  • Mach messages (macOS, iOS not allowed)
  • URL Schemes
  • AirDrop
  • Clipboard (please, do not do that)

SLIDE 46

TAKEAWAYS

  • Verify sender
  • Check parameters
  • If WebView -> check permissions

SLIDE 47

V7 CODE QUALITY

SLIDE 48

CODE QUALITY

  • No deprecated APIs
  • Vulnerable libraries
  • CocoaPods/Carthage -> no fixed versions please

SLIDE 49

AFNetworking 2.5.1 allowed a Man-in-the-Middle attack when the app did not use SSL pinning

SLIDE 50

DEPRECATED UIWEBVIEW (WWDC 2018)

  • UIWebView has access to local files via the file:// handler BY DEFAULT
  • WKWebView also has it if you turn some flags on, btw
  • XSS ☠

SLIDE 51

DICTIONARY THAT LOOKS YOU UP

SLIDE 54

DEMO https://vimeo.com/334862417

SLIDE 55

HELP VIEWER PROBLEMS

SLIDE 56

DEMO https://vimeo.com/334861507

SLIDE 57

YAHOO IOS XSS EXAMPLE BY @OMESPINO

SLIDE 58

V8 RESILIENCY REQUIREMENTS

SLIDE 59

ANTI TAMPERING

For those who:

  • Don’t want their app to be tampered with
  • Consider malware as a risk
  • Have to be compliant with OWASP MASVS

SLIDE 60

IOS SECURITY SUITE V1.0 LIBRARY

  • What it detects:
    • Jailbreaks with new indicators
    • Attached debuggers
    • Tampering tools (e.g. Frida)
    • If your app is run in an emulator

SLIDE 61

IOS SECURITY SUITE V1.0 LIBRARY

https://github.com/securing/IOSSecuritySuite

SLIDE 62

PART III SUMMARY

SLIDE 63

COMMON VULNERABILITIES SUMMARY

  • Backed up sensitive data
  • Keys/accounts in IPA
  • Network issues
  • Vulnerable URL schemes
  • Fixed lib versions

SLIDE 64

RECOMMENDATIONS

  • Short term
    • Password managers & autofill
    • Anti-tampering for high-risk apps
  • Long term
    • WKWebView
    • Native password policy
    • Swift > Objective-C

SLIDE 65

[Diagram: Security Aware Developers, Pentesters, Security Issues]

SLIDE 66

MOBILE APPLICATION SECURITY BEST PRACTICES

https://www.securing.biz/en/mobile-application-security-best-practices/index.html

SLIDE 67

SecuRing, Kalwaryjska 65/6, 30-504 Kraków, Poland
info@securing.pl
tel. +48 124252575
http://www.securing.biz/en

Contact: Wojciech Reguła
wojciech.regula@securing.pl, @_r3ggi, wojciech-regula