[PPT] - Mobile Application Security Testing ASSES SESSMENT NT & CODE PowerPoint Presentation

SLIDE 1

Mobile Application Security Testing

ASSES SESSMENT NT & CODE REVIEW EW

Sept.

t. 31

31st

st 2014

SLIDE 2

2

Bishop Fox

Francis Brown

Partner

Joe DeMesy

Security Associate

ITAC 2014

Presenters

2

SLIDE 3

3

Hi, I’m Fran
Partner at Bishop Fox
You may remember me

from such hacks as:

RFID Thief
Diggity Search Tool

Suite

Sharepoint

Hacking

FRANCIS CIS BROW OWN

Int ntrodu roductions ctions

SLIDE 4

4

Hi, I’m Joe
Associate at Bishop

Fox

I like computers
That run a POSIX OS*
Phones are cool too
Open source projects:
Root the Box
iSpy

JOE DEME MESY

Int ntrodu roductions ctions

SLIDE 5

5

Breaking eaking iOS App pps s –

Static analysis
Dynamic analysis
The future of iOS assessments
Protections & counter-measures

Breaking eaking Andro droid id App pps s –

Static Analysis
Dynamic Analysis
Protections & counter-measures

COVERED RED TODAY AY

Age gend nda

SLIDE 6

6

Scenar narios ios

Online Finance
Point of Sale
Streaming Media
Mobile Device

Management (MDM)

Games (cheating, etc.)

OUR TARG RGETS TS

App Se Secur curity ity Requir equiremen ements ts

SLIDE 7

THE GO GOLDEN DEN RULE

APPL PLICATION ICATION SECURITY URITY

SLIDE 8

8

They have complete

control

Do not trust them
Design applications

and APIs accordingly

EVERY LAST ONE OF ‘EM EM

Us User ers s are e Evil

SLIDE 9

IOS OS DYNAMIC YNAMIC ANALYSIS ALYSIS

BREAKING REAKING IOS APPL PLICATIONS ICATIONS

SLIDE 10

10 10

Mac & Xcode
HTTP Proxy
Burp Suite Pro ($300)
MitM Proxy ($0)
ARM Disassembler (optional)
Hopper ($90)
IDA Pro ($600+)
Jailbroken iOS Device
SSH access

WHAT T YOU NEED TO START ART

iOS OS Prerequisites erequisites

SLIDE 11

INTERCEP TERCEPTIN TING G HTTP TP TRAFFIC AFFIC

BREAKING REAKING MOBIL ILE APPL PLICATIONS ICATIONS

SLIDE 12

12 12

PROXY XY SETT TTIN INGS

HT HTTP TP Proxy xy Se Setup tup

SLIDE 13

13 13

INTE TERCE RCEPT PTIN ING HTTP TPS TRAFFIC IC

HT HTTP TP Proxy xy Se Setup tup

SLIDE 14

14 14

INTE TERCE RCEPT PTIN ING HTTP TPS TRAFFIC IC

HT HTTP TP Proxy xy Se Setup tup

SLIDE 15

15 15

Root Intermediate Leaf

CERTIF RTIFICATE ICATE VALI LIDAT DATION ION

Th The e SS SSL L Ce Certi tificat ficate e Ch Chain ain

SLIDE 16

16 16

Root Intermediate #1 Intermediate #2 Intermediate #3 Leaf

CERTIF RTIFICATE ICATE VALI LIDAT DATION ION

SS SSL Ce Certi tificat ficate e Ch Chain in

SLIDE 17

17 17

ADDING DING A TRUS USTE TED ROOT CERTI RTIFICATE ICATE

Bur urp p Su Suite te Pro

SLIDE 18

18 18

ADDING DING A TRUS USTE TED ROOT CERTI RTIFICATE ICATE

Bur urp p Su Suite te Pro

SLIDE 19

19 19

ADDING DING A TRUS USTE TED ROOT CERTI RTIFICATE ICATE

Bur urp p Su Suite te Pro

SLIDE 20

20 20

ADDING DING A TRUS USTE TED ROOT CERTI RTIFICATE ICATE

Bur urp p Su Suite te Pro

SLIDE 21

21 21

INTE TERCE RCEPT PTIN ING HTTP TPS TRAFFIC IC

HT HTTP TP Proxy xy Se Setup tup

SLIDE 22

22 22

SECURE URE TRAF AFFIC IC INTE TERCEP CEPTION TION

HT HTTP TP Proxy xy Se Setup tup

SLIDE 23

23 23

INTE TERCE RCEPT PTIN ING HTTP TPS TRAFFIC IC

HT HTTP TP Proxy xy Se Setup tup

SLIDE 24

24 24

ACME Root ACME Intermediate Application Leaf

NON-BROWS ROWSER R CERTIF TIFICATE ICATE VALID IDATI ATION

ACM CME E Ce Certificate tificate Pinning nning

SLIDE 25

IOS OS DYNAMIC YNAMIC ANALYSIS ALYSIS

BREAKING REAKING IOS APPL PLICATIONS ICATIONS

SLIDE 26

26 26

Signed Binaries
Modifying binaries
Code injection
Runtime modification
App Sandbox
Debugging
Filesystem access

WHY WE NEED TO JAIL ILBRE REAK AK

Op Operating erating Sy System stem Se Secur curity ity Model del

SLIDE 27

DEMONST MONSTRATION RATION

CODE INJ NJECTION CTION TECHN HNIQ IQUE UES

SLIDE 28

APP P ST STOR ORE E ENCRYP CRYPTION TION

BREAKING REAKING IOS APPL PLICATIONS ICATIONS

SLIDE 29

29 29

Encrypted Binaries
AppStore
Clutch
Rasticrac
No Encryption
Provisioned Device
Test Flight, etc.

GETT TTIN ING G PLAIN AINTEXT XT BIN INS

Binary nary Enc ncryption yption

SLIDE 30

30 30

Open source (GitHub)
Decrypts iOS applications and repackages them
Saves apps in:
/var/root/Documents/Cracked
Saves apps as .ipa files (they’re just ZIPs)
Use: clutch <app name>

DECRY CRYPT PTIN ING G IOS BINARIE INARIES

Cl Clut utch ch Us Usage ge

SLIDE 31

31 31

Foobar.ipa
iTunesMetadata.

plist

iTunesArtwork
Payload/
Foobar.app
Foobar
…

NOT DELI LICIO CIOUS US BEER

Th The e IPA PA Arch chiv ive e Fo Format mat

SLIDE 32

32 32

SOFTWARE WARE VERSION ION BUNDLE ID

iTu Tune nes s Metadat etadata

SLIDE 33

33 33

I AM IN YOUR BIN INARIES ARIES CHANGING GING YOUR CODE

ARM M Disass sassemb embly ly

SLIDE 34

34 34

I AM IN UR BINARIES MODIF’IN UR UR CODE DEZ

ARM M Dec ecompiler

mpiler

SLIDE 35

35 35

JAIL ILBREAK AK DETEC TECTION TION BYPAS YPASSES

XO XOR is s Not t Ob Obfusc uscation ation

SLIDE 36

36 36

ASSEMBLE INSTRUCT TRUCTION ION

Modify difying ing ARM M Ass ssem embly bly

SLIDE 37

37 37

PRODU ODUCE CE NEW W EXECUT UTAB ABLE

Modify difying ing ARM M Ass ssem embly bly

SLIDE 38

OB OBJECTIVE ECTIVE-C HEADER ADERS

STATI ATIC C ANAL ALYSIS YSIS

SLIDE 39

39 39

OBJECTIVE CTIVE-C CLAS ASS INTE TERF RFACES ACES

Cl Class ss Dum ump

SLIDE 40

#import <XXUnknownSuperclass.h> // Unknown library @class NSString; @interface XXasymEncryptor : XXUnknownSuperclass { NSString* _publicKeyID; NSString* _privateKeyID; } @property(copy, nonatomic) NSString* privateKeyID; @property(copy, nonatomic) NSString* publicKeyID;

(id)privateQueryDict;
(id)publicQueryDict;
(void)decryptWithPrivateKey;
(void)encryptWithPublicKey;
(void)KeysPlease;
(id)decryptData:(id)data;
(id)encryptData:(id)data;
(id)init;

@end

SLIDE 41

#import <XXUnknownSuperclass.h> // Unknown library @class NSString; @interface XXasymEncryptor : XXUnknownSuperclass { NSString* _publicKeyID; NSString* _privateKeyID; } @property(copy, nonatomic) NSString* privateKeyID; @property(copy, nonatomic) NSString* publicKeyID;

(id)privateQueryDict;
(id)publicQueryDict;
(void)decryptWithPrivateKey;
(void)encryptWithPublicKey;
(void)KeysPlease;
(id)decryptData:(id)data;
(id)encryptData:(id)data;
(id)init;

@end

Hmmmm…

SLIDE 42

MOB OBILE ILE SU SUBSTRAT STRATE

CODE INJ NJECTION CTION TECHN HNIQ IQUE UES

SLIDE 43

43 43

MESSAGE AGE PASSIN ING

Th The e Ob Objective ective-C C Runtime untime

iOS App Call Type? Native C Obj C

bjc_msgSend

Execute Code

SLIDE 44

44 44

MESSAGE AGE PASSIN ING

Th The e Ob Objective ective-C C Runtime untime

iOS App Call Type? Native C Execute Code Obj C

bjc_msgSend

Mobile Substrate

(Our code runs here)

SLIDE 45

45 45

BYPASSIN PASSING G COMMON ON DETE TECTION CTION METH THOD ODS

Jailbr break eak Det etec ection tion Co Code de

Fork()
Stat() / Lstat()
Cydia
/apt/
Etc
dyld_count()
dyld_get_image_name()

SLIDE 46

46 46

BYPASSING COMMON DETECTION METHODS

Jailbr break eak Det etec ection tion Co Code de

@class NSString; @interface DeviceSecurity: { BOOL _jbstatus; } @property(assign, nonatomic) BOOL jbstatus; +(BOOL)isJailbroken; @end

SLIDE 47

47 47

CLASS AND METHOD HOOKING

Th Theos eos + Lo + Logos gos + Mo + Mobi bile le Su Substrat bstrate

#import "substrate.h" %hook DeviceSecurity

(BOOL) isJailbroken {

%log; // Logos built-in logging return NO; // Return FALSE } %end

SLIDE 48

48 48

“TRUST ME” BYPASS

Ce Certifi tificat cate e Bypasse passes

#import "substrate.h" /* New function definition */ OSStatus new_SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result) { *result = kSecTrustResultProceed; return errSecSuccess; } %ctor { /* Hook the function */ MSHookFunction((void *)SecTrustEvaluate, (void *)new_SecTrustEvaluate, (void **)&original_SecTrustEvaluate); }

SLIDE 49

CY CYCR CRIPT PT

RUNT NTIM IME MODI DIFICATION ICATION

SLIDE 50

50 50

JavaScript REPL
JavaScript + Cycript

language extensions

Objective-C runtime

is merged into the REPL

Attach to running

apps

RUNTIM TIME MODI DIFICATION ICATION TECHNIQUE HNIQUES

Cy Cycr cript pt is s Black ck Magic gic

SLIDE 51

51 51

ATTACHING TO A PROCESS

Cy Cycr cript pt Basics sics

iphone:~root# cycript –p AlienBlue cy# UIApp @"<UIApplication: 0x8ba2c0>" cy# UIApp.keyWindow.delegate @"<CustomNavigationController: 0x836900>" cy# ui(UIApp.keyWindow, "Foobar") <UILabel: 0x82f0d0; frame = (132 12; 55 21); text = 'Foobar'; clipsToBounds = YES; userInteractionEnabled = NO; layer = <CALayer: 0x82f190>>

SLIDE 52

52 52

ATTACHING TO A PROCESS

Cy Cycr cript pt Basics sics

cy# var label = new Instance(0x82f0d0) @"<UILabel: 0x82f0d0; frame = (132 12; 55 21); text = 'Reddits'; clipsToBounds = YES; userInteractionEnabled = NO; layer = <CALayer: 0x82f190>>” cy# label.text @"Foobar" cy# label.text = @"Barfoo" @"Barfoo"

SLIDE 53

DEMONST MONSTRATION RATION

CYCRIPT RIPT IN ACTIO ION

SLIDE 54

SLIDE 55

ISP SPY

WELCO LCOME ME TO THE FUTURE RE

SLIDE 56

56 56

Under Activ tive Develo lopme pment nt

Easy to use Web GUI
Class dumps / Instance

tracking

Automatic jailbreak-detection

bypasses

Automatic SSL certificate

pinning bypasses

Re-implemented
bjc_msgSend
Automatic detection of

vulnerable function calls

Easy to use soft-breakpoints
More on the way!

YOUR ONE-STOP-SHO HOP P FOR IOS HACKIN ING

iSp Spy Ass ssess essmen ent t Fr Framework mework

SLIDE 57

DEMONST MONSTRATION RATION

ISPY IN ACTIO ION

SLIDE 58

58 58

GITHUB REPOS

iSp Spy

https://github.com/BishopFox

SLIDE 59

CO COUNTER NTER- MEASURES SURES

PROTEC TECTIN TING IOS APPL PLICATIONS ICATIONS

SLIDE 60

60 60

1. Security code

1. Assembly and/or C 2. Inline functions 3. Objective-C obfuscation

2. Certificate pinning

1. Whitelist root authorities

3. Change release

Metaforic – Commercial
AppMinder – BSD Licensed

a) http://appminder.nesolabs.de/

ON DISK K & IN MEMORY RY

Defense efense Aga gains inst t th the e Dark rk Arts ts

SLIDE 61

61 61

FREE ‘N EASY OBFUSCATION

AppMind Minder er

SLIDE 62

ANDROID DROID APP P SE SECU CURITY RITY

JAVA VA JAVA VA JAVA A JAVA VA JAVA VA JAVA

SLIDE 63

63 63

Linux / Mac / Windows
HTTP Proxy
Burp Suite Pro ($300)
MitM Proxy ($0)
ADT Eclipse Bundle
Substrate plug-in
Procyon (Java decompiler)
Dex2jar (bytecode converter)
Rooted Device
Cydia Substrate

WHAT T YOU NEED TO START ART

And ndroid

id Prerequisites

erequisites

SLIDE 64

64 64

APKs are signed
Not encrypted
APK Extractor
Direct Download

GOOGLE LE PLAY AY STORE RE

And ndroid

id Applicat

ication

n Package

ckages

SLIDE 65

65 65

GETT TTIN ING G SOURCE CE CODE DE

Dec ecompili

mpiling

ng Dalvi lvik Bytecode tecode

SLIDE 66

66 66

TWO STEP DECO COMP MPIL ILATI ATION

Dex ex2jar 2jar + + Procyon cyon

$ dex2jar Foobar.apk dex2jar foobar.apk -> Foobar-dex2jar.jar $ procyon –jar Foobar-dex2jar.jar –o src/ Decompiling com/foobar/Parser... Decompiling com/foobar/XMLWriter...

SLIDE 67

67 67

SOURCE RCE SORTA TA

Dec ecompiled

mpiled And

ndroid

id Co

Code de

SLIDE 68

DYNAMIC NAMIC ANALYS ALYSIS IS

ON ANDRO DROID ID

SLIDE 69

69 69

APPL PLICATION ICATION INSTANTIAT TANTIATION ION

Th The e And ndroi roid d Zy Zygot gote

SLIDE 70

70 70