Copyright2015KRvWAssociates,LLCKenvanWyk,ken@krvw.
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55
A2Hosting主机,A2Hosting怎么样?A2Hosting是UK2集团下属公司,成立于2003年的老牌国外主机商,产品包括虚拟主机、VPS和独立服务器等,数据中心提供包括美国、新加坡softlayer和荷兰三个地区机房。A2Hosting在国外是一家非常大非常有名气的终合型主机商,拥有几百万的客户,非常值得信赖,国外主机论坛对它家的虚拟主机评价非常不错,当前,A2Hosting主机庆祝1...
轻云互联怎么样?轻云互联,广州轻云网络科技有限公司旗下品牌,2018年5月成立以来,轻云互联以性价比的价格一直为提供个人,中大小型企业/团队云上解决方案。本次轻云互联送上的是美国圣何塞cn2 vps(免费50G集群防御)及香港沙田cn2 vps(免费10G集群防御)促销活动,促销产品均为cn2直连中国大陆线路、采用kvm虚拟技术架构及静态内存。目前,轻云互联推出美国硅谷、圣何塞CN2GIA云服务器...
公司成立于2021年,专注为用户提供低价高性能云计算产品,致力于云计算应用的易用性开发,面向全球客户提供基于云计算的IT解决方案与客户服务,拥有丰富的国内BGP、三线高防、香港等优质的IDC资源。公司一直秉承”以人为本、客户为尊、永续创新”的价值观,坚持”以微笑收获友善, 以尊重收获理解,以责任收获支持,以谦卑收获成长”的行为观向客户提供全面优质的互...
ios6.1.3越狱为你推荐
在线考试系统要求及使用说明政协晋城市委员会主办legraph支持ipad支持ipad支持ipad支持ipad支持ipad张女士苹果5photoshop技术PS技术是干什么的,如何使用PS技术?
什么是域名 cn域名注册 备案域名出售 hostmonster 国外服务器 英文简历模板word win8升级win10正式版 php免费空间 浙江独立 免费个人网站申请 华为网络硬盘 isp服务商 昆明蜗牛家 国外ip加速器 美国独立日 登陆空间 smtp服务器地址 什么是web服务器 数据库空间 阿里云邮箱登陆地址 更多