checkerios6.1.3越狱
ios6.1.3越狱 时间:2021-05-24 阅读:()
Copyright2015KRvWAssociates,LLCKenvanWyk,ken@krvw.
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55
- checkerios6.1.3越狱相关文档
- slowios6.1.3越狱
- x001a54e8ios6.1.3越狱
- 支持ios6.1.3越狱
- 支持ios6.1.3越狱
- 连接ios6.1.3越狱
- 编码ios6.1.3越狱
vpsdime7美元/月,美国达拉斯Windows VPS,2核4G/50GB SSD/2TB流量/Hyper-V虚拟化
vpsdime怎么样?vpsdime是2013年成立的国外VPS主机商,以大内存闻名业界,主营基于OpenVZ和KVM虚拟化的Linux套餐,大内存、10Gbps大带宽、大硬盘,有美国西雅图、达拉斯、新泽西、英国、荷兰机房可选。在上个月搞了一款达拉斯Linux系统VPS促销,详情查看:vpsdime夏日促销活动,美国达拉斯vps,2G内存/2核/20gSSD/1T流量,$20/年,此次推出一款Wi...
极光KVM(限时16元),洛杉矶三网CN2,cera机房,香港cn2
极光KVM创立于2018年,主要经营美国洛杉矶CN2机房、CeRaNetworks机房、中国香港CeraNetworks机房、香港CMI机房等产品。其中,洛杉矶提供CN2 GIA、CN2 GT以及常规BGP直连线路接入。从名字也可以看到,VPS产品全部是基于KVM架构的。极光KVM也有明确的更换IP政策,下单时选择“IP保险计划”多支付10块钱,可以在服务周期内免费更换一次IP,当然也可以不选择,...
ParkinHost:俄罗斯离岸主机,抗投诉VPS,200Mbps带宽/莫斯科CN2线路/不限流量/无视DMCA/55折促销26.4欧元 /年起
外贸主机哪家好?抗投诉VPS哪家好?无视DMCA。ParkinHost今年还没有搞过促销,这次parkinhost俄罗斯机房上新服务器,母机采用2个E5-2680v3处理器、128G内存、RAID10硬盘、2Gbps上行线路。具体到VPS全部200Mbps带宽,除了最便宜的套餐限制流量之外,其他的全部是无限流量VPS。ParkinHost,成立于 2013 年,印度主机商,隶属于 DiggDigi...
ios6.1.3越狱为你推荐
-
互联网周鸿祎菏泽市牡丹区实验小学followgoogleAssumegraph支持ipadpublicationethics.org孩子appleeacceleratoreaccelerator.shm_size设置多少合适呢?itunes备份itunes就是备份不了怎么办啊ipad上网ipad上网速度很慢怎么回事?