checkerios6.1.3越狱
ios6.1.3越狱 时间:2021-05-24 阅读:()
Copyright2015KRvWAssociates,LLCKenvanWyk,ken@krvw.
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55
- checkerios6.1.3越狱相关文档
- slowios6.1.3越狱
- x001a54e8ios6.1.3越狱
- 支持ios6.1.3越狱
- 支持ios6.1.3越狱
- 连接ios6.1.3越狱
- 编码ios6.1.3越狱
腾讯云2核4GB内存8M带宽 年74元
一般大厂都是通过首年才有可以享受爆款活动,然后吸引我们注册他们商家达到持续续费和购买的目的。一般只有大厂才能有这样的魄力和能力首年亏本,但是对于一般的公司和个人厂家确实难过,这几年确实看到不少的同类商家难以生存。这里我们可以看到有对应的套餐方案。不过这两个套餐都是100%CPU独享的,不是有某云商家限制CPU的。但是轻量服务器有个不好的就是带宽是较大且流量是限制的额,分别是1GB和1.2TB月流量...
FlashFXP FTP工具无法连接主机常见原因及解决办法
目前,我们都在用哪个FTP软件?喜欢用的是WinSCP,是一款免费的FTP/SFTP软件。今天在帮助一个网友远程解决问题的时候看到他用的是FlashFXP FTP工具,这个工具以前我也用过,不过正版是需要付费的,但是网上有很多的绿色版本和破解版本。考虑到安全的问题,个人不建议选择破解版。但是这款软件还是比较好用的。今天主要是遇到他的虚拟主机无法通过FTP连接主机,这里我就帮忙看看到底是什么问题。一...
青云互联-洛杉矶CN2弹性云限时五折,9.5元/月起,三网CN2gia回程,可选Windows,可自定义配置
官方网站:点击访问青云互联官网优惠码:五折优惠码:5LHbEhaS (一次性五折,可月付、季付、半年付、年付)活动方案:的套餐分为大带宽限流和小带宽不限流两种套餐,全部为KVM虚拟架构,而且配置都可以弹性设置1、洛杉矶cera机房三网回程cn2gia 洛杉矶cera机房 ...
ios6.1.3越狱为你推荐
-
unityios10Assumegraph机动车diandian步骤iosipadwifiipad插卡版和wifi版有什么区别,价格差的多么?win10445端口怎么样打开电脑10800端口迅雷快鸟迅雷快鸟是做什么用的,,,win7关闭135端口如何关闭135端口,关闭它有什么影响么?chromeframe谷歌浏览器(Chrome) 与(Chromium) 有什么区别?哪个更快?苹果5.1完美越狱iOS5.1.1完美越狱教程