x001a54e8ios6.1.3越狱
ios6.1.3越狱 时间:2021-05-24 阅读:()
.
.
.
.
.
.
.
SecureDevelopmentoniOSAdvicefordevelopersandpenetrationtestersDavidThielSOURCEBoston2011DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20111/68Outline.
.
.
1IntrotoiOS.
.
.
2Objective-CPrimer.
.
.
3TestingSetup.
.
.
4Security-RelevantAPIsTLSandNetworkingDataStorageTheKeychainBackgroundingIPCAppURLsCopy/Paste.
.
.
5UDIDs.
.
.
6CommonAttackScenariosOldCStuNewObjective-CStu.
.
.
7SecurecodingchecklistDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20112/68IntroMyperspectiveisthatofapenetrationtester(notdeveloper)InfohereisideallyofusetobothtestersanddevelopersAssumeslittletonoiOSknowledgeFocusisappsecurity,notOSsecurityTakeaways:beablexorbreakyourownorothers'iOSappsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20113/68IntrotoiOSIntrotoiPhoneiPhoneConceptualDesignDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20114/68IntrotoiOSIntrotoiOSIt'sanOS,butwithaniHigh-levelAPI,"CocoaTouch"DevelopmentinXCodeSoyes,youneedaMaciOSSimulator(notemulator)CompilesiOSappstonativecodetorunlocallyApplicationswrittenprimarilyinObjective-CDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20115/68Objective-CPrimerObjective-CHowtospotitfromaverylongwayawayC+Smalltalk…ishUses"inx"notation:[ObjectmessagePassedToObject:argument];Itisnottoeveryone'stastesSomeofushaveveryrenedtastesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20116/68Objective-CPrimerObjective-Cin1slideDeningInterfaces@interfaceClassname:NSParentObject{SomeTypeaThing;//instancevariables}+(type)classMethod:(vartype)myVariable;-(type)instanceMethod:(vartype)myVariable;@endThesegoin.
hles,anddenethestructureofobjects(likeCstructs).
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20117/68Objective-CPrimerObjective-Cin2slidesAlternativeinterfacedeclaration#import"NSParentClass.
h"@interfaceClassname:NSParentClass{@publicNSURL*blorg;@privateNSString*gurgle;}@property(readonly)NSURL*blorg;@property(copy)NSString*gurgle;Thisisthe"2.
0"waytodeclareinterfaces.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20118/68Objective-CPrimerObjective-Cin3slidesorsoInxanddotnotation@implementationClassname@synthesizeblorg;//generatesset/getmethods@synthesizegurgle;Instance*myInstance=[[Instancealloc]init];[myInstancesetGurgle:@"eep"];//infixnotationmyInstance.
gurgle=@"eep";//dotnotationThisisthe"implementation",storedin.
mles.
@synthesizecreatesgetter/settermethodsforproperties.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20119/68Objective-CPrimerObjective-CNotsubclassingCategoriesSimplemethodforaddingfunctionalitytoclasseswithoutsubclassingJustdeneanew@interfaceandimplementationwithnewmethods@implementationNSURL(CategoryName)-(BOOL)isPurple;{if([selfisColor:@"purple"])returnYES;elsereturnNO;}@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201110/68Objective-CPrimerMemoryManagementRetain/ReleaseNogarbagecollectioniniOSMusttrackwith"retain"and"release"methodsClassname*myClass=[[Classnamealloc]init];//Retaincount:1.
.
.
//Canbeshortenedto//[Classnamenew];[myClassrelease];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201111/68TestingSetupXCodeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201112/68TestingSetupTestingSetupInterceptingsecurecommunicationsStandardproxyinterceptwon'tworkCerterrorsareahardfailureOptions:ChangesourcetouseHTTPUsedevice+certforproxyUsesimulatorwith→proxy→realsiteDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201113/68TestingSetupStunnelcong;SSLclientmodeclient=yes;service-levelconfiguration[https]accept=127.
0.
0.
1:80connect=10.
10.
1.
50:443TIMEOUTclose=0DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201114/68TestingSetupProxyCongDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201115/68TestingSetupTheSandboxMechanismSeatbeltaka"Seatbelt"BaseduponTrustedBSDMACframeworkUnlikeAndroid'sUID-basedsegregation,appsrunasoneuserSeatbeltpoliciesprovideneededsegregation.
Probably.
SandboxpoliciesnowcompiledandrolledintothekernelOnjailbrokendevices,sandboxnolongerappliesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201116/68TestingSetupTheSandboxMechanismJailbreakingOnjailbrokendevices,sandboxnolongerappliesHowever,devsforsideloadedappscanvoluntarilyhopintoone1DocumentedprolesforOSX:kSBXProfileNoNetwork(="nonet")kSBXProfileNoInternet(="nointernet")kSBXProfilePureComputation(="pure-computation")kSBXProfileNoWriteExceptTemporary(="write-tmp-only")kSBXProfileNoWrite(="nowrite")1http://iphonedevwiki.
net/index.
php/SeatbeltDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201117/68TestingSetupTheSandboxMechanismJailbreakDetectionNomoreocialApplejailbreakdetectionAPIIfyoumustdeterminewhetheradeviceisjailbroken,somepossiblechecks:/bin/bash/bin/ssh/private/var/lib/aptButdiscriminatingagainstjailbrokendevicesisnotnecessarilyagreatideaAndAppleappreviewmayagitDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201118/68TestingSetupBinaryAnalysisUsefulforblackboxtestingorself-testingDisassemblyofMach-ObinaryformatquitecleanSeveralusefultools:otool,otx,class-dumpUseforreversingotherapplications,orndingwhatinfowouldbeavailabletoathirdpartyObfuscationisgenerallyprettyfutile,butespeciallyinObjCEncryptedbinarieseasilydumped22http://www.
246tnt.
com/iPhone/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201119/68TestingSetupBinaryAnalysisotoolotool-toV/Applications/iCal.
app/Contents/MacOS/iCal/Applications/iCal.
app/Contents/MacOS/iCalObjective-CsegmentModule0x22b52c.
.
.
ClassDefinitionsdefs[0]0x00204360isa0x0020a560super_class0x001a5f44CALCanvasItemname0x001c6574CALCanvasAttributedText.
.
.
ivars0x00224300ivar_count13ivar_name0x001a54e2_textivar_type0x001a53d0@"NSMutableAttributedString"ivar_offset0x0000012civar_name0x001a54e8DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201120/68TestingSetupBinaryAnalysisotxhttp://otx.
osxninja.
com/-(BOOL)[NSString(NSStringExtras)isFeedURLString]+00000348855pushl%ebp+10000348989e5movl%esp,%ebp+30000348b53pushl%ebx+40000348c83ec14subl$0x14,%esp+70000348f8b5d08movl0x08(%ebp),%ebx+1000003492c744240844430700movl$0x00074344,0x08(%esp)feed:+180000349aa180a00700movl0x0007a080,%eax_web_hasCaseInsensitivePrefix:+230000349f89442404movl%eax,0x04(%esp)+27000034a3891c24movl%ebx,(%esp)+30000034a6e850420800calll0x000876fb-[(%esp,1)_web_hasCaseInsensitivePrefix:]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201121/68TestingSetupBinaryAnalysisclass-dumphttp://iphone.
freecoder.
org/classdump_en.
html(orviaCydia)class-dump-x/Developer/Platforms/iPhoneSimulator.
platform/Developer/SDKs/iPhoneSimulator3.
0.
sdk/Applications/MobileSafari.
app@protocolCALCanvasTextProtocol-(id)attributes;-(id)foregroundColor;-(float)fontSize;@end@protocolCALDetachmentDelegate-(int)decideDetachmentFor:(id)fp8withOccurrence:(id)fp12;@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201122/68TestingSetupStaticAnalysisXCode&ClangClanganalyzermergedintoXCode"Build&Analyze"optionIdentiesmemoryleakage,use-after-free,etc.
Note:insomerecentXCodeversions,AnalyzerresultsonlyshowfordeviceSDKbuilds.
MehDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201123/68TestingSetupStaticAnalysisOutputDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201124/68AppStructureLocalStorageKeyboardCachingKeyboardcacheusedforformautocompletion/root/Library/Keyboard/dynamic-text.
datAlreadydisabledforpasswordeldsShouldbedisabledforanypotentiallysensitiveeldsSetUITextFieldpropertyautocorrectionType=UITextAutocorrectionNoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201125/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingStandardmethodforworkingwithURLsSSL/TLShandledproperly!
Bypassingfailedvericationnotallowedbydefault.
So,ofcourse,peopleturnitoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201126/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingCheckforNSURLRequestvericationbypassviasetAllowsAnyHTTPSCertificateSSLvericationbypassviaNSURLConnectiondelegationSearchforcontinueWithoutCredentialForAuthenticationChallenge3Extrabonusstupid:DenecategorymethodtoslipbyApple'sprivateAPIchecks43http://stackoverflow.
com/questions/933331/4http://stackoverflow.
com/questions/2001565/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201127/68Security-RelevantAPIsTLSandNetworkingNetworkingNSStreamsGoodfornon-HTTPtracorgoingslightlylower-level//FirstwedefinethehosttobecontactedNSHost*myhost=[NSHosthostWithName:[@"www.
conglomco.
com"]];//Thenwecreate[NSStreamgetStreamsToHost:myhostport:443inputStream:&MyInputStreamoutputStream:&MyOutputStream];[MyInputStreamsetProperty:NSStreamSocketSecurityLevelTLSv1//NoteforKey:NSStreamSocketSecurityLevelKey];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201128/68Security-RelevantAPIsTLSandNetworkingNetworkingCFStreamsSlightlylower-levelstillSecuritydenedbykCFStreamPropertySSLSettingsHassadsetofconstants¨CFStringRefkCFStreamSSLLevel;CFStringRefkCFStreamSSLAllowsExpiredCertificates;CFStringRefkCFStreamSSLAllowsExpiredRoots;CFStringRefkCFStreamSSLAllowsAnyRoot;CFStringRefkCFStreamSSLValidatesCertificateChain;CFStringRefkCFStreamSSLPeerName;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201129/68Security-RelevantAPIsDataStorageLocalDataStorageTheVariousMechanismsAfewwaysdataisstored(andpotentiallyexposed):SQLiteCoreDataInternally,SQLiteCookiemanagementCachesplistsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201130/68Security-RelevantAPIsAppLayoutAnatomyofanApp/Library/ApplicationSupport/iPhoneSimulator/Applications/(appID).
/Documents→properties,logs.
/Library/Caches→cacheythings.
/Library/Caches/Snapshots→screenshotsofyourapp.
/Library/Cookies→cookieplists.
/Library/Preferences→variouspreferenceplists.
/Library/WebKit→WebKitlocalstorage.
/Appname.
app→appresources:binary,graphics,nibs,Info.
plist.
/tmp→tmpDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201131/68Security-RelevantAPIsAppLayoutCookiesNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainOrOtherAuthoritativeSoundingPeopleByAppManipulatedbytheURLloadingsystemCanaltercookieAcceptPolicyto:NSHTTPCookieAcceptPolicyNeverNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainNotethatthismayaectotherrunningapplicationsInOSX,cookiesandcookiepolicyaresharedamongappsIniOS,onlycookiepolicyissharedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201132/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionDynamicSQLNSString*uid=[myHTTPConnectiongetUID];NSString*statement=[NSStringStringWithFormat:@"SELECTusernameFROMuserswhereuid='%@'",uid];constchar*sql=[statementUTF8String];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201133/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionParameterizedSQLconstchar*sql="SELECTusernameFROMuserswhereuid=";sqlite3_prepare_v2(db,sql,-1,&selectUid,NULL);sqlite3_bind_int(selectUid,1,uid);intstatus=sqlite3_step(selectUid);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201134/68Security-RelevantAPIsAppLayoutCachingHTTP&HTTPSrequestscachedbydefaultCanbepreventedbyNSURLConnectiondelegate-(NSCachedURLResponse*)connection:(NSURLConnection*)connectionwillCacheResponse:(NSCachedURLResponse*)cachedResponse{NSCachedURLResponse*newCachedResponse=cachedResponse;if([[[[cachedResponseresponse]URL]scheme]isEqual:@"https"]){newCachedResponse=nil;}returnnewCachedResponse;}DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201135/68Security-RelevantAPIsAppLayoutGeolocationBestPracticesUseleastdegreeofaccuracynecessaryCheckforgracefulhandlingoflocationServicesEnabledandauthorizationStatusmethodresponsesIfyoudon'twanttohandlesubpoenasfromdivorcelawyers:Don'tloglocallyAnonymizeserver-sidedataPrunelogsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201136/68Security-RelevantAPIsAppLayoutGeolocationAccuracySettingsSeveralaccuracyconstants:CLLocationAccuracykCLLocationAccuracyBestForNavigation;CLLocationAccuracykCLLocationAccuracyBest;CLLocationAccuracykCLLocationAccuracyNearestTenMeters;CLLocationAccuracykCLLocationAccuracyHundredMeters;CLLocationAccuracykCLLocationAccuracyKilometer;CLLocationAccuracykCLLocationAccuracyThreeKilometers;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201137/68Security-RelevantAPIsTheKeychainTheKeychainKeychainiswheresecretstugoesArgh!
DonotstorethisdatainNSUserDefaults!
Encryptedwithdevice-specickeyApps"can'tread",notincludedinbackupsSimplerAPIthanOSX:SecItemAdd,SecItemUpdate,SecItemCopyMatchingNotavailableinsimulatorforpre-4.
0←causeit'sgotkeysinit,seeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201138/68Security-RelevantAPIsTheKeychainTheKeychainKeyprotectionPassanappropriatekSecAttrAccessiblevaluetoSecItemAdd:CFTypeRefkSecAttrAccessibleWhenUnlocked;CFTypeRefkSecAttrAccessibleAfterFirstUnlock;CFTypeRefkSecAttrAccessibleAlways;CFTypeRefkSecAttrAccessibleWhenUnlockedThisDeviceOnly;CFTypeRefkSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;CFTypeRefkSecAttrAccessibleAlwaysThisDeviceOnly;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201139/68Security-RelevantAPIsTheKeychainTheKeychainSharedkeychainsForusingthesamekeychainamongdierentapps5UsedbysettingkSecAttrAccessGrouponinitAppsmusthavesamekeychain-access-groupsAppscanonlyhaveoneaccessgroupOnjailbrokenphone…allbetso5http://useyourloaf.
com/blog/2010/4/3/keychain-group-access.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201140/68Security-RelevantAPIsTheKeychainTheKeychainCerticatesOndevice,canbeinstalledviae-mail,SafarioriTunessyncOnoldersimulators,nosuchluckCertsstillveried,butnowaytoinstallnewonesSincethey'restoredintheKeychainStubsnecessaryfordetectingsimulatorvs.
deviceDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201141/68Security-RelevantAPIsTheKeychainDataProtectionImprovingleandkeychainprotectionBydefault,dataencryptedwith"hardware"keyIniOS4,"hardware"keycansupplementedwithPINDeveloperscanalsomarklesas"protected"Filesencrypted,unreadablewhiledeviceislockedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201142/68Security-RelevantAPIsTheKeychainDataProtectionUsage2methodsforenablingPassNSDataWritingFileProtectionCompletetowriteToFilemethodofNSDataobjectSetNSFileProtectionKeytoNSFileProtectionCompleteonNSFileManagerobjectAgain,datanotaccessiblewhendeviceislockedCheckfordataavailabilitybeforeuse6CleanupwhenUIApplicationProtectedDataWillBecomeUnavailable6http://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/StandardBehaviors/StandardBehaviors.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201143/68Security-RelevantAPIsTheKeychainEntropyHowdoesitworkUsingCocoa,not/dev/randomGatheredviaSecRandomCopyBytesAgain,doesnotworkinsimulatorObviously,rand(),random(),arc4random()areallnon-startersintresult=SecRandomCopyBytes(kSecRandomDefault,sizeof(int),(uint8_t*)&randomResult);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201144/68Security-RelevantAPIsBackgroundingBackgroundingInitiatingBackgroundTasksProbablymostsecurity-relevantAPIiniOS4.
0UsebeginBackgroundTaskWithExpirationHandlermethodtoinitiatebackgroundtasksNeedsmatchingendBackgroundTaskmethodRemainingtasktimestoredinbackgroundTimeRemainingpropertyDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201145/68Security-RelevantAPIsBackgroundingBackgroundingConcernsNote:appissnapshotteduponbackgroundingPriortothis,applicationshouldremoveanysensitivedatafromviewUsesplashscreenorsethiddenoralphapropertiesofUIWindowDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201146/68Security-RelevantAPIsBackgroundingBackgroundingStateTransitionsDetectstatetransitionsKeystatetransitionmethods:application:didFinishLaunchingWithOptions:applicationDidBecomeActive:applicationWillResignActive:applicationDidEnterBackground:applicationWillEnterForeground:applicationWillTerminate:DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201147/68Security-RelevantAPIsIPCIPCApplicationURLSchemesAppscanregistertheirownURLhandlers—addedbyeditingtheplist,usuallyfromXCodeCalledjustlikeanyURL,withmultipleparameters,e.
g.
openURL:[NSURLURLWithString:@"myapp://foo=urb&blerg=gah"];CanbecalledbyapporwebpageWithoutuserconrmation…ParamsaccessibletoreceivingappviaadelegateDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201148/68Security-RelevantAPIsIPCIPCApplicationURLSchemesDeprecateddelegationmethod:-(BOOL)application:(UIApplication*)applicationhandleOpenURL:(NSURL*)urlNewmethod:-(BOOL)application:(UIApplication*)applicationopenURL:(NSURL*)urlsourceApplication:(NSString*)sourceApplicationannotation:(id)annotationAllowsfordeterminingcallingapplication,receivesdatainplistformObviously,sanitizationiskeyhere,especiallygiven…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201149/68Security-RelevantAPIsIPCIPCURLhandlerconictsWhathappensiftwoappsusethesamehandlerIfanAppleappusesit:AppleapplaunchesThird-partyapps:"Undened""IfyourURLtypeincludesaschemethatisidenticaltoonedenedbyApple,theApple-providedapplicationthathandlesaURLwiththatscheme(forexample,"mailto")islaunchedinsteadofyourapplication.
IfaURLtyperegisteredbyyourapplicationincludesaschemethatconictswithaschemeregisteredbyanotherthird-partyapplication,theapplicationthatlaunchesforaURLwiththatschemeisundened.
"Maygotothelastclaimingapp…ew.
Hence:bewaryofpassingprivatedatainappURLsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201150/68Security-RelevantAPIsIPCIPCPushNoticationsRegisteringfornotications:[[UIApplicationsharedApplication]registerForRemoteNotificationTypes:(UIRemoteNotificationTypeBadge|UIRemoteNotificationTypeSound)];Receivingnotications:-(void)application:(UIApplication*)applicationdidReceiveRemoteNotification:(NSDictionary*)userInfo-(BOOL)application:(UIApplication*)applicationdidFinishLaunchingWithOptions:(NSDictionary*)launchOptionsCheckforvalidationofuserInfoandlaunchOptionsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201151/68Security-RelevantAPIsIPCCopy/PastePasteboardsObligatorydigatApplere:copy/pastedebacle2systemUIPasteboardaccessmethods:UIPasteboardNameGeneral&UIPasteboardNameFindPasteboardsmarked"persistent"willbekeptinlocalstorageDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201152/68Security-RelevantAPIsIPCCopy/PastePasteboardsAlso"private"applicationpasteboards,which(intrueObjective-Cform)arenotinanyway"private"OccasionallyusedasIPChackMigratingdatafromfree→paidappIsawonesuggestiontotransferprivatekeyswiththepasteboard¨Bottomline:avoidsensitivedatahere&cleanupafteryourselfClearpasteboardonapplicationWillTerminatepasteBoard.
items=nilDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201153/68Security-RelevantAPIsIPCCopy/PasteExampleAbuseHownottopasteboard:TwitterOAuthlibrary7-(void)pasteboardChanged:(NSNotification*)note{UIPasteboard*pb=[UIPasteboardgeneralPasteboard];if([note.
userInfoobjectForKey:UIPasteboardChangedTypesAddedKey]==nil)return;NSString*copied=pb.
string;if(copied.
length!
=7||!
copied.
oauthtwitter_isNumeric)return;[selfgotPin:copied];}73rd-partylibrary,notbyTwitterDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201154/68Security-RelevantAPIsIPCCopy/PasteDisablingitPossiblemitigation:Foreldswithsensitivedata,disablecopy/pastemenu-(BOOL)canPerformAction:(SEL)actionwithSender:(id)sender{UIMenuController*menuController=[UIMenuControllersharedMenuController];if(menuController){[UIMenuControllersharedMenuController].
menuVisible=NO;}returnNO;}Canalsodisablemenuitemsindividually88http://stackoverflow.
com/questions/1426731/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201155/68UDIDsUDIDsUseandAbuseUniqueidentierderivedfromhardwareinformationOftenabusedasausertrackingmechanism9OccasionallyabusedasanauthenticatorSee:TapulousContrarytopopularbelief,thisismutable9http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201156/68UDIDsUDIDsUDIDFakeravailableonCydiaDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201157/68UDIDsUDIDsDon'tusethem.
Summary:Don'trelyonUDIDforanythingeverDon'tuseitfortracking,itgetsyoubadpressIfyoureallyneedtotrackusers,usehashofUDID+saltCheckcodeforuseof[[UIDevicecurrentDevice]uniqueIdentifier]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201158/68CommonAttackScenariosOldCStuClassicCAttacksNothingnewhereStillhasthesameclassicissuesBueroverowsIntegerissues,especiallywithmalloc()Whyareyoumalloc'ing,grandpaWeareinthefuturehereSanitizeintcalculationswithcheckint(3)Double-freesFormatstringsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201159/68CommonAttackScenariosNewObjective-CStuObjectuseafterreleaseExploitable!
Undersomecircumstances.
10Procedure:ReleaseobjectReleasesomeotherobjectAllocatespaceofsamesizeasrstobjectWriteyourcodetothenewbuer…Sendmessageorreleasetooriginalobject10http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201160/68CommonAttackScenariosNewObjective-CStuiOS&FormatStringswithFormat/appendingFormatfamily%xworks—%ndoesnot¨%ndoesstillworkwithregularCcode…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201161/68CommonAttackScenariosNewObjective-CStuFormatStringsFormatstringconfusionFoundonpentest:NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:[UtilityClassformatStuff:unformattedStuff.
text]];Bzzt.
NSStringobjectsaren'tmagicallysafe.
NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:UtilityClassformatStuff:unformattedStuff.
text]];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201162/68CommonAttackScenariosNewObjective-CStuFormatStringsLikelyculprits[NSString*WithFormat][NSStringstringByAppendingFormat][NSMutableStringappendFormat][NSAlertalertWithMessageText][NSException][NSLog]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201163/68SecurecodingchecklistSecurecodingchecklistOrpenetrationtester'shitlistHTTPSusedandcorrectlycongured(i.
e.
notbypassedbydelegationorsetAllowsAnyHTTPSCertificate)AllformatstringsproperlydeclaredGeneralCissues(malloc(),str*,etc.
)Anythird-partyC/C++codeissuspectEntropygatheredcorrectlySecurebackgroundingDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201164/68SecurecodingchecklistSecurecodingchecklistContinuedUIPasteBoardsnotleakingsensitivedataCorrectobjectdeallocation,nouse-after-releaseURLhandlerparameterssanitizedSecurekeychainusageNoinappropriatedatastoredonlocallesystemCFStream,NSStream,NSURLinputssanitized/encodedNodirectuseofUDIDDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201165/68QuestionsQ://.
.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201166/68AppendixForFurtherReadingForFurtherReadingIH.
Dwivedi,C.
Clark,D.
ThielMobileApplicationSecurity.
McGrawHill,2010NeilArchibaldSTOP!
!
!
Objective-CRun-TIME.
http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfApple,Inc.
iOSApplicationProgrammingGuidehttp://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Introduction/Introduction.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201167/68AppendixForFurtherReadingForFurtherReadingIIOtherresourceshttp://culater.
net/wiki/moin.
cgi/CocoaReverseEngineeringhttp://www.
musicalgeometry.
com/archives/872http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201168/68
.
.
.
.
.
.
SecureDevelopmentoniOSAdvicefordevelopersandpenetrationtestersDavidThielSOURCEBoston2011DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20111/68Outline.
.
.
1IntrotoiOS.
.
.
2Objective-CPrimer.
.
.
3TestingSetup.
.
.
4Security-RelevantAPIsTLSandNetworkingDataStorageTheKeychainBackgroundingIPCAppURLsCopy/Paste.
.
.
5UDIDs.
.
.
6CommonAttackScenariosOldCStuNewObjective-CStu.
.
.
7SecurecodingchecklistDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20112/68IntroMyperspectiveisthatofapenetrationtester(notdeveloper)InfohereisideallyofusetobothtestersanddevelopersAssumeslittletonoiOSknowledgeFocusisappsecurity,notOSsecurityTakeaways:beablexorbreakyourownorothers'iOSappsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20113/68IntrotoiOSIntrotoiPhoneiPhoneConceptualDesignDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20114/68IntrotoiOSIntrotoiOSIt'sanOS,butwithaniHigh-levelAPI,"CocoaTouch"DevelopmentinXCodeSoyes,youneedaMaciOSSimulator(notemulator)CompilesiOSappstonativecodetorunlocallyApplicationswrittenprimarilyinObjective-CDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20115/68Objective-CPrimerObjective-CHowtospotitfromaverylongwayawayC+Smalltalk…ishUses"inx"notation:[ObjectmessagePassedToObject:argument];Itisnottoeveryone'stastesSomeofushaveveryrenedtastesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20116/68Objective-CPrimerObjective-Cin1slideDeningInterfaces@interfaceClassname:NSParentObject{SomeTypeaThing;//instancevariables}+(type)classMethod:(vartype)myVariable;-(type)instanceMethod:(vartype)myVariable;@endThesegoin.
hles,anddenethestructureofobjects(likeCstructs).
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20117/68Objective-CPrimerObjective-Cin2slidesAlternativeinterfacedeclaration#import"NSParentClass.
h"@interfaceClassname:NSParentClass{@publicNSURL*blorg;@privateNSString*gurgle;}@property(readonly)NSURL*blorg;@property(copy)NSString*gurgle;Thisisthe"2.
0"waytodeclareinterfaces.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20118/68Objective-CPrimerObjective-Cin3slidesorsoInxanddotnotation@implementationClassname@synthesizeblorg;//generatesset/getmethods@synthesizegurgle;Instance*myInstance=[[Instancealloc]init];[myInstancesetGurgle:@"eep"];//infixnotationmyInstance.
gurgle=@"eep";//dotnotationThisisthe"implementation",storedin.
mles.
@synthesizecreatesgetter/settermethodsforproperties.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20119/68Objective-CPrimerObjective-CNotsubclassingCategoriesSimplemethodforaddingfunctionalitytoclasseswithoutsubclassingJustdeneanew@interfaceandimplementationwithnewmethods@implementationNSURL(CategoryName)-(BOOL)isPurple;{if([selfisColor:@"purple"])returnYES;elsereturnNO;}@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201110/68Objective-CPrimerMemoryManagementRetain/ReleaseNogarbagecollectioniniOSMusttrackwith"retain"and"release"methodsClassname*myClass=[[Classnamealloc]init];//Retaincount:1.
.
.
//Canbeshortenedto//[Classnamenew];[myClassrelease];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201111/68TestingSetupXCodeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201112/68TestingSetupTestingSetupInterceptingsecurecommunicationsStandardproxyinterceptwon'tworkCerterrorsareahardfailureOptions:ChangesourcetouseHTTPUsedevice+certforproxyUsesimulatorwith→proxy→realsiteDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201113/68TestingSetupStunnelcong;SSLclientmodeclient=yes;service-levelconfiguration[https]accept=127.
0.
0.
1:80connect=10.
10.
1.
50:443TIMEOUTclose=0DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201114/68TestingSetupProxyCongDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201115/68TestingSetupTheSandboxMechanismSeatbeltaka"Seatbelt"BaseduponTrustedBSDMACframeworkUnlikeAndroid'sUID-basedsegregation,appsrunasoneuserSeatbeltpoliciesprovideneededsegregation.
Probably.
SandboxpoliciesnowcompiledandrolledintothekernelOnjailbrokendevices,sandboxnolongerappliesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201116/68TestingSetupTheSandboxMechanismJailbreakingOnjailbrokendevices,sandboxnolongerappliesHowever,devsforsideloadedappscanvoluntarilyhopintoone1DocumentedprolesforOSX:kSBXProfileNoNetwork(="nonet")kSBXProfileNoInternet(="nointernet")kSBXProfilePureComputation(="pure-computation")kSBXProfileNoWriteExceptTemporary(="write-tmp-only")kSBXProfileNoWrite(="nowrite")1http://iphonedevwiki.
net/index.
php/SeatbeltDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201117/68TestingSetupTheSandboxMechanismJailbreakDetectionNomoreocialApplejailbreakdetectionAPIIfyoumustdeterminewhetheradeviceisjailbroken,somepossiblechecks:/bin/bash/bin/ssh/private/var/lib/aptButdiscriminatingagainstjailbrokendevicesisnotnecessarilyagreatideaAndAppleappreviewmayagitDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201118/68TestingSetupBinaryAnalysisUsefulforblackboxtestingorself-testingDisassemblyofMach-ObinaryformatquitecleanSeveralusefultools:otool,otx,class-dumpUseforreversingotherapplications,orndingwhatinfowouldbeavailabletoathirdpartyObfuscationisgenerallyprettyfutile,butespeciallyinObjCEncryptedbinarieseasilydumped22http://www.
246tnt.
com/iPhone/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201119/68TestingSetupBinaryAnalysisotoolotool-toV/Applications/iCal.
app/Contents/MacOS/iCal/Applications/iCal.
app/Contents/MacOS/iCalObjective-CsegmentModule0x22b52c.
.
.
ClassDefinitionsdefs[0]0x00204360isa0x0020a560super_class0x001a5f44CALCanvasItemname0x001c6574CALCanvasAttributedText.
.
.
ivars0x00224300ivar_count13ivar_name0x001a54e2_textivar_type0x001a53d0@"NSMutableAttributedString"ivar_offset0x0000012civar_name0x001a54e8DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201120/68TestingSetupBinaryAnalysisotxhttp://otx.
osxninja.
com/-(BOOL)[NSString(NSStringExtras)isFeedURLString]+00000348855pushl%ebp+10000348989e5movl%esp,%ebp+30000348b53pushl%ebx+40000348c83ec14subl$0x14,%esp+70000348f8b5d08movl0x08(%ebp),%ebx+1000003492c744240844430700movl$0x00074344,0x08(%esp)feed:+180000349aa180a00700movl0x0007a080,%eax_web_hasCaseInsensitivePrefix:+230000349f89442404movl%eax,0x04(%esp)+27000034a3891c24movl%ebx,(%esp)+30000034a6e850420800calll0x000876fb-[(%esp,1)_web_hasCaseInsensitivePrefix:]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201121/68TestingSetupBinaryAnalysisclass-dumphttp://iphone.
freecoder.
org/classdump_en.
html(orviaCydia)class-dump-x/Developer/Platforms/iPhoneSimulator.
platform/Developer/SDKs/iPhoneSimulator3.
0.
sdk/Applications/MobileSafari.
app@protocolCALCanvasTextProtocol-(id)attributes;-(id)foregroundColor;-(float)fontSize;@end@protocolCALDetachmentDelegate-(int)decideDetachmentFor:(id)fp8withOccurrence:(id)fp12;@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201122/68TestingSetupStaticAnalysisXCode&ClangClanganalyzermergedintoXCode"Build&Analyze"optionIdentiesmemoryleakage,use-after-free,etc.
Note:insomerecentXCodeversions,AnalyzerresultsonlyshowfordeviceSDKbuilds.
MehDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201123/68TestingSetupStaticAnalysisOutputDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201124/68AppStructureLocalStorageKeyboardCachingKeyboardcacheusedforformautocompletion/root/Library/Keyboard/dynamic-text.
datAlreadydisabledforpasswordeldsShouldbedisabledforanypotentiallysensitiveeldsSetUITextFieldpropertyautocorrectionType=UITextAutocorrectionNoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201125/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingStandardmethodforworkingwithURLsSSL/TLShandledproperly!
Bypassingfailedvericationnotallowedbydefault.
So,ofcourse,peopleturnitoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201126/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingCheckforNSURLRequestvericationbypassviasetAllowsAnyHTTPSCertificateSSLvericationbypassviaNSURLConnectiondelegationSearchforcontinueWithoutCredentialForAuthenticationChallenge3Extrabonusstupid:DenecategorymethodtoslipbyApple'sprivateAPIchecks43http://stackoverflow.
com/questions/933331/4http://stackoverflow.
com/questions/2001565/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201127/68Security-RelevantAPIsTLSandNetworkingNetworkingNSStreamsGoodfornon-HTTPtracorgoingslightlylower-level//FirstwedefinethehosttobecontactedNSHost*myhost=[NSHosthostWithName:[@"www.
conglomco.
com"]];//Thenwecreate[NSStreamgetStreamsToHost:myhostport:443inputStream:&MyInputStreamoutputStream:&MyOutputStream];[MyInputStreamsetProperty:NSStreamSocketSecurityLevelTLSv1//NoteforKey:NSStreamSocketSecurityLevelKey];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201128/68Security-RelevantAPIsTLSandNetworkingNetworkingCFStreamsSlightlylower-levelstillSecuritydenedbykCFStreamPropertySSLSettingsHassadsetofconstants¨CFStringRefkCFStreamSSLLevel;CFStringRefkCFStreamSSLAllowsExpiredCertificates;CFStringRefkCFStreamSSLAllowsExpiredRoots;CFStringRefkCFStreamSSLAllowsAnyRoot;CFStringRefkCFStreamSSLValidatesCertificateChain;CFStringRefkCFStreamSSLPeerName;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201129/68Security-RelevantAPIsDataStorageLocalDataStorageTheVariousMechanismsAfewwaysdataisstored(andpotentiallyexposed):SQLiteCoreDataInternally,SQLiteCookiemanagementCachesplistsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201130/68Security-RelevantAPIsAppLayoutAnatomyofanApp/Library/ApplicationSupport/iPhoneSimulator/Applications/(appID).
/Documents→properties,logs.
/Library/Caches→cacheythings.
/Library/Caches/Snapshots→screenshotsofyourapp.
/Library/Cookies→cookieplists.
/Library/Preferences→variouspreferenceplists.
/Library/WebKit→WebKitlocalstorage.
/Appname.
app→appresources:binary,graphics,nibs,Info.
plist.
/tmp→tmpDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201131/68Security-RelevantAPIsAppLayoutCookiesNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainOrOtherAuthoritativeSoundingPeopleByAppManipulatedbytheURLloadingsystemCanaltercookieAcceptPolicyto:NSHTTPCookieAcceptPolicyNeverNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainNotethatthismayaectotherrunningapplicationsInOSX,cookiesandcookiepolicyaresharedamongappsIniOS,onlycookiepolicyissharedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201132/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionDynamicSQLNSString*uid=[myHTTPConnectiongetUID];NSString*statement=[NSStringStringWithFormat:@"SELECTusernameFROMuserswhereuid='%@'",uid];constchar*sql=[statementUTF8String];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201133/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionParameterizedSQLconstchar*sql="SELECTusernameFROMuserswhereuid=";sqlite3_prepare_v2(db,sql,-1,&selectUid,NULL);sqlite3_bind_int(selectUid,1,uid);intstatus=sqlite3_step(selectUid);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201134/68Security-RelevantAPIsAppLayoutCachingHTTP&HTTPSrequestscachedbydefaultCanbepreventedbyNSURLConnectiondelegate-(NSCachedURLResponse*)connection:(NSURLConnection*)connectionwillCacheResponse:(NSCachedURLResponse*)cachedResponse{NSCachedURLResponse*newCachedResponse=cachedResponse;if([[[[cachedResponseresponse]URL]scheme]isEqual:@"https"]){newCachedResponse=nil;}returnnewCachedResponse;}DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201135/68Security-RelevantAPIsAppLayoutGeolocationBestPracticesUseleastdegreeofaccuracynecessaryCheckforgracefulhandlingoflocationServicesEnabledandauthorizationStatusmethodresponsesIfyoudon'twanttohandlesubpoenasfromdivorcelawyers:Don'tloglocallyAnonymizeserver-sidedataPrunelogsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201136/68Security-RelevantAPIsAppLayoutGeolocationAccuracySettingsSeveralaccuracyconstants:CLLocationAccuracykCLLocationAccuracyBestForNavigation;CLLocationAccuracykCLLocationAccuracyBest;CLLocationAccuracykCLLocationAccuracyNearestTenMeters;CLLocationAccuracykCLLocationAccuracyHundredMeters;CLLocationAccuracykCLLocationAccuracyKilometer;CLLocationAccuracykCLLocationAccuracyThreeKilometers;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201137/68Security-RelevantAPIsTheKeychainTheKeychainKeychainiswheresecretstugoesArgh!
DonotstorethisdatainNSUserDefaults!
Encryptedwithdevice-specickeyApps"can'tread",notincludedinbackupsSimplerAPIthanOSX:SecItemAdd,SecItemUpdate,SecItemCopyMatchingNotavailableinsimulatorforpre-4.
0←causeit'sgotkeysinit,seeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201138/68Security-RelevantAPIsTheKeychainTheKeychainKeyprotectionPassanappropriatekSecAttrAccessiblevaluetoSecItemAdd:CFTypeRefkSecAttrAccessibleWhenUnlocked;CFTypeRefkSecAttrAccessibleAfterFirstUnlock;CFTypeRefkSecAttrAccessibleAlways;CFTypeRefkSecAttrAccessibleWhenUnlockedThisDeviceOnly;CFTypeRefkSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;CFTypeRefkSecAttrAccessibleAlwaysThisDeviceOnly;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201139/68Security-RelevantAPIsTheKeychainTheKeychainSharedkeychainsForusingthesamekeychainamongdierentapps5UsedbysettingkSecAttrAccessGrouponinitAppsmusthavesamekeychain-access-groupsAppscanonlyhaveoneaccessgroupOnjailbrokenphone…allbetso5http://useyourloaf.
com/blog/2010/4/3/keychain-group-access.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201140/68Security-RelevantAPIsTheKeychainTheKeychainCerticatesOndevice,canbeinstalledviae-mail,SafarioriTunessyncOnoldersimulators,nosuchluckCertsstillveried,butnowaytoinstallnewonesSincethey'restoredintheKeychainStubsnecessaryfordetectingsimulatorvs.
deviceDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201141/68Security-RelevantAPIsTheKeychainDataProtectionImprovingleandkeychainprotectionBydefault,dataencryptedwith"hardware"keyIniOS4,"hardware"keycansupplementedwithPINDeveloperscanalsomarklesas"protected"Filesencrypted,unreadablewhiledeviceislockedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201142/68Security-RelevantAPIsTheKeychainDataProtectionUsage2methodsforenablingPassNSDataWritingFileProtectionCompletetowriteToFilemethodofNSDataobjectSetNSFileProtectionKeytoNSFileProtectionCompleteonNSFileManagerobjectAgain,datanotaccessiblewhendeviceislockedCheckfordataavailabilitybeforeuse6CleanupwhenUIApplicationProtectedDataWillBecomeUnavailable6http://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/StandardBehaviors/StandardBehaviors.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201143/68Security-RelevantAPIsTheKeychainEntropyHowdoesitworkUsingCocoa,not/dev/randomGatheredviaSecRandomCopyBytesAgain,doesnotworkinsimulatorObviously,rand(),random(),arc4random()areallnon-startersintresult=SecRandomCopyBytes(kSecRandomDefault,sizeof(int),(uint8_t*)&randomResult);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201144/68Security-RelevantAPIsBackgroundingBackgroundingInitiatingBackgroundTasksProbablymostsecurity-relevantAPIiniOS4.
0UsebeginBackgroundTaskWithExpirationHandlermethodtoinitiatebackgroundtasksNeedsmatchingendBackgroundTaskmethodRemainingtasktimestoredinbackgroundTimeRemainingpropertyDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201145/68Security-RelevantAPIsBackgroundingBackgroundingConcernsNote:appissnapshotteduponbackgroundingPriortothis,applicationshouldremoveanysensitivedatafromviewUsesplashscreenorsethiddenoralphapropertiesofUIWindowDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201146/68Security-RelevantAPIsBackgroundingBackgroundingStateTransitionsDetectstatetransitionsKeystatetransitionmethods:application:didFinishLaunchingWithOptions:applicationDidBecomeActive:applicationWillResignActive:applicationDidEnterBackground:applicationWillEnterForeground:applicationWillTerminate:DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201147/68Security-RelevantAPIsIPCIPCApplicationURLSchemesAppscanregistertheirownURLhandlers—addedbyeditingtheplist,usuallyfromXCodeCalledjustlikeanyURL,withmultipleparameters,e.
g.
openURL:[NSURLURLWithString:@"myapp://foo=urb&blerg=gah"];CanbecalledbyapporwebpageWithoutuserconrmation…ParamsaccessibletoreceivingappviaadelegateDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201148/68Security-RelevantAPIsIPCIPCApplicationURLSchemesDeprecateddelegationmethod:-(BOOL)application:(UIApplication*)applicationhandleOpenURL:(NSURL*)urlNewmethod:-(BOOL)application:(UIApplication*)applicationopenURL:(NSURL*)urlsourceApplication:(NSString*)sourceApplicationannotation:(id)annotationAllowsfordeterminingcallingapplication,receivesdatainplistformObviously,sanitizationiskeyhere,especiallygiven…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201149/68Security-RelevantAPIsIPCIPCURLhandlerconictsWhathappensiftwoappsusethesamehandlerIfanAppleappusesit:AppleapplaunchesThird-partyapps:"Undened""IfyourURLtypeincludesaschemethatisidenticaltoonedenedbyApple,theApple-providedapplicationthathandlesaURLwiththatscheme(forexample,"mailto")islaunchedinsteadofyourapplication.
IfaURLtyperegisteredbyyourapplicationincludesaschemethatconictswithaschemeregisteredbyanotherthird-partyapplication,theapplicationthatlaunchesforaURLwiththatschemeisundened.
"Maygotothelastclaimingapp…ew.
Hence:bewaryofpassingprivatedatainappURLsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201150/68Security-RelevantAPIsIPCIPCPushNoticationsRegisteringfornotications:[[UIApplicationsharedApplication]registerForRemoteNotificationTypes:(UIRemoteNotificationTypeBadge|UIRemoteNotificationTypeSound)];Receivingnotications:-(void)application:(UIApplication*)applicationdidReceiveRemoteNotification:(NSDictionary*)userInfo-(BOOL)application:(UIApplication*)applicationdidFinishLaunchingWithOptions:(NSDictionary*)launchOptionsCheckforvalidationofuserInfoandlaunchOptionsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201151/68Security-RelevantAPIsIPCCopy/PastePasteboardsObligatorydigatApplere:copy/pastedebacle2systemUIPasteboardaccessmethods:UIPasteboardNameGeneral&UIPasteboardNameFindPasteboardsmarked"persistent"willbekeptinlocalstorageDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201152/68Security-RelevantAPIsIPCCopy/PastePasteboardsAlso"private"applicationpasteboards,which(intrueObjective-Cform)arenotinanyway"private"OccasionallyusedasIPChackMigratingdatafromfree→paidappIsawonesuggestiontotransferprivatekeyswiththepasteboard¨Bottomline:avoidsensitivedatahere&cleanupafteryourselfClearpasteboardonapplicationWillTerminatepasteBoard.
items=nilDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201153/68Security-RelevantAPIsIPCCopy/PasteExampleAbuseHownottopasteboard:TwitterOAuthlibrary7-(void)pasteboardChanged:(NSNotification*)note{UIPasteboard*pb=[UIPasteboardgeneralPasteboard];if([note.
userInfoobjectForKey:UIPasteboardChangedTypesAddedKey]==nil)return;NSString*copied=pb.
string;if(copied.
length!
=7||!
copied.
oauthtwitter_isNumeric)return;[selfgotPin:copied];}73rd-partylibrary,notbyTwitterDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201154/68Security-RelevantAPIsIPCCopy/PasteDisablingitPossiblemitigation:Foreldswithsensitivedata,disablecopy/pastemenu-(BOOL)canPerformAction:(SEL)actionwithSender:(id)sender{UIMenuController*menuController=[UIMenuControllersharedMenuController];if(menuController){[UIMenuControllersharedMenuController].
menuVisible=NO;}returnNO;}Canalsodisablemenuitemsindividually88http://stackoverflow.
com/questions/1426731/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201155/68UDIDsUDIDsUseandAbuseUniqueidentierderivedfromhardwareinformationOftenabusedasausertrackingmechanism9OccasionallyabusedasanauthenticatorSee:TapulousContrarytopopularbelief,thisismutable9http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201156/68UDIDsUDIDsUDIDFakeravailableonCydiaDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201157/68UDIDsUDIDsDon'tusethem.
Summary:Don'trelyonUDIDforanythingeverDon'tuseitfortracking,itgetsyoubadpressIfyoureallyneedtotrackusers,usehashofUDID+saltCheckcodeforuseof[[UIDevicecurrentDevice]uniqueIdentifier]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201158/68CommonAttackScenariosOldCStuClassicCAttacksNothingnewhereStillhasthesameclassicissuesBueroverowsIntegerissues,especiallywithmalloc()Whyareyoumalloc'ing,grandpaWeareinthefuturehereSanitizeintcalculationswithcheckint(3)Double-freesFormatstringsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201159/68CommonAttackScenariosNewObjective-CStuObjectuseafterreleaseExploitable!
Undersomecircumstances.
10Procedure:ReleaseobjectReleasesomeotherobjectAllocatespaceofsamesizeasrstobjectWriteyourcodetothenewbuer…Sendmessageorreleasetooriginalobject10http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201160/68CommonAttackScenariosNewObjective-CStuiOS&FormatStringswithFormat/appendingFormatfamily%xworks—%ndoesnot¨%ndoesstillworkwithregularCcode…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201161/68CommonAttackScenariosNewObjective-CStuFormatStringsFormatstringconfusionFoundonpentest:NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:[UtilityClassformatStuff:unformattedStuff.
text]];Bzzt.
NSStringobjectsaren'tmagicallysafe.
NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:UtilityClassformatStuff:unformattedStuff.
text]];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201162/68CommonAttackScenariosNewObjective-CStuFormatStringsLikelyculprits[NSString*WithFormat][NSStringstringByAppendingFormat][NSMutableStringappendFormat][NSAlertalertWithMessageText][NSException][NSLog]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201163/68SecurecodingchecklistSecurecodingchecklistOrpenetrationtester'shitlistHTTPSusedandcorrectlycongured(i.
e.
notbypassedbydelegationorsetAllowsAnyHTTPSCertificate)AllformatstringsproperlydeclaredGeneralCissues(malloc(),str*,etc.
)Anythird-partyC/C++codeissuspectEntropygatheredcorrectlySecurebackgroundingDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201164/68SecurecodingchecklistSecurecodingchecklistContinuedUIPasteBoardsnotleakingsensitivedataCorrectobjectdeallocation,nouse-after-releaseURLhandlerparameterssanitizedSecurekeychainusageNoinappropriatedatastoredonlocallesystemCFStream,NSStream,NSURLinputssanitized/encodedNodirectuseofUDIDDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201165/68QuestionsQ://.
.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201166/68AppendixForFurtherReadingForFurtherReadingIH.
Dwivedi,C.
Clark,D.
ThielMobileApplicationSecurity.
McGrawHill,2010NeilArchibaldSTOP!
!
!
Objective-CRun-TIME.
http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfApple,Inc.
iOSApplicationProgrammingGuidehttp://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Introduction/Introduction.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201167/68AppendixForFurtherReadingForFurtherReadingIIOtherresourceshttp://culater.
net/wiki/moin.
cgi/CocoaReverseEngineeringhttp://www.
musicalgeometry.
com/archives/872http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201168/68
- x001a54e8ios6.1.3越狱相关文档
- slowios6.1.3越狱
- 支持ios6.1.3越狱
- checkerios6.1.3越狱
- 支持ios6.1.3越狱
- 连接ios6.1.3越狱
- 编码ios6.1.3越狱
ThomasHost(月付5美元)美国/法国/英国/加拿大KVM,支持Windows
ThomasHost域名注册自2012年,部落最早分享始于2016年,还算成立了有几年了,商家提供基于KVM架构的VPS,数据中心包括美国、法国、英国、加拿大和爱尔兰等6个地区机房,VPS主机套餐最低2GB内存起步,支持Windows或者Linux操作系统,1Gbps端口不限制流量。最近商家提供了一个5折优惠码,优惠后最低套餐月付5美元起。下面列出部分套餐配置信息。CPU:1core内存:2GB硬...
百纵科技(19元/月),美国洛杉矶10G防御服务器/洛杉矶C3机房 带金盾高防
百纵科技官网:https://www.baizon.cn/百纵科技:美国云服务器活动重磅来袭,洛杉矶C3机房 带金盾高防,会员后台可自助管理防火墙,添加黑白名单 CC策略开启低中高.CPU全系列E52680v3 DDR4内存 三星固态盘列阵。另有高防清洗!美国洛杉矶 CN2 云服务器CPU内存带宽数据盘防御价格1H1G10M10G10G19元/月 购买地址2H1G10M10G10G29元/月 购买...
RAKsmart便宜美国/日本/中国香港VPS主机 低至月$1.99 可安装Windows
RAKsmart 商家这几年还是在做事情的,虽然他们家顺带做的VPS主机并不是主营业务,毕竟当下的基础云服务器竞争过于激烈,他们家主营业务的独立服务器。包括在去年开始有新增多个数据中心独立服务器,包括有10G带宽的不限流量的独立服务器。当然,如果有需要便宜VPS主机的他们家也是有的,比如有最低月付1.99美元的美国VPS主机,而且可选安装Windows系统。这里商家有提供下面六款六月份的活动便宜V...
ios6.1.3越狱为你推荐
-
支持ipadeacceleratorW3S是什么意思netbios端口netbios ssn是什么意思?勒索病毒win7补丁由于电脑没连接网络,所以成功躲过了勒索病毒,但最近要联网,要提前装什么补丁吗?我电脑断网好久了联通版iphone4s苹果4S移动版和联通版有什么不同google中国地图强大的谷歌地图,为什么中国不用起来google中国地图谷歌中国地图用的是什么投影,什么坐标系google分析google分析打不开了?ios5.1.1完美越狱我的苹果手机版本显示的是5.1.1,怎么才知道是不是ios啊?我现在想越狱ios10.0.3iOS10.0.3可以越狱吗