x001a54e8ios6.1.3越狱
ios6.1.3越狱 时间:2021-05-24 阅读:()
.
.
.
.
.
.
.
SecureDevelopmentoniOSAdvicefordevelopersandpenetrationtestersDavidThielSOURCEBoston2011DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20111/68Outline.
.
.
1IntrotoiOS.
.
.
2Objective-CPrimer.
.
.
3TestingSetup.
.
.
4Security-RelevantAPIsTLSandNetworkingDataStorageTheKeychainBackgroundingIPCAppURLsCopy/Paste.
.
.
5UDIDs.
.
.
6CommonAttackScenariosOldCStuNewObjective-CStu.
.
.
7SecurecodingchecklistDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20112/68IntroMyperspectiveisthatofapenetrationtester(notdeveloper)InfohereisideallyofusetobothtestersanddevelopersAssumeslittletonoiOSknowledgeFocusisappsecurity,notOSsecurityTakeaways:beablexorbreakyourownorothers'iOSappsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20113/68IntrotoiOSIntrotoiPhoneiPhoneConceptualDesignDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20114/68IntrotoiOSIntrotoiOSIt'sanOS,butwithaniHigh-levelAPI,"CocoaTouch"DevelopmentinXCodeSoyes,youneedaMaciOSSimulator(notemulator)CompilesiOSappstonativecodetorunlocallyApplicationswrittenprimarilyinObjective-CDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20115/68Objective-CPrimerObjective-CHowtospotitfromaverylongwayawayC+Smalltalk…ishUses"inx"notation:[ObjectmessagePassedToObject:argument];Itisnottoeveryone'stastesSomeofushaveveryrenedtastesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20116/68Objective-CPrimerObjective-Cin1slideDeningInterfaces@interfaceClassname:NSParentObject{SomeTypeaThing;//instancevariables}+(type)classMethod:(vartype)myVariable;-(type)instanceMethod:(vartype)myVariable;@endThesegoin.
hles,anddenethestructureofobjects(likeCstructs).
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20117/68Objective-CPrimerObjective-Cin2slidesAlternativeinterfacedeclaration#import"NSParentClass.
h"@interfaceClassname:NSParentClass{@publicNSURL*blorg;@privateNSString*gurgle;}@property(readonly)NSURL*blorg;@property(copy)NSString*gurgle;Thisisthe"2.
0"waytodeclareinterfaces.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20118/68Objective-CPrimerObjective-Cin3slidesorsoInxanddotnotation@implementationClassname@synthesizeblorg;//generatesset/getmethods@synthesizegurgle;Instance*myInstance=[[Instancealloc]init];[myInstancesetGurgle:@"eep"];//infixnotationmyInstance.
gurgle=@"eep";//dotnotationThisisthe"implementation",storedin.
mles.
@synthesizecreatesgetter/settermethodsforproperties.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20119/68Objective-CPrimerObjective-CNotsubclassingCategoriesSimplemethodforaddingfunctionalitytoclasseswithoutsubclassingJustdeneanew@interfaceandimplementationwithnewmethods@implementationNSURL(CategoryName)-(BOOL)isPurple;{if([selfisColor:@"purple"])returnYES;elsereturnNO;}@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201110/68Objective-CPrimerMemoryManagementRetain/ReleaseNogarbagecollectioniniOSMusttrackwith"retain"and"release"methodsClassname*myClass=[[Classnamealloc]init];//Retaincount:1.
.
.
//Canbeshortenedto//[Classnamenew];[myClassrelease];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201111/68TestingSetupXCodeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201112/68TestingSetupTestingSetupInterceptingsecurecommunicationsStandardproxyinterceptwon'tworkCerterrorsareahardfailureOptions:ChangesourcetouseHTTPUsedevice+certforproxyUsesimulatorwith→proxy→realsiteDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201113/68TestingSetupStunnelcong;SSLclientmodeclient=yes;service-levelconfiguration[https]accept=127.
0.
0.
1:80connect=10.
10.
1.
50:443TIMEOUTclose=0DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201114/68TestingSetupProxyCongDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201115/68TestingSetupTheSandboxMechanismSeatbeltaka"Seatbelt"BaseduponTrustedBSDMACframeworkUnlikeAndroid'sUID-basedsegregation,appsrunasoneuserSeatbeltpoliciesprovideneededsegregation.
Probably.
SandboxpoliciesnowcompiledandrolledintothekernelOnjailbrokendevices,sandboxnolongerappliesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201116/68TestingSetupTheSandboxMechanismJailbreakingOnjailbrokendevices,sandboxnolongerappliesHowever,devsforsideloadedappscanvoluntarilyhopintoone1DocumentedprolesforOSX:kSBXProfileNoNetwork(="nonet")kSBXProfileNoInternet(="nointernet")kSBXProfilePureComputation(="pure-computation")kSBXProfileNoWriteExceptTemporary(="write-tmp-only")kSBXProfileNoWrite(="nowrite")1http://iphonedevwiki.
net/index.
php/SeatbeltDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201117/68TestingSetupTheSandboxMechanismJailbreakDetectionNomoreocialApplejailbreakdetectionAPIIfyoumustdeterminewhetheradeviceisjailbroken,somepossiblechecks:/bin/bash/bin/ssh/private/var/lib/aptButdiscriminatingagainstjailbrokendevicesisnotnecessarilyagreatideaAndAppleappreviewmayagitDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201118/68TestingSetupBinaryAnalysisUsefulforblackboxtestingorself-testingDisassemblyofMach-ObinaryformatquitecleanSeveralusefultools:otool,otx,class-dumpUseforreversingotherapplications,orndingwhatinfowouldbeavailabletoathirdpartyObfuscationisgenerallyprettyfutile,butespeciallyinObjCEncryptedbinarieseasilydumped22http://www.
246tnt.
com/iPhone/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201119/68TestingSetupBinaryAnalysisotoolotool-toV/Applications/iCal.
app/Contents/MacOS/iCal/Applications/iCal.
app/Contents/MacOS/iCalObjective-CsegmentModule0x22b52c.
.
.
ClassDefinitionsdefs[0]0x00204360isa0x0020a560super_class0x001a5f44CALCanvasItemname0x001c6574CALCanvasAttributedText.
.
.
ivars0x00224300ivar_count13ivar_name0x001a54e2_textivar_type0x001a53d0@"NSMutableAttributedString"ivar_offset0x0000012civar_name0x001a54e8DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201120/68TestingSetupBinaryAnalysisotxhttp://otx.
osxninja.
com/-(BOOL)[NSString(NSStringExtras)isFeedURLString]+00000348855pushl%ebp+10000348989e5movl%esp,%ebp+30000348b53pushl%ebx+40000348c83ec14subl$0x14,%esp+70000348f8b5d08movl0x08(%ebp),%ebx+1000003492c744240844430700movl$0x00074344,0x08(%esp)feed:+180000349aa180a00700movl0x0007a080,%eax_web_hasCaseInsensitivePrefix:+230000349f89442404movl%eax,0x04(%esp)+27000034a3891c24movl%ebx,(%esp)+30000034a6e850420800calll0x000876fb-[(%esp,1)_web_hasCaseInsensitivePrefix:]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201121/68TestingSetupBinaryAnalysisclass-dumphttp://iphone.
freecoder.
org/classdump_en.
html(orviaCydia)class-dump-x/Developer/Platforms/iPhoneSimulator.
platform/Developer/SDKs/iPhoneSimulator3.
0.
sdk/Applications/MobileSafari.
app@protocolCALCanvasTextProtocol-(id)attributes;-(id)foregroundColor;-(float)fontSize;@end@protocolCALDetachmentDelegate-(int)decideDetachmentFor:(id)fp8withOccurrence:(id)fp12;@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201122/68TestingSetupStaticAnalysisXCode&ClangClanganalyzermergedintoXCode"Build&Analyze"optionIdentiesmemoryleakage,use-after-free,etc.
Note:insomerecentXCodeversions,AnalyzerresultsonlyshowfordeviceSDKbuilds.
MehDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201123/68TestingSetupStaticAnalysisOutputDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201124/68AppStructureLocalStorageKeyboardCachingKeyboardcacheusedforformautocompletion/root/Library/Keyboard/dynamic-text.
datAlreadydisabledforpasswordeldsShouldbedisabledforanypotentiallysensitiveeldsSetUITextFieldpropertyautocorrectionType=UITextAutocorrectionNoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201125/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingStandardmethodforworkingwithURLsSSL/TLShandledproperly!
Bypassingfailedvericationnotallowedbydefault.
So,ofcourse,peopleturnitoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201126/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingCheckforNSURLRequestvericationbypassviasetAllowsAnyHTTPSCertificateSSLvericationbypassviaNSURLConnectiondelegationSearchforcontinueWithoutCredentialForAuthenticationChallenge3Extrabonusstupid:DenecategorymethodtoslipbyApple'sprivateAPIchecks43http://stackoverflow.
com/questions/933331/4http://stackoverflow.
com/questions/2001565/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201127/68Security-RelevantAPIsTLSandNetworkingNetworkingNSStreamsGoodfornon-HTTPtracorgoingslightlylower-level//FirstwedefinethehosttobecontactedNSHost*myhost=[NSHosthostWithName:[@"www.
conglomco.
com"]];//Thenwecreate[NSStreamgetStreamsToHost:myhostport:443inputStream:&MyInputStreamoutputStream:&MyOutputStream];[MyInputStreamsetProperty:NSStreamSocketSecurityLevelTLSv1//NoteforKey:NSStreamSocketSecurityLevelKey];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201128/68Security-RelevantAPIsTLSandNetworkingNetworkingCFStreamsSlightlylower-levelstillSecuritydenedbykCFStreamPropertySSLSettingsHassadsetofconstants¨CFStringRefkCFStreamSSLLevel;CFStringRefkCFStreamSSLAllowsExpiredCertificates;CFStringRefkCFStreamSSLAllowsExpiredRoots;CFStringRefkCFStreamSSLAllowsAnyRoot;CFStringRefkCFStreamSSLValidatesCertificateChain;CFStringRefkCFStreamSSLPeerName;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201129/68Security-RelevantAPIsDataStorageLocalDataStorageTheVariousMechanismsAfewwaysdataisstored(andpotentiallyexposed):SQLiteCoreDataInternally,SQLiteCookiemanagementCachesplistsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201130/68Security-RelevantAPIsAppLayoutAnatomyofanApp/Library/ApplicationSupport/iPhoneSimulator/Applications/(appID).
/Documents→properties,logs.
/Library/Caches→cacheythings.
/Library/Caches/Snapshots→screenshotsofyourapp.
/Library/Cookies→cookieplists.
/Library/Preferences→variouspreferenceplists.
/Library/WebKit→WebKitlocalstorage.
/Appname.
app→appresources:binary,graphics,nibs,Info.
plist.
/tmp→tmpDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201131/68Security-RelevantAPIsAppLayoutCookiesNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainOrOtherAuthoritativeSoundingPeopleByAppManipulatedbytheURLloadingsystemCanaltercookieAcceptPolicyto:NSHTTPCookieAcceptPolicyNeverNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainNotethatthismayaectotherrunningapplicationsInOSX,cookiesandcookiepolicyaresharedamongappsIniOS,onlycookiepolicyissharedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201132/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionDynamicSQLNSString*uid=[myHTTPConnectiongetUID];NSString*statement=[NSStringStringWithFormat:@"SELECTusernameFROMuserswhereuid='%@'",uid];constchar*sql=[statementUTF8String];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201133/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionParameterizedSQLconstchar*sql="SELECTusernameFROMuserswhereuid=";sqlite3_prepare_v2(db,sql,-1,&selectUid,NULL);sqlite3_bind_int(selectUid,1,uid);intstatus=sqlite3_step(selectUid);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201134/68Security-RelevantAPIsAppLayoutCachingHTTP&HTTPSrequestscachedbydefaultCanbepreventedbyNSURLConnectiondelegate-(NSCachedURLResponse*)connection:(NSURLConnection*)connectionwillCacheResponse:(NSCachedURLResponse*)cachedResponse{NSCachedURLResponse*newCachedResponse=cachedResponse;if([[[[cachedResponseresponse]URL]scheme]isEqual:@"https"]){newCachedResponse=nil;}returnnewCachedResponse;}DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201135/68Security-RelevantAPIsAppLayoutGeolocationBestPracticesUseleastdegreeofaccuracynecessaryCheckforgracefulhandlingoflocationServicesEnabledandauthorizationStatusmethodresponsesIfyoudon'twanttohandlesubpoenasfromdivorcelawyers:Don'tloglocallyAnonymizeserver-sidedataPrunelogsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201136/68Security-RelevantAPIsAppLayoutGeolocationAccuracySettingsSeveralaccuracyconstants:CLLocationAccuracykCLLocationAccuracyBestForNavigation;CLLocationAccuracykCLLocationAccuracyBest;CLLocationAccuracykCLLocationAccuracyNearestTenMeters;CLLocationAccuracykCLLocationAccuracyHundredMeters;CLLocationAccuracykCLLocationAccuracyKilometer;CLLocationAccuracykCLLocationAccuracyThreeKilometers;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201137/68Security-RelevantAPIsTheKeychainTheKeychainKeychainiswheresecretstugoesArgh!
DonotstorethisdatainNSUserDefaults!
Encryptedwithdevice-specickeyApps"can'tread",notincludedinbackupsSimplerAPIthanOSX:SecItemAdd,SecItemUpdate,SecItemCopyMatchingNotavailableinsimulatorforpre-4.
0←causeit'sgotkeysinit,seeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201138/68Security-RelevantAPIsTheKeychainTheKeychainKeyprotectionPassanappropriatekSecAttrAccessiblevaluetoSecItemAdd:CFTypeRefkSecAttrAccessibleWhenUnlocked;CFTypeRefkSecAttrAccessibleAfterFirstUnlock;CFTypeRefkSecAttrAccessibleAlways;CFTypeRefkSecAttrAccessibleWhenUnlockedThisDeviceOnly;CFTypeRefkSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;CFTypeRefkSecAttrAccessibleAlwaysThisDeviceOnly;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201139/68Security-RelevantAPIsTheKeychainTheKeychainSharedkeychainsForusingthesamekeychainamongdierentapps5UsedbysettingkSecAttrAccessGrouponinitAppsmusthavesamekeychain-access-groupsAppscanonlyhaveoneaccessgroupOnjailbrokenphone…allbetso5http://useyourloaf.
com/blog/2010/4/3/keychain-group-access.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201140/68Security-RelevantAPIsTheKeychainTheKeychainCerticatesOndevice,canbeinstalledviae-mail,SafarioriTunessyncOnoldersimulators,nosuchluckCertsstillveried,butnowaytoinstallnewonesSincethey'restoredintheKeychainStubsnecessaryfordetectingsimulatorvs.
deviceDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201141/68Security-RelevantAPIsTheKeychainDataProtectionImprovingleandkeychainprotectionBydefault,dataencryptedwith"hardware"keyIniOS4,"hardware"keycansupplementedwithPINDeveloperscanalsomarklesas"protected"Filesencrypted,unreadablewhiledeviceislockedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201142/68Security-RelevantAPIsTheKeychainDataProtectionUsage2methodsforenablingPassNSDataWritingFileProtectionCompletetowriteToFilemethodofNSDataobjectSetNSFileProtectionKeytoNSFileProtectionCompleteonNSFileManagerobjectAgain,datanotaccessiblewhendeviceislockedCheckfordataavailabilitybeforeuse6CleanupwhenUIApplicationProtectedDataWillBecomeUnavailable6http://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/StandardBehaviors/StandardBehaviors.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201143/68Security-RelevantAPIsTheKeychainEntropyHowdoesitworkUsingCocoa,not/dev/randomGatheredviaSecRandomCopyBytesAgain,doesnotworkinsimulatorObviously,rand(),random(),arc4random()areallnon-startersintresult=SecRandomCopyBytes(kSecRandomDefault,sizeof(int),(uint8_t*)&randomResult);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201144/68Security-RelevantAPIsBackgroundingBackgroundingInitiatingBackgroundTasksProbablymostsecurity-relevantAPIiniOS4.
0UsebeginBackgroundTaskWithExpirationHandlermethodtoinitiatebackgroundtasksNeedsmatchingendBackgroundTaskmethodRemainingtasktimestoredinbackgroundTimeRemainingpropertyDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201145/68Security-RelevantAPIsBackgroundingBackgroundingConcernsNote:appissnapshotteduponbackgroundingPriortothis,applicationshouldremoveanysensitivedatafromviewUsesplashscreenorsethiddenoralphapropertiesofUIWindowDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201146/68Security-RelevantAPIsBackgroundingBackgroundingStateTransitionsDetectstatetransitionsKeystatetransitionmethods:application:didFinishLaunchingWithOptions:applicationDidBecomeActive:applicationWillResignActive:applicationDidEnterBackground:applicationWillEnterForeground:applicationWillTerminate:DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201147/68Security-RelevantAPIsIPCIPCApplicationURLSchemesAppscanregistertheirownURLhandlers—addedbyeditingtheplist,usuallyfromXCodeCalledjustlikeanyURL,withmultipleparameters,e.
g.
openURL:[NSURLURLWithString:@"myapp://foo=urb&blerg=gah"];CanbecalledbyapporwebpageWithoutuserconrmation…ParamsaccessibletoreceivingappviaadelegateDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201148/68Security-RelevantAPIsIPCIPCApplicationURLSchemesDeprecateddelegationmethod:-(BOOL)application:(UIApplication*)applicationhandleOpenURL:(NSURL*)urlNewmethod:-(BOOL)application:(UIApplication*)applicationopenURL:(NSURL*)urlsourceApplication:(NSString*)sourceApplicationannotation:(id)annotationAllowsfordeterminingcallingapplication,receivesdatainplistformObviously,sanitizationiskeyhere,especiallygiven…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201149/68Security-RelevantAPIsIPCIPCURLhandlerconictsWhathappensiftwoappsusethesamehandlerIfanAppleappusesit:AppleapplaunchesThird-partyapps:"Undened""IfyourURLtypeincludesaschemethatisidenticaltoonedenedbyApple,theApple-providedapplicationthathandlesaURLwiththatscheme(forexample,"mailto")islaunchedinsteadofyourapplication.
IfaURLtyperegisteredbyyourapplicationincludesaschemethatconictswithaschemeregisteredbyanotherthird-partyapplication,theapplicationthatlaunchesforaURLwiththatschemeisundened.
"Maygotothelastclaimingapp…ew.
Hence:bewaryofpassingprivatedatainappURLsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201150/68Security-RelevantAPIsIPCIPCPushNoticationsRegisteringfornotications:[[UIApplicationsharedApplication]registerForRemoteNotificationTypes:(UIRemoteNotificationTypeBadge|UIRemoteNotificationTypeSound)];Receivingnotications:-(void)application:(UIApplication*)applicationdidReceiveRemoteNotification:(NSDictionary*)userInfo-(BOOL)application:(UIApplication*)applicationdidFinishLaunchingWithOptions:(NSDictionary*)launchOptionsCheckforvalidationofuserInfoandlaunchOptionsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201151/68Security-RelevantAPIsIPCCopy/PastePasteboardsObligatorydigatApplere:copy/pastedebacle2systemUIPasteboardaccessmethods:UIPasteboardNameGeneral&UIPasteboardNameFindPasteboardsmarked"persistent"willbekeptinlocalstorageDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201152/68Security-RelevantAPIsIPCCopy/PastePasteboardsAlso"private"applicationpasteboards,which(intrueObjective-Cform)arenotinanyway"private"OccasionallyusedasIPChackMigratingdatafromfree→paidappIsawonesuggestiontotransferprivatekeyswiththepasteboard¨Bottomline:avoidsensitivedatahere&cleanupafteryourselfClearpasteboardonapplicationWillTerminatepasteBoard.
items=nilDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201153/68Security-RelevantAPIsIPCCopy/PasteExampleAbuseHownottopasteboard:TwitterOAuthlibrary7-(void)pasteboardChanged:(NSNotification*)note{UIPasteboard*pb=[UIPasteboardgeneralPasteboard];if([note.
userInfoobjectForKey:UIPasteboardChangedTypesAddedKey]==nil)return;NSString*copied=pb.
string;if(copied.
length!
=7||!
copied.
oauthtwitter_isNumeric)return;[selfgotPin:copied];}73rd-partylibrary,notbyTwitterDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201154/68Security-RelevantAPIsIPCCopy/PasteDisablingitPossiblemitigation:Foreldswithsensitivedata,disablecopy/pastemenu-(BOOL)canPerformAction:(SEL)actionwithSender:(id)sender{UIMenuController*menuController=[UIMenuControllersharedMenuController];if(menuController){[UIMenuControllersharedMenuController].
menuVisible=NO;}returnNO;}Canalsodisablemenuitemsindividually88http://stackoverflow.
com/questions/1426731/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201155/68UDIDsUDIDsUseandAbuseUniqueidentierderivedfromhardwareinformationOftenabusedasausertrackingmechanism9OccasionallyabusedasanauthenticatorSee:TapulousContrarytopopularbelief,thisismutable9http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201156/68UDIDsUDIDsUDIDFakeravailableonCydiaDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201157/68UDIDsUDIDsDon'tusethem.
Summary:Don'trelyonUDIDforanythingeverDon'tuseitfortracking,itgetsyoubadpressIfyoureallyneedtotrackusers,usehashofUDID+saltCheckcodeforuseof[[UIDevicecurrentDevice]uniqueIdentifier]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201158/68CommonAttackScenariosOldCStuClassicCAttacksNothingnewhereStillhasthesameclassicissuesBueroverowsIntegerissues,especiallywithmalloc()Whyareyoumalloc'ing,grandpaWeareinthefuturehereSanitizeintcalculationswithcheckint(3)Double-freesFormatstringsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201159/68CommonAttackScenariosNewObjective-CStuObjectuseafterreleaseExploitable!
Undersomecircumstances.
10Procedure:ReleaseobjectReleasesomeotherobjectAllocatespaceofsamesizeasrstobjectWriteyourcodetothenewbuer…Sendmessageorreleasetooriginalobject10http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201160/68CommonAttackScenariosNewObjective-CStuiOS&FormatStringswithFormat/appendingFormatfamily%xworks—%ndoesnot¨%ndoesstillworkwithregularCcode…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201161/68CommonAttackScenariosNewObjective-CStuFormatStringsFormatstringconfusionFoundonpentest:NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:[UtilityClassformatStuff:unformattedStuff.
text]];Bzzt.
NSStringobjectsaren'tmagicallysafe.
NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:UtilityClassformatStuff:unformattedStuff.
text]];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201162/68CommonAttackScenariosNewObjective-CStuFormatStringsLikelyculprits[NSString*WithFormat][NSStringstringByAppendingFormat][NSMutableStringappendFormat][NSAlertalertWithMessageText][NSException][NSLog]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201163/68SecurecodingchecklistSecurecodingchecklistOrpenetrationtester'shitlistHTTPSusedandcorrectlycongured(i.
e.
notbypassedbydelegationorsetAllowsAnyHTTPSCertificate)AllformatstringsproperlydeclaredGeneralCissues(malloc(),str*,etc.
)Anythird-partyC/C++codeissuspectEntropygatheredcorrectlySecurebackgroundingDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201164/68SecurecodingchecklistSecurecodingchecklistContinuedUIPasteBoardsnotleakingsensitivedataCorrectobjectdeallocation,nouse-after-releaseURLhandlerparameterssanitizedSecurekeychainusageNoinappropriatedatastoredonlocallesystemCFStream,NSStream,NSURLinputssanitized/encodedNodirectuseofUDIDDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201165/68QuestionsQ://.
.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201166/68AppendixForFurtherReadingForFurtherReadingIH.
Dwivedi,C.
Clark,D.
ThielMobileApplicationSecurity.
McGrawHill,2010NeilArchibaldSTOP!
!
!
Objective-CRun-TIME.
http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfApple,Inc.
iOSApplicationProgrammingGuidehttp://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Introduction/Introduction.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201167/68AppendixForFurtherReadingForFurtherReadingIIOtherresourceshttp://culater.
net/wiki/moin.
cgi/CocoaReverseEngineeringhttp://www.
musicalgeometry.
com/archives/872http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201168/68
.
.
.
.
.
.
SecureDevelopmentoniOSAdvicefordevelopersandpenetrationtestersDavidThielSOURCEBoston2011DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20111/68Outline.
.
.
1IntrotoiOS.
.
.
2Objective-CPrimer.
.
.
3TestingSetup.
.
.
4Security-RelevantAPIsTLSandNetworkingDataStorageTheKeychainBackgroundingIPCAppURLsCopy/Paste.
.
.
5UDIDs.
.
.
6CommonAttackScenariosOldCStuNewObjective-CStu.
.
.
7SecurecodingchecklistDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20112/68IntroMyperspectiveisthatofapenetrationtester(notdeveloper)InfohereisideallyofusetobothtestersanddevelopersAssumeslittletonoiOSknowledgeFocusisappsecurity,notOSsecurityTakeaways:beablexorbreakyourownorothers'iOSappsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20113/68IntrotoiOSIntrotoiPhoneiPhoneConceptualDesignDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20114/68IntrotoiOSIntrotoiOSIt'sanOS,butwithaniHigh-levelAPI,"CocoaTouch"DevelopmentinXCodeSoyes,youneedaMaciOSSimulator(notemulator)CompilesiOSappstonativecodetorunlocallyApplicationswrittenprimarilyinObjective-CDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20115/68Objective-CPrimerObjective-CHowtospotitfromaverylongwayawayC+Smalltalk…ishUses"inx"notation:[ObjectmessagePassedToObject:argument];Itisnottoeveryone'stastesSomeofushaveveryrenedtastesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20116/68Objective-CPrimerObjective-Cin1slideDeningInterfaces@interfaceClassname:NSParentObject{SomeTypeaThing;//instancevariables}+(type)classMethod:(vartype)myVariable;-(type)instanceMethod:(vartype)myVariable;@endThesegoin.
hles,anddenethestructureofobjects(likeCstructs).
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20117/68Objective-CPrimerObjective-Cin2slidesAlternativeinterfacedeclaration#import"NSParentClass.
h"@interfaceClassname:NSParentClass{@publicNSURL*blorg;@privateNSString*gurgle;}@property(readonly)NSURL*blorg;@property(copy)NSString*gurgle;Thisisthe"2.
0"waytodeclareinterfaces.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20118/68Objective-CPrimerObjective-Cin3slidesorsoInxanddotnotation@implementationClassname@synthesizeblorg;//generatesset/getmethods@synthesizegurgle;Instance*myInstance=[[Instancealloc]init];[myInstancesetGurgle:@"eep"];//infixnotationmyInstance.
gurgle=@"eep";//dotnotationThisisthe"implementation",storedin.
mles.
@synthesizecreatesgetter/settermethodsforproperties.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston20119/68Objective-CPrimerObjective-CNotsubclassingCategoriesSimplemethodforaddingfunctionalitytoclasseswithoutsubclassingJustdeneanew@interfaceandimplementationwithnewmethods@implementationNSURL(CategoryName)-(BOOL)isPurple;{if([selfisColor:@"purple"])returnYES;elsereturnNO;}@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201110/68Objective-CPrimerMemoryManagementRetain/ReleaseNogarbagecollectioniniOSMusttrackwith"retain"and"release"methodsClassname*myClass=[[Classnamealloc]init];//Retaincount:1.
.
.
//Canbeshortenedto//[Classnamenew];[myClassrelease];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201111/68TestingSetupXCodeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201112/68TestingSetupTestingSetupInterceptingsecurecommunicationsStandardproxyinterceptwon'tworkCerterrorsareahardfailureOptions:ChangesourcetouseHTTPUsedevice+certforproxyUsesimulatorwith→proxy→realsiteDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201113/68TestingSetupStunnelcong;SSLclientmodeclient=yes;service-levelconfiguration[https]accept=127.
0.
0.
1:80connect=10.
10.
1.
50:443TIMEOUTclose=0DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201114/68TestingSetupProxyCongDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201115/68TestingSetupTheSandboxMechanismSeatbeltaka"Seatbelt"BaseduponTrustedBSDMACframeworkUnlikeAndroid'sUID-basedsegregation,appsrunasoneuserSeatbeltpoliciesprovideneededsegregation.
Probably.
SandboxpoliciesnowcompiledandrolledintothekernelOnjailbrokendevices,sandboxnolongerappliesDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201116/68TestingSetupTheSandboxMechanismJailbreakingOnjailbrokendevices,sandboxnolongerappliesHowever,devsforsideloadedappscanvoluntarilyhopintoone1DocumentedprolesforOSX:kSBXProfileNoNetwork(="nonet")kSBXProfileNoInternet(="nointernet")kSBXProfilePureComputation(="pure-computation")kSBXProfileNoWriteExceptTemporary(="write-tmp-only")kSBXProfileNoWrite(="nowrite")1http://iphonedevwiki.
net/index.
php/SeatbeltDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201117/68TestingSetupTheSandboxMechanismJailbreakDetectionNomoreocialApplejailbreakdetectionAPIIfyoumustdeterminewhetheradeviceisjailbroken,somepossiblechecks:/bin/bash/bin/ssh/private/var/lib/aptButdiscriminatingagainstjailbrokendevicesisnotnecessarilyagreatideaAndAppleappreviewmayagitDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201118/68TestingSetupBinaryAnalysisUsefulforblackboxtestingorself-testingDisassemblyofMach-ObinaryformatquitecleanSeveralusefultools:otool,otx,class-dumpUseforreversingotherapplications,orndingwhatinfowouldbeavailabletoathirdpartyObfuscationisgenerallyprettyfutile,butespeciallyinObjCEncryptedbinarieseasilydumped22http://www.
246tnt.
com/iPhone/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201119/68TestingSetupBinaryAnalysisotoolotool-toV/Applications/iCal.
app/Contents/MacOS/iCal/Applications/iCal.
app/Contents/MacOS/iCalObjective-CsegmentModule0x22b52c.
.
.
ClassDefinitionsdefs[0]0x00204360isa0x0020a560super_class0x001a5f44CALCanvasItemname0x001c6574CALCanvasAttributedText.
.
.
ivars0x00224300ivar_count13ivar_name0x001a54e2_textivar_type0x001a53d0@"NSMutableAttributedString"ivar_offset0x0000012civar_name0x001a54e8DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201120/68TestingSetupBinaryAnalysisotxhttp://otx.
osxninja.
com/-(BOOL)[NSString(NSStringExtras)isFeedURLString]+00000348855pushl%ebp+10000348989e5movl%esp,%ebp+30000348b53pushl%ebx+40000348c83ec14subl$0x14,%esp+70000348f8b5d08movl0x08(%ebp),%ebx+1000003492c744240844430700movl$0x00074344,0x08(%esp)feed:+180000349aa180a00700movl0x0007a080,%eax_web_hasCaseInsensitivePrefix:+230000349f89442404movl%eax,0x04(%esp)+27000034a3891c24movl%ebx,(%esp)+30000034a6e850420800calll0x000876fb-[(%esp,1)_web_hasCaseInsensitivePrefix:]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201121/68TestingSetupBinaryAnalysisclass-dumphttp://iphone.
freecoder.
org/classdump_en.
html(orviaCydia)class-dump-x/Developer/Platforms/iPhoneSimulator.
platform/Developer/SDKs/iPhoneSimulator3.
0.
sdk/Applications/MobileSafari.
app@protocolCALCanvasTextProtocol-(id)attributes;-(id)foregroundColor;-(float)fontSize;@end@protocolCALDetachmentDelegate-(int)decideDetachmentFor:(id)fp8withOccurrence:(id)fp12;@endDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201122/68TestingSetupStaticAnalysisXCode&ClangClanganalyzermergedintoXCode"Build&Analyze"optionIdentiesmemoryleakage,use-after-free,etc.
Note:insomerecentXCodeversions,AnalyzerresultsonlyshowfordeviceSDKbuilds.
MehDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201123/68TestingSetupStaticAnalysisOutputDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201124/68AppStructureLocalStorageKeyboardCachingKeyboardcacheusedforformautocompletion/root/Library/Keyboard/dynamic-text.
datAlreadydisabledforpasswordeldsShouldbedisabledforanypotentiallysensitiveeldsSetUITextFieldpropertyautocorrectionType=UITextAutocorrectionNoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201125/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingStandardmethodforworkingwithURLsSSL/TLShandledproperly!
Bypassingfailedvericationnotallowedbydefault.
So,ofcourse,peopleturnitoDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201126/68Security-RelevantAPIsTLSandNetworkingNetworkingTLSandNSURLHandlingCheckforNSURLRequestvericationbypassviasetAllowsAnyHTTPSCertificateSSLvericationbypassviaNSURLConnectiondelegationSearchforcontinueWithoutCredentialForAuthenticationChallenge3Extrabonusstupid:DenecategorymethodtoslipbyApple'sprivateAPIchecks43http://stackoverflow.
com/questions/933331/4http://stackoverflow.
com/questions/2001565/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201127/68Security-RelevantAPIsTLSandNetworkingNetworkingNSStreamsGoodfornon-HTTPtracorgoingslightlylower-level//FirstwedefinethehosttobecontactedNSHost*myhost=[NSHosthostWithName:[@"www.
conglomco.
com"]];//Thenwecreate[NSStreamgetStreamsToHost:myhostport:443inputStream:&MyInputStreamoutputStream:&MyOutputStream];[MyInputStreamsetProperty:NSStreamSocketSecurityLevelTLSv1//NoteforKey:NSStreamSocketSecurityLevelKey];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201128/68Security-RelevantAPIsTLSandNetworkingNetworkingCFStreamsSlightlylower-levelstillSecuritydenedbykCFStreamPropertySSLSettingsHassadsetofconstants¨CFStringRefkCFStreamSSLLevel;CFStringRefkCFStreamSSLAllowsExpiredCertificates;CFStringRefkCFStreamSSLAllowsExpiredRoots;CFStringRefkCFStreamSSLAllowsAnyRoot;CFStringRefkCFStreamSSLValidatesCertificateChain;CFStringRefkCFStreamSSLPeerName;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201129/68Security-RelevantAPIsDataStorageLocalDataStorageTheVariousMechanismsAfewwaysdataisstored(andpotentiallyexposed):SQLiteCoreDataInternally,SQLiteCookiemanagementCachesplistsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201130/68Security-RelevantAPIsAppLayoutAnatomyofanApp/Library/ApplicationSupport/iPhoneSimulator/Applications/(appID).
/Documents→properties,logs.
/Library/Caches→cacheythings.
/Library/Caches/Snapshots→screenshotsofyourapp.
/Library/Cookies→cookieplists.
/Library/Preferences→variouspreferenceplists.
/Library/WebKit→WebKitlocalstorage.
/Appname.
app→appresources:binary,graphics,nibs,Info.
plist.
/tmp→tmpDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201131/68Security-RelevantAPIsAppLayoutCookiesNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainOrOtherAuthoritativeSoundingPeopleByAppManipulatedbytheURLloadingsystemCanaltercookieAcceptPolicyto:NSHTTPCookieAcceptPolicyNeverNSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomainNotethatthismayaectotherrunningapplicationsInOSX,cookiesandcookiepolicyaresharedamongappsIniOS,onlycookiepolicyissharedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201132/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionDynamicSQLNSString*uid=[myHTTPConnectiongetUID];NSString*statement=[NSStringStringWithFormat:@"SELECTusernameFROMuserswhereuid='%@'",uid];constchar*sql=[statementUTF8String];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201133/68Security-RelevantAPIsAppLayoutSQLiteandSQLinjectionParameterizedSQLconstchar*sql="SELECTusernameFROMuserswhereuid=";sqlite3_prepare_v2(db,sql,-1,&selectUid,NULL);sqlite3_bind_int(selectUid,1,uid);intstatus=sqlite3_step(selectUid);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201134/68Security-RelevantAPIsAppLayoutCachingHTTP&HTTPSrequestscachedbydefaultCanbepreventedbyNSURLConnectiondelegate-(NSCachedURLResponse*)connection:(NSURLConnection*)connectionwillCacheResponse:(NSCachedURLResponse*)cachedResponse{NSCachedURLResponse*newCachedResponse=cachedResponse;if([[[[cachedResponseresponse]URL]scheme]isEqual:@"https"]){newCachedResponse=nil;}returnnewCachedResponse;}DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201135/68Security-RelevantAPIsAppLayoutGeolocationBestPracticesUseleastdegreeofaccuracynecessaryCheckforgracefulhandlingoflocationServicesEnabledandauthorizationStatusmethodresponsesIfyoudon'twanttohandlesubpoenasfromdivorcelawyers:Don'tloglocallyAnonymizeserver-sidedataPrunelogsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201136/68Security-RelevantAPIsAppLayoutGeolocationAccuracySettingsSeveralaccuracyconstants:CLLocationAccuracykCLLocationAccuracyBestForNavigation;CLLocationAccuracykCLLocationAccuracyBest;CLLocationAccuracykCLLocationAccuracyNearestTenMeters;CLLocationAccuracykCLLocationAccuracyHundredMeters;CLLocationAccuracykCLLocationAccuracyKilometer;CLLocationAccuracykCLLocationAccuracyThreeKilometers;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201137/68Security-RelevantAPIsTheKeychainTheKeychainKeychainiswheresecretstugoesArgh!
DonotstorethisdatainNSUserDefaults!
Encryptedwithdevice-specickeyApps"can'tread",notincludedinbackupsSimplerAPIthanOSX:SecItemAdd,SecItemUpdate,SecItemCopyMatchingNotavailableinsimulatorforpre-4.
0←causeit'sgotkeysinit,seeDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201138/68Security-RelevantAPIsTheKeychainTheKeychainKeyprotectionPassanappropriatekSecAttrAccessiblevaluetoSecItemAdd:CFTypeRefkSecAttrAccessibleWhenUnlocked;CFTypeRefkSecAttrAccessibleAfterFirstUnlock;CFTypeRefkSecAttrAccessibleAlways;CFTypeRefkSecAttrAccessibleWhenUnlockedThisDeviceOnly;CFTypeRefkSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;CFTypeRefkSecAttrAccessibleAlwaysThisDeviceOnly;DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201139/68Security-RelevantAPIsTheKeychainTheKeychainSharedkeychainsForusingthesamekeychainamongdierentapps5UsedbysettingkSecAttrAccessGrouponinitAppsmusthavesamekeychain-access-groupsAppscanonlyhaveoneaccessgroupOnjailbrokenphone…allbetso5http://useyourloaf.
com/blog/2010/4/3/keychain-group-access.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201140/68Security-RelevantAPIsTheKeychainTheKeychainCerticatesOndevice,canbeinstalledviae-mail,SafarioriTunessyncOnoldersimulators,nosuchluckCertsstillveried,butnowaytoinstallnewonesSincethey'restoredintheKeychainStubsnecessaryfordetectingsimulatorvs.
deviceDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201141/68Security-RelevantAPIsTheKeychainDataProtectionImprovingleandkeychainprotectionBydefault,dataencryptedwith"hardware"keyIniOS4,"hardware"keycansupplementedwithPINDeveloperscanalsomarklesas"protected"Filesencrypted,unreadablewhiledeviceislockedDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201142/68Security-RelevantAPIsTheKeychainDataProtectionUsage2methodsforenablingPassNSDataWritingFileProtectionCompletetowriteToFilemethodofNSDataobjectSetNSFileProtectionKeytoNSFileProtectionCompleteonNSFileManagerobjectAgain,datanotaccessiblewhendeviceislockedCheckfordataavailabilitybeforeuse6CleanupwhenUIApplicationProtectedDataWillBecomeUnavailable6http://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/StandardBehaviors/StandardBehaviors.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201143/68Security-RelevantAPIsTheKeychainEntropyHowdoesitworkUsingCocoa,not/dev/randomGatheredviaSecRandomCopyBytesAgain,doesnotworkinsimulatorObviously,rand(),random(),arc4random()areallnon-startersintresult=SecRandomCopyBytes(kSecRandomDefault,sizeof(int),(uint8_t*)&randomResult);DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201144/68Security-RelevantAPIsBackgroundingBackgroundingInitiatingBackgroundTasksProbablymostsecurity-relevantAPIiniOS4.
0UsebeginBackgroundTaskWithExpirationHandlermethodtoinitiatebackgroundtasksNeedsmatchingendBackgroundTaskmethodRemainingtasktimestoredinbackgroundTimeRemainingpropertyDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201145/68Security-RelevantAPIsBackgroundingBackgroundingConcernsNote:appissnapshotteduponbackgroundingPriortothis,applicationshouldremoveanysensitivedatafromviewUsesplashscreenorsethiddenoralphapropertiesofUIWindowDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201146/68Security-RelevantAPIsBackgroundingBackgroundingStateTransitionsDetectstatetransitionsKeystatetransitionmethods:application:didFinishLaunchingWithOptions:applicationDidBecomeActive:applicationWillResignActive:applicationDidEnterBackground:applicationWillEnterForeground:applicationWillTerminate:DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201147/68Security-RelevantAPIsIPCIPCApplicationURLSchemesAppscanregistertheirownURLhandlers—addedbyeditingtheplist,usuallyfromXCodeCalledjustlikeanyURL,withmultipleparameters,e.
g.
openURL:[NSURLURLWithString:@"myapp://foo=urb&blerg=gah"];CanbecalledbyapporwebpageWithoutuserconrmation…ParamsaccessibletoreceivingappviaadelegateDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201148/68Security-RelevantAPIsIPCIPCApplicationURLSchemesDeprecateddelegationmethod:-(BOOL)application:(UIApplication*)applicationhandleOpenURL:(NSURL*)urlNewmethod:-(BOOL)application:(UIApplication*)applicationopenURL:(NSURL*)urlsourceApplication:(NSString*)sourceApplicationannotation:(id)annotationAllowsfordeterminingcallingapplication,receivesdatainplistformObviously,sanitizationiskeyhere,especiallygiven…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201149/68Security-RelevantAPIsIPCIPCURLhandlerconictsWhathappensiftwoappsusethesamehandlerIfanAppleappusesit:AppleapplaunchesThird-partyapps:"Undened""IfyourURLtypeincludesaschemethatisidenticaltoonedenedbyApple,theApple-providedapplicationthathandlesaURLwiththatscheme(forexample,"mailto")islaunchedinsteadofyourapplication.
IfaURLtyperegisteredbyyourapplicationincludesaschemethatconictswithaschemeregisteredbyanotherthird-partyapplication,theapplicationthatlaunchesforaURLwiththatschemeisundened.
"Maygotothelastclaimingapp…ew.
Hence:bewaryofpassingprivatedatainappURLsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201150/68Security-RelevantAPIsIPCIPCPushNoticationsRegisteringfornotications:[[UIApplicationsharedApplication]registerForRemoteNotificationTypes:(UIRemoteNotificationTypeBadge|UIRemoteNotificationTypeSound)];Receivingnotications:-(void)application:(UIApplication*)applicationdidReceiveRemoteNotification:(NSDictionary*)userInfo-(BOOL)application:(UIApplication*)applicationdidFinishLaunchingWithOptions:(NSDictionary*)launchOptionsCheckforvalidationofuserInfoandlaunchOptionsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201151/68Security-RelevantAPIsIPCCopy/PastePasteboardsObligatorydigatApplere:copy/pastedebacle2systemUIPasteboardaccessmethods:UIPasteboardNameGeneral&UIPasteboardNameFindPasteboardsmarked"persistent"willbekeptinlocalstorageDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201152/68Security-RelevantAPIsIPCCopy/PastePasteboardsAlso"private"applicationpasteboards,which(intrueObjective-Cform)arenotinanyway"private"OccasionallyusedasIPChackMigratingdatafromfree→paidappIsawonesuggestiontotransferprivatekeyswiththepasteboard¨Bottomline:avoidsensitivedatahere&cleanupafteryourselfClearpasteboardonapplicationWillTerminatepasteBoard.
items=nilDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201153/68Security-RelevantAPIsIPCCopy/PasteExampleAbuseHownottopasteboard:TwitterOAuthlibrary7-(void)pasteboardChanged:(NSNotification*)note{UIPasteboard*pb=[UIPasteboardgeneralPasteboard];if([note.
userInfoobjectForKey:UIPasteboardChangedTypesAddedKey]==nil)return;NSString*copied=pb.
string;if(copied.
length!
=7||!
copied.
oauthtwitter_isNumeric)return;[selfgotPin:copied];}73rd-partylibrary,notbyTwitterDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201154/68Security-RelevantAPIsIPCCopy/PasteDisablingitPossiblemitigation:Foreldswithsensitivedata,disablecopy/pastemenu-(BOOL)canPerformAction:(SEL)actionwithSender:(id)sender{UIMenuController*menuController=[UIMenuControllersharedMenuController];if(menuController){[UIMenuControllersharedMenuController].
menuVisible=NO;}returnNO;}Canalsodisablemenuitemsindividually88http://stackoverflow.
com/questions/1426731/DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201155/68UDIDsUDIDsUseandAbuseUniqueidentierderivedfromhardwareinformationOftenabusedasausertrackingmechanism9OccasionallyabusedasanauthenticatorSee:TapulousContrarytopopularbelief,thisismutable9http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201156/68UDIDsUDIDsUDIDFakeravailableonCydiaDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201157/68UDIDsUDIDsDon'tusethem.
Summary:Don'trelyonUDIDforanythingeverDon'tuseitfortracking,itgetsyoubadpressIfyoureallyneedtotrackusers,usehashofUDID+saltCheckcodeforuseof[[UIDevicecurrentDevice]uniqueIdentifier]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201158/68CommonAttackScenariosOldCStuClassicCAttacksNothingnewhereStillhasthesameclassicissuesBueroverowsIntegerissues,especiallywithmalloc()Whyareyoumalloc'ing,grandpaWeareinthefuturehereSanitizeintcalculationswithcheckint(3)Double-freesFormatstringsDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201159/68CommonAttackScenariosNewObjective-CStuObjectuseafterreleaseExploitable!
Undersomecircumstances.
10Procedure:ReleaseobjectReleasesomeotherobjectAllocatespaceofsamesizeasrstobjectWriteyourcodetothenewbuer…Sendmessageorreleasetooriginalobject10http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201160/68CommonAttackScenariosNewObjective-CStuiOS&FormatStringswithFormat/appendingFormatfamily%xworks—%ndoesnot¨%ndoesstillworkwithregularCcode…DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201161/68CommonAttackScenariosNewObjective-CStuFormatStringsFormatstringconfusionFoundonpentest:NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:[UtilityClassformatStuff:unformattedStuff.
text]];Bzzt.
NSStringobjectsaren'tmagicallysafe.
NSStringmyStuff=@"Hereismystuff.
";myStuff=[myStuffstringByAppendingFormat:UtilityClassformatStuff:unformattedStuff.
text]];DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201162/68CommonAttackScenariosNewObjective-CStuFormatStringsLikelyculprits[NSString*WithFormat][NSStringstringByAppendingFormat][NSMutableStringappendFormat][NSAlertalertWithMessageText][NSException][NSLog]DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201163/68SecurecodingchecklistSecurecodingchecklistOrpenetrationtester'shitlistHTTPSusedandcorrectlycongured(i.
e.
notbypassedbydelegationorsetAllowsAnyHTTPSCertificate)AllformatstringsproperlydeclaredGeneralCissues(malloc(),str*,etc.
)Anythird-partyC/C++codeissuspectEntropygatheredcorrectlySecurebackgroundingDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201164/68SecurecodingchecklistSecurecodingchecklistContinuedUIPasteBoardsnotleakingsensitivedataCorrectobjectdeallocation,nouse-after-releaseURLhandlerparameterssanitizedSecurekeychainusageNoinappropriatedatastoredonlocallesystemCFStream,NSStream,NSURLinputssanitized/encodedNodirectuseofUDIDDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201165/68QuestionsQ://.
.
DavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201166/68AppendixForFurtherReadingForFurtherReadingIH.
Dwivedi,C.
Clark,D.
ThielMobileApplicationSecurity.
McGrawHill,2010NeilArchibaldSTOP!
!
!
Objective-CRun-TIME.
http://felinemenace.
org/~nemo/slides/eusecwest-STOP-objc-runtime-nmo.
pdfApple,Inc.
iOSApplicationProgrammingGuidehttp://developer.
apple.
com/library/ios/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Introduction/Introduction.
htmlDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201167/68AppendixForFurtherReadingForFurtherReadingIIOtherresourceshttp://culater.
net/wiki/moin.
cgi/CocoaReverseEngineeringhttp://www.
musicalgeometry.
com/archives/872http://www.
pskl.
us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.
pdfDavidThiel(iSECPartners)SecureDevelopmentoniOSSOURCEBoston201168/68
- x001a54e8ios6.1.3越狱相关文档
- slowios6.1.3越狱
- 支持ios6.1.3越狱
- checkerios6.1.3越狱
- 支持ios6.1.3越狱
- 连接ios6.1.3越狱
- 编码ios6.1.3越狱
香港 1核 1G 5M 22元/月 美国 1核 512M 15M 19.36元/月 轻云互联
轻云互联成立于2018年的国人商家,广州轻云互联网络科技有限公司旗下品牌,主要从事VPS、虚拟主机等云计算产品业务,适合建站、新手上车的值得选择,香港三网直连(电信CN2GIA联通移动CN2直连);美国圣何塞(回程三网CN2GIA)线路,所有产品均采用KVM虚拟技术架构,高效售后保障,稳定多年,高性能可用,网络优质,为您的业务保驾护航。官方网站:点击进入广州轻云网络科技有限公司活动规则:用户购买任...
收到几个新商家投稿(HostMem,无忧云,青云互联,TTcloud,亚洲云端,趣米云),一起发布排名不分先后
7月份已经过去了一半,炎热的夏季已经来临了,主机圈也开始了大量的夏季促销攻势,近期收到一些商家投稿信息,提供欧美或者亚洲地区主机产品,价格优惠,这里做一个汇总,方便大家参考,排名不分先后,以邮件顺序,少部分因为促销具有一定的时效性,价格已经恢复故暂未列出。HostMem部落曾经分享过一次Hostmem的信息,这是一家提供动态云和经典云的国人VPS商家,其中动态云硬件按小时计费,流量按需使用;而经典...
ZJI:台湾CN2/香港高主频服务器7折每月595元起,其他全场8折
ZJI原名维翔主机,是原来Wordpress圈知名主机商家,成立于2011年,2018年9月更名为ZJI,提供香港、日本、美国独立服务器(自营/数据中心直营)租用及VDS、虚拟主机空间、域名注册业务。ZJI今年全新上架了台湾CN2线路服务器,本月针对香港高主频服务器和台湾CN2服务器提供7折优惠码,其他机房及产品提供8折优惠码,优惠后台湾CN2线路E5服务器月付595元起。台湾一型CPU:Inte...
ios6.1.3越狱为你推荐
-
宜昌市体育中心微信小程序直播功能准入要求preloadedbaidu伺服器win7水土保持ios8支持ipad支持ipad支持ipad重庆网通重庆联通网上营业厅手机版photoshop技术什么是ps技术