Mathieu Renard / Practical iOS Apps hacking    GreHack 2012, Grenoble, France

3 Accepted Papers

3.1 Mathieu Renard / Practical iOS Apps hacking

3.1.1 Mathieu Renard @GoToHack

Mathieu Renard "GoToHack" is a Senior Penetration tester, working for a French company (SOGETI-ESEC) where he is leading the penetration test team. His research areas focus on Web Application Security, Embedded Systems, Hardware hacking and recently Mobile device Security. Since last year, he has focused his work (security assessments) and his research on professional iOS applications and their supporting architecture where data security is paramount.
twitter: @GoToHack

3.1.2 Practical iOS Apps hacking

This talk demonstrates how professional applications like Mobile Device Management (MDM) clients, confidential contents managers (sandboxes), professional media players and other applications handling sensitive data are attacked and sometimes easily breached. This talk is designed to demonstrate many of the techniques attackers use to manipulate iOS applications in order to extract confidential data from the device. In this talk, the audience will see examples of the worst practices we are dealing with every day when pentesting iOS applications and learn how to mitigate the risks and avoid common mistakes that leave applications exposed. Attendees will gain a basic understanding of how these attacks are executed, and many examples and demonstrations of how to code more securely in ways that won't leave applications exposed to such attacks. This talk will focus especially on the following features: Secure Data Storage, Secure Password Storage, Secure communication, Jailbreak detection, Defensive tricks.
Talk and paper can be downloaded from http://grehack.org

14/61 GreHack

Practical iOS Apps hacking
Can we trust vendors to secure our data?

Mathieu RENARD
Sogeti ESEC / GotoHack.org
Paris, FRANCE
mathieu.renard[-AT-]gotohack.org

This paper demonstrates how professional applications like Mobile Device Management (MDM) clients, confidential contents managers (sandboxes), professional media players and other applications handling sensitive data are attacked and sometimes easily breached. Readers will gain a basic understanding of how these attacks are executed, and many examples of how to code more securely in ways that will not leave applications exposed to such attacks.
I. INTRODUCTION

Gone are the days when employees only used a company-issued phone for work-related matters. Today, employees bring personal smartphones and tablets to the office and often have access to sensitive company information on these devices. This paper is the result of one year of pentesting iOS applications and is designed to demonstrate many of the techniques attackers use to manipulate iOS applications in order to extract confidential data from the device. Then, jailbreak detection features are analyzed before discussing the results of tests launched on professional applications like Mobile Device Management (MDM) clients, confidential contents managers (sandboxes), professional media players and other applications handling sensitive data. Finally the author proposes mitigation techniques to implement in order to avoid common mistakes that leave applications exposed.
II. ATTACKING IOS APPLICATIONS

Most of the time, attacking iOS applications is synonymous with jailbreaking an iDevice, decrypting the application and reversing the binaries. Before developing these items there are some interesting points to linger on, especially on regular (non-jailbroken) devices.

A. What attackers can do without jailbreaking the device

Without having access to the file system it is impossible to decrypt and reverse iOS applications installed from the Apple App Store. Nevertheless, this section presents attack vectors that can allow retrieving confidential information stored by mis-implemented iOS applications.

1) Using the AFC protocol to retrieve data stored on the device

Apple File Communication Protocol (AFC) is a serial port protocol that uses a framework called MobileDevice that is installed by default with iTunes. Since 2010 this protocol is implemented in the libimobiledevice [8] open-source project. The protocol uses the USB port and cable when the device is connected to the computer and is responsible for things such as copying music and photos and installing firmware upgrades. AFC clients like iTunes are allowed access to a "jailed" or limited area of the device memory. Actually, AFC clients can only access certain files, namely those located in the Media and User-installed applications folders. In other words, using an AFC client a user/attacker can download the application resources and data, including the default preferences file where sometimes credentials are stored. The only requirement is that the device has to be unlocked. But this is definitively not a problem because an evil maid can backdoor any iDevice dock station.

Figure 1 iPownDock: Malicious dock station.
2) Retrieving data from backups

The main function of the backup is to permit the user to restore personal data and settings to an iPhone during a Restore (during which the content on the iPhone is typically erased). When the iPhone is connected to a computer and synced with iTunes, iTunes automatically creates a folder with the device UDID (Unique Device ID, 40 hexadecimal characters long) as the name and copies the device contents to the newly created folder. Most of the time this process is automatic. If the automatic sync option is turned off in iTunes, the user has to manually initiate the backup process through the iTunes interface.

TABLE I. BACKUP FILE PATH
    System      Backup Path
    Windows 7   C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
    Mac OS X    /Users/(username)/Library/Application Support/MobileSync/Backup/

Since the sync option is defined on the computer side, no user interaction except unlocking the device is required. This implementation allows a malicious dock station to initiate backups without user authorization. Performing such an attack, an attacker may retrieve personal and confidential data like copies of SMS, call logs, application data, default preferences and data stored in the keychain. Keychain class keys define whether a keychain item can be migrated to another device or not. The list of protection classes available for keychain items is shown in the table below.

TABLE II. KEYCHAIN CLASS KEYS
    Protection class                                    Description
    kSecAttrAccessibleWhenUnlocked                      Keychain item is accessible only after the device is unlocked
    kSecAttrAccessibleAfterFirstUnlock                  Keychain item is accessible only after the first unlock of the device, until reboot
    kSecAttrAccessibleAlways                            Keychain item is accessible even if the device is locked
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly        Keychain item is accessible only after the device is unlocked and the item cannot be migrated between devices
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly    Keychain item is accessible after the first unlock of the device and the item cannot be migrated
    kSecAttrAccessibleAlwaysThisDeviceOnly              Keychain item is accessible even if the device is locked and the item cannot be migrated

TABLE III. PROTECTION CLASSES FOR BUILT-IN ITEMS
    Application & Item type             Protection class
    Wi-Fi Password                      Always
    IMAP/POP/SMTP accounts              AfterFirstUnlock
    Exchange Accounts                   Always
    VPN                                 Always
    LDAP/CalDAV/CardDAV Accounts        Always
    iTunes backup password              WhenUnlockedThisDeviceOnly
    Device Certificate & private Key    AlwaysThisDeviceOnly

Using the iphone-dataprotection [1] tools developed by Jean-Baptiste Bédrune and Jean Sigwald of Sogeti ESEC, it is possible to extract all data stored in the keychain. Nonetheless, only data stored without the ThisDeviceOnly protection class can be extracted without requiring any jailbreak.
Notice: Extracting data stored with the ThisDeviceOnly protection class requires previously extracting the 0x835 key; the attack is detailed in the next section.
3) Monitoring communication

Monitoring communication can highlight a lack of encryption, allowing unsecured credential gathering. Starting with iOS 5, Apple added a remote virtual interface (RVI) facility that allows capturing traces from an iOS device. On Mac OS X the virtual interface can be enabled with the rvictl command.

    $ rvictl -s 454b673c547582234decef5ef3abce6765506af45
    Starting device 454b673c547582234decef5ef3abce6765506af45 [SUCCEEDED]
    $ # network interface, rvi0, added by the previous command.
    $ ifconfig -l
    lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0
    $ sudo tcpdump -i rvi0 -n
    listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes
    …

Figure 2 Enabling the iOS virtual interface on OS X.

On other systems this can be done using the com.apple.pcapd service through the usbmux [8] daemon.
4) Attacking secure communications to servers

Almost every application handling sensitive data will connect back to some server component. Developers are, thus, faced with the challenge of having to protect sensitive data in transit as it traverses the Internet and sometimes even insecure wireless media. This can be done using encryption, but it must be implemented correctly. This is why developers must take care when using the URL loading library. According to the security best practices, the default state of operation for the URL loading library is to fail on an invalid server certificate. However, during development it is often required to use an invalid certificate. Failure to use the libraries properly can result in weak client-to-server communications that attackers may compromise by setting up a transparent proxy (for example on a fake Wi-Fi access point). This is why it is really important to check this point before production launch. Nevertheless, the default SSL warning message can be bypassed by installing a fake certificate authority in the Apple certificate store. On a regular device, this cannot be done without user interaction. However, prior to iOS 6, SMS applications only displayed the reply-to field. This allows attackers to send fake configuration messages spoofing the reply-to field [28].
B. Installing the application on a jailbroken device

Apple designed the iPhone platform with the intent to control all software that is executed on the device. Thus, the design does not intend to give full system (or root) access to a user. Moreover, only signed binaries can be executed. In other words, the loader will execute neither unsigned binaries nor signed binaries without a valid signature from Apple. This ensures that only unmodified Apple-approved applications are executed on the device. The term jailbreaking refers to a technique where a flaw in the iOS operating system is exploited to unlock the device, thereby obtaining system-level (root) access. With such elevated privileges, it is possible to modify the system loader so that it accepts any signed binary, even if the signature is not from Apple. In other words, the loader will accept to launch every signed binary even if it is not signed with an Apple certificate.
1) Retrieving user password & keychain content

Jailbreaking also allows a malicious user to retrieve applications and data stored on the device. When a device is jailbroken, the confidentiality of the data and the information returned by the system calls cannot be trusted. Moreover, jailbreaking allows users to install an SSH service, which is often left in a de facto unsecure state.
Remember Worm:iPhoneOS/Ikee, the first worm which was targeting jailbroken Apple iPhones:
‐ The first version's most notable action involved changing the background wallpaper on the device.
‐ The second version of the worm was accessing users' computing devices and changing their data without permission.
Running critical applications on a jailbroken device may allow attackers to retrieve data such as encryption keys and credentials even when stored in the Keychain. In the iPhone Data Protection framework, Jean-Baptiste Bédrune and Jean Sigwald implemented a tool named "KeychainViewer" [1] allowing browsing the keychain content by directly accessing the keychain database.

Figure 3 Browsing the Keychain with KeychainViewer.
2) Retrieving the 0x835 Key

Browsing the keychain content on a jailbroken device is not really difficult. On the opposite, extracting all data, including data stored within the ThisDeviceOnly protection class, from a backup requires extracting the 0x835 key. The 0x835 key is generated by encrypting 0x01010101010101010101010101010101 with the UID key (hardware key). Hardware keys can only be accessed from the kernel. Therefore, the IOAESAccelerator kernel service has to be patched in order to allow key access from userland. The iPhone Data Protection framework embeds tools allowing patching the kernel and retrieving the 0x835 key.

Figure 4 Patching IOAESAccelerator.
C. Reversing Objective-C Binaries

iOS executables are ARM binaries and use the Mach-O binary file format.

1) Fairplay encryption

The primary obstacle to overcome in reversing iOS binaries from the App Store is that all published applications are encrypted using Apple's binary encryption scheme. When an application is synchronized onto the iDevice, iTunes extracts the application folder from the archive (bundle) and stores it on the device. Furthermore, the decryption key for the application is added to the device's secure keychain. This is required because the application binaries are stored in encrypted form (when an application is encrypted the cryptid is set to 1). Here the benefit of jailbreaking is that the user obtains immediate access to many development tools ready to be installed on iOS, such as a debugger and a disassembler. This makes the decryption step quite straightforward:
‐ The application is launched in the debugger.
‐ A breakpoint is set at the program entry point. Once this breakpoint triggers, the attacker knows that the system loader has verified the signature and performed the decryption.
‐ The memory region that contains the now decrypted code is dumped.
‐ The encrypted part of the binary is replaced by the dumped one.
‐ The CryptID is redefined to 0.
Tools like Crackulous [2] are making this task easier since they allow decrypting/cracking iOS applications in one click. Unfortunately Crackulous v1.0.0.5 does not handle the decryption of thin binaries (binary files compiled for one processor architecture only).

Figure 5 Cracking an application with Crackulous.

Fortunately (from the auditor's point of view), Stefan Esser (aka i0n1c) published a tool called dumpdecrypted [3] which, once loaded into the application, produces a decrypted version of it to analyze. Nevertheless, in order to limit iOS application cracking, the tool does not unset the cryptid after decryption. This means that the flag has to be unset manually after decryption. Since this step is not mandatory for a security analysis it will not be discussed here.
2) Objective-C & objc_msgSend

Objective-C is the most prevalent programming language used to create applications for the iOS platform. In Objective-C methods are not called; instead a so-called message is sent to a receiver object. These messages are handled by the dynamic dispatch routine called objc_msgSend. This dispatch routine is responsible for identifying and invoking the implementation for the method that corresponds to a message. The first argument is always a pointer to the called object, that is, the object on which the method should get invoked (for example, an instance of the class NSString). The second argument is called a selector. The selector is a string representation of the name of the method that should get invoked (for example length). All remaining arguments are passed to the target method once it is resolved. To perform this resolution, the objc_msgSend function walks the class hierarchy starting at the receiver and searches for a method whose name corresponds to the selector. If no match is found in the receiver class, its superclasses are searched recursively. Once the corresponding method is identified, objc_msgSend invokes the method and passes along the necessary arguments.
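The lookup described above, as an added example that is not part of the paper: a toy model of objc_msgSend in plain C with a two-level class hierarchy (the class, method and function names are invented). It shows why selectors survive in a stripped binary as plain strings, and why a hook only needs to swap the implementation pointer this lookup returns.

```c
/* Added example (not from the paper): a minimal model of how objc_msgSend
 * resolves a selector by walking the class hierarchy. All names here
 * (toy_class, toy_object, toy_msg_send, "Base", "Secret") are invented. */
#include <stdio.h>
#include <string.h>

struct toy_object;
typedef const char *(*toy_imp)(struct toy_object *self, const char *arg);

typedef struct toy_method {
    const char *selector;   /* method name as a string, e.g. "reveal:" */
    toy_imp     imp;        /* implementation to invoke once resolved */
} toy_method;

typedef struct toy_class {
    const char *name;
    const struct toy_class *superclass;  /* NULL for the root class */
    const toy_method *methods;
    int method_count;
} toy_class;

typedef struct toy_object {
    const toy_class *isa;   /* first word of every object: its class */
    const char *payload;    /* instance data used by the "Secret" class */
} toy_object;

/* Walk from the receiver's class up to the root, exactly the search the
 * paragraph describes: receiver class first, then superclasses in turn. */
static toy_imp toy_lookup(const toy_class *cls, const char *selector) {
    for (; cls != NULL; cls = cls->superclass) {
        for (int i = 0; i < cls->method_count; i++) {
            if (strcmp(cls->methods[i].selector, selector) == 0) {
                return cls->methods[i].imp;
            }
        }
    }
    return NULL; /* no class in the chain implements the selector */
}

/* Dispatch: first argument is the receiver, second the selector, the
 * remaining argument is forwarded to the resolved implementation. */
const char *toy_msg_send(toy_object *receiver, const char *selector, const char *arg) {
    toy_imp imp = toy_lookup(receiver->isa, selector);
    if (imp == NULL) return "unrecognized selector";
    return imp(receiver, arg);
}

static const char *base_description(toy_object *self, const char *arg) {
    (void)self; (void)arg;
    return "Base object";
}
static const char *secret_reveal(toy_object *self, const char *arg) {
    (void)arg;
    return self->payload;
}

/* "Base" implements description; "Secret" inherits it and adds reveal:. */
static const toy_method base_methods[] = { { "description", base_description } };
static const toy_class BaseClass = { "Base", NULL, base_methods, 1 };
static const toy_method secret_methods[] = { { "reveal:", secret_reveal } };
static const toy_class SecretClass = { "Secret", &BaseClass, secret_methods, 1 };

int main(void) {
    toy_object s = { &SecretClass, "constructed secret value" };
    printf("%s\n", toy_msg_send(&s, "description", NULL)); /* found in Base */
    printf("%s\n", toy_msg_send(&s, "reveal:", NULL));     /* found in Secret */
    printf("%s\n", toy_msg_send(&s, "bogus", NULL));       /* not found */
    return 0;
}
```

The "description" message sent to a Secret instance is resolved in Base, one level up, which is the recursive superclass search the paragraph describes; a tool like class-dump recovers the same selector strings and class chain from the binary's Objective-C metadata.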
3) Retrieving classes headers

Since many applications for iOS are developed in Objective-C, the Mach-O format supports specific sections, organized in so-called commands, to store additional meta-data about Objective-C programs. The __objc_classlist section contains a list of all classes for which there is an implementation in the binary. The __objc_classref section, on the other hand, contains references to all classes that are used by the application, including imported classes. It is the responsibility of the dynamic linker to resolve the references in this section when loading the corresponding library. Other sections include information about categories, selectors, or protocols used or referenced by the application. Apple has been developing the Objective-C runtime as an open-source project. Thus, the specific memory layout of the involved data structures can be found in the header files of the Objective-C runtime. One can rebuild basic information about the implemented classes by traversing these structures in the binary. Using "class-dump", the commercial version of IDA Pro (starting with 6.2) or IDA plugins like zynamics/objc-helper-plugin-ida [11] within the IDA free version, it is trivial to retrieve this information.

Figure 6 Analyzing iOS binaries with class-dump.
4) Where to start

To start the analysis in the right way we have to locate the main class. The UIApplicationDelegate protocol declares methods that are implemented by the delegate of a UIApplication object. These methods provide information about key events in an application's execution such as when it finished launching, when it is about to be terminated, when memory is low, and when important changes occur. Finding one of the following methods: applicationDidFinishLaunching, applicationDidFinishLaunchingWithOptions, application*… is a good way to find out which view is launched first. Regarding the views' initialization, the UIViewController class provides specific methods that are called when specific events occur. When trying to follow the execution path, the main event to focus our attention on is viewDidLoad, which is called after the view's initialization.

5) Where to look

The list of points to focus on when reversing an iOS application is related to the features of the application to be analyzed. Here is a list of objects that may be of interest regarding security matters.

TABLE IV. INTERESTING OBJECTS, CLASSES & METHODS
    Use case           Objects/Classes/Methods
    URL Handling       NSURL*
    Socket Handling    CFSocket*
    Keychain           kSecAttr*, SecKeychain*
    Files Handling     NSFileManager*
    Crypto             CCCrypt*
D. Dynamic analysis

There are many different approaches to dynamic analysis. In this section we will focus on the MobileSubstrate [6] framework.

1) Introducing MobileSubstrate

MobileSubstrate [6] is a framework that allows developers to provide run-time patches ("MobileSubstrate extensions") to system functions. MobileSubstrate can easily be installed on a jailbroken device through Cydia [6]. The framework consists of three major components:
‐ MobileHooker is used to replace system functions.
‐ MobileLoader is used to automatically load MobileSubstrate extensions at application launch. MobileLoader will first load itself into the running application using the DYLD_INSERT_LIBRARIES environment variable. Then it looks for all dynamic libraries in the directory /Library/MobileSubstrate/DynamicLibraries/, and dlopens them.
‐ SafeMode: when an extension crashes the SpringBoard, MobileLoader will catch that and put the device into safe mode, meaning that all 3rd-party extensions will be disabled.
In order to define a hook the developer can use two functions:
‐ MSHookMessageEx() will replace the implementation of the Objective-C message by the replacement, and return the original implementation. This dynamic replacement is in fact a feature of Objective-C, and can be done using method_setImplementation.
‐ MSHookFunction() is like MSHookMessageEx() but is for C/C++ functions. Conceptually, MSHookFunction() will write instructions at assembly level that jump to the replacement function, and allocate some bytes at a custom memory location, which holds the original cut-out instructions and a jump to the rest of the hooked function. Since on iPhone OS by default a memory page cannot be simultaneously writable and executable, a kernel patch is applied for MSHookFunction() to work.
Using this framework an attacker can easily trace and dynamically patch the application at runtime. Here is an example of a jailbreak detection bypass:

    /* pointer to the original system(), filled in by MSHookFunction */
    static int (*old_system)(char *) = NULL;

    /* replacement: answer "no shell available" to system(NULL) */
    int st_system(char *cmd) {
        if (!cmd) {
            return nil;
        }
        return old_system(cmd);
    }

    __attribute__((constructor))
    static void initialize() {
        MSHookFunction(system, st_system, &old_system);
    }

Figure 7 Bypassing jailbreak detection.
2) Attacking network communication

By hooking NSURLConnection and setting a proxy on the device it is possible to silently steal the credentials and all the data exchanged with the server, even when transmitted through HTTPS. iOS SSL Kill Switch [5] is a MobileSubstrate [6] extension developed by iSEC Partners. This extension allows disabling certificate validation in order to facilitate black box testing of iOS apps. Once installed on a jailbroken device, the extension patches NSURLConnection to override and disable the system's default certificate validation.

3) Stealing crypto keys

By hooking the CCCrypt(3cc) API it is possible to silently steal the crypto keys used by native iOS applications. The CCCrypt(3cc) API provides access to a number of symmetric encryption algorithms. Most of the time the applications are directly calling the CCCrypt() function. CCCrypt() is a stateless, one-shot encrypt or decrypt operation.

    CCCryptorStatus CCCrypt(CCOperation op, CCAlgorithm alg, CCOptions options,
                            const void *key, size_t keyLength,
                            const void *iv,
                            const void *dataIn, size_t dataInLength,
                            void *dataOut, size_t dataOutAvailable,
                            size_t *dataOutMoved);

Figure 8 CCCrypt API definition.
III. JAILBREAK DETECTION FEATURES [THE TRUTH]

Jailbreak detection features are implemented in order to detect when an end user has compromised their device, or to detect whether an intruder has compromised a stolen device. For example, all MDM applications embed jailbreak detection features. The following sections present common and uncommon jailbreak detection features highlighted during one year studying iOS application security.

A. Checking for jailbreak files

This is the most common check performed in the applications we analyzed. Usually applications are checking for files like "/Applications/Cydia.app", "/bin/apt", "/usr/sbin/sshd"…

    + (BOOL)doCydia {
        if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"]) {
            return YES;
        }
        return NO;
    }

Figure 9 Checking for jailbreak files.

Launching a simple "strings" on the application binary can highlight this test. Nonetheless, sometimes developers use dynamic string generation and obfuscation tricks in order to hide the checked files. Anyway, this test can be bypassed by hooking NSFileManager methods.
B. Checking if the system partition is writable

On a regular device the system partition is mounted with the read-only attribute. After jailbreaking a device with the public jailbreak tool Absinthe [4], the system partition remains writable. This change is made by replacing the /etc/fstab file. The file is commonly 80 bytes for all iOS versions, whereas the copy of the file installed by the public jailbreak tool Absinthe is only 65 bytes.

    + (BOOL)doFstabSize {
        struct stat sb;
        stat("/etc/fstab", &sb);
        long long size = sb.st_size;
        if (size == 80) {
            return NO;   /* stock file size: not jailbroken */
        }
        return YES;
    }

Figure 10 Checking /etc/fstab size.

This test can easily be bypassed by hooking the stat system call within a MobileSubstrate extension.
C. Checking for shell

By default no shell is available on a regular device, but one comes with the public jailbreak. This is why this test aims to detect if a shell is available on the device by calling system(0). If the value of command is NULL, system() returns nonzero if the shell is available, and zero if not.

    + (BOOL)doShell {
        if (system(0)) {
            return YES;
        }
        return NO;
    }

Figure 11 Checking for a shell.

This test can easily be bypassed with a MobileSubstrate extension (see Figure 7).
D. Checking for signer identity (another common test)

Most of the applications cracked with "Crackulous" [2] come with a SignerIdentity key added in the Info.plist file bundled with the application.

    + (BOOL)doSignerIdentity {
        NSBundle *bundle = [NSBundle mainBundle];
        NSDictionary *info = [bundle infoDictionary];
        if ([info objectForKey:@"SignerIdentity"] != nil) {
            NSLog(@"App has been hacked");
            return YES;
        }
        return NO;
    }

Figure 12 Checking for SignerIdentity.

This test is designed to overcome automated processes at best, and will probably only defeat most tutorial-followers. An attacker can hex edit the binary file and, as such, could edit the string @"SignerIdentity" to read @"siNGerIDentitY" or something else, which would return nil and thus pass. This test can also be bypassed by hooking objectForKey and returning nil.
E. Less common jailbreak checks

Less common jailbreak checks are using system calls:
‐ fork(): documented in some books and blog posts: if the process can fork, the device is jailbroken. Except that this check produces a lot of logs in the console and, most important, does not work because the jailbreak does not patch this part of the sandbox. See the iPhone Wiki [12] for details about jailbreak patches.
‐ open(): trying to open a file in write mode in a non-writable path outside the sandbox: if no error, the device is not jailbroken.
Like the other jailbreak detection functions presented in this section, system calls can easily be hooked in order to hide the jailbreak.
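The checks of sections A, B and C rewritten in plain C as an added example (not the paper's code): each probe reports failure separately instead of silently reading a failed stat() as "not jailbroken", and the caller receives a bitmask saying which indicator fired. The function names, flag constants and the temporary file used when testing are invented for this example; the 80/65-byte sizes and the marker paths come from the sections above.

```c
/* Added example (not the paper's code): file-marker, /etc/fstab size and
 * shell probes with explicit error reporting. Names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define JB_NONE    0
#define JB_FILES   (1 << 0)   /* a known jailbreak artefact exists */
#define JB_FSTAB   (1 << 1)   /* /etc/fstab does not have the stock size */
#define JB_SHELL   (1 << 2)   /* a command shell is reachable */
#define JB_UNKNOWN (1 << 7)   /* a probe failed: treat as suspicious, not as clean */

/* Paths named in section III.A; on a real device they are probed as-is. */
static const char *const jb_marker_paths[] = {
    "/Applications/Cydia.app", "/bin/apt", "/usr/sbin/sshd", NULL
};

/* Section III.A: returns 1 if any listed path exists, 0 if none does. */
int jb_check_files(const char *const *paths) {
    for (; *paths != NULL; paths++) {
        if (access(*paths, F_OK) == 0) return 1;
    }
    return 0;
}

/* Section III.B: a stock /etc/fstab is 80 bytes, Absinthe's copy 65.
 * Returns 1 (replaced), 0 (stock size) or -1 when stat() itself fails,
 * so a hooked or missing stat() can no longer pass as "not jailbroken". */
int jb_check_fstab_size(const char *fstab_path) {
    struct stat sb;
    memset(&sb, 0, sizeof sb);
    if (stat(fstab_path, &sb) != 0) return -1;
    return sb.st_size == 80 ? 0 : 1;
}

/* Section III.C: system(NULL) reports whether a shell is reachable. */
int jb_check_shell(void) {
    return system(NULL) != 0 ? 1 : 0;
}

/* Combine the probes into a bitmask so the caller sees which one fired
 * and can treat a failed probe differently from a clean result. */
int jb_assess(const char *const *paths, const char *fstab_path) {
    int flags = JB_NONE;
    if (jb_check_files(paths)) flags |= JB_FILES;
    int fstab = jb_check_fstab_size(fstab_path);
    if (fstab < 0) flags |= JB_UNKNOWN;
    else if (fstab) flags |= JB_FSTAB;
    if (jb_check_shell()) flags |= JB_SHELL;
    return flags;
}

int main(void) {
    int flags = jb_assess(jb_marker_paths, "/etc/fstab");
    printf("jailbreak indicators: 0x%02x\n", flags);
    return 0;
}
```

Run on a desktop the shell probe naturally fires, which is the point of keeping the indicators separate: the policy that decides what to do with JB_SHELL or JB_UNKNOWN belongs to the caller, and a probe that cannot answer must never be counted as a clean device.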
F. Conclusion: Jailbreak detection = Fail by design!

Despite these tests being interesting and probably stopping most of the script kiddies, tutorial followers and automated tools, skillful attackers can bypass them. The thing is that Apple does not provide any API to launch actions either before or after the installation. As a result attackers are able to decrypt and analyze applications before they could launch their jailbreak detection tests. Moreover, after the jailbreak the attackers have root access to the device, which means they control everything on the device, as opposed to the iOS application. Nevertheless, when well implemented, jailbreak detection features can discourage most script kiddies and tutorial followers.
IV. REAL WORLD APPS & SECURITY WORST PRACTICES

This section presents the worst practices highlighted during one year of pentesting iOS applications used in professional environments.

A. Unsecure password storage

Some applications are using the NSUserDefaults standardUserDefaults method in order to store user credentials. The problem is that standardUserDefaults stores information in plain text in a plist file that can be downloaded through the AFC protocol.

Figure 13 Default plist file including a cleartext stored password.

B. Authentication Bypass

Here the password defined by the user is stored on the file system in an encrypted database. The problem is that the application has to decrypt the database before the user is authenticated in order to check the password validity. Since the database is decrypted before the user is authenticated, it is possible for an attacker having access to an unlocked jailbroken device to retrieve the password in memory.

C. Unsecure data storage

This example was highlighted during the analysis of a sandbox-like application. According to the documentation the application is using "high grade encryption" to secure the documents. iExplorer is an iPhone browser or iPad file explorer that runs on Mac & PC. iExplorer lets users browse the files and folders on their iDevice as if it were a normal USB flash drive or pen drive (this application does not require any jailbreak). Using this tool it is possible to download all the application resources and data. The analysis of the data highlights the lack of encryption. In this case, when the vendor says "high grade encryption" you must read: all data are stored on the iPhone encrypted file system, which provides high-grade encryption.
D. Extracting data from logs

This application embeds a secure web browser which, according to the best practices, redirects all the network traffic through an SSL tunnel (even HTTP traffic is redirected through this tunnel). However, all the cookies used during the user navigation are exported in the application logs. Application logs are available to any application installed on the device. A malicious application could use these cookies in order to impersonate user sessions and access/steal confidential data.

E. Hardcoded encryption key – Common!

This application is a secure media player allowing to play/view protected content. Here is the pseudocode of the image decryption routine.

    Base64Key = (int)objc_msgSend(*classRef_NSString_Ptr, *selRef_stringWithFormat_Ptr, CFSTR("HiddenTreasures"));
    NSData = &classRef_NSData;
    Key = objc_msgSend(&OBJC_CLASS___NSData, "dataFromBase64String:", Base64Key);
    BundlePath = objc_msgSend(&OBJC_CLASS__NSBundle, "mainBundle");
    cpngPath = (int)objc_msgSend(BundlePath, "pathForResource:ofType:", filename, CFSTR("cpng"), 1063452672);
    Data = *NSData;
    cpngFileContent = (int)objc_msgSend(Data, "dataWithContentsOfFile:", cpngPath);
    decryptedContent = (int)objc_msgSend(&OBJC_CLASS___FBEncryptorAES, "decryptData:key:iv:", cpngFileContent, Key, 0);

Figure 14 Image decryption function pseudocode.

Here the key/password "HiddenTreasures" is Base64 decoded before being used as the key for the AES decryption algorithm. Moreover, the IV used by the AES crypto function is fixed to "0". With this information an attacker can easily re-implement the algorithm and decrypt the data.
F. Playing DRM video with MPMoviePlayerController

This application was using the Apple "MPMoviePlayerController" API to play encrypted content stored on the device. In other words the application was locally streaming the files. The "MPMoviePlayerController" is part of Apple's APIs. Apple's developer documentation says:
‐ A movie player (of type MPMoviePlayerController) manages the playback of a movie from a file or a network stream.
‐ When encryption is employed, references to the corresponding key files appear in the index file so that the client can retrieve the keys for decryption.
‐ When a key file is listed in the index file, the key file contains a cipher key that must be used to decrypt subsequent media files listed in the index file.
‐ Currently HTTP Live Streaming supports AES-128 encryption using 16-byte keys. The format of the key file is a packed array of these 16 bytes in binary format.
All an attacker needs to play the video on another device is the index file, the key and the encrypted video, which in this case are stored in cleartext on the file system and can be retrieved through the AFC protocol.

    #EXTM3U
    #EXT-X-TARGETDURATION:63
    #EXT-X-VERSION:2
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:63,
    #EXT-X-KEY:METHOD=AES-128,URI="http://localhost:12345/crypt5.key",IV=0cd4634ed46bbc1e8235e21b23dc6792e3
    http://localhost:12345/fileSequence5.ts
    #EXT-X-ENDLIST

Figure 15 MPMoviePlayerController index file.

This allows an attacker to develop their own movie player to read the video files extracted/dumped from the iPad.
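An added example, not from the paper: an auditor's parser for the #EXT-X-KEY tag of an index file like the one in Figure 15. It extracts METHOD, URI and IV and flags a key that is fetched from the device itself (localhost, file:// or a relative path), which is exactly the condition that lets the content be replayed elsewhere. The function and struct names are invented; the sample playlist embedded below is the Figure 15 index file.

```c
/* Added example (not from the paper): extract the key tag from an HLS
 * index file and flag keys served from the device itself. All function
 * and struct names are invented for this example. */
#include <stdio.h>
#include <string.h>

typedef struct hls_key_info {
    int  found;          /* 1 if an #EXT-X-KEY tag was present */
    char method[16];     /* e.g. "AES-128" or "NONE" */
    char uri[256];       /* where the client fetches the key */
    char iv[80];         /* optional IV attribute, empty if absent */
    int  key_is_local;   /* 1 if the key lives next to the content */
} hls_key_info;

/* Copy the value of attribute `name` (quotes stripped) out of an
 * attribute list such as METHOD=AES-128,URI="...",IV=... */
static int hls_attr(const char *attrs, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = attrs;
    while ((p = strstr(p, name)) != NULL) {
        /* the attribute name must start the list or follow a comma */
        if ((p == attrs || p[-1] == ',') && p[nlen] == '=') {
            p += nlen + 1;
            const char *end;
            if (*p == '"') { p++; end = strchr(p, '"'); }
            else { end = strchr(p, ','); }
            if (end == NULL) end = p + strlen(p);
            size_t len = (size_t)(end - p);
            if (len >= outlen) len = outlen - 1;
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        p += nlen;
    }
    out[0] = '\0';
    return 0;
}

/* A key URI that resolves to the device itself means the key is stored
 * alongside the index and the encrypted segments. */
static int hls_uri_is_local(const char *uri) {
    return strncmp(uri, "file://", 7) == 0
        || strstr(uri, "://localhost") != NULL
        || strstr(uri, "://127.0.0.1") != NULL
        || strstr(uri, "://") == NULL;   /* relative path: same place as the index */
}

/* Scan a playlist held in memory line by line and report its key tag. */
hls_key_info hls_audit_key(const char *playlist) {
    hls_key_info info;
    memset(&info, 0, sizeof info);
    const char *line = playlist;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 11 && strncmp(line, "#EXT-X-KEY:", 11) == 0) {
            char attrs[512];
            size_t alen = len - 11 < sizeof attrs - 1 ? len - 11 : sizeof attrs - 1;
            memcpy(attrs, line + 11, alen);
            attrs[alen] = '\0';
            info.found = 1;
            hls_attr(attrs, "METHOD", info.method, sizeof info.method);
            hls_attr(attrs, "URI", info.uri, sizeof info.uri);
            hls_attr(attrs, "IV", info.iv, sizeof info.iv);
            info.key_is_local = strcmp(info.method, "NONE") != 0 && hls_uri_is_local(info.uri);
            break;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return info;
}

/* Constructed input: the index file shown in Figure 15. */
static const char figure15_playlist[] =
    "#EXTM3U\n"
    "#EXT-X-TARGETDURATION:63\n"
    "#EXT-X-VERSION:2\n"
    "#EXT-X-MEDIA-SEQUENCE:0\n"
    "#EXTINF:63,\n"
    "#EXT-X-KEY:METHOD=AES-128,URI=\"http://localhost:12345/crypt5.key\",IV=0cd4634ed46bbc1e8235e21b23dc6792e3\n"
    "http://localhost:12345/fileSequence5.ts\n"
    "#EXT-X-ENDLIST\n";

int main(void) {
    hls_key_info k = hls_audit_key(figure15_playlist);
    printf("method=%s uri=%s iv=%s key_is_local=%d\n", k.method, k.uri, k.iv, k.key_is_local);
    return 0;
}
```

For the Figure 15 playlist the parser reports method AES-128, the localhost key URI and key_is_local set, i.e. the key is a local file that travels with the content; a key served only after authentication from a remote host would leave key_is_local clear.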
V. DEFENDING IOS APPLICATIONS

In matters of security the iOS system is not perfect. Even if Apple increases the security level of its mobile operating system, for each new release comes a new jailbreak. Jailbreaking is a process that allows users to gain root access to the command line, decrypt, analyze and crack iOS applications. In this section we will present some defensive tricks, which can be used with the aim of slowing down skilful attackers, discouraging script kiddies and defeating automatic tools.

A. Anti-analysis part 1

It is possible to add an anti-debugging feature by sending a non-standard ptrace value named PT_DENY_ATTACH. Setting this value allows a process that is not currently being traced to deny future traces by its parent. All other arguments are ignored. An attempt by the parent to trace a process which has set this flag will result in a segmentation violation in the parent.

    #import <dlfcn.h>
    #import <sys/types.h>
    #define PT_DENY_ATTACH 31

    typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);

    /* resolve ptrace at runtime so the call does not show up as an import */
    void disable_gdb() {
        void *handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
        ptrace_ptr_t ptrace_ptr = dlsym(handle, "ptrace");
        ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
        dlclose(handle);
    }

Figure 16 Disabling GDB with PT_DENY_ATTACH.

It is useful for defeating most tutorial-followers but this is no guarantee that your application cannot be debugged, and in fact there are ways around this. An attacker can set a breakpoint within the application prior to issuing a run from within a debugger, and specify that the debugger run any commands he wants when ptrace starts and before the application can shut down. Here is an example of a GDB script to bypass the PT_DENY_ATTACH system call:

    break ptrace
    commands 1
    return
    continue
    end

Figure 17 Bypassing PT_DENY_ATTACH.

Nevertheless, since the ptrace function is built inside the kernel, the user space interface only performs syscall 26 (ptrace). If the anti-debugging function is inlined like the example below, PT_DENY_ATTACH will be installed and there is no ptrace function to break on.

    mov r0, #31
    mov r1, #0
    mov r2, #0
    mov r3, #0
    mov ip, #26
    svc #0x80

Figure 18 Inline version of the PT_DENY_ATTACH test.

Anyway, a dedicated and skillful attacker can patch the kernel/application.
B. Anti-analysis 2
When an application is being debugged, the kernel sets the P_TRACED flag for the process, signifying that the process is being traced. Applications can monitor the state of this flag. If this flag is set, the application knows that it was either started with a debugger, or a debugger was later attached to it. When the application detects it is being debugged, the program should silently wipe all confidential data and encryption keys and then inform the user.

    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/sysctl.h>
    #include <string.h>
    #define P_TRACED 0x00000800
    static int checkGDB() __attribute__((always_inline));
    int checkGDB() {
        size_t size = sizeof(struct kinfo_proc);
        struct kinfo_proc info;
        memset(&info, 0, sizeof(struct kinfo_proc));
        int ret, name[4];
        /* Ask the kernel for the kinfo_proc entry of our own pid */
        name[0] = CTL_KERN;
        name[1] = KERN_PROC;
        name[2] = KERN_PROC_PID;
        name[3] = getpid();
        if ((ret = sysctl(name, 4, &info, &size, NULL, 0)))
            return ret;
        /* P_TRACED is set while a debugger is attached to the process */
        return (info.kp_proc.p_flag & P_TRACED) ? 1 : 0;
    }
Figure 19 Checking the P_TRACED flag

This technique will only allow the application to detect when gdb, or another debugger, is attached to the process, but will not detect when malicious code is injected, or when other tools that do not trace are attached to the process. Implementing this in your code will only force an attacker to either avoid using a debugger (which will further complicate things for him), or to locate and patch the debugging checks. Moreover a skillful attacker could also patch out the invocation of sysctl itself. This is why simple sanity checks should be done to ensure that sysctl can return other data, and to ensure that the call does not fail. This will help further complicate the attack and require the attacker to properly populate the kinfo_proc structure with valid information.
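To make the sysctl-based check fail closed in the way the paragraph above recommends, here is an added example in C; it is not code from the paper. The decision logic is kept apart from the system call so the sanity checks can be exercised on constructed values off-device. The enum names, classify_proc_info and check_debugger are this example's own choices; P_TRACED, struct kinfo_proc and its kp_proc.p_pid and kp_proc.p_flag fields are the real Darwin definitions used by Figure 19, and the real probe is only compiled on Apple platforms.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

#define P_TRACED 0x00000800   /* same flag as in Figure 19 */

/* Tri-state result: a failed or implausible sysctl answer is reported on its own,
 * never silently mapped to "not traced" (names are this example's assumption). */
enum debug_state { DBG_NOT_TRACED = 0, DBG_TRACED = 1, DBG_SUSPICIOUS = 2 };

/* Pure decision function, separated from the syscall so it can be tested offline.
 * rc and size_out come from sysctl(); p_pid and p_flag are read back from kinfo_proc. */
static enum debug_state classify_proc_info(int rc, size_t size_out, size_t size_expected,
                                           pid_t p_pid, pid_t my_pid, int p_flag)
{
    if (rc != 0)                        return DBG_SUSPICIOUS; /* call failed or was patched out */
    if (size_out != size_expected)      return DBG_SUSPICIOUS; /* kernel did not fill the struct */
    if (p_pid <= 0 || p_pid != my_pid)  return DBG_SUSPICIOUS; /* data is not about this process */
    return (p_flag & P_TRACED) ? DBG_TRACED : DBG_NOT_TRACED;
}

#ifdef __APPLE__
/* Real probe, meaningful only on Darwin (iOS/macOS). */
static enum debug_state check_debugger(void)
{
    pid_t me = getpid();
    int name[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, me };
    struct kinfo_proc info;
    size_t size = sizeof info;
    memset(&info, 0, sizeof info);
    int rc = sysctl(name, 4, &info, &size, NULL, 0);
    /* The pid cross-check forces a forged answer to be a fully populated kinfo_proc */
    return classify_proc_info(rc, size, sizeof info,
                              info.kp_proc.p_pid, me, info.kp_proc.p_flag);
}
#endif

int main(void)
{
#ifdef __APPLE__
    return check_debugger() == DBG_NOT_TRACED ? 0 : 1;
#else
    /* Off-device: exercise the decision logic on constructed values only */
    return classify_proc_info(0, 64, 64, 1234, 1234, P_TRACED) == DBG_TRACED ? 0 : 1;
#endif
}
```

The point of the split is that a caller treats DBG_SUSPICIOUS exactly like DBG_TRACED (wipe keys, then inform the user), so stubbing sysctl out to return an error or an empty buffer no longer yields a "clean" verdict.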
C. Preventing Hooking
Hooking allows attackers to alter or augment the behaviour of applications. Implementing the following defensive measures helps ensure that the functions called are the ones implemented in the application.

1) Validating Address Space
Any time malicious code is injected into an application, it is loaded into the application address space. Validating the address space for the critical methods used by the application forces the attacker to find ways to inject his code into the existing address space.
The dynamic linker library includes a function named dladdr. The function dladdr() takes a function pointer and tries to resolve the name and file where it is located. Information is stored in the Dl_info structure.

    typedef struct {
        const char *dli_fname;  /* Pathname of shared object that contains address */
        void       *dli_fbase;  /* Shared object address */
        const char *dli_sname;  /* Name of nearest symbol with address lower than addr */
        void       *dli_saddr;  /* Exact address of symbol named in dli_sname */
    } Dl_info;
Figure 20 Dl_info structure

By providing the structure with the function pointer of a class's method implementation, its origins can be verified.

    #include <dlfcn.h>
    #include <objc/runtime.h>
    #include <Foundation/Foundation.h>
    static int checkAddressSpace(const char *MyCriticalClass, const char *MyCriticalMethod) __attribute__((always_inline));
    int checkAddressSpace(const char *MyCriticalClass, const char *MyCriticalMethod) {
        Dl_info info;
        /* Resolve the implementation the runtime will actually dispatch to */
        IMP imp = class_getMethodImplementation(objc_getClass(MyCriticalClass),
                                                sel_registerName(MyCriticalMethod));
        if (dladdr((const void *)imp, &info)) {
            /* Do some additional tests: pathname of shared object … */
            return 1;
        } else {
            NSLog(@"Error: cannot find %s symbol", MyCriticalMethod);
            return 0;
        }
    }
Figure 21 Checking address space

2) Inlining
iOS offers a way to override functions in a shared library with the DYLD_INSERT_LIBRARIES environment variable (which is similar to LD_PRELOAD on Linux).
On a jailbroken device the MobileSubstrate framework simplifies this task and allows developers to easily load libraries at application launch. Inline functions are functions in which the compiler expands a function body to be inserted within the code every time it is called. In other words, there is no longer a function: the code gets pasted into the machine code whenever it is called. Turning the critical functions into inline ones will cause them to be repeated throughout the application every time they are called. This raises the attack complexity by forcing an attacker to hunt down every occurrence of the code and patch it. To be inlined a function must be declared with the attribute __attribute__((always_inline)):

    static int isPasswordValid(char *pwd) __attribute__((always_inline));
    int isPasswordValid(char *pwd) {
        // Function body
    }
Figure 22 Defining inline attribute

In addition to this attribute the following two compilation flags should be enabled: -finline-functions -Winline

D. Other binary protections
iOS applications are not exempt from overflow vulnerabilities; this is why the following mitigating techniques should be implemented in every application.
1) Stack smashing protection
It is possible to activate stack-smashing protection at compilation time. This can be achieved by specifying the -fstack-protector-all compiler flag. When an application is compiled with this protection, a known value called "canary" is placed on the stack before the local variables to protect the saved base pointer, saved instruction pointer and function arguments. The value of the canary is verified upon the function return to see if it has been overwritten. One can identify the presence of stack canaries by examining the symbol table of the binary; if stack-smashing protection is compiled into the application, two undefined symbols will be present:
‐ ___stack_chk_fail
‐ ___stack_chk_guard

2) Automatic Reference Counting
Automatic Reference Counting (ARC) was introduced in iOS SDK version 5.0 to move the responsibility of memory management from the developer to the compiler. Consequently, ARC also offers some security benefits as it reduces the likelihood of developers introducing memory corruption (specifically object use-after-free and double free) vulnerabilities into applications. ARC can be enabled in an application within XCode by setting the compiler option "Objective-C Automatic Reference Counting" to "yes". This option is automatically checked starting with XCode 4.3.
3) Binary obfuscation
The main purpose of code obfuscation and other protections applied to source code or resulting binaries is to prevent reverse engineering and cracking. Unfortunately, there are no popular, well-known tools for Objective-C code obfuscation. Objective-C is a dynamic language, based on the message passing paradigm, where most bindings are resolved at runtime. Therefore it is always possible for an attacker to track, intercept and reroute calls, even with obfuscated names. Nevertheless, adding some obfuscation to the binaries will slow down the analysis. Since no open source tool exists to perform this task automatically, the developer has to implement the obfuscation himself. Symbol stripping and dynamic string generation should be implemented, especially if the application is checking for jailbreak files and if it informs the user they're using a cracked version. Actually, when strings are stored in plain text, crackers can quickly track down where the view is generated with the strings and disable the check. For example, dynamic string generation can easily be implemented by using a crypto algorithm. In this case strings are decrypted on the fly just before being used and cleared from memory after use. In addition to these basic tricks it may be interesting to rename classes and methods with random names. Using basic block cloning techniques and inserting opaque predicates will also increase the binary obfuscation level. Basic block cloning allows spreading the execution across the cloned basic blocks. Inserting opaque predicates adds extra tests to conditionals which cannot be easily proved. The obfuscation should be performed semi-automatically, over a copy of the source code, with a tool custom developed for such a task. Obfuscated code is by definition hard to read before compilation as well as after decompiling from binaries. Anyway, it is important to keep in mind that obfuscation will only slow down attackers performing static analysis. It is only a matter of time before an attacker mixing static and dynamic analysis will be able to reverse your application.
E. Security of running memory
The following guidelines can help to improve the security of running memory:
‐ Never store anything in memory until the user has authenticated and data has been decrypted. It should not even be possible to store passwords, credentials, or other information in memory before a user has entered their passphrase; if it is, the application is not properly implementing encryption.
‐ Do not store encryption keys or other critical data inside Objective-C instance variables, as they can be easily referenced. Instead, manually allocate memory for these. This will not stop an attacker from hooking into your application with a debugger, but will up the ante for an attacker. Typically, if a device is compromised while the user is using it, the attack is automated malware rather than an active human.
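As an added illustration of two points made above, dynamic string generation in section D.3 (strings kept obfuscated at rest, revealed just before use and cleared afterwards) and the manually allocated storage for sensitive data recommended in this section, here is a small C example; it is not code from the paper. The key bytes, the encoded table for the constructed string "cracked" and every name in it (secure_buf, obf_xor, obf_reveal, secure_wipe and the demo_* helpers) are this example's own choices. The XOR step is only obfuscation against a strings(1) pass, not encryption, in line with the paper's own caveat that obfuscation merely slows attackers down.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample key. In a real build the key and the encoded tables would be
 * produced by a build step so that the plaintext never appears in the shipped binary. */
static const uint8_t kObfKey[] = { 0x5a, 0xc3, 0x17, 0x88 };

/* "cracked" XOR-ed byte by byte with the rolling key above (constructed sample). */
static const uint8_t kObfCracked[] = { 0x39, 0xb1, 0x76, 0xeb, 0x31, 0xa6, 0x73 };

/* Symmetric XOR transform: the same call encodes at build time and decodes at run time. */
static void obf_xor(const uint8_t *in, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ kObfKey[i % sizeof kObfKey];
}

/* Manually allocated buffer for short-lived secrets: not an Objective-C ivar, so it is
 * not reachable through the object graph, and it is zeroed before being released. */
typedef struct {
    uint8_t *data;
    size_t   len;
} secure_buf;

/* Overwrite through a volatile pointer so the compiler cannot drop the stores as dead. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

static int secure_buf_alloc(secure_buf *b, size_t len)
{
    b->data = calloc(1, len);
    b->len = b->data ? len : 0;
    return b->data ? 0 : -1;
}

static void secure_buf_free(secure_buf *b)
{
    if (b->data) {
        secure_wipe(b->data, b->len);
        free(b->data);
    }
    b->data = NULL;
    b->len = 0;
}

/* Reveal an obfuscated string into a fresh secure buffer, NUL-terminated. */
static int obf_reveal(const uint8_t *obf, size_t n, secure_buf *out)
{
    if (secure_buf_alloc(out, n + 1) != 0) return -1;
    obf_xor(obf, n, out->data);
    out->data[n] = '\0';
    return 0;
}

/* Typical use: reveal, use once, wipe. Returns 1 when the revealed text matches. */
static int reveal_use_and_wipe(const uint8_t *obf, size_t n, const char *expected)
{
    secure_buf s;
    if (obf_reveal(obf, n, &s) != 0) return 0;
    int match = strcmp((const char *)s.data, expected) == 0;
    secure_buf_free(&s);            /* plaintext is no longer resident after this point */
    return match && s.data == NULL;
}

/* Self-checks that double as the worked results of this example. */
static int demo_reveal(void)
{
    return reveal_use_and_wipe(kObfCracked, sizeof kObfCracked, "cracked");
}

static int demo_roundtrip(void)
{
    uint8_t enc[sizeof kObfCracked];
    obf_xor((const uint8_t *)"cracked", sizeof enc, enc);
    return memcmp(enc, kObfCracked, sizeof enc) == 0;
}

static int demo_wipe(void)
{
    uint8_t scratch[16];
    memset(scratch, 0xAA, sizeof scratch);
    secure_wipe(scratch, sizeof scratch);
    for (size_t i = 0; i < sizeof scratch; i++)
        if (scratch[i] != 0) return 0;
    return 1;
}

int main(void)
{
    return (demo_reveal() && demo_roundtrip() && demo_wipe()) ? 0 : 1;
}
```

The lifetime rule is the part worth copying: the plaintext exists only between obf_reveal and secure_buf_free, in memory the code owns directly, and a plain memset before free would be a weaker substitute because the compiler may remove a store to memory that is about to be released.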
VI. CONCLUSION
Regarding security, most iOS applications are not mature! Developers should apply the following recommendations in order to mitigate the risks:
‐ Do not rely only on iOS security,
‐ Do not store credentials using the standard UserDefaults method,
‐ Encrypt your data even when stored in the keychain,
‐ Do not store crypto keys on the device,
‐ Check your code, classes, functions, methods integrity,
‐ Detect the jailbreak,
‐ Properly implement cryptography in applications (simple implementations are the most secure),
‐ Remove all debug information from the final release,
‐ Minimize use of Objective-C for critical functions & security features.
Users and companies should not blindly trust iOS application vendors when talking about security.