IOS App Pentest

May 5, 2019 | Author: Semi Yulianto | Category: Ios, Proxy Server, Xcode, Mobile App, Hypertext Transfer Protocol

Penetration Testing For iOS Applications

NSLog(@"Hello, OWASP!");









About me! Jason Haddix
• Director of Penetration Testing, HP Fortify
• Former Netpen guy. Current Mobile and Webpen guy.
• ShadowLabs Guy
• Fortify on Demand does dynamic testing for web apps, mobile, special projects, bakeoffs, etc. That's us.

Rough Agenda (we will digress)
• Quick Overview of the iPhone Platform
• Threat Modeling
• 3rd party applications
• Environment Setup
• Whitebox Assessments
• Blackbox Assessments

[Tech Stack diagram; surviving labels: Objective-C APIs; iOS (fork of Darwin (fork of BSD)); Operating System; ARM Executables; Jailbreak]

What does an iOS Application Look Like
• iOS Applications:
– In Development with Apple SDK Xcode:
• Distributed as Xcode Project Folders
– Compiled and deployed through the app store:
• Compiled as ARM
• Distributed as “.ipa” files (zip files containing app resources and the ARM executable)
• Deployed as “.app” directories
– Executable code is:
• encrypted with FairPlay DRM (AES)
• signed with Apple's signature

What does an iOS Application Look Like
• Objective-C (in Xcode)
• Compiled to ARM and encrypted
• Packaged as IPA file with resources
• Deployed to phone file system as .app directory

Types of iOS Applications
• Web Applications:
– HTML / CSS / JavaScript
– Run inside Safari/WebKit
• Native Applications:
– Written in Objective-C

Threat Modeling
• What does the app access? Where is it stored?
• What happens if the user loses his phone or it's stolen?
• Individual application's data lost: how bad is it?

3eminde"s 

*an' as ill en#ode sensiti5e data, not en#"'tF Loo/ $o"B 









8aseI  #-&#6d5#m4 Hex  :I66I$QI e#imal  Q R   R   :: *d  $d##6baaIdId96Qdeb99Q#$RR SHA  baaIe#RbR6$6$:I9QQ:bI#$966beeI9$d9

3eminde"s o" a mobile a #an be di0e"ent t+at +at 'ou exe#tF Loo



?se"names Passo"ds ? -eolo#ationadd"essi O8 e5i#e Name Neto"/ onne#tion Name



Ali#ation ata

     
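As an added example (not part of the original slides), a small Python audit routine that takes the five stored values listed on the slide, all of which are representations of the same string "password", reverses the reversible encodings and recognises the digest shapes by length; it shows concretely why Base64, hex or decimal "protection" recovers the secret in one step, while an unsalted hash is still recognisable. The sample list is constructed from the slide's values.

```python
import base64
import binascii
import re

# Constructed sample values, as they might be found in an app's plist/sqlite
# storage; every one is an encoding or unsalted digest of the same secret,
# the string "password", exactly as listed on the slide above.
SAMPLE_VALUES = [
    "cGFzc3dvcmQ=",
    "70617373776f7264",
    "112 97 115 115 119 111 114 100",
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
]

# Fixed hex digest lengths: recognisable by shape, but not reversible.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(value):
    """Return (kind, plaintext or None); encodings are reversed to show the
    secret was never protected, digests are only recognised by length."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in DIGEST_LENGTHS:
        return DIGEST_LENGTHS[len(v)], None
    if re.fullmatch(r"(\d{1,3}\s+)+\d{1,3}", v):  # space-separated ASCII codes
        nums = [int(n) for n in v.split()]
        if all(32 <= n < 127 for n in nums):
            return "decimal", "".join(map(chr, nums))
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", v):
        plain = binascii.unhexlify(v)
        if plain.isascii() and plain.decode().isprintable():
            return "hex", plain.decode()
    if len(v) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v):
        try:
            plain = base64.b64decode(v, validate=True)
        except binascii.Error:
            plain = b""
        if plain and plain.isascii() and plain.decode().isprintable():
            return "base64", plain.decode()
    return "unknown", None


if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        kind, plain = classify(value)
        note = f"decodes to {plain!r}" if plain else "not reversible (digest or unknown)"
        print(f"{kind:8} {value}  -> {note}")
```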

Ha"da"e 7n#"'tion and ** Will Sa5e ?s! 

Ha"da"e en#"'tion in iOS onl' alies +e"e se#iG#all' #alled and to mail and S*S



Ce' to unen#"'t t+e data is sto"ed in e0a#eable sto"ageF



Ha"da"e en#"'tion it+out ** is sus#etible to b"ute $o"#e atta#/s  Q min to b"ea/ a  digit PN



Ha"da"e en#"'tion it+ **, it+ "emote ie enabled, and long PN  8est otion +ttBgooFglH#HDN

 %+e big ta/eaa' it+ iOS 7n#"'tion 

P+'si#al a##ess ins!



Plus 'ou #an ala's ulls some sue" #ool s' mo5es!

+ttBgooFgl?Wtg

Whitebox Testing

WhiteBox Environment Setup: Tool List
• Your Mac: Xcode (newest), Build/analyze/clang, Property List Editor, Plutil, otool, Instruments, Wireshark/Tshark, netcat, Nmap, Burp Suite, Flawfinder, SQLite Manager, FuzzDB

Anatomy of an Application in iOS Sim
• Show all files: defaults write com.apple.Finder AppleShowAllFiles YES
• /Users/username/Library/Application Support/iPhone Simulator/Applications/<app>/
– ./Documents: properties, logs
– ./Library/Caches: cachey things
– ./Library/Caches/Snapshots: screenshots of your app
– ./Library/Cookies: cookie lists
– ./Library/Preferences: various preference lists
– ./Library/WebKit: WebKit local storage
– ./Appname.app: app resources: binary, graphics, nibs, Info.plist
– ./tmp: tmp and logs sometimes

W+itebox  lient ata Sto"age



*anual Sou"#e #ode nse#tion

Anal'ing > SA %ools 

8uild and Anal'e 





&unnil' enoug+ D#ode +as a built in sou"#e #ode s#anne" $o"me"l' /non as LAN-F +ttB#lang