This presentation will cover the basics of attacking iOS applications (and their back ends) using a web proxy to intercept, modify, and repeat HTTP/HTTPS requests. From setting up the proxy to pulling data from the backend systems, this talk will be a great primer for anyone interested in testing iOS applications at the HTTP protocol level. There will be a short (2 minute) primer on setting up the intercepting proxy, followed by three practical examples showing how to intercept data headed to the phone, how to modify data heading to the application server, and how to pull extra data from application servers to further an attack. All of these examples will focus on native iOS apps (Game Center and Passbook) and/or functionality (Passbook Passes).
Video Link - http://www.irongeek.com/i.php?page=videos/louisvilleinfosec2013/attacking-ios-applications-karl-fosaaen
4. Intercepting traffic: Why
• iOS traffic can be interesting
‒ Most apps use web service calls
‒ Most apps are web browsers
• Traffic tampering
‒ Can you name your own price?
‒ Submit a higher score?
• Server responses can be interesting
‒ Modify what the server says to trick your app
‒ Intercepting files (ie: Passbook Passes)
• Same goes for Android
5. Intercepting traffic: How
• Use an intercepting proxy
‒ Set it up to capture your traffic
‒ Store and forward allows for tampering
• SSL Interception
‒ Requires a trusted certificate
‒ Some apps don’t trust iOS cert stores
• This is a good thing, just a pain for interception
• Traffic sniffing
‒ Some apps send requests in the clear
‒ Packet sniffing can be useful
9. Intercepting Traffic: Certs
• Exporting the Burp Root CA
• Save the root cert as PortSwiggerCA.crt
• Send the cert to yourself via email and add it to your iOS device
• Instructions from Portswigger:
http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone
14. Intercepting Traffic: Burp
• A quick warning…
‒ Watch your credentials
• Exchange ActiveSync sends encoded passwords
• Your login creds for other apps and sites will get stored in your proxy
‒ Mostly watch the data getting stored in your proxy
• You never know when you will need to send your Burp session to someone else
15. Intercepting Traffic: Certs
• Identifying pinned apps
• Able to intercept normal browser SSL traffic
• Can’t get app specific data
• Pinning might be in use
• The app may also be looking for specific cert parameters
• This is not pinning
• It’s cert checking
16. Intercepting Traffic: Certs
• Avoiding issues with cert pinned apps
• Open the app without the proxy enabled
• Get to a spot where you request an external resource
• Switch over to your preferences
• Turn on the Proxy
• Request the resource
• Passbook pass
• Coupon
• Or just use the exclusions in Burp
20. Attack Examples: GameCenter
• Attacking High Scores
‒ GameCenter scores update with HTTPS POST requests
‒ No input validation on “score-value” parameter
• Max score of 9,223,372,036,844,775,807
21. Attack Examples: GameCenter
• Attack Process
‒ Set up intercepting proxy
‒ Play a game
• Beat the first level or trigger a score update
‒ Intercept the score update
• Look for “submitScores” page
‒ Replace score value with 9,223,372,036,844,775,807
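The back-end check the slide says is missing, as an added example (not from the talk or Game Center): it assumes a constructed access-log format and a per-leaderboard ceiling, and flags submitScores requests whose score-value is non-numeric, negative, outside the 64-bit range, or above what the game logic can actually produce.

```python
import re
from urllib.parse import parse_qs

INT64_MAX = 2**63 - 1
# Highest score the game logic can actually produce per leaderboard (assumed).
MAX_PLAUSIBLE = {"level1": 50_000}
LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) (.*)$")

# Constructed sample of server access-log lines for the score-submission
# endpoint. Assumed format: "<ts> <player> POST <path> <urlencoded body>".
SAMPLE_LOG = """\
2013-10-16T10:01:02Z player42 POST /submitScores score-value=1250&leaderboard=level1
2013-10-16T10:03:15Z player42 POST /submitScores score-value=9223372036844775807&leaderboard=level1
2013-10-16T10:04:40Z player77 POST /submitScores score-value=-5&leaderboard=level1
2013-10-16T10:05:01Z player77 POST /submitScores score-value=abc&leaderboard=level1
2013-10-16T10:05:20Z player13 POST /submitScores score-value=9223372036854775808&leaderboard=level1
"""

def validate_score(raw, leaderboard):
    """Checks a back end should run before trusting score-value.
    Returns None if acceptable, otherwise a reason string."""
    try:
        score = int(raw)
    except (TypeError, ValueError):
        return "non-integer score"
    if score < 0:
        return "negative score"
    if score > INT64_MAX:
        return "overflows 64-bit integer"
    ceiling = MAX_PLAUSIBLE.get(leaderboard)
    if ceiling is not None and score > ceiling:
        return f"exceeds plausible maximum {ceiling}"
    return None

def find_suspicious(log_text):
    """Return (player, raw score-value, reason) for each submitScores
    request whose score fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3).endswith("/submitScores"):
            continue
        body = parse_qs(m.group(4), keep_blank_values=True)
        raw = body.get("score-value", [None])[0]
        board = body.get("leaderboard", [""])[0]
        reason = validate_score(raw, board)
        if reason:
            hits.append((m.group(2), raw, reason))
    return hits
```

Running `find_suspicious(SAMPLE_LOG)` flags four of the five constructed lines; the same `validate_score` check belongs in the request handler itself, not only in after-the-fact log review.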
27. Attack Examples: GameCenter
• Capturing Email Hashes
• SHA1 email hashes can be leaked by requesting player information
• This can be done for current friends and accounts of “friends of friends”
• What can we do with these?
• Why would anyone want those?
28. Attack Examples: GameCenter
• Next Steps
‒ So you have some hashes, so what…
• You have their handle, first and last names too
‒ What’s your email address?
• Common email user names
• First.last
• FirstinitialLast
• Handle/username
• NameBirthYear (or other “significant” number)
‒ Who’s your email provider?
• Gmail, yahoo, hotmail, AOL
29. Attack Examples: GameCenter
• Capturing Email Hashes
• Step One: Add a bunch of friends
• Current recommendations, leaderboards, friends of your friends
30. Attack Examples: GameCenter
• Capturing Email Hashes
• Step Two: Get a list of all of their friends
• So “friends of friends”
• Use Burp for this
32. Attack Examples: GameCenter
• Capturing Email Hashes
• RETURN to Step One multiple times
• Step Four: Query for the email hashes for all of your friends and all of their friends too
• This will be done with intruder in Burp
• Much like step three – Send the request on the next slide to intruder
34. Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to Guess Email user names
• kfosaaen@example.com
• k.fosaaen@example.com
• karlfosaaen@example.com
• karl.fosaaen@example.com
• karl.f@example.com
• karlf@example.com
‒ Append the top 500 email domains to the end and SHA1 the whole thing
35. Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to SHA1 hash the guessed emails
• This was basic, but worked well
‒ Use the email guesses as a dictionary for Hashcat
• The rule set can be customized to make cracking easier
36. Attack Examples: GameCenter
• Final Numbers:
‒ 225 friends added* (as of 10/16/13)
*Records collection stopped after 45 friends
‒ 1,635 records gathered
• 1,534 after Unicode removal
• 14,377 available to me currently
‒ 300 email hashes cracked (19.5%)
Records Example:
SHA1 Email Hash : username : First Name : Last Name
591542B50A99EAA8E41136305075F9FF708F1992:bubblefish:Deb:Morgan
38. Attack Examples: Passbook
• Multiple Apps are now available with Passbook
• Mostly used to store loyalty cards, coupons, and boarding passes
‒ Gift cards are now getting adopted
• Can actually be pretty convenient to use
39. Attack Examples: Passbook
• Common Application Issues:
• Failure to securely deliver .pkpass files
• No HTTPS or certificate pinning
• Failure to validate pass information on backend systems
• Do you really have $1,000 on that gift card?
40. Attack Examples: Passbook
• Passes are sent as .pkpass files
‒ .pkpass is just a renamed .zip file
‒ Required contents:
• manifest.json
• pass.json
• Signature
• A signature file for integrity
• Prevents file replacement and a re-zip
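An added example, not from the talk or from Apple, of the integrity check those two files provide: it builds a constructed .pkpass-style archive in memory and verifies every file against the SHA-1 digests in manifest.json (the manifest format Passbook uses); the PKCS#7 signature over the manifest is a placeholder here and must be verified separately with the pass-signing certificate.

```python
import hashlib
import io
import json
import zipfile

REQUIRED = ("manifest.json", "pass.json", "signature")

def build_pass(files):
    """Constructed .pkpass-style zip: manifest.json maps each file name to the
    SHA-1 hex digest of its bytes. The real signature is PKCS#7 over
    manifest.json with the Apple-issued pass cert; here it is a placeholder."""
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("signature", b"<PKCS#7 placeholder>")
    return buf.getvalue()

def check_manifest(pkpass_bytes):
    """Return a list of integrity problems: required files missing, files not
    listed in the manifest, and files whose bytes no longer match their hash."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as zf:
        names = set(zf.namelist())
        problems += [f"missing {r}" for r in REQUIRED if r not in names]
        if "manifest.json" not in names:
            return problems
        manifest = json.loads(zf.read("manifest.json"))
        for name in sorted(names - {"manifest.json", "signature"}):
            expected = manifest.get(name)
            if expected is None:
                problems.append(f"{name} not listed in manifest")
            elif expected != hashlib.sha1(zf.read(name)).hexdigest():
                problems.append(f"{name} hash mismatch")
    return problems

def replace_file(pkpass_bytes, name, new_data):
    """Test fixture: re-zip with one file swapped and the manifest left alone,
    which is exactly the edit the signed manifest is meant to catch."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_data if item == name else src.read(item))
    return out.getvalue()

# Constructed sample: a gift-card style pass, then the same pass with the balance edited.
ORIGINAL = build_pass({"pass.json": json.dumps({"balance": "25.00"}).encode()})
TAMPERED = replace_file(ORIGINAL, "pass.json", json.dumps({"balance": "1000.00"}).encode())
```

Even a pass that clears both the manifest and signature checks only proves who signed it; the back end should look the balance up by the pass's own identifiers rather than trust the value carried in pass.json.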
41. Attack Examples: Passbook
• Creating your own
‒ Join the Apple Developer Program ($99)
‒ Create the pass.json to match your needs
• The teamIdentifier and passTypeIdentifier fields need to be modified to match your Apple cert
• Modify the pass details that you want to
‒ Use the signpass application (from Apple) to generate the new .pkpass file
‒ Can be done in Windows and Linux
• Apple Developer cert is still needed
43. Attack Examples: Passbook
• Attack overview – Proxy method
‒ Set up your intercepting proxy
‒ Request a Passbook pass from the app
• Look for the “Add to Passbook” button
‒ Intercept the request for the pass
• Usually to a third party site
‒ Request and save the pass in your browser
‒ Modify your pass
‒ Re-sign and use your new and improved pass
44. Attack Examples: Passbook
• Delta Boarding Passes
‒ One of many Passbook apps, but it’s the one that I use the most
‒ Main Delta App does not do certificate pinning
46. Attack Examples: Passbook
• Attack overview – Easier way
‒ Add your pass to Passbook
‒ Send yourself the pass from the Passbook app
‒ Modify your pass
‒ Re-sign and use your new and improved pass