SlideShare ist ein Scribd-Unternehmen logo

Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps

DefconRussia
DefconRussia
Technologie
1 von 56
Downloaden Sie, um offline zu lesen
Blackbox analysis of iOS apps Dmitry 'D1g1' Evdokimov, Security researcher at Digital Security (ERPScan)
Blackbox analysis of iOS apps #whoami • Director of DSecRG (ERPScan Research Group) • Section editor in the Xakep magazine • Co-organizer of DEFCON Russia & ZeroNights • Author of Python arsenal for RE Specialized in finding vulnerabilities in binary applications without source code 2 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Attention please! It is not rocket science =) This work is a compilation of public information and my own experience 3 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Goals of this workshop • How iOS and iOS applications work • The basics of iOS vulnerabilities • The skill of using common tools to find vulnerabilities in iOS apps 4 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Agenda 1. iOS platform 1. How it works, Objective-C, ARM, security mechanisms, jailbreak 2. Introduction to Objective-C 3. iOS apps 1. Mach-O format, application structure, … 4. iOS vulns 5. Blackbox testing 1. Static and dynamic analysis 5 © 2002—2013, Digital Security
Blackbox analysis of iOS apps iOS • iOS is derived from OS X, with which it shares Darwin • • ARM The kernel sources remain closed • __arm__, ARM_ARCH • Touch-based • SpringBoard • Security mechanisms • Sandbox as a jail • … 6 © 2002—2013, Digital Security
Blackbox analysis of iOS apps iOS security mechanisms • Code Signing - X.509v3 certificates • Sandboxing (SeatBelt) - Inability to break the app’s directory - /var/mobile/Applications/<app-GUID>/ - Inability to access any other process - Inability to use any hardware devices directly - Inability to generate code dynamically • Privilege separation - Mobile user + Entitlements © 2002—2013, Digital Security 7
Blackbox analysis of iOS apps Jailbreak • Jaibreak depends on SW & HW • Tethered • Untethered • Ability to access file system • Copy/edit any file in the system • Bypassing sandbox restrictions • Break out of the app’s directory • Launching unsigned applications • Launch applications that do not belong to App Store © 2002—2013, Digital Security 8
Blackbox analysis of iOS apps Apple about jailbreak http://support.apple.com/kb/HT3743 9 © 2002—2013, Digital Security
Blackbox analysis of iOS apps ARM • • • • • Advanced RISC Machine Load-store architecture Fixed-length instructions 3-address instruction formats Instructions: • Data transfer • Data processing • Control flow 10 © 2002—2013, Digital Security
Blackbox analysis of iOS apps ARM modes 1. ARM • Length(Instr) = 4 bytes 2. Thumb • Length(Instr) = 2 bytes 3. Thumb2 • Length(Instr) = 2/4 bytes 4. Jazzle • Java bytecode + ARM/Thumb 11 © 2002—2013, Digital Security
Blackbox analysis of iOS apps ARM32 • Registers: • General Purpose: r0-r12 • Stack Pointer: r13 (SP) • Link Register: r14 (LR) • Program Counter: r15 (PC) • Current Program Status Register (CPSR) • Calling Convention: • Argument Values: r0-r3 • Local Values: r4-r12 • Return Value: r0 © 2002—2013, Digital Security 12
Blackbox analysis of iOS apps ARM 64-bit Architecture 1. iPhone 5S 2. AArch64 (ARM), ARM64 (Apple) 13 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Divergences, divergences, divergences... 14 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Development for iOS • • Mac Xcode • gcc/LLVM/LLVM-gcc compilers • iPhone Simulator (i386) • Cocoa Touch • Objective-C • Other: HTML, JavaScript, C# & .NET (Xamarin) 15 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Objective-C • • Object-oriented language Based on: • Strict superset C • Smalltalk 16 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Calling methods C++ ObjectPointer->MethodName(param1, param2) Obj-C [ObjectPointer MethodName:param1 param2Name:param2] objc_msgSend(ObjectPointer, "MethodName“,”param1”, “param2”) objc_msgSend() objc_msgSendSuper() objc_msgSend_fpret() objc_msgSend_stret() objc_msgSendSuper_stret() objc_msgSendSuper2() © 2002—2013, Digital Security 17
Blackbox analysis of iOS apps Go to device • • • • • Jailbreak Cydia SSH/putty itunnel_mux WinSCP/scp 18 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Prepare env in device • otool • class-dump-z • APT 0.6 Transitional • apt-get • Command line tools • curl, dpkg, file, grep, netcat, python, sed, … 19 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Install apps from console • Debian package dpkg -i <package.deb> killall -HUP SpringBoard • App without developer license or patched scp -r HelloWorld.app/ root@yourIP:/Applications/ uicache killall -HUP SpringBoard • IPA: o o IPA Installer Console iPhone Configuration Utility © 2002—2013, Digital Security 20
Blackbox analysis of iOS apps Useful commands • • cd /private/var/mobile/Applications find . -name '*Appname*‘ • • cd /private/var/mobile/Applications ls –l | grep ‘Time’ 21 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Applications • AppStore • • On devices • • IPA packages = ZIP files /private/var/mobile/Applications/<UUID>/<AppName>.app/ Apple apps • /Applications/ 22 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Mach-O file format basic structure 23 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Mach-O header 1. 32bit (ARMv6,ARMv7) • 0xFEEDFACE 2. 64bit • 0xFEEDFACF 3. Universal binaries (FAT) • 0xCAFEBABE 24 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Application structure AppName.app/ App Documents/ Data files saved by the app Library/ Miscellaneous app files iTunesArtwork App icon iTunesMetadata.plist The property list of the app tmp/ Directory for temporary files 25 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Decrypt app from AppStore 1. gdb • Choosing the right architecture (if FAT) • Breakpoint at start 2. Clutch 3. dumpdecrypted.dylib 26 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Decrypt • • Clutch • /var/root/Documents/Cracked/ dumpdecrypted.dylib 27 © 2002—2013, Digital Security
Blackbox analysis of iOS apps OWASP Mobile Top 10 Risks 28 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Traffic analysis • Passive network traffic monitoring with tcpdump Then load the *.pcap file into wireshark for analysis • Gateway method • BurpSuite • HTTPS: Import PortSwigger CA to the iDevice • dnsRedir • Mallory (by Intrepidus Group) 29 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Certificate pinning?! • • • Pinning is the process of associating a host with their expected X509 certificate or public key. OWASP • https://www.owasp.org/index.php/Certificate_and_Pu blic_Key_Pinning#iOS Attack • trustme • SecTrustEvaluate • ios-ssl-killswitch • SSLCreateContext,SSLSetSessionOption, SSLHandshake 30 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Working with SSL certificates • NSURLConnection class • Accepting a self-signed certificate or incorrect error processing • • • allowsAnyHTTPSCertificateForHost setAllowsAnyHTTPSCertificate continueWithoutCredentialForAuthentica tionChallenge 31 © 2002—2013, Digital Security
Blackbox analysis of iOS apps CFStreams sockets • kCFStreamPropertySSLSettings • • • • • • kCFStreamSSLLevel kCFStreamSSLAllowsExpiredCertificates kCFStreamSSLAllowsExpiredRoots kCFStreamSSLAllowsAnyRoot kCFStreamSSLValidatesCertificateChain kCFStreamSSLPeerName 32 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Cross-site scripting • UIWebView class • • stringByEvaluatingJavaScriptFromString shouldStartLoadWithRequest 33 © 2002—2013, Digital Security
Blackbox analysis of iOS apps List of interesting strings • Don’t use and don’t leak • UDID • IMEI • ICCID • PII • OSN-ID • LID 34 © 2002—2013, Digital Security
Blackbox analysis of iOS apps XML injections • • XML External Entity (XXE) flaws NSXMLParser class • • • libxml2 library • • setShouldResolveExternalEntities foundExternalEntityDeclarationWithName _xmlParseMemory 3rd party libraries and classes 35 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Directory traversal • NSFileManager class • • • contentsAtPath fileHandleForReadingAtPath C functions • • fopen … © 2002—2013, Digital Security
Blackbox analysis of iOS apps File storage • NSFileManager class • NSFileProtectionKey attribute • • • • • NSFileProtectionNone NSFileProtectionComplete NSFileProtectionCompleteUnlessOpen NSFileProtectionCompleteUntilFirstUserAuthe ntication Tools: • filemon.iOS • FileDP 37 © 2002—2013, Digital Security
Blackbox analysis of iOS apps filemon.iOS 38 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Plist files • plist – property lists • Serialized objects • XML • NSUserDefaults class • Tools: • Python library: plistlib, bplist • plist Editor • plutil • plutil - convert xml1 39 © 2002—2013, Digital Security
Blackbox analysis of iOS apps SQLite and SQL injections • SQLite database • • • • • /usr/lib/libsqlite3.dylib /<GUID>/Documents/ • *.sqlite, *.db, *.sqlite3 sqlite3_open sqlite3_prepare_v2 sqlite3_step • Use parameterized queries • sqlite3_bind_* 40 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Keychain • Secure storage • • • • • File /private/var/Keychains/keychain-2.db SecItemAdd() SecItemUpdate() SecItemCopyMatching() SecItemDelete() • Tools: • keychain_dumper • keychain_dump 41 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Cookies • Persistent cookies: Cookies.binarycookies • /private/var/mobile/Library/ • /private/var/mobile/<App GUID>/Library/Cookies • Tool: BinaryCookieReader.py 42 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Logs NSLog() Tools: • iPhone Configuration Utility • syslogd 43 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Cache • UIPasteboard class • generalPasteboard • Backgrounding • <Application GUID>/Library/Caches/Snapshots/*/*.png • applicationDidEnterBackground • Keyboard cache • • • /var/mobile/Library/Keyboard/en_GB-dynamictext.dat secureTextEntry = Yes autocorrectionType = UITextAutocorrectionTypeNo 44 © 2002—2013, Digital Security
Blackbox analysis of iOS apps IPC • URL schemes • handleOpenURL • openURL • http://wiki.akosma.com/IPhone_URL_Sche mes 45 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Memory corruptions • Obj-C + C/C++ function = • Format string • • • • • • • • • • NSLog() [NSString stringWithFormat:] [NSString initWithFormat:] [NSMutableString appendFormat:] [NSAlert informativeTextWithFormat:] [NSPredicate predicateWithFormat:] [NSException format:] NSRunAlertPanel Buffer overflow Use-after-free © 2002—2013, Digital Security
Blackbox analysis of iOS apps Check for exploit mitigations • Stack cookie • • _stack_chk_fail _stack_chk_guard • PIE • ARC • • • • • • _objc_release _objc_retainAutoreleaseReturnValue _objc_autoreleaseReturnValue _objc_storeStrong _objc_retain _objc_retainAutoreleasedReturnValue © 2002—2013, Digital Security
Blackbox analysis of iOS apps TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS 48 © 2002—2013, Digital Security
Blackbox analysis of iOS apps IDA Pro 49 © 2002—2013, Digital Security
Blackbox analysis of iOS apps radare2 ARM64 Mach-O 1. ??? 50 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Hopper 51 © 2002—2013, Digital Security
Blackbox analysis of iOS apps iNalyzer 52 © 2002—2013, Digital Security
Blackbox analysis of iOS apps cycript 53 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Introspy 54 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Snoop-it 55 © 2002—2013, Digital Security
Blackbox analysis of iOS apps Q&A d.evdokimov@dsec.ru @evdokimovds 56 © 2002—2013, Digital Security

Empfohlen

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
44cafe heart bleed
44cafe heart bleed44cafe heart bleed
44cafe heart bleediphonepentest
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 

Empfohlen

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
44cafe heart bleed
44cafe heart bleed44cafe heart bleed
44cafe heart bleediphonepentest
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperAjin Abraham
 
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
ASFWS 2012 - Audit d’applications iOS par Julien BachmannASFWS 2012 - Audit d’applications iOS par Julien Bachmann
ASFWS 2012 - Audit d’applications iOS par Julien BachmannCyber Security Alliance
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys
 
SecDevOps
SecDevOpsSecDevOps
SecDevOpsPeter Lamar
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2Romansh Yadav
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]RootedCON
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 

Weitere ähnliche Inhalte

Was ist angesagt?

Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperAjin Abraham
 
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
ASFWS 2012 - Audit d’applications iOS par Julien BachmannASFWS 2012 - Audit d’applications iOS par Julien Bachmann
ASFWS 2012 - Audit d’applications iOS par Julien BachmannCyber Security Alliance
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2Romansh Yadav
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]RootedCON
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
 

Was ist angesagt? (20)

Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - Whitepaper
 
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
ASFWS 2012 - Audit d’applications iOS par Julien BachmannASFWS 2012 - Audit d’applications iOS par Julien Bachmann
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open Source
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source:
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
 

Ähnlich wie Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps

iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
 

Ähnlich wie Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps (20)

iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 

Mehr von DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Mehr von DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Kürzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 

Kürzlich hochgeladen (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps

  • 1. Blackbox analysis of iOS apps Dmitry 'D1g1' Evdokimov, Security researcher at Digital Security (ERPScan)
  • 2. Blackbox analysis of iOS apps #whoami • Director of DSecRG (ERPScan Research Group) • Section editor in the Xakep magazine • Co-organizer of DEFCON Russia & ZeroNights • Author of Python arsenal for RE Specialized in finding vulnerabilities in binary applications without source code 2 © 2002—2013, Digital Security
  • 3. Blackbox analysis of iOS apps Attention please! It is not rocket science =) This work is a compilation of public information and my own experience 3 © 2002—2013, Digital Security
  • 4. Blackbox analysis of iOS apps Goals of this workshop • How iOS and iOS applications work • The basics of iOS vulnerabilities • The skill of using common tools to find vulnerabilities in iOS apps 4 © 2002—2013, Digital Security
  • 5. Blackbox analysis of iOS apps Agenda 1. iOS platform 1. How it works, Objective-C, ARM, security mechanisms, jailbreak 2. Introduction to Objective-C 3. iOS apps 1. Mach-O format, application structure, … 4. iOS vulns 5. Blackbox testing 1. Static and dynamic analysis 5 © 2002—2013, Digital Security
  • 6. Blackbox analysis of iOS apps iOS • iOS is derived from OS X, with which it shares Darwin • • ARM The kernel sources remain closed • __arm__, ARM_ARCH • Touch-based • SpringBoard • Security mechanisms • Sandbox as a jail • … 6 © 2002—2013, Digital Security
  • 7. Blackbox analysis of iOS apps iOS security mechanisms • Code Signing - X.509v3 certificates • Sandboxing (SeatBelt) - Inability to break the app’s directory - /var/mobile/Applications/<app-GUID>/ - Inability to access any other process - Inability to use any hardware devices directly - Inability to generate code dynamically • Privilege separation - Mobile user + Entitlements © 2002—2013, Digital Security 7
  • 8. Blackbox analysis of iOS apps Jailbreak • Jaibreak depends on SW & HW • Tethered • Untethered • Ability to access file system • Copy/edit any file in the system • Bypassing sandbox restrictions • Break out of the app’s directory • Launching unsigned applications • Launch applications that do not belong to App Store © 2002—2013, Digital Security 8
  • 9. Blackbox analysis of iOS apps Apple about jailbreak http://support.apple.com/kb/HT3743 9 © 2002—2013, Digital Security
  • 10. Blackbox analysis of iOS apps ARM • • • • • Advanced RISC Machine Load-store architecture Fixed-length instructions 3-address instruction formats Instructions: • Data transfer • Data processing • Control flow 10 © 2002—2013, Digital Security
  • 11. Blackbox analysis of iOS apps ARM modes 1. ARM • Length(Instr) = 4 bytes 2. Thumb • Length(Instr) = 2 bytes 3. Thumb2 • Length(Instr) = 2/4 bytes 4. Jazzle • Java bytecode + ARM/Thumb 11 © 2002—2013, Digital Security
  • 12. Blackbox analysis of iOS apps ARM32 • Registers: • General Purpose: r0-r12 • Stack Pointer: r13 (SP) • Link Register: r14 (LR) • Program Counter: r15 (PC) • Current Program Status Register (CPSR) • Calling Convention: • Argument Values: r0-r3 • Local Values: r4-r12 • Return Value: r0 © 2002—2013, Digital Security 12
  • 13. Blackbox analysis of iOS apps ARM 64-bit Architecture 1. iPhone 5S 2. AArch64 (ARM), ARM64 (Apple) 13 © 2002—2013, Digital Security
  • 14. Blackbox analysis of iOS apps Divergences, divergences, divergences... 14 © 2002—2013, Digital Security
  • 15. Blackbox analysis of iOS apps Development for iOS • • Mac Xcode • gcc/LLVM/LLVM-gcc compilers • iPhone Simulator (i386) • Cocoa Touch • Objective-C • Other: HTML, JavaScript, C# & .NET (Xamarin) 15 © 2002—2013, Digital Security
  • 16. Blackbox analysis of iOS apps Objective-C • • Object-oriented language Based on: • Strict superset C • Smalltalk 16 © 2002—2013, Digital Security
  • 17. Blackbox analysis of iOS apps Calling methods C++ ObjectPointer->MethodName(param1, param2) Obj-C [ObjectPointer MethodName:param1 param2Name:param2] objc_msgSend(ObjectPointer, "MethodName“,”param1”, “param2”) objc_msgSend() objc_msgSendSuper() objc_msgSend_fpret() objc_msgSend_stret() objc_msgSendSuper_stret() objc_msgSendSuper2() © 2002—2013, Digital Security 17
  • 18. Blackbox analysis of iOS apps Go to device • • • • • Jailbreak Cydia SSH/putty itunnel_mux WinSCP/scp 18 © 2002—2013, Digital Security
  • 19. Blackbox analysis of iOS apps Prepare env in device • otool • class-dump-z • APT 0.6 Transitional • apt-get • Command line tools • curl, dpkg, file, grep, netcat, python, sed, … 19 © 2002—2013, Digital Security
  • 20. Blackbox analysis of iOS apps Install apps from console • Debian package dpkg -i <package.deb> killall -HUP SpringBoard • App without developer license or patched scp -r HelloWorld.app/ root@yourIP:/Applications/ uicache killall -HUP SpringBoard • IPA: o o IPA Installer Console iPhone Configuration Utility © 2002—2013, Digital Security 20
  • 21. Blackbox analysis of iOS apps Useful commands • • cd /private/var/mobile/Applications find . -name '*Appname*‘ • • cd /private/var/mobile/Applications ls –l | grep ‘Time’ 21 © 2002—2013, Digital Security
  • 22. Blackbox analysis of iOS apps Applications • AppStore • • On devices • • IPA packages = ZIP files /private/var/mobile/Applications/<UUID>/<AppName>.app/ Apple apps • /Applications/ 22 © 2002—2013, Digital Security
  • 23. Blackbox analysis of iOS apps Mach-O file format basic structure 23 © 2002—2013, Digital Security
  • 24. Blackbox analysis of iOS apps Mach-O header 1. 32bit (ARMv6,ARMv7) • 0xFEEDFACE 2. 64bit • 0xFEEDFACF 3. Universal binaries (FAT) • 0xCAFEBABE 24 © 2002—2013, Digital Security
  • 25. Blackbox analysis of iOS apps Application structure AppName.app/ App Documents/ Data files saved by the app Library/ Miscellaneous app files iTunesArtwork App icon iTunesMetadata.plist The property list of the app tmp/ Directory for temporary files 25 © 2002—2013, Digital Security
  • 26. Blackbox analysis of iOS apps Decrypt app from AppStore 1. gdb • Choosing the right architecture (if FAT) • Breakpoint at start 2. Clutch 3. dumpdecrypted.dylib 26 © 2002—2013, Digital Security
  • 27. Blackbox analysis of iOS apps Decrypt • • Clutch • /var/root/Documents/Cracked/ dumpdecrypted.dylib 27 © 2002—2013, Digital Security
  • 28. Blackbox analysis of iOS apps OWASP Mobile Top 10 Risks 28 © 2002—2013, Digital Security
  • 29. Blackbox analysis of iOS apps Traffic analysis • Passive network traffic monitoring with tcpdump Then load the *.pcap file into wireshark for analysis • Gateway method • BurpSuite • HTTPS: Import PortSwigger CA to the iDevice • dnsRedir • Mallory (by Intrepidus Group) 29 © 2002—2013, Digital Security
  • 30. Blackbox analysis of iOS apps Certificate pinning?! • • • Pinning is the process of associating a host with their expected X509 certificate or public key. OWASP • https://www.owasp.org/index.php/Certificate_and_Pu blic_Key_Pinning#iOS Attack • trustme • SecTrustEvaluate • ios-ssl-killswitch • SSLCreateContext,SSLSetSessionOption, SSLHandshake 30 © 2002—2013, Digital Security
  • 31. Blackbox analysis of iOS apps Working with SSL certificates • NSURLConnection class • Accepting a self-signed certificate or incorrect error processing • • • allowsAnyHTTPSCertificateForHost setAllowsAnyHTTPSCertificate continueWithoutCredentialForAuthentica tionChallenge 31 © 2002—2013, Digital Security
  • 32. Blackbox analysis of iOS apps CFStreams sockets • kCFStreamPropertySSLSettings • • • • • • kCFStreamSSLLevel kCFStreamSSLAllowsExpiredCertificates kCFStreamSSLAllowsExpiredRoots kCFStreamSSLAllowsAnyRoot kCFStreamSSLValidatesCertificateChain kCFStreamSSLPeerName 32 © 2002—2013, Digital Security
  • 33. Blackbox analysis of iOS apps Cross-site scripting • UIWebView class • • stringByEvaluatingJavaScriptFromString shouldStartLoadWithRequest 33 © 2002—2013, Digital Security
  • 34. Blackbox analysis of iOS apps List of interesting strings • Don’t use and don’t leak • UDID • IMEI • ICCID • PII • OSN-ID • LID 34 © 2002—2013, Digital Security
  • 35. Blackbox analysis of iOS apps XML injections • • XML External Entity (XXE) flaws NSXMLParser class • • • libxml2 library • • setShouldResolveExternalEntities foundExternalEntityDeclarationWithName _xmlParseMemory 3rd party libraries and classes 35 © 2002—2013, Digital Security
  • 36. Blackbox analysis of iOS apps Directory traversal • NSFileManager class • • • contentsAtPath fileHandleForReadingAtPath C functions • • fopen … © 2002—2013, Digital Security
  • 37. Blackbox analysis of iOS apps File storage • NSFileManager class • NSFileProtectionKey attribute • • • • • NSFileProtectionNone NSFileProtectionComplete NSFileProtectionCompleteUnlessOpen NSFileProtectionCompleteUntilFirstUserAuthe ntication Tools: • filemon.iOS • FileDP 37 © 2002—2013, Digital Security
  • 38. Blackbox analysis of iOS apps filemon.iOS 38 © 2002—2013, Digital Security
  • 39. Blackbox analysis of iOS apps Plist files • plist – property lists • Serialized objects • XML • NSUserDefaults class • Tools: • Python library: plistlib, bplist • plist Editor • plutil • plutil - convert xml1 39 © 2002—2013, Digital Security
  • 40. Blackbox analysis of iOS apps SQLite and SQL injections • SQLite database • • • • • /usr/lib/libsqlite3.dylib /<GUID>/Documents/ • *.sqlite, *.db, *.sqlite3 sqlite3_open sqlite3_prepare_v2 sqlite3_step • Use parameterized queries • sqlite3_bind_* 40 © 2002—2013, Digital Security
  • 41. Blackbox analysis of iOS apps Keychain • Secure storage • • • • • File /private/var/Keychains/keychain-2.db SecItemAdd() SecItemUpdate() SecItemCopyMatching() SecItemDelete() • Tools: • keychain_dumper • keychain_dump 41 © 2002—2013, Digital Security
  • 42. Blackbox analysis of iOS apps Cookies • Persistent cookies: Cookies.binarycookies • /private/var/mobile/Library/ • /private/var/mobile/<App GUID>/Library/Cookies • Tool: BinaryCookieReader.py 42 © 2002—2013, Digital Security
  • 43. Blackbox analysis of iOS apps Logs NSLog() Tools: • iPhone Configuration Utility • syslogd 43 © 2002—2013, Digital Security
  • 44. Blackbox analysis of iOS apps Cache • UIPasteboard class • generalPasteboard • Backgrounding • <Application GUID>/Library/Caches/Snapshots/*/*.png • applicationDidEnterBackground • Keyboard cache • • • /var/mobile/Library/Keyboard/en_GB-dynamictext.dat secureTextEntry = Yes autocorrectionType = UITextAutocorrectionTypeNo 44 © 2002—2013, Digital Security
  • 45. Blackbox analysis of iOS apps IPC • URL schemes • handleOpenURL • openURL • http://wiki.akosma.com/IPhone_URL_Sche mes 45 © 2002—2013, Digital Security
  • 46. Blackbox analysis of iOS apps Memory corruptions • Obj-C + C/C++ function = • Format string • • • • • • • • • • NSLog() [NSString stringWithFormat:] [NSString initWithFormat:] [NSMutableString appendFormat:] [NSAlert informativeTextWithFormat:] [NSPredicate predicateWithFormat:] [NSException format:] NSRunAlertPanel Buffer overflow Use-after-free © 2002—2013, Digital Security
  • 47. Blackbox analysis of iOS apps Check for exploit mitigations • Stack cookie • • _stack_chk_fail _stack_chk_guard • PIE • ARC • • • • • • _objc_release _objc_retainAutoreleaseReturnValue _objc_autoreleaseReturnValue _objc_storeStrong _objc_retain _objc_retainAutoreleasedReturnValue © 2002—2013, Digital Security
  • 48. Blackbox analysis of iOS apps TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS TOOLS 48 © 2002—2013, Digital Security
  • 49. Blackbox analysis of iOS apps IDA Pro 49 © 2002—2013, Digital Security
  • 50. Blackbox analysis of iOS apps radare2 ARM64 Mach-O 1. ??? 50 © 2002—2013, Digital Security
  • 51. Blackbox analysis of iOS apps Hopper 51 © 2002—2013, Digital Security
  • 52. Blackbox analysis of iOS apps iNalyzer 52 © 2002—2013, Digital Security
  • 53. Blackbox analysis of iOS apps cycript 53 © 2002—2013, Digital Security
  • 54. Blackbox analysis of iOS apps Introspy 54 © 2002—2013, Digital Security
  • 55. Blackbox analysis of iOS apps Snoop-it 55 © 2002—2013, Digital Security
  • 56. Blackbox analysis of iOS apps Q&A d.evdokimov@dsec.ru @evdokimovds 56 © 2002—2013, Digital Security