SlideShare ist ein Scribd-Unternehmen logo

Introduction to iOS Penetration Testing

‱
‱
OWASP
OWASP

Introduction to iOS Penetration Testing

Internet
1 von 57
Downloaden Sie, um offline zu lesen
Introduction to iOS Penetration Testing OWASP 15/11/2016 | Slawomir Kosowski
○ Working as Mobile and Web pentester ○ Focused on iOS ○ Previously worked on wide range of security projects ○ Educational background in Telecommunications About Me 2 https://www.linkedin.com/in/skosowski
Introduction How many iOS developers do we have here? How many of you are actually writing in Swift? Any pentesters? Android folks? 3
Agenda 4 What we will cover: ○ Introduction to iOS ○ Basics of Objective-C runtime ○ Setting up testing environment ○ Fundamentals of app testing ● Focus on black-box testing What we will not cover: ○ Jailbreak development ○ Swift (not in detail) ○ White box testing / code review ○ Webapp pentesting
Introduction to iOS - Mobile operating system from Apple - Based on XNU kernel from Darwin OS (Unix) - iOS is closed-source with some exceptions* - Applications written in Objective-C (and Swift) - Cocoa Touch - main API for iOS handling user interaction 5 * https://opensource.apple.com
Apple controls both hardware and software to provide end-to-end security, with following key features: ○ Secure Boot Chain ○ Secure Enclave (and Touch ID) ○ Encryption and Data Protection ○ Trusted Code Execution ○ Network Security Introduction to iOS security model 6 User Partition Application A Application B Data Protection Class Data Protection Class OS Partition software Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf Kernel
Keychain ○ Stores sensitive data such as passwords, certificates, tokens, etc. ○ Is implemented as SQLite database ○ Application can access only items in its keychain-access-group ○ Can be arbitrarily read on a jailbroken device using keychain-dumper 7
Application Sandbox ○ iOS Sandbox derives from TrustedBSD MAC framework ○ Each third-party application runs as mobile user ○ Only a few system daemons/apps run as root ○ Application can access only its own files and data ○ IPCs are very limited 8
Objective-C ○ Superset of C, adding object-oriented functionality ● This means you can include C code in your apps ○ Based on Smalltalk language, supporting message passing, dynamic typing and infix notation ○ Uses interface and implementation file ● Think about .h and .cpp files in C++ 9
Objective-C Objective-C is using infix notation with arguments listed after colon: 10 [Object method:argument] [NSString stringWithString:@”Hello World!”]
Class vs Instance Methods ○ Class method can be called on its own ○ Instance method must use instance of an object 11 @interface MyClass : NSObject + (void)aClassMethod; - (void)anInstanceMethod; @end [MyClass aClassMethod]; MyClass *object = [[MyClass alloc] init]; [object anInstanceMethod];
Objective-C - Message Passing When you pass method, a special function objc_msgSend() is called: 12 SaySomething *saySomething = [ [ SaySomething alloc ] init ]; [ saySomething say: @"Hello, world!" ]; [ saySomething release ]; Which gets translated into C calls: objc_msgSend( objc_msgSend( objc_msgSend( objc_msgSend( objc_getClass("SaySomething"), NSSelectorFromString(@"alloc")), NSSelectorFromString(@"init")), NSSelectorFromString(@"say:"), @"Hello, world!"), NSSelectorFromString(@"release:")); Source: Hacking and Securing iOS Applications - J. Zdziarski
Objective-C Call Graph 13 Source:http://blog.zynamics.com/2010/04/27/objective-c-reversing-i
Objective-C Runtime ○ Objective-C runtime is written in C and assembly ○ Very interesting subject on its own! ○ Calls are cached so that subsequent messages are dispatched quicker ○ Decision on which method will be called is resolved dynamically ○ This is called Method Swizzling ○ It will help us during black-box testing and runtime manipulation Read more: https://mikeash.com/pyblog/friday-qa-2009-03-20-objective-c-messaging.html http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html http://www.friday.com/bbum/2009/12/18/objc_msgsend-part-1-the-road-map/ 14
Introduction to Application Analysis 15
Static Binary Analysis ○ IDA Pro ○ Hopper (demo closing after 30 minutes) ○ class-dump ○ otool ○ strings 16
Runtime Manipulation 1. Cycript a. injects into process and enables to manipulate the runtime with interactive console b. supports mixed Objective-C and Javascript syntax 2. Frida a. injects Javascript V8 Javascript Duktape engine into process runtime b. can inject a hook into starting process 17
Runtime Manipulation - Cont’d 3. Debugger a. Apple moved from GCC and GDB to LLVM and LLDB b. GDB is fully supported until iOS7 c. iOS8 and onwards uses LLDB d. Some key features are still missing in LLDB i. info mach-regions ii. Symbols from stripped ObjC Mach-O binary are not loaded in LLDB 18
Setting up Pentesting Lab ○ Bare minimum is one iDevice, e.g. iPad running iOS 8.x ● Recommended at least two or more iDevices ○ You will need to jailbreak it ○ Ideally grab another pair of iPads/iPhones running older iOS for any legacy apps ○ OS X and XCode is very useful, but not mandatory ○ Alternatively, grab your favourite Linux 19
Setting up Pentesting Lab - Cont’d ○ Beware: if you fail to JB your device correctly you can restore it and upgrade with iTunes ○ Semi-restore might be handy if your JB fails: https://semi-restore.com/ ○ No possibility to downgrade iOS version 20
Jailbreaking ○ Get appropriate jailbreak - https://ipsw.me might be handy ○ Jailbreak will install Cydia - the alternative application store as well as couple of useful services ○ From Cydia install aptitude and openssh ○ Install additional packages with aptitude 21
Jailbreaking - cont’d ○ SSH to your iDevice ● Two users are root and mobile ● Default password: alpine ○ Install additional packages with aptitude 22 inetutils syslogd less com.autopear.installipa class-dump com.ericasadun.utilities odcctools cycript sqlite3 adv-cmds bigbosshackertools
Install Frida ○ Check install guide: www.frida.re/docs/ios ○ Basically add https://build.frida.re to Cydia repo ○ Then install Frida with Cydia 23
IPA file and Binary ○ IPA file is simply a ZIP archive ● Think of APK but for iOS ● Contains all relevant files like binary itself, graphics, certificates, default data, etc. ○ For static analysis, the Mach-O Binary is interesting ○ Usually it contains two architectures ARM7(s) and ARM64 Read more about Mach-O File Format: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html 24
Important File Location You can find system applications in /Applications For all the rest use installipa: 25 iOS8-jailbreak:~ root# installipa -l me.scan.qrcodereader iOS8-jailbreak:~ root# installipa -i me.scan.qrcodereader Bundle: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C Application: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C/QR Reader.app Data: /private/var/mobile/Containers/Data/Application/297EEF1B-9CC5-463C-97F7-FB062C864E56
Usual Test Approach 1. Obtain IPA file 2. Bypass jailbreak detection (if present) 3. Bypass certificate pinning (if present) 4. Inspect HTTP(S) traffic - usual web app test 5. Abuse application logic by runtime manipulation 6. Check for local data storage (caches, binary cookies, plists, databases) 7. Check for client-specific bugs, e.g. SQLi, XSS 8. Other checks like: logging to ASL with NSLog, application screenshots, no app backgrounding 26
Binary Encryption - Each app in Apple AppStore uses FairPlay DRM, hence is encrypted - You must decrypt it before doing static analysis - Easiest way to do it is to use Clutch - Alternatively you can use lldb and dump process memory once encrypted - Broadly documented in the Internet - If you are doing a pentest, you will get most likely unencrypted IPA file 27
Binary Security Features ○ ARC - Automatic Reference Counting - memory management feature ● adds retain and release messages when required ○ Stack Canary - helps preventing buffer overflow attacks ○ PIE - Position Independent Executable - enables full ASLR for binary All of above are currently set by default in XCode. 28
Setting up Burp 29
Jailbreak Detection - Common Methods ○ Check existence of additional files, e.g.: /bin/bash ○ Check API calls like: ● fork() - forbidden on non-JB devices ● system(NULL) returns 0 on non-JB and 1 on JB devices ○ Check if cydia:// URL scheme is registered Read more: https://www.trustwave.com/Resources/SpiderLabs-Blog/Jailbreak-Detection-Methods/ 30
Bypassing JB detection 1. The easy way: xcon 2. More challenging: a. Debugger/Binary patching b. Frida c. Cycript 31
Getting Info with Class-dump 32 iOS8-jailbreak:~ root# lipo -thin armv7 DamnVulnerableIOSApp -output DVIA32 iOS8-jailbreak:~ root# class-dump DVIA32 @interface FlurryUtil : ./DVIA/DVIA/DamnVulnerableIOSApp/DamnVulnerableIOSApp/YapDatabase/Extensions/Vie ws/Internal/ { } + (BOOL)appIsCracked; + (BOOL)deviceIsJailbroken;
Hopper - Disassembling 33
Cycript 34 iOS8-jailbreak:~ root# cycript -p 12345 cy# [SFAntiPiracy isTheDeviceJailbroken] true cy# a=choose(JailbreakDetectionVC) [] cy# a=choose(JailbreakDetectionVC) [#"<JailbreakDetectionVC: 0x14ee15620>"] cy# [a[0] isJailbroken] True Worth reading: http://iphonedevwiki.net/index.php/Cycript_Tricks
Cycript 35 cy# [a[0] isJailbroken] true cy# JailbreakDetectionVC.prototype.isJailbroken=fu nction(){return false} cy# [a[0] isJailbroken] false
Frida - Method Tracing 1. Install Frida on your workstation and iDevice 2. Connect iDevice to USB 3. Use frida-trace 36 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" 4. This creates JS hook with onEnter and onLeave callback functions: onLeave: function (log, retval, state) { console.log("Function [JailbreakDetectionVC isJailbroken] originally returned:"+ retval); retval.replace(0); console.log("Changing the return value to:"+retval); }
Frida - Method Tracing - Output 37 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" Instrumenting functions... `... -[JailbreakDetectionVC isJailbroken]: Loaded handler at "./__handlers__/__JailbreakDetectionVC_isJailbroken_.js" Started tracing 1 function. Press Ctrl+C to stop. Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 /* TID 0x303 */ 6890 ms -[JailbreakDetectionVC isJailbroken] Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 22475 ms -[JailbreakDetectionVC isJailbroken]
Frida on non-jailbroken device 38
Testing for Certificate Pinning Gradually relax requirements for server certificate, and check if traffic is successfully proxied through Burp on each stage: 1. Set Burp in proxy settings, make sure that SSL Killswitch is disabled and that Burp Profile is *not* installed → no certificate validation 2. Install Burp Profile (certificate) → no certificate pinning 3. Enable SSL Killswitch → certificate pinned 4. Bypass certificate pinning manually 39
Bypassing Certificate Pinning - Killswitch: https://github.com/iSECPartners/ios-ssl-kill-switch - Bypassing OpenSSL cert pinning with cycript: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/ Other tips: - Certificate is often bundled in the application- look for .der or .pem - Class-dump binary looking for strings like X509 or Cert - Look for the following methods in the binary: NSURLSession, CFStream, AFNetworking 40 Source: iOS Application Security - D. Thiel
Investigating Local Storage 1. Check app Data directory /private/var/mobile/Containers/Data/Application/<app Bundle> a. .db - using SQLite - check with sqlite3 b. plists 2. NSUserDefaults a. /User/Library/Preferences/ b. /<app>/Library/Preferences/ 3. Protection class a. fileDP tool* 41 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
Investigating Local Storage - Cont’d 4. Application screenshots a. /private/var/mobile/Containers/Data/Application/<BundleID>/Library/Caches/Snapshots/ 5. WebView caching a. /User/Library/Caches/*/Cache.db b. /Library/Caches/*/Cache.db 6. Forensic approach: a. ls -lR --full-time before application install, after install and after first use diff the results and check any files that changed b. use strings on any binary/unidentified file formats c. check for WAL files that may contain uncommitted DB transactions 42 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
iExplorer 43
Final Thoughts ○ Server-side bugs (LFI, SQLi, RCE) are still among most impactful ○ Limited scenarios for exploiting device data leakage ● Starting from iPhone 5s the Secure Enclave protects from easy passcode bruteforcing ● Backups? ○ Simple passcode might be an issue (1234, 0000, etc.) ○ User may choose to wipe device after 10 attempts 44
Current Challenges March 7, 2016 October 26, 2016 45
○ Frequent iOS release with quick adoption rate ○ Slow/unpredictable jailbreak release for recent iOSes ○ Customer asking to test on latest iOS ○ Swift does not use message passing :( ○ Pentesting toolset is lagging Current Challenges 46
Q&A or drop me a line: me@skosowski.com 47
Introspy 48
○ URL handlers, e.g. mailto:// ● open another app using its URL handler with: [[UIApplication sharedApplication] openURL:myURL]; ● sender can be authenticated :) ● URL scheme can be hijacked :( Read more: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html Interprocess Communication 49 Note: If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. - Apple’s Documentation
○ Universal Links introduced in iOS 9 ● solve problems of openURL ● no unregistered schemes - working over https:// ○ App Extensions introduced in iOS 8 ● are installed with host application and can communicate through extension points: Actions, Custom Keyboards, Document Providers, Photo Editing, Sharing, Today Widgets Read more: https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html Interprocess Communication 50
File Data Protection 51 Hardware Key Passcode Key Class Key File System Key File Metadata [File Key] File Contents
Secure Boot Chain ○ Only Apple signed code is run on iDevice ○ You need developer’s account to write and run your apps ○ Each level of boot is checked for a valid signature 52 Boot ROM Low-Level Bootloader iBoot iOS Kernel OS Apple Root CA
Secure Boot Chain - Jailbreak ○ Jailbreak permits running self-signed code ○ It does not break Application Sandbox ○ Usually several exploits are chained to perform jailbreak ○ Look for: TaiG, Pangu, redsn0w 53 iOS Kernel OS Apple Root CA Boot ROM Low-Level Bootloader iBoot Exploit this or that
Protection Classes 54 Availability File Data Protection Keychain Data Protection When Unlocked NSFileProtectionComplete kSecAttrAccessibleWhenUnlocked When Locked NSFileProtectionCompleteUnlessOpen N/A After First Unlock NSFileProtectionCompleteUntil FirstUserAuthentication kSecAttrAccessibleAfterFirstUnlock Always NSFileProtectionNone kSecAttrAccessibleAlways Passcode Enabled N/A kSecAttrAccessibleWhenPasscodeSetThis DeviceOnly
$ unzip DamnVulnerableiOSApp.ipa $ cd Payload/DamnVulnerableIOSApp.app $ otool -hv DamnVulnerableIOSApp DamnVulnerableIOSApp (architecture armv7): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC ARM V7 0x00 EXECUTE 38 4292 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE DamnVulnerableIOSApp (architecture arm64): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 38 4856 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE Binary Checks - PIE 55
$ otool -Iv DamnVulnerableIOSApp | grep stack 0x0046040c 83177 ___stack_chk_fail 0x0046100c 83521 _sigaltstack 0x004fc010 83178 ___stack_chk_guard 0x004fe5c8 83177 ___stack_chk_fail 0x004fe8c8 83521 _sigaltstack 0x00000001004b3fd8 83077 ___stack_chk_fail 0x00000001004b4890 83414 _sigaltstack 0x0000000100590cf0 83078 ___stack_chk_guard 0x00000001005937f8 83077 ___stack_chk_fail 0x0000000100593dc8 83414 _sigaltstack Binary Checks - SSP 56
$ otool -Iv DamnVulnerableIOSApp | grep release 0x0045b7dc 83156 ___cxa_guard_release 0x0045fd5c 83414 _objc_autorelease 0x0045fd6c 83415 _objc_autoreleasePoolPop 0x0045fd7c 83416 _objc_autoreleasePoolPush 0x0045fd8c 83417 _objc_autoreleaseReturnValue 0x0045ff0c 83441 _objc_release [SNIP] Binary Checks - ARC 57

Empfohlen

iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testingn|u - The Open Security Community
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application ExploitationPositive Hack Days
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 

Empfohlen

iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testingn|u - The Open Security Community
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application ExploitationPositive Hack Days
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·š
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·šAndroidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·š
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·šOESF Education
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applicationsJose Manuel Ortega Candel
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Opersys inc.
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Opersys inc.
 
Share preference
Share preferenceShare preference
Share preferenceSbahatNosheen
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Mirai botnet
Mirai botnetMirai botnet
Mirai botnetOWASP
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 

Weitere Àhnliche Inhalte

Was ist angesagt?

iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·š
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·šAndroidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·š
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·šOESF Education
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applicationsJose Manuel Ortega Candel
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Opersys inc.
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Opersys inc.
 
Share preference
Share preferenceShare preference
Share preferenceSbahatNosheen
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 

Was ist angesagt? (20)

iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·š
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·šAndroidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·š
Androidâ„ąç”„èŸŒăżé–‹ç™șćŸșç€Žă‚łăƒŒă‚č BeagleBoardç·š
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Android security
Android securityAndroid security
Android security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
 
Share preference
Share preferenceShare preference
Share preference
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 

Andere mochten auch

Mirai botnet
Mirai botnetMirai botnet
Mirai botnetOWASP
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsClåudio André
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 

Andere mochten auch (8)

Mirai botnet
Mirai botnetMirai botnet
Mirai botnet
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 

Ähnlich wie Introduction to iOS Penetration Testing

[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...PROIDEA
 
Is Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon VIs Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon VOpersys inc.
 
Is Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VIIs Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VIOpersys inc.
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Codemotion
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
iOS Internals Part -2
iOS Internals Part -2iOS Internals Part -2
iOS Internals Part -2Anthony Jose
 
Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Opersys inc.
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVOpersys inc.
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesMender.io
 
Extending Android's Platform Toolsuite
Extending Android's Platform ToolsuiteExtending Android's Platform Toolsuite
Extending Android's Platform ToolsuiteOpersys inc.
 
Leveraging Android's Linux Heritage at AnDevCon VI
Leveraging Android's Linux Heritage at AnDevCon VILeveraging Android's Linux Heritage at AnDevCon VI
Leveraging Android's Linux Heritage at AnDevCon VIOpersys inc.
 
Leveraging Android's Linux Heritage at AnDevCon V
Leveraging Android's Linux Heritage at AnDevCon VLeveraging Android's Linux Heritage at AnDevCon V
Leveraging Android's Linux Heritage at AnDevCon VOpersys inc.
 
Socket Programming with Python
Socket Programming with PythonSocket Programming with Python
Socket Programming with PythonGLC Networks
 
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabVoxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabRon Munitz
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux DevelopersOpersys inc.
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...Toradex
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinDjalal Harouni
 
Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Opersys inc.
 

Ähnlich wie Introduction to iOS Penetration Testing (20)

[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] SƂawomir Kosowski - Introduction to iOS Application Securit...
 
Is Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon VIs Android the New Embedded Linux? at AnDevCon V
Is Android the New Embedded Linux? at AnDevCon V
 
Is Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VIIs Android the New Embedded Linux? at AnDevCon VI
Is Android the New Embedded Linux? at AnDevCon VI
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!
 
IoT: LoRa and Java on the PI
IoT: LoRa and Java on the PIIoT: LoRa and Java on the PI
IoT: LoRa and Java on the PI
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
iOS Internals Part -2
iOS Internals Part -2iOS Internals Part -2
iOS Internals Part -2
 
Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IV
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSes
 
Extending Android's Platform Toolsuite
Extending Android's Platform ToolsuiteExtending Android's Platform Toolsuite
Extending Android's Platform Toolsuite
 
Leveraging Android's Linux Heritage at AnDevCon VI
Leveraging Android's Linux Heritage at AnDevCon VILeveraging Android's Linux Heritage at AnDevCon VI
Leveraging Android's Linux Heritage at AnDevCon VI
 
Leveraging Android's Linux Heritage at AnDevCon V
Leveraging Android's Linux Heritage at AnDevCon VLeveraging Android's Linux Heritage at AnDevCon V
Leveraging Android's Linux Heritage at AnDevCon V
 
Socket Programming with Python
Socket Programming with PythonSocket Programming with Python
Socket Programming with Python
 
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabVoxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux Developers
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - Berlin
 
Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012
 

Mehr von OWASP

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dAppsOWASP
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentestOWASP
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core SecurityOWASP
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS InfrastructureOWASP
 
[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses
[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses
[OPD 2019] Side-Channels on the Web:‹Attacks and DefensesOWASP
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilitiesOWASP
 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computingOWASP
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOCOWASP
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzingOWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSSOWASP
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security WorldOWASP
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP
 

Mehr von OWASP (20)

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
 
[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses
[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses
[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
 

KĂŒrzlich hochgeladen

Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 

KĂŒrzlich hochgeladen (20)

Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸ«Š Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸ«Š Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸ«Š Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 đŸ«Š Vanshika Verma More Our Se...
 
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita đŸ€Œ 8250192130 🚀 Vip Call Girls Kolkata
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
â‚č5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Call Girls In South Ex đŸ“± 9999965857 đŸ€© Delhi đŸ«Š HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex đŸ“± 9999965857 đŸ€© Delhi đŸ«Š HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex đŸ“± 9999965857 đŸ€© Delhi đŸ«Š HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex đŸ“± 9999965857 đŸ€© Delhi đŸ«Š HOT AND SEXY VVIP 🍎 SERVICE
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 

Introduction to iOS Penetration Testing

  • 1. Introduction to iOS Penetration Testing OWASP 15/11/2016 | Slawomir Kosowski
  • 2. ○ Working as Mobile and Web pentester ○ Focused on iOS ○ Previously worked on wide range of security projects ○ Educational background in Telecommunications About Me 2 https://www.linkedin.com/in/skosowski
  • 3. Introduction How many iOS developers do we have here? How many of you are actually writing in Swift? Any pentesters? Android folks? 3
  • 4. Agenda 4 What we will cover: ○ Introduction to iOS ○ Basics of Objective-C runtime ○ Setting up testing environment ○ Fundamentals of app testing ● Focus on black-box testing What we will not cover: ○ Jailbreak development ○ Swift (not in detail) ○ White box testing / code review ○ Webapp pentesting
  • 5. Introduction to iOS - Mobile operating system from Apple - Based on XNU kernel from Darwin OS (Unix) - iOS is closed-source with some exceptions* - Applications written in Objective-C (and Swift) - Cocoa Touch - main API for iOS handling user interaction 5 * https://opensource.apple.com
  • 6. Apple controls both hardware and software to provide end-to-end security, with following key features: ○ Secure Boot Chain ○ Secure Enclave (and Touch ID) ○ Encryption and Data Protection ○ Trusted Code Execution ○ Network Security Introduction to iOS security model 6 User Partition Application A Application B Data Protection Class Data Protection Class OS Partition software Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf Kernel
  • 7. Keychain ○ Stores sensitive data such as passwords, certificates, tokens, etc. ○ Is implemented as SQLite database ○ Application can access only items in its keychain-access-group ○ Can be arbitrarily read on a jailbroken device using keychain-dumper 7
  • 8. Application Sandbox ○ iOS Sandbox derives from TrustedBSD MAC framework ○ Each third-party application runs as mobile user ○ Only a few system daemons/apps run as root ○ Application can access only its own files and data ○ IPCs are very limited 8
  • 9. Objective-C ○ Superset of C, adding object-oriented functionality ● This means you can include C code in your apps ○ Based on Smalltalk language, supporting message passing, dynamic typing and infix notation ○ Uses interface and implementation file ● Think about .h and .cpp files in C++ 9
  • 10. Objective-C Objective-C is using infix notation with arguments listed after colon: 10 [Object method:argument] [NSString stringWithString:@”Hello World!”]
  • 11. Class vs Instance Methods ○ Class method can be called on its own ○ Instance method must use instance of an object 11 @interface MyClass : NSObject + (void)aClassMethod; - (void)anInstanceMethod; @end [MyClass aClassMethod]; MyClass *object = [[MyClass alloc] init]; [object anInstanceMethod];
  • 12. Objective-C - Message Passing When you pass method, a special function objc_msgSend() is called: 12 SaySomething *saySomething = [ [ SaySomething alloc ] init ]; [ saySomething say: @"Hello, world!" ]; [ saySomething release ]; Which gets translated into C calls: objc_msgSend( objc_msgSend( objc_msgSend( objc_msgSend( objc_getClass("SaySomething"), NSSelectorFromString(@"alloc")), NSSelectorFromString(@"init")), NSSelectorFromString(@"say:"), @"Hello, world!"), NSSelectorFromString(@"release:")); Source: Hacking and Securing iOS Applications - J. Zdziarski
  • 14. Objective-C Runtime ○ Objective-C runtime is written in C and assembly ○ Very interesting subject on its own! ○ Calls are cached so that subsequent messages are dispatched quicker ○ Decision on which method will be called is resolved dynamically ○ This is called Method Swizzling ○ It will help us during black-box testing and runtime manipulation Read more: https://mikeash.com/pyblog/friday-qa-2009-03-20-objective-c-messaging.html http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html http://www.friday.com/bbum/2009/12/18/objc_msgsend-part-1-the-road-map/ 14
  • 16. Static Binary Analysis ○ IDA Pro ○ Hopper (demo closing after 30 minutes) ○ class-dump ○ otool ○ strings 16
  • 17. Runtime Manipulation 1. Cycript a. injects into process and enables to manipulate the runtime with interactive console b. supports mixed Objective-C and Javascript syntax 2. Frida a. injects Javascript V8 Javascript Duktape engine into process runtime b. can inject a hook into starting process 17
  • 18. Runtime Manipulation - Cont’d 3. Debugger a. Apple moved from GCC and GDB to LLVM and LLDB b. GDB is fully supported until iOS7 c. iOS8 and onwards uses LLDB d. Some key features are still missing in LLDB i. info mach-regions ii. Symbols from stripped ObjC Mach-O binary are not loaded in LLDB 18
  • 19. Setting up Pentesting Lab ○ Bare minimum is one iDevice, e.g. iPad running iOS 8.x ● Recommended at least two or more iDevices ○ You will need to jailbreak it ○ Ideally grab another pair of iPads/iPhones running older iOS for any legacy apps ○ OS X and XCode is very useful, but not mandatory ○ Alternatively, grab your favourite Linux 19
  • 20. Setting up Pentesting Lab - Cont’d ○ Beware: if you fail to JB your device correctly you can restore it and upgrade with iTunes ○ Semi-restore might be handy if your JB fails: https://semi-restore.com/ ○ No possibility to downgrade iOS version 20
  • 21. Jailbreaking ○ Get appropriate jailbreak - https://ipsw.me might be handy ○ Jailbreak will install Cydia - the alternative application store as well as couple of useful services ○ From Cydia install aptitude and openssh ○ Install additional packages with aptitude 21
  • 22. Jailbreaking - cont’d ○ SSH to your iDevice ● Two users are root and mobile ● Default password: alpine ○ Install additional packages with aptitude 22 inetutils syslogd less com.autopear.installipa class-dump com.ericasadun.utilities odcctools cycript sqlite3 adv-cmds bigbosshackertools
  • 23. Install Frida ○ Check install guide: www.frida.re/docs/ios ○ Basically add https://build.frida.re to Cydia repo ○ Then install Frida with Cydia 23
  • 24. IPA file and Binary ○ IPA file is simply a ZIP archive ● Think of APK but for iOS ● Contains all relevant files like binary itself, graphics, certificates, default data, etc. ○ For static analysis, the Mach-O Binary is interesting ○ Usually it contains two architectures ARM7(s) and ARM64 Read more about Mach-O File Format: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html 24
  • 25. Important File Location You can find system applications in /Applications For all the rest use installipa: 25 iOS8-jailbreak:~ root# installipa -l me.scan.qrcodereader iOS8-jailbreak:~ root# installipa -i me.scan.qrcodereader Bundle: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C Application: /private/var/mobile/Containers/Bundle/Application/09D08A0A-0BC5-423C-8CC3-FF9499E0B19C/QR Reader.app Data: /private/var/mobile/Containers/Data/Application/297EEF1B-9CC5-463C-97F7-FB062C864E56
  • 26. Usual Test Approach 1. Obtain IPA file 2. Bypass jailbreak detection (if present) 3. Bypass certificate pinning (if present) 4. Inspect HTTP(S) traffic - usual web app test 5. Abuse application logic by runtime manipulation 6. Check for local data storage (caches, binary cookies, plists, databases) 7. Check for client-specific bugs, e.g. SQLi, XSS 8. Other checks like: logging to ASL with NSLog, application screenshots, no app backgrounding 26
  • 27. Binary Encryption - Each app in Apple AppStore uses FairPlay DRM, hence is encrypted - You must decrypt it before doing static analysis - Easiest way to do it is to use Clutch - Alternatively you can use lldb and dump process memory once encrypted - Broadly documented in the Internet - If you are doing a pentest, you will get most likely unencrypted IPA file 27
  • 28. Binary Security Features ○ ARC - Automatic Reference Counting - memory management feature ● adds retain and release messages when required ○ Stack Canary - helps preventing buffer overflow attacks ○ PIE - Position Independent Executable - enables full ASLR for binary All of above are currently set by default in XCode. 28
  • 30. Jailbreak Detection - Common Methods ○ Check existence of additional files, e.g.: /bin/bash ○ Check API calls like: ● fork() - forbidden on non-JB devices ● system(NULL) returns 0 on non-JB and 1 on JB devices ○ Check if cydia:// URL scheme is registered Read more: https://www.trustwave.com/Resources/SpiderLabs-Blog/Jailbreak-Detection-Methods/ 30
  • 31. Bypassing JB detection 1. The easy way: xcon 2. More challenging: a. Debugger/Binary patching b. Frida c. Cycript 31
  • 32. Getting Info with Class-dump 32 iOS8-jailbreak:~ root# lipo -thin armv7 DamnVulnerableIOSApp -output DVIA32 iOS8-jailbreak:~ root# class-dump DVIA32 @interface FlurryUtil : ./DVIA/DVIA/DamnVulnerableIOSApp/DamnVulnerableIOSApp/YapDatabase/Extensions/Vie ws/Internal/ { } + (BOOL)appIsCracked; + (BOOL)deviceIsJailbroken;
  • 34. Cycript 34 iOS8-jailbreak:~ root# cycript -p 12345 cy# [SFAntiPiracy isTheDeviceJailbroken] true cy# a=choose(JailbreakDetectionVC) [] cy# a=choose(JailbreakDetectionVC) [#"<JailbreakDetectionVC: 0x14ee15620>"] cy# [a[0] isJailbroken] True Worth reading: http://iphonedevwiki.net/index.php/Cycript_Tricks
  • 36. Frida - Method Tracing 1. Install Frida on your workstation and iDevice 2. Connect iDevice to USB 3. Use frida-trace 36 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" 4. This creates JS hook with onEnter and onLeave callback functions: onLeave: function (log, retval, state) { console.log("Function [JailbreakDetectionVC isJailbroken] originally returned:"+ retval); retval.replace(0); console.log("Changing the return value to:"+retval); }
  • 37. Frida - Method Tracing - Output 37 $ frida-trace -U -f /Applications/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp -m "-[JailbreakDetectionVC isJailbroken]:" Instrumenting functions... `... -[JailbreakDetectionVC isJailbroken]: Loaded handler at "./__handlers__/__JailbreakDetectionVC_isJailbroken_.js" Started tracing 1 function. Press Ctrl+C to stop. Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 /* TID 0x303 */ 6890 ms -[JailbreakDetectionVC isJailbroken] Function [JailbreakDetectionVC isJailbroken] originally returned:0x1 Changing the return value to:0x0 22475 ms -[JailbreakDetectionVC isJailbroken]
  • 39. Testing for Certificate Pinning Gradually relax requirements for server certificate, and check if traffic is successfully proxied through Burp on each stage: 1. Set Burp in proxy settings, make sure that SSL Killswitch is disabled and that Burp Profile is *not* installed → no certificate validation 2. Install Burp Profile (certificate) → no certificate pinning 3. Enable SSL Killswitch → certificate pinned 4. Bypass certificate pinning manually 39
  • 40. Bypassing Certificate Pinning - Killswitch: https://github.com/iSECPartners/ios-ssl-kill-switch - Bypassing OpenSSL cert pinning with cycript: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/ Other tips: - Certificate is often bundled in the application- look for .der or .pem - Class-dump binary looking for strings like X509 or Cert - Look for the following methods in the binary: NSURLSession, CFStream, AFNetworking 40 Source: iOS Application Security - D. Thiel
  • 41. Investigating Local Storage 1. Check app Data directory /private/var/mobile/Containers/Data/Application/<app Bundle> a. .db - using SQLite - check with sqlite3 b. plists 2. NSUserDefaults a. /User/Library/Preferences/ b. /<app>/Library/Preferences/ 3. Protection class a. fileDP tool* 41 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
  • 42. Investigating Local Storage - Cont’d 4. Application screenshots a. /private/var/mobile/Containers/Data/Application/<BundleID>/Library/Caches/Snapshots/ 5. WebView caching a. /User/Library/Caches/*/Cache.db b. /Library/Caches/*/Cache.db 6. Forensic approach: a. ls -lR --full-time before application install, after install and after first use diff the results and check any files that changed b. use strings on any binary/unidentified file formats c. check for WAL files that may contain uncommitted DB transactions 42 http://www.securitylearn.net/2012/10/18/extracting-data-protection-clas s-from-files-on-ios/
  • 44. Final Thoughts ○ Server-side bugs (LFI, SQLi, RCE) are still among most impactful ○ Limited scenarios for exploiting device data leakage ● Starting from iPhone 5s the Secure Enclave protects from easy passcode bruteforcing ● Backups? ○ Simple passcode might be an issue (1234, 0000, etc.) ○ User may choose to wipe device after 10 attempts 44
  • 45. Current Challenges March 7, 2016 October 26, 2016 45
  • 46. ○ Frequent iOS release with quick adoption rate ○ Slow/unpredictable jailbreak release for recent iOSes ○ Customer asking to test on latest iOS ○ Swift does not use message passing :( ○ Pentesting toolset is lagging Current Challenges 46
  • 47. Q&A or drop me a line: me@skosowski.com 47
  • 49. ○ URL handlers, e.g. mailto:// ● open another app using its URL handler with: [[UIApplication sharedApplication] openURL:myURL]; ● sender can be authenticated :) ● URL scheme can be hijacked :( Read more: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html Interprocess Communication 49 Note: If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. - Apple’s Documentation
  • 50. ○ Universal Links introduced in iOS 9 ● solve problems of openURL ● no unregistered schemes - working over https:// ○ App Extensions introduced in iOS 8 ● are installed with host application and can communicate through extension points: Actions, Custom Keyboards, Document Providers, Photo Editing, Sharing, Today Widgets Read more: https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html Interprocess Communication 50
  • 51. File Data Protection 51 Hardware Key Passcode Key Class Key File System Key File Metadata [File Key] File Contents
  • 52. Secure Boot Chain ○ Only Apple signed code is run on iDevice ○ You need developer’s account to write and run your apps ○ Each level of boot is checked for a valid signature 52 Boot ROM Low-Level Bootloader iBoot iOS Kernel OS Apple Root CA
  • 53. Secure Boot Chain - Jailbreak ○ Jailbreak permits running self-signed code ○ It does not break Application Sandbox ○ Usually several exploits are chained to perform jailbreak ○ Look for: TaiG, Pangu, redsn0w 53 iOS Kernel OS Apple Root CA Boot ROM Low-Level Bootloader iBoot Exploit this or that
  • 54. Protection Classes 54 Availability File Data Protection Keychain Data Protection When Unlocked NSFileProtectionComplete kSecAttrAccessibleWhenUnlocked When Locked NSFileProtectionCompleteUnlessOpen N/A After First Unlock NSFileProtectionCompleteUntil FirstUserAuthentication kSecAttrAccessibleAfterFirstUnlock Always NSFileProtectionNone kSecAttrAccessibleAlways Passcode Enabled N/A kSecAttrAccessibleWhenPasscodeSetThis DeviceOnly
  • 55. $ unzip DamnVulnerableiOSApp.ipa $ cd Payload/DamnVulnerableIOSApp.app $ otool -hv DamnVulnerableIOSApp DamnVulnerableIOSApp (architecture armv7): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC ARM V7 0x00 EXECUTE 38 4292 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE DamnVulnerableIOSApp (architecture arm64): Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 38 4856 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE Binary Checks - PIE 55
  • 56. $ otool -Iv DamnVulnerableIOSApp | grep stack 0x0046040c 83177 ___stack_chk_fail 0x0046100c 83521 _sigaltstack 0x004fc010 83178 ___stack_chk_guard 0x004fe5c8 83177 ___stack_chk_fail 0x004fe8c8 83521 _sigaltstack 0x00000001004b3fd8 83077 ___stack_chk_fail 0x00000001004b4890 83414 _sigaltstack 0x0000000100590cf0 83078 ___stack_chk_guard 0x00000001005937f8 83077 ___stack_chk_fail 0x0000000100593dc8 83414 _sigaltstack Binary Checks - SSP 56
  • 57. $ otool -Iv DamnVulnerableIOSApp | grep release 0x0045b7dc 83156 ___cxa_guard_release 0x0045fd5c 83414 _objc_autorelease 0x0045fd6c 83415 _objc_autoreleasePoolPop 0x0045fd7c 83416 _objc_autoreleasePoolPush 0x0045fd8c 83417 _objc_autoreleaseReturnValue 0x0045ff0c 83441 _objc_release [SNIP] Binary Checks - ARC 57