The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications
1. © 2015 IBM Corporation
Eitan Worcel, IBM Application Security on Cloud
Chris Stahly, Arxan Director, Application Protection Services
The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications
2. IBM Mobile Security Framework
Diagram labels: DATA; Device Security; Application Security; Content Security; Transaction Security; Identity, Fraud, and Data Protection; Enterprise Applications and Cloud Services; Security Intelligence; Personal and Consumer; Enterprise.
• Device Security: provision, manage and secure corporate and BYOD devices
• Content Security: secure enterprise content access and sharing
• Application Security: develop vulnerability-free, tamper-proof and risk-aware applications
• Transaction Security: prevent & detect high-risk mobile transactions from employees, customers and partners
• Device as ID: Mobile Identity Platform
• Security Intelligence: a unified architecture for integrating mobile security information & event management (SIEM), log management, anomaly detection, and configuration & vulnerability management
3. Agenda
Mobile App Sec
• Exploring Mobile App Vulnerabilities
• Mobile Security Overview
iOS Mobile App Sec
• Exploring iOS vulnerabilities & attacks
• Protection Approaches
• Application Testing Demo
Additional Resources
4. X-Force Mobile Vulnerability Findings: December 2013, Android Fragment Injection
A set of vulnerabilities exposed by Mobile Analyzer; research leading to the discovery of a new Android vulnerability class.
5. X-Force Mobile Vulnerability Findings: March 2014, Firefox vulnerability
Overtaking Firefox profiles, identified by Mobile Analyzer; disclosed and fixed.
6. X-Force Mobile Vulnerability Findings: July 2014, Android KeyStore vulnerability
Stack buffer overflow.
7. X-Force Mobile Vulnerability Findings: August 2014, Apache Cordova vulnerability
10% of Android banking apps potentially vulnerable.
8. X-Force Mobile Vulnerability Findings: February 2015, dating app vulnerabilities
Mobile Analyzer identified medium- to high-severity vulnerabilities in over 60% of the top dating apps.
9. X-Force Mobile Vulnerability Findings: August 2015, Android serialization vulnerability
Over 55 percent of Android phones are at risk; the vulnerability gives underprivileged apps “super” status.
10. X-Force Mobile Vulnerability Findings: April 2015, deobfuscating iOS kernel pointers
Information leak vulnerability in iOS which can be used to defeat the kernel address obfuscation mechanism available since iOS 6.
12. Web Apps Run in a Browser
(Diagram: Internet, Web Apps, Database)
13. Mobile Apps Run on the Phone and are Supported by Mobile Services
(Diagram: Internet, Mobile Services, Database)
14. Testing Mobile Apps is Different from Testing Web Apps
(Diagram: Internet, Mobile Services, Database)
• We know how to pen test our networks
• We know how to pen test web apps/services
• This is the new area where we need to focus
15. Mobile Applications Have a Different Threat Model
Web apps: Internet; Web Apps; Application Logic; Temporary Storage; JavaScript is sandboxed; threat: Malicious Site
Mobile apps: Internet; Carrier; Mobile Services; Application Services; Application Logic; Temporary Storage; JavaScript can access device features; threats: Malicious Site, Attacker with Root, Malicious Apps
17. iOS Security Controls
Why should we trust the OS?
– Code signing
– Anti arbitrary code execution policies
  • ASLR
  • Memory pages marked W^X (writable XOR executable)
  • Stack canaries
– Sandboxing
– App encryption
18. Circumventing iOS Controls
Jailbreaking
– Remove iOS controls
– Gain root access
– Custom kernel
– Privilege escalation
19. Apple’s Threat Modeling
Attacks on System Integrity
– Attacks on system integrity […] modify the system in such a way that it can no longer be trusted. […] the attacker might be able to:
  • Execute malicious code
  • Impersonate a user or server
  • Repudiate an action
• https://developer.apple.com/library/ios/DOCUMENTATION/Security/Conceptual/Security_Overview/ThreatModeling/ThreatModeling.html
20. Jailbreak History
• iPhone 1.0 (June 29th 2007): jailbroken July 10th 2007
• 4.3.2: redsn0w 0.9.11x (April 2011)
• 4.3.3: jailbreakme.com remote jailbreak (July 2011)
• 5.1.1: absinthe 2.0.x (May 2012)
• 6.1: evasi0n (January 30 2013)
• 7.0: evasi0n7 (December 2013)
• 7.1: Pangu (June 23 2014)
• 8.1: Pangu (January 2015)
• 9.0: Pangu (October 2015)
21. iOS Recent Attacks
Nobody is safe: Major App Store malware breach may affect millions of iPhone users
“A substantial security threat called XcodeGhost managed to fool App Store security and sneak into the App Store inside real App Store apps potentially affecting hundreds of millions of iPhone and iPad users on both stock and jailbroken devices.”
Key Raider — Another iOS malware steals account info and more
“Malicious code surreptitiously included with Cydia apps [has] pilfered account data…disabled some infected phones until users pay a ransom, and…made unauthorized charges against some victims’ accounts.”
Flaws in OS X, iOS Allow Malicious Apps to Steal Passwords, Other Data
“In a paper titled “Unauthorized Cross-App Resource Access on MAC OS X and iOS,” researchers demonstrated that cross-app resource access (XARA) attacks are possible on Apple’s operating systems, allowing malicious applications to steal passwords and other sensitive data from other programs.”
22. Anatomy of Attacks on iOS Mobile App
Reverse-engineering app contents:
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app
3. Create a hacked version: extract and steal confidential data; create a tampered, cracked or patched version of the app
4. Distribute app: release / use the hacked app; use malware to infect/patch the app on other devices
23. Tools for Hacking are Found Everywhere
Category: example tools (platform/target)
• Mobile decryption, unpacking & conversion: Clutch (iOS); APKTool (Android); Dex2jar (Android)
• Static binary analysis (disassembly, decompilation, info dumping): IDA Pro & Hex-Rays (Linux, Mac OS, Windows); Hopper (iOS, Linux, Mac OS, Windows); JD Project (Java); baksmali (Android / Java); class-dump-z (iOS, Linux, Mac OS, Windows); nm (Windows / .obj, .lib); Strings (Windows / UNICODE)
• Runtime binary analysis (debugging, tracing): GDB (Windows, UNIX / C, C++, Obj-C & more); ADB (Android); Introspy-Android, Introspy-iOS (Android, iOS); Sogeti ESEC Lab (Android)
• Runtime manipulation (code injection, method swizzling, patching): Cydia Substrate (Android, iOS); Cycript (iOS, Mac OS); DYLD (Mac OS); Theos suite (iOS); Hex Editors (everything); CheatEngine (Windows)
• Jailbreak detection evasion: xCon, tsProtector (iOS)
What do these tools allow?
– Decrypt iOS apps
– Modify data in memory
– Modify data on disk
– Inject custom code
– Change existing code
– Read network traffic
– Manipulate network traffic
– Bypass jailbreak detections
26. IBM Mobile Application Security Framework
Mobile Application Security
• Static Analysis of Source Code: IBM AppScan Source / IBM MobileFirst Application Scanning
• Dynamic Analysis of Back End Calls: IBM AppScan Standard
• Interactive Analysis of Mobile App: IBM Application Security on Cloud
• Hardening of Binary Code: Arxan Application Protection for IBM Solutions
27. Obfuscation: Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
(Diagram: turns this … into this …)
28. Preventing Reverse Engineering: Other Techniques
• Method Renaming
• String Encryption
• … and More!
(Figure: “String not found”)
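String encryption as the slide means it, worked through in Objective-C. This is an added example and not code from the deck, from IBM or from Arxan; the key, the ciphertext bytes and the `DecryptString`/`CurrentToken` helpers are constructed for illustration, and the assumption is an ordinary iOS app target that links Foundation.

```objective-c
#import <Foundation/Foundation.h>
#import <string.h>

// Constructed sample: the plaintext "secret-token" XORed byte-by-byte with the
// repeating 4-byte key below. A build script emits arrays like this from the
// real literals, so the plaintext is never compiled into the app and a
// `strings` pass over the Mach-O binary does not return it.
static const uint8_t kKey[] = { 0x5a, 0x3c, 0x91, 0xe7 };
static const uint8_t kEncToken[] = { 0x29, 0x59, 0xf2, 0x95, 0x3f, 0x48,
                                     0xbc, 0x93, 0x35, 0x57, 0xf4, 0x89 };

// What the build step does: the same XOR, run once over each literal. Shown so
// the transform is explicit; it is not called from shipping code, because the
// literal passed in would otherwise end up in the binary anyway.
static NSData *BuildTimeEncrypt(NSString *literal) {
    NSData *plain = [literal dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableData *enc = [NSMutableData dataWithLength:plain.length];
    const uint8_t *in = plain.bytes;
    uint8_t *out = enc.mutableBytes;
    for (NSUInteger i = 0; i < plain.length; i++) {
        out[i] = in[i] ^ kKey[i % sizeof kKey];
    }
    return enc;
}

// Zero a buffer through a volatile pointer so the compiler cannot drop the
// stores as "dead" the way it may with a plain memset before a return.
static void SecureZero(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

// Runtime decryption into a stack buffer. The caller receives an NSString and
// the scratch buffer is wiped; the NSString itself still holds the plaintext,
// so keep its lifetime short.
static NSString *DecryptString(const uint8_t *enc, size_t len) {
    uint8_t buf[256];
    if (len > sizeof buf) return nil;   // keep literals short or raise the limit
    for (size_t i = 0; i < len; i++) {
        buf[i] = enc[i] ^ kKey[i % sizeof kKey];
    }
    NSString *s = [[NSString alloc] initWithBytes:buf length:len
                                         encoding:NSUTF8StringEncoding];
    SecureZero(buf, sizeof buf);
    return s;
}

// Decrypt at the point of use rather than caching the result in a global: a
// long-lived NSString is as easy to find in a memory dump as a literal in __TEXT.
static NSString *CurrentToken(void) {
    return DecryptString(kEncToken, sizeof kEncToken);   // "secret-token"
}
```

The protection this buys is narrow and worth stating: it defeats `strings`, class-dump style review and a casual look in a hex editor, but the key sits in the same binary and the plaintext exists in memory whenever it is used, so anyone running the app under a debugger or Cycript on a jailbroken device can still read it. That is why the deck pairs string encryption with the runtime checks on the next slide.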
29. Preventing Tampering: Common Techniques
• Jailbreak Detection: am I on a jailbroken device?
• Checksum: has the binary changed?
• Method Swizzling Detection: is someone hijacking my code?
• Debug Detection: is a debugger running?
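The four checks on this slide, written out as an added Objective-C example. It is not code from the deck and not Arxan's or IBM's product code; it assumes a normal iOS app target (a Mach-O executable, not a framework) that links Foundation and CommonCrypto. `TransferController`, the marker paths, the write-probe path and the finding strings are constructed for the example, and `kExpectedTextDigest` is a placeholder a build script would fill in after linking.

```objective-c
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>
#import <mach-o/dyld.h>
#import <mach-o/getsect.h>
#import <mach-o/ldsyms.h>
#import <sys/sysctl.h>
#import <unistd.h>
#import <string.h>
#import <CommonCrypto/CommonDigest.h>

// 1. Jailbreak detection: look for files a stock iOS install never has, then try
//    to write outside the app container, which the sandbox forbids on a stock
//    device. These are heuristics; the slide on tools lists xCon and tsProtector,
//    whose purpose is to hide exactly these artifacts.
static BOOL IsJailbroken(void) {
    NSArray<NSString *> *markers = @[ @"/Applications/Cydia.app",
                                      @"/Library/MobileSubstrate/MobileSubstrate.dylib",
                                      @"/bin/bash", @"/usr/sbin/sshd", @"/etc/apt" ];
    NSFileManager *fm = [NSFileManager defaultManager];
    for (NSString *path in markers) {
        if ([fm fileExistsAtPath:path]) return YES;
    }
    NSString *probe = @"/private/jb_probe.txt";   // constructed path for the write probe
    if ([@"x" writeToFile:probe atomically:YES encoding:NSUTF8StringEncoding error:NULL]) {
        [fm removeItemAtPath:probe error:NULL];
        return YES;
    }
    return NO;
}

// 2. Debugger detection: the kernel sets P_TRACED on a process that is being
//    ptraced, which is what a debugger does. This is the sysctl technique from
//    Apple's Technical Q&A QA1361.
static BOOL IsDebuggerAttached(void) {
    struct kinfo_proc info;
    size_t size = sizeof info;
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    memset(&info, 0, sizeof info);
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return NO;   // failure: unknown, not "attached"
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}

// 3. Checksum: hash the executable's own __text section as mapped at runtime and
//    compare it with a digest produced at build time. PLACEHOLDER: a build script
//    fills this in. A static const array lands in __TEXT,__const, not __text, so
//    the digest does not change the bytes it covers.
static const unsigned char kExpectedTextDigest[CC_SHA256_DIGEST_LENGTH] = { 0 };

static BOOL IsCodeSectionIntact(void) {
    unsigned long size = 0;
    const uint8_t *text = getsectiondata(&_mh_execute_header, "__TEXT", "__text", &size);
    if (text == NULL || size == 0) return NO;
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(text, (CC_LONG)size, digest);
    return memcmp(digest, kExpectedTextDigest, sizeof digest) == 0;
}

// 4. Method swizzling detection: the IMP behind a security-critical selector must
//    resolve to the main executable. A hook installed via method_setImplementation
//    from a Substrate tweak points it into the tweak's dylib instead.
static BOOL IsMethodIntact(Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    if (m == NULL) return NO;
    Dl_info info;
    if (dladdr((const void *)method_getImplementation(m), &info) == 0 ||
        info.dli_fname == NULL) return NO;
    return strcmp(info.dli_fname, _dyld_get_image_name(0)) == 0;   // image 0 is the main executable
}

// A security-critical class to guard, constructed for the example.
@interface TransferController : NSObject
- (BOOL)authorizeTransfer;
@end
@implementation TransferController
- (BOOL)authorizeTransfer { return NO; }   // stand-in for the real authorization logic
@end

// Collect findings instead of branching to exit() at one obvious spot, which is
// easy to patch out; report them to the back end and degrade behaviour quietly.
static NSArray<NSString *> *TamperFindings(void) {
    NSMutableArray<NSString *> *findings = [NSMutableArray array];
    if (IsJailbroken())         [findings addObject:@"jailbroken device"];
    if (IsDebuggerAttached())   [findings addObject:@"debugger attached"];
    if (!IsCodeSectionIntact()) [findings addObject:@"__text digest mismatch"];
    if (!IsMethodIntact([TransferController class], @selector(authorizeTransfer)))
        [findings addObject:@"authorizeTransfer swizzled"];
    return findings;
}
```

Each check has a known blind spot, which is why they are layered: the file probes are what jailbreak-hiding tools suppress; P_TRACED clears as soon as the debugger detaches, so run the check at several points, not once at launch; the digest covers only `__text`, so a patch to data or to a dynamically loaded framework goes unnoticed; and `IsMethodIntact` misses a hook whose IMP also lives in the main binary, or an inline patch of the function prologue that never touches the Objective-C method table. The checks are themselves code in `__text`, so the obfuscation and checksum on the previous slides are what make them harder to locate and remove.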
33. Learn More about Mobile Application Security Testing on Cloud
Replay recent Webinar
• Oct. 20th - Making the Case for Application Security Testing on Cloud
• Nov. 3rd - Protecting Mission-Critical Source Code from AppSec Vulnerabilities
Read the Blogs
• AppSec Testing on Cloud and the Future of Penetration Testing
• A Lever to Move the World: Automating AppSec Testing in the Cloud
• Protecting Your Apps at Runtime
View the Infographic
• Case Closed with IBM AppSec on Cloud
View the YouTube Video
• Identify and Remediate Application Security Vulnerabilities Effectively
Visit the Web Page
• Cloud Marketplace
34. Free Evaluation of “Arxan Application Protection for IBM Solutions”
Now offered as part of IBM’s Security Portfolio
Your Next Steps to Protecting Your Apps
Curious how your app binary is exposed to hacking? Get a free assessment of your app’s binary exposures in 9 categories.
36. © Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security