[PDF] Pen Testing iOS Apps

2 jui 2015 · Tools Most tools we'll use are either open source or inexpensive – iExplorer for exploring file system on an iOS device – iOS device and a 




Copyright© 2015 KRvW Associates, LLC

Ken van Wyk, ken@krvw.com, @KRvW

Pen Testing iOS Apps

FIRST 2015

Ken van Wyk, @KRvW

Berlin, Germany

14-19 June 2015

Topics we'll cover

We'll focus on how to break typical iOS apps
- iOS topics
- Application topics

Simple analysis
- Surface of app
- Static analysis
- Dynamic analysis

Deeper analysis
- Explore app binary
- Run-time exploration and exploitation

Tools

Most tools we'll use are either open source or inexpensive
- iExplorer for exploring file system on an iOS device
- iOS device and a USB cable
  - Preferably jailbroken
  - Cydia
  - Cycript

Clear up some misconceptions

Apple's iOS has been a huge success for Apple
- Together with Android, they have re-defined mobile telephony

Apple has made great advances in security
- They are still far from really good
- Not even sure if they're pretty good

Software developers still make silly mistakes

System Hardening Features

Attack surface reduction

Stripped down OS
- No /bin/sh

Privilege separation

Code signing

Data execution prevention (DEP)
- Vital for return oriented programming
- No architectural separation of data and code segments

Address space layout randomization (ASLR)

Application sandboxing

By policy, apps are only permitted to access resources in their sandbox
- Inter-app comms are by established APIs only
  - URLs, keychains (limited)
- File i/o in ~/Documents only

These rules don't always apply to Apple's own apps

Hardware encryption

Each iOS device (as of 3GS) has hardware crypto module
- Unique AES-256 key for every iOS device
- Sensitive data hardware encrypted

Sounds brilliant, right?
- Well...

iOS crypto keys

GID key - Group ID key

UID key - Unique per dev

Dkey - Default file key

EMF! - Encrypts entire file system and HFS journal

Class keys - One per protection class
- Some derived from UID + Passcode

iOS NAND (SSD) mapping

Block 0 - Low level boot loader

Block 1 - Effaceable storage
- Locker for crypto keys, including Dkey and EMF!

Blocks 2-7 - NVRAM parameters

Blocks 8-15 - Firmware

Blocks 8-(N-15) - File system

Blocks (N-15)-N - Last 15 blocks reserved by Apple

Built-in file protection classes

iOS (since 4) supports file protection classes
- NSFileProtectionComplete
- NSFileProtectionCompleteUnlessOpen
- NSFileProtectionCompleteUntilFirstUserAuthentication
- NSFileProtectionNone

All but None are derived

Built-in file protection limitations

Pros
- Easy to use, with key management done by iOS
- Powerful functionality
- Always available
- Zero performance hit

Cons
- For Complete, crypto keying includes UDID + Passcode
  - 4 digit PIN problem

Keychains

Keychain API provided for storage of small amounts of sensitive data
- Login credentials, passwords, etc.
- Credit card data often found here

Stored in a SQLite database
- Encrypted using hardware AES with derived key

Jailbreaks

Apple's protection architecture is based on a massive digital signature hierarchy
- Starting from bootloader
- Through app loader

Jailbreak software breaks that hierarchy
- Current breaks up to 8.1.2

DFU mode allows USB vector for boot loader
- Older iPhones mostly, but...

Keyboard data

All "keystrokes" are stored
- Used for auto-correct feature
- Nice spell checker

Key data can be harvested using forensics procedures
- Passwords, credit cards...
- Needle in haystack?

Screen snapshots

Devices routinely grab screen snapshots and store in JPG
- Used for minimizing app animation
- It looks pretty

WHAT?!
- It's a problem
- Requires local access to device, but still...

Let's consider the basics

We'll cover these (from the mobile top 10)
- Protecting secrets
  - At rest
  - In transit
- Input/output validation
- Authentication
- Session management
- Access control
- Privacy concerns

Examples

Airline app
- Stores frequent flyer data in plaintext XML file

Healthcare app
- Stores patient data in plist file
  - But it's base64 encoded for your protection...

Banking app
- Framework cache revealed sensitive account data

Consumer ticket app
- Accepted SSL from self signed key
- Exposed credit card data

SQLite example

Let's look at a database app that stores sensitive data into a SQLite db
- We'll recover it trivially by looking at the unencrypted database file
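An added example, not from the original slides: a Python check to run over a copy of an app's data directory, flagging the two storage mistakes described above (an unencrypted SQLite file, and plist values that are only base64 encoded). The function names, file names and key names are assumptions, the base64 test is a heuristic, and the sample data is constructed.

```python
import base64
import plistlib
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite file

def is_plaintext_sqlite(path):
    """True if the file starts with the standard, unencrypted SQLite header."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def base64_strings(obj, key=""):
    """Heuristic: yield keys whose string value decodes from base64 to printable text."""
    if isinstance(obj, (dict, list)):
        items = obj.items() if isinstance(obj, dict) else ((key, v) for v in obj)
        for k, v in items:
            yield from base64_strings(v, k)
    elif isinstance(obj, str) and len(obj) >= 8:
        try:
            text = base64.b64decode(obj, validate=True).decode("utf-8")
        except ValueError:  # not base64, or not UTF-8 once decoded
            return
        if text.isprintable():
            yield key

def audit_container(root):
    """Return (file name, finding) pairs for a copy of an app's data directory."""
    findings = []
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        if is_plaintext_sqlite(p):
            findings.append((p.name, "plaintext SQLite database"))
        elif p.suffix == ".plist":
            try:
                data = plistlib.loads(p.read_bytes())  # XML or binary plist
            except Exception:  # unreadable or malformed plist: skip it
                continue
            findings += [(p.name, f"base64-only value: {k}") for k in base64_strings(data)]
    return findings

def build_sample(root):
    """Write constructed sample data (hypothetical file and key names) into root."""
    con = sqlite3.connect(str(Path(root) / "records.sqlite"))
    con.execute("CREATE TABLE notes (body TEXT)")
    con.commit()
    con.close()
    sample = {"PatientName": base64.b64encode(b"Constructed Name").decode(), "Theme": "dark"}
    (Path(root) / "profile.plist").write_bytes(plistlib.dumps(sample))
```

Call `build_sample()` on an empty directory and then `audit_container()` on it to see both findings; a database encrypted at the file level would not start with the standard header and so would not be flagged.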

Protecting secrets at rest

Encryption is the answer,