Hacking & Securing of iOS Apps by Saurabh Mishra

Post on 08-Jan-2017


HACKING & SECURING OF iOS APPS

-Saurabh Mishra

NSLog(@"About me !");
- iOS developer >2 yr
- Web api developer
- iOS app pentester
- Security Enthusiast

Rough Agenda (we will digress)
- Introduction to iOS
- Introduction to iOS apps
- Objective C
- Environment & tool setup
- Static Analysis
- Dynamic Analysis
- Secure Coding & Best practices

iOS
- Mobile OS by Apple Inc. (i Operating System, 2007)
- History
- Architecture of iOS

iOS architecture of non-jailbroken device

[Diagram labels: OS & preinstalled apps; Path: /Application; Root user; Mobile user; App 1; App 2; Sandbox for App 1 contains all the files created or required by the app; Apps from App Store; Path: /var/mobile/container/bundle/application]

* The permission architecture
* Sandboxing of iOS apps

Types of iOS Applications

Web Applications:
- HTML + CSS + JavaScript
- Run inside Safari/WebKit

Native Applications:
- Written in Objective-C (+ C/C++)
- Compiled into ARM for actual devices, x86 for iOS Simulator

What does an iOS Application Look Like?

iOS Applications:

In development with Apple SDK Xcode:
- Distributed as Xcode project folders

Compiled and deployed through the App Store:
- Compiled as ARM
- Distributed as ".ipa" files: zip files containing app resources and ARM executable
- Deployed as ".app" directories

Executable code is:
- encrypted with FairPlay DRM (AES)
- signed with Apple's signature

Objective C

Objective-C is a superset of C; this means all C code still applies.

[self doSomethingWithVar:var1];

Environment Setup/Tools required

Tool List:

Your Phone:
- Jailbreak
- GDB
- Command Line Knowledge
- Crackulous/appcrack/Clutch
- Class-dump-z
- Cycript

Your PC:
- Burp
- SQLite Manager
- IDA/Hopper

How do we Test?

Analysis of iOS apps

- Static Analysis
- Dynamic Analysis

[Diagram labels: Binary Analysis; Class dump; Local Storage; Method Swizzling; Network Analysis]

Static Analysis
- Hopper disassembler
- Class-dump-z

Demo

Dynamic Analysis
- GDB
- Method swizzling using "Cycript"

Cycript

Cycript is an implementation of JavaScript that can interact with Objective-C classes and objects. One of the most useful functions of Cycript is its ability to attach directly to a process, much like gdb, and alter the state of the running application. With Cycript, you can manipulate existing objects already in your application's memory, or instantiate new objects, such as new view controller classes or windows.

Demo

Network Analysis
- Proxy setup

Local Storage Analysis
- NSUserDefaults
- SQLite
- CoreData

Secure Coding & Best Practices

Secure coding is about increasing the complexity demanded for an attack against the application to succeed. No application can ever be truly secure. With the right resources and time, any application, including those utilizing strong encryption, can be broken.

Precaution not Cure :-P
- Use dummy methods.
- Analyze the flow & architecture of the code.
- Check whether the device is jailbroken.
- Don't use hardcoded strings (key, auth token etc).
- Check whether a debugger is attached.
- Handle - (void)applicationDidEnterBackground:(UIApplication *)application
- Use the keychain for sensitive info (key, auth token etc).
- Don't use plain HTTP web APIs.
- Always use server-side validation for in-app purchases.
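
The "use keychain for sensitive info" advice and the NSUserDefaults entry under Local Storage Analysis, shown side by side. This is an added example, not code from the original slides; the service name, defaults key and function names are hypothetical.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service identifier used to group this app's keychain items.
static NSString * const kTokenService = @"com.example.app.auth";

// Weak: NSUserDefaults is backed by a plaintext plist under Library/Preferences
// in the app sandbox, so the token is readable by anyone who can read that file.
static void StoreTokenInsecurely(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"authToken"];
}

// Attributes that identify one generic-password item in the keychain.
static NSDictionary *BaseQuery(NSString *account) {
    return @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kTokenService,
              (__bridge id)kSecAttrAccount: account };
}

// Hardened: store the token as a keychain item that is only readable while the
// device is unlocked and is not migrated to another device through backups.
static BOOL StoreTokenInKeychain(NSString *token, NSString *account) {
    NSDictionary *query = BaseQuery(account);
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any previous value
    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL) == errSecSuccess;
}

// Read the token back; returns nil when the item is missing or inaccessible.
static NSString *LoadTokenFromKeychain(NSString *account) {
    NSMutableDictionary *query = [BaseQuery(account) mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```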

All done ! Can contact me @ srbmishra91@gmail.com