CNIT 128 Hacking Mobile Devices · 2020-04-29 · Hacking Mobile Devices 3. Attacking iOS Apps Part...
CNIT 128 Hacking Mobile Devices
3. Attacking iOS Apps, Part 1
Topics: Part 1
• Introduction to Transport Security
• Identifying Insecure Storage
• Patching iOS Applications with Hopper
Topics: Part 2
• Attacking the iOS Runtime
• Understanding Interprocess Communication
• Attacking Using Injection
Attack Scenarios
• From the network
• Tainted data from server-side applications
• Physical access to the phone
• Interactive access to the phone
• Control of another app on the phone
Introduction to Transport Security
Cleartext Channels
• Such as HTTP
• Never safe
• Even if not transmitting sensitive data like passwords
• Because an attacker could inject JavaScript
Finding Cleartext
• Examine traffic with Wireshark or Burp
Three SSL/TLS Implementations
• The URL loading system
• The Carbon Framework
• The Secure Transport API
The URL Loading System
• High-level classes and methods like
• NSURLConnection
• NSURLSession
• Simplest method
• Most widely adopted
Carbon Framework
• More granular API than the URL loading system
• Gives developers greater control over network requests
• Implemented using the CFNetwork class
Secure Transport API
• Low-level API
• The foundation of CFNetwork and the URL loading system
• Greatest control over the transport
• Complex to implement
• Rarely used directly
Certificate Validation
• SSL and TLS use certificate-based authentication to
• Ensure that you are communicating with the desired server
• Prevent eavesdropping and tampering attacks
• Unless the validation is weakened
Trusted CA
• Certificates must be signed by a trusted Certificate Authority (CA)
• Accepting self-signed or unvalidated certificates undermines TLS and SSL
• Allowing MITM attacks
NSURLConnection Class
• Developer can allow self-signed certificates
• By customizing the didReceiveAuthenticationChallenge method
Carbon Framework
• Can allow self-signed certificates by setting up an SSL settings dictionary
• That sets the kCFStreamSSLValidatesCertificateChain constant to false
Secure Transport API
• Setting the kSSLSessionOptionBreakOnServerAuth option
• Disables the API's certificate validation
• But the app might have its own trust evaluation routines, like certificate pinning
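The NSURLConnection weakness described on these slides, shown next to a hardened delegate, as an added example that is not from the course material. It assumes the pinned server certificate is shipped in the app bundle as a DER file named pinned-server.cer (an assumed resource name).

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// WEAK: answers every server-trust challenge with a credential for whatever
// certificate the peer presented, so self-signed and proxy certificates pass.
@interface WeakDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation WeakDelegate
- (BOOL)connection:(NSURLConnection *)c canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)c didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)ch {
    SecTrustRef trust = ch.protectionSpace.serverTrust;
    [ch.sender useCredential:[NSURLCredential credentialForTrust:trust] forAuthenticationChallenge:ch];
}
@end

// HARDENED: run the system chain and hostname evaluation, then additionally pin
// the leaf certificate to a DER copy in the bundle (pinned-server.cer is an
// assumed resource name). Anything else cancels the connection.
@interface PinnedDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation PinnedDelegate
- (BOOL)connection:(NSURLConnection *)c canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)c didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)ch {
    SecTrustRef trust = ch.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    // The policy attached to a serverTrust already covers expiry and hostname matching.
    BOOL chainOK = SecTrustEvaluate(trust, &result) == errSecSuccess &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *remote = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        NSString *path = [[NSBundle mainBundle] pathForResource:@"pinned-server" ofType:@"cer"];
        NSData *pinned = path ? [NSData dataWithContentsOfFile:path] : nil;
        pinOK = (pinned != nil) && [remote isEqualToData:pinned];
    }
    if (pinOK) {
        [ch.sender useCredential:[NSURLCredential credentialForTrust:trust] forAuthenticationChallenge:ch];
    } else {
        [ch.sender cancelAuthenticationChallenge:ch];
    }
}
@end
```

During testing, an app built on WeakDelegate accepts the Burp CA without complaint, while PinnedDelegate fails the connection even after the proxy certificate has been installed on the device.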
Certificate Problems
• Self-signed certificates
• Expired certificates
• Mismatched hostnames
• Expired root CA certificates
• Allowing any root certificate
Dynamic Testing
• Route traffic through the Burp proxy
• Browser detects the SSL error
GOTO Fail
SSL Session Security
• There are other possible SSL errors if an app is using the Carbon framework or the Secure Transport API
• But not if it uses the high-level URL loading API
• Because there is no way to modify the SSL/TLS session properties
Protocol Versions
• CFNetwork and Secure Transport APIs
• Both allow a developer to modify the protocol version
• SSLv2 and SSLv3 are vulnerable
CFNetwork API (Carbon Framework) Protocol Settings
• These settings specify vulnerable versions
  • kCFStreamSocketSecurityLevelSSLv2
  • kCFStreamSocketSecurityLevelSSLv3
  • kCFStreamSocketSecurityLevelTLSv1
• These settings allow negotiation of insecure versions
  • kCFStreamSocketSecurityLevelNone
  • kCFStreamSocketSecurityLevelNegotiatedSSL
Secure Transport API Protocol Settings
• These settings allow vulnerable versions
  • kSSLProtocolUnknown
  • kSSLProtocol3
  • kTLSProtocol1
  • kTLSProtocol11
  • kDTLSProtocol1
• This is the preferred setting
  • kTLSProtocol12
Cipher Suite Negotiation
Specific Cipher Suite
• Developer may specify an insecure suite
• Secure Transport and CFNetwork APIs allow this
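The protocol-version and cipher-suite choices from the last few slides, written out against the Secure Transport API as an added example (not the course's code): a weak context beside a strict one, plus a read-back check a reviewer can drop into a unit test. The host name is a parameter; no real server is assumed.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <string.h>

// WEAK: lets the peer negotiate down to SSLv3 and sets BreakOnServerAuth without
// ever evaluating SSLCopyPeerTrust itself, so no certificate check happens at all.
static SSLContextRef makeWeakContext(void) {
    SSLContextRef ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
    SSLSetProtocolVersionMin(ctx, kSSLProtocol3);
    SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnServerAuth, true);
    return ctx;
}

// HARDENED: TLS 1.2 floor, hostname bound to the certificate, the library's own
// validation left on, and only forward-secret AEAD suites offered.
static SSLContextRef makeStrictContext(const char *host) {
    SSLContextRef ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
    SSLSetProtocolVersionMin(ctx, kTLSProtocol12);
    SSLSetPeerDomainName(ctx, host, strlen(host));
    const SSLCipherSuite suites[] = {
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };
    SSLSetEnabledCiphers(ctx, suites, sizeof(suites) / sizeof(suites[0]));
    return ctx;
}

// Audit helper: read the settings back from any context and report whether it
// meets the policy above. Equality is used on purpose: kDTLSProtocol1 sorts
// above kTLSProtocol12 numerically but is one of the flagged values.
static BOOL contextIsStrict(SSLContextRef ctx) {
    SSLProtocol minVersion = kSSLProtocolUnknown;
    Boolean breakOnServerAuth = false;
    if (SSLGetProtocolVersionMin(ctx, &minVersion) != errSecSuccess) return NO;
    if (SSLGetSessionOption(ctx, kSSLSessionOptionBreakOnServerAuth, &breakOnServerAuth) != errSecSuccess) return NO;
    return minVersion == kTLSProtocol12 && !breakOnServerAuth;
}
```

contextIsStrict returns NO for makeWeakContext and YES for makeStrictContext; the same read-back calls are what to hook or breakpoint when auditing a third-party binary that builds its own SSLContextRef.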
Intercepting Encrypted Communications
• Necessary to test apps
• Must install the Burp certificate on the phone
Bypassing Certificate Pinning
• An app has information about the correct certificate embedded in it
• And refuses to connect with other certificates
• This must be bypassed to view the network traffic
Substrate Tweaks
Identifying Insecure Storage
Local Storage
• An attacker can steal local data when
• The phone is stolen while unlocked
• The Touch ID sensor is bypassed
• Remote compromise through exploitation
• Default credentials on jailbroken phones
• There is no passcode
• Pairing with a malicious computer
• Exploiting the boot chain
Storage Errors
• Stored by app in plaintext
• Using custom encryption with insecure key
• Stored with wrong data protection class
• Inadvertently stored by iOS
Data Protection API
Protection Classes
• No Protection
  • Not encrypted
  • Unsuitable for sensitive data
• Complete Until First User Authentication
  • Discouraged for sensitive data
Identifying Data Protection Classes
• If data can be backed up
  • Back up, then use
Keychain Items
• keychain_dump creates plist files
• protection_class key inside them
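The protection classes from the slides above, applied from the developer's side as an added example that is not part of the course material: a file written under the Complete class, an audit helper that flags the two classes the slides call unsuitable or discouraged, and a keychain item whose accessibility attribute is the value keychain_dump later reports as protection_class. Service, account and path names are whatever the caller passes in.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Write a file under the Complete class: its key is discarded when the device
// locks, so the bytes are unreadable from a locked, stolen handset.
static BOOL writeProtected(NSData *secret, NSString *path, NSError **err) {
    return [secret writeToFile:path
                       options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                         error:err];
}

// Audit helper: read the protection class back from the filesystem and reject
// "No Protection" and "Complete Until First User Authentication".
static BOOL fileProtectionIsAcceptable(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:NULL];
    NSString *cls = attrs[NSFileProtectionKey];
    if (cls == nil || [cls isEqualToString:NSFileProtectionNone]) return NO;
    if ([cls isEqualToString:NSFileProtectionCompleteUntilFirstUserAuthentication]) return NO;
    return YES;  // NSFileProtectionComplete or NSFileProtectionCompleteUnlessOpen
}

// Keychain counterpart: WhenUnlockedThisDeviceOnly ties the item to the unlocked
// state and keeps it out of backups. Leaving kSecAttrAccessible unset means
// accepting the default class rather than choosing one.
static OSStatus storeTokenInKeychain(NSString *service, NSString *account, NSData *token) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    };
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any stale copy
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = token;
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}
```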
Dynamic Analysis
• Tests stored data that doesn't get backed up
• Use Cydia Substrate
• The old Snoop-It tool was helpful, but it's gone
Patching iOS Applications with Hopper
Get the Binary
• Project M 702
Disassemble with Hopper
Jailbreak Detection
Pseudo Code