iOS (Vulner)ability

iOS (Vulner)ability Subho Halder Co Founder AppKnox

Description: iOS security architecture.

Transcript of iOS (Vulner)ability

Page 1: iOS (Vulner)ability

iOS (Vulner)ability - Subho Halder, Co Founder, AppKnox

Page 2: iOS (Vulner)ability
Page 3: iOS (Vulner)ability

./WhoAmI

Co Founder of AppKnox ( XYSec Labs )

Python Lover

Security Geeks

Found Security Bugs in Apple, Google, Skype, Webkit, Facebook, Microsoft, …..

Page 4: iOS (Vulner)ability

Security is ……

http://xkcd.com/327/

Page 5: iOS (Vulner)ability

NSLog(@"Agenda");

Quick overview of iPhone iOS Platform.

iOS Security Structure

What is a Jailbreak?

iOS App (IN)Securities

Page 6: iOS (Vulner)ability

Peek into a state-of-art Prison

Page 7: iOS (Vulner)ability

iOS Hardware Architecture

Application Processor: runs iOS (user interaction, applications, ...)

Baseband: runs Nucleus OS (radio communication)

Page 8: iOS (Vulner)ability

iOS Hardware Architecture

Application Processor: audio, display, power management, camera, WIFI, BT

Baseband Processor: GSM; controls sim/net-lock!

Links between the two processors: UART, I2S, GPIO, DMA

Page 9: iOS (Vulner)ability

Phew, Security Architecture

Page 10: iOS (Vulner)ability

***[Sandboxing]***

NAND Flash

FTL (Flash Translation Layer): converts logical partitions to the NAND flash architecture, so the flash looks like a BLOCK device

Block device partitions:

/ (RO) System Partition

/private/var (RW) User Partition

Page 11: iOS (Vulner)ability

***[Sandboxing]***

3rd party apps live only on the User Partition

Apps run as the "mobile" user

Kernel signature-checks executables in the system call execve()

%{ How did you Jailbreak it? }%

(Same diagram as before: NAND -> FTL -> Block Device -> / (RO, System Partition) and /private/var (RW, User Partition))

Page 12: iOS (Vulner)ability

Memory Protection

W^X Policy

Non Executable Stack or Heap

ASLR (Address Space Layout Randomisation)

%{ Did you forget about Return-Oriented Programming? }%

Page 13: iOS (Vulner)ability

Code Signing

Implemented inside Kernel

Kernel signature-checks executables in the system call execve()

Kernel stored on System Partition (kernelcache)

Kernel is signature checked before being loaded.

%{ Can still be by-passed :/ }%

Page 14: iOS (Vulner)ability

Encryption @#%$#^% !

Everything is encrypted

Hardware AES Engine

Keys derived from hardware keys (GID key, UID key)

%{ Possible to use jailbreak tools, e.g. Syringe, to use the hardware engine }%

Page 15: iOS (Vulner)ability

What is J@!lbr3@k ?

Page 16: iOS (Vulner)ability

How does your iPhone boot up?

Bootrom -> [signature check] -> LLB (Low Level Bootloader, NOR) -> [signature check] -> iBoot (NOR) -> [signature check] -> Kernel (NAND) -> [signature check] -> Application (NAND)
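A small Python model of the signature-checked chain on this slide, added here as an illustration and not part of the original deck: each stage image is verified against a root key before control passes to it, and a stage that fails verification halts the boot at the last trusted stage. The stage names follow the slide; the HMAC-based "signature", the key and the image bytes are constructed stand-ins (real devices use RSA signatures rooted in the Bootrom), assumed only for this demonstration.

```python
import hashlib
import hmac

# Constructed stand-in for the Apple root key held in the Bootrom. Real devices verify
# RSA signatures; HMAC-SHA256 is used here only because it is in the standard library
# and gives the same "accept only images signed by the key holder" behaviour.
ROOT_OF_TRUST_KEY = b"constructed-bootrom-root-key"

# Stages that follow the Bootrom, in boot order (from the slide).
STAGES = ["LLB", "iBoot", "Kernel", "Application"]


def sign_image(image: bytes) -> bytes:
    """Signature stand-in: keyed MAC over the stage image."""
    return hmac.new(ROOT_OF_TRUST_KEY, image, hashlib.sha256).digest()


def build_chain(tamper: str = None) -> list:
    """Return [(stage, image, signature)] in boot order. If `tamper` names a stage,
    its image is modified after signing, as a modified image on flash would be."""
    chain = []
    for stage in STAGES:
        image = f"{stage} image contents".encode()  # constructed image bytes
        signature = sign_image(image)
        if stage == tamper:
            image += b" + unsigned modification"
        chain.append((stage, image, signature))
    return chain


def boot(chain: list) -> list:
    """Each stage verifies the next against the root key before handing over control.
    Returns the list of stages that actually ran, starting with the Bootrom."""
    ran = ["Bootrom"]
    for stage, image, signature in chain:
        if not hmac.compare_digest(sign_image(image), signature):
            break  # verification failed: stop here (a device would drop to recovery/DFU)
        ran.append(stage)
    return ran


if __name__ == "__main__":
    print("clean boot:      ", boot(build_chain()))
    print("tampered iBoot:  ", boot(build_chain(tamper="iBoot")))
```

The point the model makes is that verification is transitive: a stage is only ever executed after the stage before it has checked it, so an unsigned change to any image after the Bootrom is caught at the hand-off to that image, never later.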

Page 17: iOS (Vulner)ability

Recovery Mode?

Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> Ramdisk (signature checks between stages)

Page 18: iOS (Vulner)ability

DFU Mode !

DFU chain: Bootrom -> iBSS -> iBEC -> Kernel -> Ramdisk (iBSS/iBEC: minimal iBoot)

Normal chain: Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> Application

Page 19: iOS (Vulner)ability

Attacking the chain of trust!

Bootrom -> [signature check] -> LLB (Low Level Bootloader) -> [signature check] -> iBoot -> [signature check] -> Kernel -> [signature check] -> Application

attack here (cannot be fixed): Bootrom

attack here: the signature-checked stages that follow (System Software)

Page 20: iOS (Vulner)ability

Where do we go wrong?

Page 21: iOS (Vulner)ability

Plists

Used by iPhone to store saved properties and data

XML

Binary (compressed XML) (deprecated)

The binary plists need converting, you can use:

plutil to convert to XML

Property List Editor (in Xcode)

plists contain all kinds of juicy information. Check for:

Cookies, emails, usernames, passwords, sensitive application data, client side role identifiers, protocol handlers, etc.

Page 22: iOS (Vulner)ability

B00M! :O

Page 23: iOS (Vulner)ability

INSERT into `SQLite`

A lot of iOS applications store sensitive data in SQLite3 databases on the device.

SQLite3 does not have built-in support for encryption.

There are extensions (CEROD is one, SQLCipher is another) that support encryption, but the code is not publicly available; you need to license it. Apple has not, so the included version of sqlite3 does not support encrypted databases.

Still dangerous to store stuff client side.

To bypass: CEROD is as simple as looking for “cerod:passwd” or breakpointing and pulling it out of memory: sqlite3_open(":cerod:passwd:filename.db", &db);
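To make the "no built-in encryption" point concrete, here is an added Python demonstration (not code from the original deck): it writes a constructed session token into a SQLite file the way an app might, then reads the raw file back without SQLite and finds the token in the clear. Table and column names and the token value are assumptions for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed values; the token is a stand-in for a real session secret.
SESSION_TOKEN = "CONSTRUCTED-SESSION-TOKEN-123"


def write_session_db(path: str, username: str, token: str) -> None:
    """Mimic an app persisting a login session into a SQLite file in its sandbox."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS session (user TEXT, token TEXT)")
    con.execute("INSERT INTO session VALUES (?, ?)", (username, token))
    con.commit()
    con.close()


def secret_visible_on_disk(path: str, secret: str) -> bool:
    """Read the raw file, bypassing SQLite entirely: stock SQLite stores cell content as-is."""
    with open(path, "rb") as fh:
        return secret.encode("utf-8") in fh.read()


def demo() -> bool:
    """Write the database into a temporary directory and report whether the token is readable."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "app.db")
        write_session_db(path, "alice", SESSION_TOKEN)
        return secret_visible_on_disk(path, SESSION_TOKEN)


if __name__ == "__main__":
    print("token readable from the raw .db file:", demo())
```

Anyone who can copy the `.db` file (backup, jailbroken device, simulator directory) gets the secret with `grep`; this is why session material belongs in the Keychain and why an encrypted-SQLite extension only helps when its key is not itself stored next to the database.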

Page 24: iOS (Vulner)ability

)()()( Keychains )()()(

Keychain = Encrypted container for storing sensitive information

Smarter devs store passwords and sensitive data using the keychain.

Unfortunately with access to a phone and jailbreaking we can decrypt the keychain and dump the contents.

Page 25: iOS (Vulner)ability

tail -f /var/logs/

iOS logs lots of data, NSLog output especially. It can be viewed after the fact in:

~/Library/Logs/CrashReporter/MobileDevice/<Device name>/

/private/var/log/system.log

It can also be viewed in your Mac's Console app (under Utilities).
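A detection pass over such a log, added here as an example and not part of the original deck: it runs a few leak patterns (password fields, bearer-style tokens, card numbers filtered with a Luhn check) over constructed system.log lines and reports each hit with the sensitive value redacted. The app name, log lines, values and patterns are all constructed for the demonstration.

```python
import re

# Constructed system.log excerpt in the style of iOS syslog output. "ExampleBank" is a
# hypothetical app; every value below is made up for the demonstration.
SAMPLE_LOG = """\
Jan 10 12:00:01 iPhone ExampleBank[412] <Warning>: login started for user alice
Jan 10 12:00:02 iPhone ExampleBank[412] <Warning>: POST /login body={"username":"alice","password":"hunter2"}
Jan 10 12:00:02 iPhone ExampleBank[412] <Warning>: auth ok, token=eyJhbGciOiJIUzI1NiJ9.constructed.payload
Jan 10 12:00:03 iPhone ExampleBank[412] <Warning>: fetched 3 accounts
Jan 10 12:00:04 iPhone ExampleBank[412] <Warning>: card on file 4111 1111 1111 1111
"""

# Patterns for the kinds of data NSLog calls tend to leak. Each has one capture group
# holding the sensitive value so it can be redacted in the report.
LEAK_PATTERNS = {
    "password": re.compile(r'"?pass(?:word|wd)?"?\s*[:=]\s*"?([^"\s,}]+)', re.I),
    "token": re.compile(r'\btoken\s*[:=]\s*([A-Za-z0-9._-]{16,})', re.I),
    "card_number": re.compile(r'\b((?:\d[ -]?){13,19})\b'),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs (timestamps, IDs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_log(text: str) -> list:
    """Return (line_number, kind, redacted_line) for every line that leaks something."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in LEAK_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group(1))):
                continue
            redacted = line[: m.start(1)] + "***" + line[m.end(1):]
            findings.append((lineno, kind, redacted))
    return findings


if __name__ == "__main__":
    for lineno, kind, redacted in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {redacted}")
```

Run against a real `system.log`, the same function tells a reviewer which NSLog calls in the app need to go (or be compiled out of release builds) before the log ever reaches a Mac's Console app.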

Page 26: iOS (Vulner)ability

File Caching \m/\m/

If the application uses PDF, Excel, or other files, these files may have been cached on the device.

These can be found at: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Documents/temp.pdf

Page 27: iOS (Vulner)ability

$(`Keyboard Caching`)

Keystrokes for predictive spellcheck are stored in:

~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/dynamic-text.dat

This issue is similar to autocomplete for web browsers.

Already disabled for password fields. Should be disabled for any potentially sensitive fields (account numbers, SSN, etc.).

Set the UITextField property autocorrectionType = UITextAutocorrectionTypeNo for mitigation.

Page 28: iOS (Vulner)ability

Snapshot Caching

When you are in an application and the home button is pushed, the application stores a snapshot (screenshot) in the app's snapshot folder:

~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Library/Caches/Snapshots/

These persist until reboot. Hopefully you weren’t on a screen with any sensitive data!

Page 29: iOS (Vulner)ability

Snapshot Caching

Page 30: iOS (Vulner)ability

SQL Injection Client-Side

SQL injection is a problem on the client side too!

BAD:

    NSString *sql = [NSString stringWithFormat:@"SELECT name FROM products WHERE id = '%@'", id];
    const char *query = [sql UTF8String];

GOOD:

    const char *sql = "SELECT name FROM products WHERE id = ?";
    sqlite3_stmt *sql_statement = NULL;
    sqlite3_prepare_v2(database, sql, -1, &sql_statement, NULL);
    sqlite3_bind_text(sql_statement, 1, [id UTF8String], -1, SQLITE_TRANSIENT);
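The BAD/GOOD pair above, replayed in Python's sqlite3 module so the difference can be observed on a real table; this is an added example, not code from the original deck. The product rows and the lookup functions are constructed for the demonstration: `lookup_bad` builds the SQL text with string formatting like the stringWithFormat: version, `lookup_good` binds the value like sqlite3_prepare_v2 + sqlite3_bind_text.

```python
import sqlite3

# Constructed product table; "p9" is a row the UI is never supposed to show.
PRODUCTS = [("p1", "Widget"), ("p2", "Gadget"), ("p9", "Unreleased SKU")]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's on-device database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return con


def lookup_bad(con: sqlite3.Connection, product_id: str) -> list:
    """Counterpart of the stringWithFormat: version: the id is pasted into the SQL text,
    so quote characters in it change the meaning of the statement."""
    sql = f"SELECT name FROM products WHERE id = '{product_id}'"
    return [row[0] for row in con.execute(sql)]


def lookup_good(con: sqlite3.Connection, product_id: str) -> list:
    """Counterpart of sqlite3_prepare_v2 + sqlite3_bind_text: the id is bound as a value
    and is never parsed as SQL, whatever characters it contains."""
    rows = con.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = make_db()
    print(lookup_bad(con, "p1"), lookup_good(con, "p1"))
    tampered = "' OR '1'='1"
    print(lookup_bad(con, tampered))   # every row, including the hidden one
    print(lookup_good(con, tampered))  # nothing: no product has that literal id
```

Note that the formatted version also breaks on benign input: an id containing a single quote such as `O'Brien` raises a syntax error from SQLite, which is a cheap signal during testing that binding was skipped somewhere.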

Page 31: iOS (Vulner)ability

XSS Client-Side

Can occur whenever user-controlled Objective-C variables are populated into a WebView via stringByEvaluatingJavaScriptFromString:

    NSString *javascript = [[NSString alloc] initWithFormat:@"var myvar=\"%@\";", username];
    [mywebView stringByEvaluatingJavaScriptFromString:javascript];
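An added Python illustration (not code from the original deck) of why the initWithFormat: line above is unsafe and what the fix looks like: `js_assignment_bad` interpolates the username into JavaScript source exactly as the slide does, `js_assignment_good` emits it as a proper JavaScript string literal via `json.dumps`, and a small counter shows how many statements each snippet actually contains. The hostile display name and the helper names are constructed for the demonstration; the same escaping applies to the Objective-C string before it is handed to the WebView.

```python
import json

# Constructed input that a user could type as a display name.
HOSTILE_NAME = 'bob";alert(document.cookie);//'


def js_assignment_bad(username: str) -> str:
    """Counterpart of initWithFormat:@"var myvar=\\"%@\\";": raw interpolation into JS source."""
    return f'var myvar="{username}";'


def js_assignment_good(username: str) -> str:
    """Emit a JS string literal via json.dumps: quotes, backslashes, control characters and
    non-ASCII (including U+2028/U+2029) are escaped. '</' is escaped as well so the value
    cannot close an enclosing <script> element if the snippet is later inlined in HTML."""
    literal = json.dumps(username).replace("</", "<\\/")
    return f"var myvar={literal};"


def statement_count(js: str) -> int:
    """Count ';' outside double-quoted string literals. It ignores JS comments, which is
    enough here: the unsafe snippet gains extra statements, the safe one stays at one."""
    count, in_string, escaped = 0, False, False
    for ch in js:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == ";":
            count += 1
    return count


if __name__ == "__main__":
    for build in (js_assignment_bad, js_assignment_good):
        snippet = build(HOSTILE_NAME)
        print(f"{build.__name__}: {snippet}  -> {statement_count(snippet)} statement(s)")
```

The general rule the example demonstrates: data never goes into JavaScript source by string formatting; it goes in as a serialised literal, and the WebView then sees one assignment no matter what the user typed.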

Page 32: iOS (Vulner)ability

Vulnerable Obj-C Methods

NSLog()

[NSString stringWithFormat:]

[NSString initWithFormat:]

[NSMutableString appendFormat:]

[NSAlert informativeTextWithFormat:]

[NSPredicate predicateWithFormat:]

[NSException format:]

NSRunAlertPanel

Page 33: iOS (Vulner)ability

How can you get started?

https://www.owasp.org/index.php/OWASP_iGoat_Project

Page 34: iOS (Vulner)ability

AppKnox - Cloud Based Security Automation Tool

Page 35: iOS (Vulner)ability

Available for Android Coming soon for iOS

Page 36: iOS (Vulner)ability

“There is no castle so strong that it cannot be overthrown”

– Cicero

Page 37: iOS (Vulner)ability

Thank You

https://www.appknox.com

http://subho.me @sunnyrockzzs

[email protected]