Needle - F-Secure Labs · Server Side Security. Client Side Security. Attacker’s Perspective...
Needle: Finding Issues within iOS Applications
Marco Lancini
Whoami
Me: Marco Lancini
– Security Consultant at MWR InfoSecurity
– @lancinimarco
MWR InfoSecurity
– Research-led Security Consultancy
– Offices in the UK, USA, Singapore, South Africa, Germany, Poland…
What is this talk about?
Current State of Mobile (in)Security
iOS Pentesting (the current state)
Needle (idea, architecture, features, etc.)
Demo
Roadmap
CURRENT STATE OF MOBILE (IN)SECURITY
My Life as a Pentester
Scoping → Testing → Reporting
Mobile app lifecycle
Idea
Execution
Public Release
Mobile app lifecycle
Some real life examples…
Where to focus
OWASP Mobile Top 10 (2014)
Server Side Security
Client Side Security
Attacker’s Perspective
• Physical access
– Stolen device
– Unattended device
– Shared environment
• Malware
– JB devices
– Non-JB devices
• Exploitation
– Outdated software
– 0day
Attacker’s Perspective
• Network communications
– Man-in-the-Middle (MitM)
– Clear text / Weak encryption
– Client-side attacks
• The web server
– Web application security
IOS PENTESTING (the current state)
Assessment Scenarios
Source Code Review
Mobile App Test
Device Review
Mobile Device Management
Types of Applications
Analysing iOS Applications
Run the app on a jailbroken device
MiTM all the network communications
Inspect the app via instrumentation
Manipulate the runtime
Review the codebase
Techniques / 1
Static Analysis
• Reverse engineer the binary
• Perform code review
Data Security
• Look for insecure storage
• Assess data sources (keychain, plist files, cookies)
• Check presence of caching
Techniques / 2
Runtime Analysis
• Bypass integrity checks
• [Patch the binary]
• Instrument the app (hooking)
Transport Security
• Proxy the traffic
• [Bypass TLS pinning]
• Assess WebViews / exploit JS bridges
iOS Testing Environment
Testing Tools
• Jailbroken device
– Weaken the sandbox
– Emulate attackers’ perspective
• Alternate Market (Cydia)
– Common unix tools (BigBoss)
– OpenSSH
• Hooking framework
– Cycript/Frida/Theos
• Intercepting proxy (Burp)
Testing Tools
Common problems
• Need to rely on a multitude of different tools
– each one developed for a specific need
– each one with its own mode of operation (and syntax)
• Issues
– steep learning curve
– time wasted in configuring many different tools
– a “drozer for iOS” was missing
INTRODUCING: NEEDLE (a new format)
What is Needle?
• A tool for auditing iOS Application Security
• An open source, modular framework
– streamline the entire process
– acts as a central hub
What it’s *not*
• Not a “drozer” for iOS
– does not require an agent installed on the device (for now)
– does require a jailbroken device
• Not a vuln scanner
– knowledge (and intuition) of the tester is still required
Motivation
Beginners: easy to use
Professionals: save time during assessments
Developers: quickly test their products
The Architecture
Architecture
• Decoupled components
• Entirely written in Python
Framework Core
Helpers
UI
API
Device Manager
Modules
UI
Device Manager
• Manage connections with the iDevice
– SSH over Wi-Fi
– SSH over USB
• Device setup, port forwarding, cleanup…
• Basic commands
– shell, push/pull
• App management
– metadata, open, decrypt, data protection…
Framework Core
• Initialize and manage all the other components
• Load/execute modules/jobs
• Maintain status
– global options, loaded modules, running jobs, device status…
– pointers to instantiated objects
– constants
Helpers
• Common functionalities offered both to the Core and APIs
• Sanitization, logging, printing…
API
• The framework core exposes APIs to interact with the local and remote OS
• These wrap common functionalities
– file and data access
– command execution
– networking
• Speed up the creation of new modules
API
Modules
• Heart of Needle’s functionalities
• Collection of python scripts
Modules / Sample
Currently Supported Modules
Binary
• App Metadata
• Compilation Checks
• Shared Libraries
• Strings
• Class Dump
• Install IPA
• Pull IPA
Storage
• Binary Cookies
• Cache.db Files
• Plist Files
• SQL Files
• Dump Keychain
• Screenshot Caching
• Keyboard Autocomplete Caching
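One way to automate the Data Security checks listed under Techniques / 1 and the plist and screenshot-caching checks in the Storage module list. This is an added example, not Needle's own code: it walks a pulled app data container, flags credential-like keys in XML or binary plists, and reports a populated app-switcher snapshot cache. The snapshot path Library/Caches/Snapshots and the key-name heuristic are assumptions, and the container it scans is constructed inline.

```python
import os
import plistlib
import tempfile

# Key names that usually carry secrets when they appear in a plist (heuristic, not exhaustive).
SENSITIVE_KEYS = ("password", "passwd", "token", "secret", "apikey", "api_key")
# Assumed location of the app-switcher screenshot cache inside a data container.
SNAPSHOT_DIR = "Library/Caches/Snapshots"


def _walk_values(node, path=""):
    """Yield (key_path, value) for every scalar inside a nested plist structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_values(v, f"{path}/{k}" if path else str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_values(v, f"{path}[{i}]")
    else:
        yield path, node


def scan_plist(plist_path):
    """Return key paths whose name looks credential-like and whose value is non-empty."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)  # plistlib detects XML vs. binary plist
    hits = []
    for key_path, value in _walk_values(data):
        leaf = key_path.rsplit("/", 1)[-1].lower()
        if any(s in leaf for s in SENSITIVE_KEYS) and value not in (None, "", b""):
            hits.append(key_path)
    return hits


def scan_container(container):
    """Walk an app data container: flag sensitive plist keys and a populated snapshot cache."""
    findings = {}
    for root, _dirs, files in os.walk(container):
        for name in files:
            if name.endswith(".plist"):
                full = os.path.join(root, name)
                hits = scan_plist(full)
                if hits:
                    findings[os.path.relpath(full, container)] = hits
    snap = os.path.join(container, SNAPSHOT_DIR)
    if os.path.isdir(snap) and os.listdir(snap):
        findings[SNAPSHOT_DIR] = ["snapshot files present"]
    return findings


def build_sample_container():
    """Constructed sample container (not a real app) with one offending plist and a snapshot cache."""
    base = tempfile.mkdtemp()
    prefs = os.path.join(base, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark",
                       "session": {"authToken": "abc123"}}, fh, fmt=plistlib.FMT_BINARY)
    snap = os.path.join(base, SNAPSHOT_DIR, "com.example.app")
    os.makedirs(snap)
    open(os.path.join(snap, "frame.ktx"), "wb").close()
    return base
```

Run `scan_container(build_sample_container())` to see the two findings; point it at a container pulled from the device to use it for real.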
Currently Supported Modules
Dynamic
• Jailbreak Detection
• URI Handler
• Heap Dump
• Monitor File changes
• Monitor OS Pasteboard
• Syslog Monitor
• Syslog Watch
Hooking
• Cycript shell
• Frida shell
• Frida trace
• Frida launcher
• Enumerate Classes (script)
• Enumerate Methods (script)
• Enumerate All Methods (script)
Currently Supported Modules
Comms
• List Installed Certificates
• Export Installed Certificates
• Import Installed Certificates
• Delete Installed Certificates
• Install MitmProxy CA Certificate
• Intercepting Proxy
Static
• Code Checks
ACTION TIME
DVIA
DEMO: Hooking
DEMO: Network Comms
ROADMAP
Roadmap
• Replace all the dependencies
• Agent to deploy on device
– Support for non-jailbroken devices
• Substrate integration
• WebView scanner
• Hook Swift methods
• URI handlers fuzzer
• Pinning detection/bypass
• Obfuscation detection
• New modules
– … community based
Wanna help?
Want to know more?
mwr.to/needle
@mwrneedle