hacking & securing of ios apps by saurabh mishra
HACKING & SECURING OF iOS APPS
-Saurabh Mishra
NSLog(@"About me!");
  iOS developer >2 yr
  Web API developer
  iOS app pentester
  Security enthusiast
Rough Agenda (we will digress)
  Introduction to iOS
  Introduction to iOS apps
  Objective-C
  Environment & tool setup
  Static Analysis
  Dynamic Analysis
  Secure Coding & Best Practices
iOS
  Mobile OS by Apple Inc. (i Operating System, 2007)
  History
  Architecture of iOS
iOS architecture of a non-jailbroken device
  [Diagram labels: OS & preinstalled apps (path /Application); root user; mobile user; apps from the App Store (path /var/mobile/container/bundle/application); App 1; App 2. The sandbox for App 1 contains all the files created or required by the app.]
  * The permission architecture
  * Sandboxing of iOS apps
Types of iOS Applications
  Web Applications:
    HTML + CSS + JavaScript
    Run inside Safari/WebKit
  Native Applications:
    Written in Objective-C (+ C/C++)
    Compiled into ARM for actual devices, x86 for iOS Simulator
What does an iOS Application Look Like?
iOS Applications:
  In development with Apple SDK Xcode:
    Distributed as Xcode project folders
  Compiled and deployed through the App Store:
    Compiled as ARM
    Distributed as “.ipa” files: zip files containing app resources and ARM executable
    Deployed as “.app” directories
  Executable code is:
    encrypted with FairPlay DRM (AES)
    signed with Apple’s signature
Objective-C
  Objective-C is a superset of C, which means all C code still applies.
[self doSomethingWithVar:var1];
Environment Setup/Tools required
Tool List:
  Your Phone:
    Jailbreak
    GDB
    Command Line Knowledge
    Crackulous/appcrack/Clutch
    Class-dump-z
    Cycript
  Your PC:
    Burp
    SQLite Manager
    IDA/Hopper
How do we Test?
Analysis of iOS apps
  [Diagram labels: Static Analysis, Dynamic Analysis, Binary Analysis, Class dump, Local Storage, Method Swizzling, Network Analysis]
Static Analysis
  Hopper disassembler
  Class-dump-z
Demo
Dynamic Analysis
  GDB
  Method swizzling using “Cycript”
Cycript
  Cycript is an implementation of JavaScript that can interact with Objective-C classes and objects. One of the most useful functions of Cycript is its ability to attach directly to a process, much like gdb, and alter the state of the running application. With Cycript, you can manipulate existing objects already in your application’s memory, or instantiate new objects, such as new view controller classes or windows.
Demo
Network Analysis
  Proxy setup
Local Storage Analysis
  NSUserDefaults
  SQLite
  Core Data
Secure Coding & Best Practices
  Secure coding is about increasing the complexity demanded for an attack against the application to succeed. No application can ever be truly secure. With the right resources and time, any application, including those utilizing strong encryption, can be broken.
Precaution not Cure :-P
  Use dummy methods.
  Analyze flow & architecture of code.
  Check whether the device is jailbroken.
  Don’t use hardcoded strings (key, OAuth token etc).
  Check whether a debugger is attached.
  Handle - (void)applicationDidEnterBackground:(UIApplication *)application
  Use keychain for sensitive info (key, OAuth token etc).
  Don’t use plain HTTP web API.
  Always use server-side validation for in-app purchases.