
iOS App Pen-Testing Client Side Analysis Oct'16 NULL Meet

Upload: aadarsh-n

Post on 16-Apr-2017


TRANSCRIPT

Page 1: iOS Client Side Analysis

iOS App Pen-Testing: Client Side Analysis (Oct'16 NULL Meet)

Page 2: iOS Client Side Analysis

Me..

I work at Aleph Tav Technologies as an AppSec guy. I do web and mobile app pen testing. @Aadarshaddy

Page 3: iOS Client Side Analysis

To-Do

Traffic Analysis: setting a proxy; manipulating parameters using a proxy tool.

Client-Side Analysis (run-time, rev-eng): getting the application executable, getting class info, local data storage, hard-coded information, debugging.

Attack Network Components

Page 4: iOS Client Side Analysis

Agenda today

Traffic analysis is as simple as setting a proxy on the device and listening with a proxy tool on your system, pretty much like web app pen-testing.

Agenda today is client-side analysis.

Page 5: iOS Client Side Analysis

Uses these..

Uses the following technology stack:
Objective-C (runtime-oriented language)
Cocoa library (API)
Recently, Swift

Page 6: iOS Client Side Analysis

Pre-Requisite

Jailbroken (Cydia installed) device – mandatory (advisable to have an unsupported device to avoid frequent OS updates).

This is a trade-off against which OS versions the target application supports.

MacBook – recommended to have one for using Xcode.

Page 7: iOS Client Side Analysis

White Box Testing / Black Box Testing. Most often it is black box testing; we shall see a bit of both.

Page 8: iOS Client Side Analysis

Tools list (jailbroken device required): ios_analyze.pl, mac-robber and log2timeline, Crackulous, appcrack, AppSwitch, Cycript, OpenSSH, unzip, wget, SQLite 3.x, MobileTerminal, class-dump-z, tar, clutch, dumpdecrypted, otool, GDB, r2, clutch, Snoop-it, iPhoneTunnel, keychain dumper, Cydia Substrate, adv-cmds, Darwin CC Tools, APT 0.6 Transitional, Git, GNU Debugger, less, make, ios-ssl-killswitch, Flawfinder, Wireshark, Xcode - property list editor, plutil, otool & other command-line utilities from the Mac App Store, Netcat, Nmap, Burp, SQLite Browser, FuzzDB, IDA Pro, iExplorer

Page 9: iOS Client Side Analysis

Getting into the device

ssh root@ipaddressOfiPhone (default password: alpine)

apt-get update
apt-get upgrade

Page 10: iOS Client Side Analysis

Two things are basic knowledge for doing analysis on a third-party iOS app:

Location: the application sandbox is in /var/mobile/Applications. Encrypted: an app downloaded from the App Store is encrypted.

Page 11: iOS Client Side Analysis

Copying executable

sftp root@ipaddressOfiPhone
cd /usr/bin
put clutch

Clutch is the application used to decrypt third-party applications. Typing clutch will list the applications which it can decrypt.

Page 12: iOS Client Side Analysis

Get the ipa file using clutch and unzip it. Get the class info of the executable using class-dump-z. The executable always has the app's name. As in:

class-dump-z path/to/app/executable > class-info-executable

Page 13: iOS Client Side Analysis

What and Where to look for?

1. Plist files - use plutil to convert to XML:

plutil -convert xml1 xxx.plist

Or the property list editor in Xcode. Look for juicy information: passwords, checksums, email-ids, any sensitive data.

Page 14: iOS Client Side Analysis

What and Where to look for?

2. SQLite: again, client-side stored data is dangerous. SQLite, like on Android, does not have inbuilt support for encryption of data. There are extensions to do it – CEROD, SQLCipher, SmartStore – but again the encryption keys are available client side, and we can set a breakpoint and pull the key from memory.

Path/to/app/appname.app/database.sqlite3
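The plist review (page 13) and the SQLite review (page 14) are the same job done twice: open the client-side store, look for sensitive names and values. The Python below is an added example, not code from the talk: it parses a plist in-process (the same conversion plutil -convert xml1 performs) and walks every table of a SQLite database, flagging sensitive key or column names and email-looking values. The plist, the database and the heuristic regexes are constructed for illustration; the paths in the comments are placeholders.

```python
import plistlib
import re
import sqlite3

# Constructed heuristics: names and values that commonly indicate data that should not
# have been left on the client. Tune these for the app under review.
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|checksum|credential)", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def walk_plist(node, path=""):
    """Yield (keypath, value) for every leaf of a parsed plist, however deeply nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_plist(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_plist(value, f"{path}[{index}]")
    else:
        yield path, node


def reasons_for(name, value):
    """Return the reasons a (name, value) pair deserves a closer look (empty list if none)."""
    reasons = []
    if SENSITIVE_NAME.search(name):
        reasons.append("sensitive name")
    if isinstance(value, str) and EMAIL.search(value):
        reasons.append("email address")
    return reasons


def scan_plist(data):
    """Parse a binary or XML plist (in-process equivalent of `plutil -convert xml1`)
    and return [(keypath, value, reason), ...]."""
    findings = []
    for path, value in walk_plist(plistlib.loads(data)):
        for reason in reasons_for(path, value):
            findings.append((path, value, reason))
    return findings


def scan_sqlite(conn):
    """Inspect every table of an open SQLite connection: flag sensitive column names
    first, then email-looking values in the rows. Returns [(table.column, reason), ...]."""
    findings = []
    tables = [row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            if SENSITIVE_NAME.search(column):
                findings.append((f"{table}.{column}", "sensitive name"))
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for column, value in zip(columns, row):
                if isinstance(value, str) and EMAIL.search(value):
                    findings.append((f"{table}.{column}", "email address"))
    return findings


# Constructed sample data standing in for an app's plist and its database.sqlite3.
SAMPLE_PLIST = plistlib.dumps(
    {
        "AppName": "DemoBank",
        "SupportEmail": "support@example.com",
        "Session": {"AuthToken": "constructed-token-value", "Retries": 3},
        "Servers": ["https://api.example.com"],
    },
    fmt=plistlib.FMT_BINARY,
)


def sample_db():
    """Build an in-memory database shaped like a typical client-side cache (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'constructed-hash')")
    conn.execute("CREATE TABLE settings (key TEXT, value TEXT)")
    conn.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    conn.commit()
    return conn


if __name__ == "__main__":
    # Real use (placeholder paths): scan_plist(open("path/to/app.app/Info.plist", "rb").read())
    # and scan_sqlite(sqlite3.connect("path/to/app.app/database.sqlite3")).
    for finding in scan_plist(SAMPLE_PLIST):
        print("plist:", finding)
    for finding in scan_sqlite(sample_db()):
        print("sqlite:", finding)
```

On the constructed data the scanner reports the AuthToken key and the two email values, plus the password_hash column; a hit is a pointer to review, not proof of a finding, so confirm each one against what the app actually stores and whether it is protected (encrypted, or kept in the keychain instead).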

Page 15: iOS Client Side Analysis

What and Where to look for?

3. Logging files: NSLog
Default: ~/Library/Logs/CrashReporter/MobileDevice/<Devicename>/private/var/log/system.log
Custom: grep -r -F "NSLog" $project_path/ | grep -v .svn

Page 16: iOS Client Side Analysis

What and Where to look for?

4. Caching:
File caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Documents/temp.pdf
Keyboard caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/dynamic-text.dat
Snapshot caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Library/Caches/Snapshots/
Clipboard caching

Page 17: iOS Client Side Analysis

What and Where to look for?

5. Keychains: it's a SQLite database file located at /private/var/Keychains/keychain-2.db, and all the data stored in it is encrypted.

Tools: Snoop-it, keychain-dumper

Page 18: iOS Client Side Analysis

What and Where to look for?

6. Stack Smashing Protection: mitigates stack overflow attacks. If used, the application binary will contain the _stack_chk_fail and _stack_chk_guard symbols. To test:

otool -I -v ApplicationBinary | grep stack

Page 19: iOS Client Side Analysis

What and Where to look for?

7. ASLR flag: mitigates memory corruption vulnerabilities. To test:

otool -hv ApplicationBinary

It should have the PIE flag in the output.

Page 20: iOS Client Side Analysis

What and Where to look for?

8. Automatic Reference Counting: again, to avoid memory corruption vulnerabilities, by moving the responsibility for memory management from the developer to the compiler. To test:

otool -I -v ApplicationBinary | grep _objc_release
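Pages 18 to 20 are one procedure: three otool checks on the decrypted binary (stack canary symbols and _objc_release in the indirect symbol table, PIE in the Mach header). The Python below is an added example, not from the talk: it runs otool when it is available on a Mac, and otherwise scores captured output so the checks can be kept in a report. The otool outputs embedded here are constructed samples shaped like the real format; the binary path in the comment is a placeholder.

```python
import re
import shutil
import subprocess

# What the talk tells you to look for: a stack canary shows up as ___stack_chk_fail /
# ___stack_chk_guard in the indirect symbol table, ARC as calls to _objc_release, and
# ASLR as the PIE flag in the Mach header. Each check is (which otool output, regex).
CHECKS = {
    "stack_canary": ("indirect", r"stack_chk_(fail|guard)"),
    "arc": ("indirect", r"\b_objc_release\b"),
    "pie": ("header", r"\bPIE\b"),
}


def otool_output(binary_path):
    """On a Mac with the Xcode tools, capture `otool -hv` and `otool -I -v` for a binary."""
    if shutil.which("otool") is None:
        raise RuntimeError("otool not available; pass captured output to assess_hardening()")
    header = subprocess.run(["otool", "-hv", binary_path], capture_output=True, text=True, check=True).stdout
    indirect = subprocess.run(["otool", "-I", "-v", binary_path], capture_output=True, text=True, check=True).stdout
    return header, indirect


def assess_hardening(header_text, indirect_text):
    """Return {check_name: present?} from the text of `otool -hv` and `otool -I -v`."""
    sources = {"header": header_text, "indirect": indirect_text}
    return {name: bool(re.search(pattern, sources[source])) for name, (source, pattern) in CHECKS.items()}


def missing_protections(result):
    """Names of the checks that failed, in CHECKS order."""
    return [name for name, present in result.items() if not present]


def report(header_text, indirect_text):
    """Human-readable summary, one line per check."""
    result = assess_hardening(header_text, indirect_text)
    return "\n".join(f"{name:13s} {'present' if ok else 'MISSING'}" for name, ok in result.items())


# Constructed otool output for a build with all three protections and for one without.
HARDENED_HEADER = """Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64   ARM64        ALL  0x00     EXECUTE    23       2456   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""
HARDENED_SYMBOLS = """Indirect symbols for (__TEXT,__stubs) 3 entries
address            index name
0x0000000100007f1c    45 ___stack_chk_fail
0x0000000100007f28    46 _objc_release
0x0000000100007f34    47 _objc_msgSend
Indirect symbols for (__DATA,__got) 1 entries
address            index name
0x000000010000c000    48 ___stack_chk_guard
"""
WEAK_HEADER = """Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64   ARM64        ALL  0x00     EXECUTE    23       2456   NOUNDEFS DYLDLINK TWOLEVEL
"""
WEAK_SYMBOLS = """Indirect symbols for (__TEXT,__stubs) 2 entries
address            index name
0x0000000100007f1c    45 _objc_msgSend
0x0000000100007f28    46 _printf
"""


if __name__ == "__main__":
    # Real use (placeholder path): print(report(*otool_output("Payload/App.app/App")))
    print("hardened build:\n" + report(HARDENED_HEADER, HARDENED_SYMBOLS))
    print("weak build:\n" + report(WEAK_HEADER, WEAK_SYMBOLS))
```

Two caveats when running this against a real app: inspect the binary clutch produced, since the symbol table of the encrypted App Store copy is not what executes; and on a fat binary otool -hv prints one header per architecture slice, so check that PIE appears for every slice rather than trusting a single regex hit.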

Page 21: iOS Client Side Analysis

What and Where to look for?

Automatic Reference Counting
Client-side authentication bypass
Client-side SQL injection
Hardcoded sensitive information anywhere
Client-side validation bypass
No jailbreak detection
Obsolete files
Tapjacking??
Every test case recommended by OWASP for mobile applications in the checklist

P.S.: Use PuTTY, iExplorer to access the above-mentioned files

Page 22: iOS Client Side Analysis

Hard time with SSL Pinning

Use ios-ssl-killswitch
Use Cycript, do runtime hooks and unpin
Downgrade HTTPS to HTTP in Burp
(or) Ask the client to give the unpinned version – as simple as that. It might not work for bounty hunters though :P
