iOS Application Pentesting

1
iOS Application Pen testing
Ajay Nunna

ABOUT ME
• Java Developer
• Security Researcher
• 5 years into IT Industry
• Music and food lover

AGENDA
• Setting up an iOS pen-testing environment
• Understanding the iOS file system
• Understanding the Objective-C runtime
• Runtime analysis and manipulation
• Insecure Data storage
• URL schemes
• Analyzing network traffic over HTTP/HTTPs
• Automated testing

Setting up Environment
 A jail broken iOS device
 Cydia
• Clutch
• Cycript
• Class-dump-z
• Snoop-it
• OpenShh
• Keychain_dumper

• Jailbreak your device by downloading the
pangu/evasi0n.
• Click on jailbreak and follow the process to jailbreak
your device

Understanding the IOS File
system
• All the applications installed by Apple by default
go inside the /Applications directory and
run with the user root.
• All the applications downloaded from the app
store go inside /var/mobile/applications and
run with the user mobile.
• Every application runs in its own environment
known as the application sandbox, thereby
preventing it to access resources from other
applications. This is done to enforce additional
security.

Here is how a typical application directory looks
like
The APP_NAME.app folder contains the application binary.

Understanding the Objective-C runtime
•All native iOS applications are written in Objective-C, which is a runtime
oriented language.
•Objective-C defers decisions from compile time and link time to the time
when the code in the application is actually being executed.
•Gives rise to a category of attacks knows as runtime manipulation.
•Variables and properties can be analyzed and modified at runtime.
•Messages aren’t bound to method implementations until runtime,
thereby allowing us to modify the method implementations.
•The functions are implemented in the shared library found at
/usr/lib/libobjc.A.dylib.

• Command line utility. Extremely helpful tool in iOS pentesting.
• Extracts class information from unencrypted Mach-O binaries.
• Helps in finding out the method names, properties, protocols
being used in any class.
• Tells a lot about the design of the application.
• Information is presented in a readable format.
class-dump-z

• Application that are installed by default on iOS device won’t
be encrypted, and hence class information can be dumped
without any issues.
• For applications downloaded from the App store, you must
decrypt the application first using clutch.
class-dump-z

Usage: class-dump-z [binaryName]

Usage: clutch [App Name]
• Just using the clutch command will display a list of applications that can be decrypted.
• Use “clutch [App Name]” to decrypt the application. The decrypted ipa file will be stored in the location as shown below.

• Unzip the ipa file to a new folder.
• Dump the class information from the binary inside this folder.

• According to cycript.org - Cycript allows developers to explore and modify
running applications on either iOS or Mac OS X using a hybrid of Objective-
C++ and JavaScript syntax through an interactive console that features
syntax highlighting and tab completion.
• Allows the user to hook into a running process during runtime and modify
the values of instance variables, global variables, swizzle method
implementations, call a particular method etc.
• Complete documentation can be found at http://www.cycript.org/
Cycript

Runtime analysis using Cycript
• You can hook into the runtime of an application by using the command
“cycript -p [PID]”
• Some cool things that you can do with Cycript can be found here
http://iphonedevwiki.net/index.php/Cycript_Tricks

• For the case below, you can define a method named printMethods that
takes input as a class and prints out all its methods.
• This method has been taken from
http://iphonedevwiki.net/index.php/Cycript_Tricks
• For e.g, you can define your own methods.

• You can also use the messages property of a class to print out all its
messages, for e.g “AppDelegate.messages”. This will only print out the
instance methods.

Runtime manipulation using Cycript
• With cycript, you can manipulate the values of instance variables, global
variables for a particular class.
• You can also modify method implementations.

Runtime manipulation demo
• In this case, we are manipulating the instance variable “urlToLoad” in the
view controller RuntimeManipulationDetailsVC for DamnVulnerableiOSApp
(http://damnvulnerableiosapp.com)
• The first step is to get a reference to the view controller.
• Once you get the reference, you can modify any of it’s variables.
• For e.g
UIApp.keyWindow.rootViewController.topViewController.topViewControlle
r.urlToLoad = [NSString stringWithFormat:@"http://google.com"];

• We can also swizzle method implementations and replace the method
implementation with our own.
• Let’s assume you find a method with the name isLoginValidated in a
particular view controller that returns a YES or NO depending on whether
the login information is correct or not.
• To try this demo, download Damn Vulnerable iOS app from
http://damnvulnerableiosapp.com
Runtime manipulation demo (Method Swizzling)

• We can modify this method’s implementation to always return TRUE.
• As you can see, the code on the R.H.S is actually Javascript, this is the
beauty about Cycript, it can contain both Objective-C and javascript syntax.
Runtime manipulation demo (Method Swizzling)
• RuntimeManipulationDetailsVC.messages['isLoginValidated'] =
function() {return TRUE;}

• Plist
• NSUserDefaults
• CoreData (Sqlite)
• Keychain
Insecure Local Data Storage
There are many ways of storing data locally on an iOS device.
Some of these techniques are …

• Data stored in plist files is stored unencrypted in the application sandbox.
• An attacker doesn’t even need to have a jailbroken device to access the
contents of the plist file. It can be accessed using simple file explorer
utilities like iExplorer.
• Most often, developers make the mistake of storing confidential data in
Plist files.
Plist

Plist
• Sample code for storing data in plist files.

Plist
• These files can be easily found using any simple file explorer utility
like iExplorer in the application folder.

Plist
• On inspecting these files, you can find the information being saved
in the plist file.

Plist
• Do not use plist files to store confidential information like
username/passwords.
• Do not store session ID’s , important properties etc in a plist file.
• Plist files should only be used to store information that is not
important, for e.g, a list of image names, the last launch date of the
application etc.

NSUserDefaults
• Used for storing properties, objects that can persist even after an
application restart.
• Information is saved unencrypted inside the application sandbox in
a plist file with the name [BUNDLE_ID].plist inside the folder
Library -> preferences .
• Developers make a common mistake of storing critical data using
NSUserDefaults.

NSUserDefaults
• All the information stored using NSUserDefaults can be found
inside the file [BUNDLE_ID].plist inside the folder Library ->
Preferences.

NSUserDefaults
• All the key/value pairs stored using NSUserDefaults can be found in
this file.

Core Data
• Core Data framework is used to store persistent data, manage
relationships between objects etc.
• Information is again saved unencrypted on the device in .db or
.sqlite files.
• An attacker can gather information about Core data objects by
using a sqlite client.

• Navigate to your application directory and look for files with the
extension .db or .sqlite.
• Use an sqlite client to access these files.
Core Data

Core Data
• Core data framework should not be used to store confidential
information as the information is stored unencrypted on the device.
• If you want to save some confidential informaiton, encrypt it before
saving locally or use some wrappers over core data that store
encrypted information on the device.

Keychain
• It is the most secure way of storing information locally on the
device.
• Used by most of the popular application like Gmail, Facebook to
store confidential information like passwords, authentication tokens
etc.
• Currently, information stored in the keychain can only be dumped
from a jailbroken device using a tool named Keychain Dumper.
• https://github.com/ptoomey3/Keychain-Dumper

Keychain dumper demo
•Wi-Fi Password
• Even though keychain is one of the most secure places to store
information, consider adding an extra layer of encryption before
saving data using keychain to make the job even more difficult for
the attacker.

URL
Schemes
• Used for IPC between applications.
• Every application can register for a particular URL scheme.
• Any url starting with that particular URL scheme invokes the
application that is registered to handle that url.
• For e.g, the facebook iOS application registers for the URL scheme
“fb”
• Url’s starting with fb:// will invoke the facebook iOS application.
• The Facebook iOS application will decide what to do with that
particular url depending on its parameters.
• For e.g fb://chat_text?name=Prateek&message=Hello

URL
Schemes
• Any application can call a url starting with a particular url scheme
and invoke the registered application.
• Attacker can also embed the url inside an iframe in a malicious
page, and hence when the user visits the page, the url will execute
and the registered application will be called.
• These URL schemes can be used to execute important operations,
for e.g FaceTime iOS app allowed other apps to call users via URL
schemes.
• The problem happens when the operation is executed without any
validation from the user.

• A simple solution for this is to validate the action before
performing it.
• For critical apps, you can also set a list of whitelisted
applications and only allow them to invoke an action. This can
be checked by the sourceApplication property in
the calling method.
• Skype URL scheme vulnerability
http://software-
security.sans.org/blog/2010/11/08/insecure-handling-url-
schemes-apples-ios/
URL
Schemes

• How to find out the URL scheme used by a particular
application ?
• This info can be found from the Info.plist file.
URL
Schemes

• Look for the property CFBundleURLSchemes
inside CFBundleURLTypes -> Item 0
• As we can see, the Facebook iOS app registers for quite a lot
of URL schemes.
URL
Schemes

• Another important thing could be to find out the URL
structure an application is expecting in order to perform a
certain action.
• This can be found by reverse engineering the application
using tools like Hopper (hopperapp.com) and looking for
strings that start with that particular URL scheme or looking at
the disassembly of this method in the AppDelegate class.
• Related article: http://highaltitudehacks.com/2014/03/07/ios-
application-security-part-30-attacking-url-schemes
URL
Schemes

• It is important to analyze the network traffic that flows
between the client/server in an application.
• Look for credentials, authentication tokens, API keys being
transmitted over unsecured http channel.
• Check for the entropy in Session ID’s.
• Traffic can be analyzed using a simple proxy tool like Burp
proxy.
• Try to manipulate the request/response using Burp and see
how the client side application responds to it.
Analyzing network traffic over
HTTP/HTTPs

Analyzing traffic over
HTTP
• Configure Burp Proxy to start listening for traffic. Make sure it
is listening on all interfaces.

HTTP
• Configure your iOS device to use your computer as a proxy.

HTTPs
• Send this file to your device via email, click on it and Install it.
Accept all the instructions and click on Done.

HTTPs
• Quit and restart the application you want to sniff traffic for.
You will now be able to see the traffic even if it is over HTTPs

Automated testing
• Automating tests while doing an iOS penetration test can help you
save a lot of time.
• Though not all tests can be automated, there are some tools that do
a very good job at this.
• Snoop-it - https://code.google.com/p/snoop-it/
• iNalyzer - https://appsec-labs.com/iNalyzer
• iRET - https://blog.veracode.com/2014/03/introducing-the-ios-
reverse-engineering-toolkit/

Snoop-it
• Source: https://code.google.com/p/snoop-it/
• For iOS 7, it currently supports only 32 bit devices.

Snoop-it
• Here is how the interface looks like.

Credits
Prateek Gianchandani
Twitter:@prateekg147
http://damnvulnerableiosapp.com

iOS Application Pentesting

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to iOS Application Pentesting (20)

More from n|u - The Open Security Community (20)

Recently uploaded (20)

iOS Application Pentesting