Intro to Mobile Security Assessment: Tools and Techniques
Copyright 2012 WireHarbor Security, Inc.
Who am I?
• Founder/President - WireHarbor Security, Inc.
• Previously: Led Global Application Security for F500 Insurance co.
• Focus on: Application Security, Mobile Security, Source Code Review
• Partnerships:
Agenda
• Overview
• Attack Vectors
• Setup
• Basic Techniques
• Advanced Tech.
• Questions
Objectives - Security Assessment
• Determine the correct path to Exploitation.
• Many Attacks, Weaknesses and Impacts.
RULE #1: Mobile Security
Perform sensitive/confidential/dangerous operations OFF-DEVICE...
...also, we still can’t trust user input.
Mobile Assessment: Key Difference
• User-access to runtime environment
  - DEVS: **New perspective allows us to see everything you are doing**
VS...
Jailbreak vs. Rooting
• Jailbreak (iOS) - Users can break out of sandbox, but are still limited by the Apple kernel. (Your iPhone is still an iPhone)
• Rooting (Android) - Implement a new kernel, turn your phone into ???
Attack Vectors
• GSM Network
• GPS
• Applications (Malware)
• Application Vuln’s (Objective-C)
• Browser Exploits
• Web Services
• Bluetooth
• WIFI (Rogue Access Points)
• NFC/RFID
Security Controls
• Reduced Attack Surface
• Code Signing/App Store Approval Process - iOS
  - Android is more of a free-for-all
• Sandboxing
• NX Memory
• ASLR/PIE (compiler flag)
  - Rarely used in 3rd party applications
• Certificate Verification
• Device Encryption
Mobile Security Assessment
• Step #1 : Jailbreak
• Step #2 : ???
• Step #3 : PROFIT!!!
Jailbreak in 30 sec
• DISCLAIMER: BRICK WARNING!!!
• DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!
• DISCLAIMER: APPSTORE DEREGULATION!
• Beware of Jailbreak SCAMMERS!
• iPhone Dev Team (blog.iphone-dev.org)
• evad3rs Team (http://evasi0n.com/)
• Android is more complicated. (SuperOneclick)
  - Hardware/OS/Carrier dependent
Tools
• Jailbroken/Rooted Device
• Cydia Applications (tcpdump, sqlite, etc...)
• Android Debug Bridge (ADB)
• GDB (Runtime analysis)
• IDA Pro (Binary Reverse-Engineering)
• MobileSubstrate/Cycript
• BurpSuite (HTTP Analysis)
• Xcode/Eclipse (Custom development, binary tools)
Finding Targets
PLENTY of them out there…
650,000+ Applications in AppStore*
250,000+ listed for iPad
• App Store:
  - ~/Music/iTunes/iTunes Media/Mobile Applications
  - .ipa file (zip archive)
• On iOS:
  - /var/mobile/Applications/<UUID>/<AppName>.app/
*Source: Techcrunch, July 2012
Techniques
The easy stuff…
Mobile Hacking 101
• Gain Access
• Look for interesting data
  - Log Files
  - Databases
  - Crash Dumps
  - In-Transit
• Cause interesting execution
  - Form Input/Output
  - Application Redirects
Techniques: Log File Analysis
• Applications output/store lots of logging data.
  - ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE>
  - /private/var/log/system.log
Techniques: Data Storage
• SQLite
  - “Self-contained, zero-configuration, embeddable DB”
• Finding sqlite files…
• Automation FTW!
  - find . -exec file {} \;
Techniques: Data Storage
• Pulling out data…
  - SELECT * FROM <table>
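The two data-storage steps above (find every SQLite file in an app container, then pull the data out) can be scripted. The following Python is an added example, not code from the deck or from WireHarbor: it walks a directory looking for files that start with the SQLite 3 magic header (the check `file` performs), opens each one read-only, inventories tables and row counts, and flags column names that suggest credentials or tokens. The sample container, its `cache.db` tables and the `SENSITIVE_COLUMNS` keyword list are constructed for the example.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Every SQLite 3 database starts with this 16-byte header string.
SQLITE_MAGIC = b'SQLite format 3\x00'

# Column-name fragments that usually deserve a closer look (assumed list, extend as needed).
SENSITIVE_COLUMNS = ('password', 'passwd', 'token', 'secret', 'session', 'ssn', 'card')


def is_sqlite_file(path):
    """True if the file carries the SQLite magic header, whatever its extension says."""
    try:
        with open(path, 'rb') as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_sqlite_files(root):
    """Walk an extracted app container; Python stand-in for `find . -exec file {} \\;`."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                hits.append(path)
    return sorted(hits)


def quote_ident(name):
    """Double-quote an identifier read from sqlite_master so odd table names cannot break the query."""
    return '"%s"' % name.replace('"', '""')


def _open_readonly(db_path):
    # mode=ro keeps an assessment from modifying the evidence it is reading.
    return sqlite3.connect(Path(db_path).resolve().as_uri() + '?mode=ro', uri=True)


def inventory(db_path):
    """Per table: column names, row count and the columns whose names look sensitive."""
    conn = _open_readonly(db_path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        result = {}
        for table in tables:
            cols = [r[1] for r in conn.execute('PRAGMA table_info(%s)' % quote_ident(table))]
            (rows,) = conn.execute('SELECT COUNT(*) FROM %s' % quote_ident(table)).fetchone()
            flagged = [c for c in cols if any(k in c.lower() for k in SENSITIVE_COLUMNS)]
            result[table] = {'columns': cols, 'rows': rows, 'flagged': flagged}
        return result
    finally:
        conn.close()


def dump_table(db_path, table, limit=20):
    """The slide's `SELECT * FROM <table>`, capped so a large cache does not flood the terminal."""
    conn = _open_readonly(db_path)
    try:
        return conn.execute('SELECT * FROM %s LIMIT ?' % quote_ident(table), (limit,)).fetchall()
    finally:
        conn.close()


def build_sample_container():
    """Constructed stand-in for /var/mobile/Applications/<UUID>/: one cache DB plus a decoy text file."""
    root = tempfile.mkdtemp(prefix='app_container_')
    docs = os.path.join(root, 'Documents')
    os.makedirs(docs)
    db = os.path.join(docs, 'cache.db')
    conn = sqlite3.connect(db)
    conn.execute('CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT, api_token TEXT)')
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 'hunter2', 'tok_constructed_value')")
    conn.execute('CREATE TABLE prefs (key TEXT, value TEXT)')
    conn.commit()
    conn.close()
    with open(os.path.join(root, 'notes.txt'), 'w') as f:
        f.write('not a database\n')
    return root


if __name__ == '__main__':
    container = build_sample_container()
    for db in find_sqlite_files(container):
        print(db)
        for table, info in inventory(db).items():
            print('  %s: %d rows, columns=%s, flagged=%s' % (table, info['rows'], info['columns'], info['flagged']))
            if info['flagged']:
                print('   ', dump_table(db, table))
```

Run it against a real container by replacing `build_sample_container()` with the path of the `.app` directory (or an unzipped `.ipa`); the magic-header check catches databases with no `.db`/`.sqlite` extension, which a name-based search misses.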
Techniques: SQL Injection
• Should look familiar...
Techniques: XSS Injection
• XSS is in there too...
  - Be careful with WebKit. (UIWebView object)
“Of the 197 vulnerabilities, 142 are related to WebKit...”, ZDNet review of iOS 6
// user-controlled text is formatted straight into JavaScript source and executed in the web view
NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
[mywebView stringByEvaluatingJavaScriptFromString:js];
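The Objective-C above builds JavaScript by string formatting, so whatever is in `user` becomes part of the script. The Python below is an added example (not from the deck) that reproduces that pattern next to a hardened builder: the value is turned into a JavaScript string literal with `json.dumps` (which escapes quotes, backslashes, control characters and, with the default `ensure_ascii=True`, every non-ASCII character including the JS line terminators U+2028/U+2029), plus extra escapes for `<`, `>` and `&` so the literal stays inert inside an inline `<script>` block. The sample inputs, the `v` variable and the quote-counting check are constructed for illustration.

```python
import json

# Constructed inputs: one benign string and three that change the meaning of the generated script.
SAMPLE_INPUTS = ['plain text', '"; runArbitraryCode(); //', '</script><script>x()</script>', 'a\u2028b']


def build_js_unsafe(user):
    """Same shape as the slide's initWithFormat: call: the user string is spliced into JS source as-is."""
    return 'var v="%s";' % user


def js_string_literal(value):
    """Encode a Python str as a JavaScript string literal that cannot close itself early."""
    literal = json.dumps(value)   # quotes, backslashes, control and non-ASCII chars become escapes
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026')):
        literal = literal.replace(ch, esc)   # keep '</script>' and '&' harmless in inline HTML contexts
    return literal


def build_js_safe(user):
    """Hardened form: the value reaches JavaScript only as a properly escaped literal."""
    return 'var v=%s;' % js_string_literal(user)


def breaks_out_of_literal(js):
    """Illustrative check: count unescaped double quotes. A well-formed `var v="...";` has exactly
    two; any other count means user data terminated the literal and the remainder runs as code."""
    count, i = 0, 0
    while i < len(js):
        if js[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if js[i] == '"':
            count += 1
        i += 1
    return count != 2


if __name__ == '__main__':
    for user in SAMPLE_INPUTS:
        for label, build in (('unsafe', build_js_unsafe), ('safe', build_js_safe)):
            js = build(user)
            print('%-6s breaks_out=%-5s %s' % (label, breaks_out_of_literal(js), js))
```

The quote counter only detects the "close the literal" failure; it reports nothing for `</script>` in the unsafe output, which is exactly why the safe builder escapes angle brackets as well rather than relying on a check after the fact.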
Techniques: Proxy Intercept
• Certificate errors are validated.
  - Manually install Burpsuite cert.
  - http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/
Techniques: Event Handler Abuse
• Apps can register their own handlers via plist files.
  - [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"]];
Techniques: Event Handler Abuse
• Finding interesting handlers…
  - $> strings <target>.app/<target> | grep "://" | grep -v "http"
<string>googlegmail://</string>
<string>googlegmail://</string>
<string>mgc://</string>
<string>currents://</string>
<string>googletranslate://</string>
<string>comgoogleshopper://</string>
<string>comgoogleearth://</string>
<string>googlelatitude://</string>
<string>googlebooks://</string>
<string>currents://</string>
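Two sides of the handler story above can be scripted: which schemes an app registers (its Info.plist) and which custom schemes it references in its binary (the `strings | grep "://"` pipeline), plus what a handler should do with a URL once one arrives. The Python below is an added example, not code from the deck: `registered_schemes` reads `CFBundleURLTypes`/`CFBundleURLSchemes` (the real Info.plist keys), `scheme_strings` is the grep pipeline over raw bytes, and `validate_handler_url` is a defensive handler that checks scheme, action and every parameter before acting, since any app on the device can send a URL to a registered scheme. The plist, the byte blob, the `myapp` scheme, the action table and the parameter allowlist are constructed for the example.

```python
import plistlib
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Info.plist with one registered scheme; the bundle id and scheme are made up.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.myapp</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.myapp</string>
      <key>CFBundleURLSchemes</key>
      <array><string>myapp</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed stand-in for a few bytes of an app binary; strings(1) would print the printable runs.
SAMPLE_BINARY = b'\x00\x01https://example.com/api\x00myapp://\x00googlegmail://\x00\xff\xfehttp://x/\x00'

SCHEME_RE = re.compile(rb'[A-Za-z][A-Za-z0-9+.-]{1,63}://')


def registered_schemes(plist_bytes):
    """Schemes the app claims in Info.plist, i.e. the URLs the system will route to its handler."""
    info = plistlib.loads(plist_bytes)
    schemes = []
    for entry in info.get('CFBundleURLTypes', []):
        schemes.extend(entry.get('CFBundleURLSchemes', []))
    return schemes


def scheme_strings(blob):
    """Python stand-in for `strings <binary> | grep "://" | grep -v "http"`."""
    found = {m.group(0).decode('ascii') for m in SCHEME_RE.finditer(blob)}
    return sorted(s for s in found if not s.startswith('http'))


# What the handler is willing to do, keyed by the URL's host component (assumed action table).
KNOWN_ACTIONS = {'': 'open_home', 'view': 'view_item'}
ALLOWED_PARAMS = ('foo', 'blerg')
MAX_PARAM_LEN = 256


def validate_handler_url(url, schemes):
    """Defensive counterpart of application:openURL:; returns (action, params) or raises ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in schemes:
        raise ValueError('unregistered scheme: %r' % parts.scheme)
    if parts.netloc not in KNOWN_ACTIONS:
        raise ValueError('unknown action: %r' % parts.netloc)
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key not in ALLOWED_PARAMS:
            raise ValueError('unexpected parameter: %r' % key)
        if len(values) != 1 or len(values[0]) > MAX_PARAM_LEN:
            raise ValueError('bad value for parameter: %r' % key)   # duplicates and oversized values
        params[key] = values[0]
    return KNOWN_ACTIONS[parts.netloc], params


if __name__ == '__main__':
    schemes = registered_schemes(SAMPLE_INFO_PLIST)
    print('registered:', schemes)
    print('referenced:', scheme_strings(SAMPLE_BINARY))
    print(validate_handler_url('myapp://?foo=urb&blerg=gah', schemes))
```

On a real target, feed `registered_schemes` the bytes of `<AppName>.app/Info.plist` (plistlib also reads the binary plist form) and `scheme_strings` the executable itself; the difference between the two lists is what the app can be asked to do versus what it asks other apps to do.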
Advanced Techniques
The FUN stuff…
Advanced Techniques: Overview
• Binary Decryption
  - API Tokens
  - Hard-coded Passwords
• Passive/Active Fuzzing
• Reverse Engineering
  - Token Generation Algorithms
• Runtime Execution Interception/Manipulation
  - Interesting “hidden” methods
  - Web Services API’s
Advanced Techniques: Objective-C (iOS) Primer
• Abstraction of Standard C
  - Based on Smalltalk
  - Designed to be “Object-oriented easy.”
  - The good old days: Buffer Overflows, Format Strings, etc... RETURN!!!
Advanced Techniques: iOS Binary Inspection
• Object File display tool - otool (Xcode)
  - Display file headers (Mach-O and Universal)
  - Display Crypt segment info
  - Dump machine code
  - List Shared Libraries
• ARM Processors
  - RISC instruction set
  - Little-endian representation
Advanced Techniques: iOS Binary Inspection
• Universal Binaries
  - Contain multiple versions
    otool -f <file>
  - May be encrypted
    otool -l <file> | grep LC_ENCRYPTION_INFO -B1 -A4
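What the two otool invocations above report can be read straight from the file format: a universal binary is a big-endian `fat_header` followed by `fat_arch` entries pointing at thin Mach-O slices, and each slice's load commands include `LC_ENCRYPTION_INFO` whose `cryptid` says whether the `__TEXT` range is still encrypted. The parser below is an added example, not code from the deck: it handles thin and fat files, 32- and 64-bit headers, and also reports the `MH_PIE` header flag (relevant to the ASLR/PIE control listed earlier and to the "PIE may move your start address" note in the GDB slide). The sample images it builds are constructed byte strings, not real apps.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xfeedface, 0xfeedfacf      # thin Mach-O, written in host (little-endian) order
FAT_MAGIC = 0xcafebabe                              # universal wrapper, always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
MH_PIE = 0x200000                                   # header flag: image is position independent
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | 0x01000000


def parse_thin(data, base=0):
    """Parse one Mach-O image at data[base:]: CPU type, PIE flag and the LC_ENCRYPTION_INFO fields."""
    magic, = struct.unpack_from('<I', data, base)
    if magic == MH_MAGIC:
        header_fmt, header_len = '<7I', 28
    elif magic == MH_MAGIC_64:
        header_fmt, header_len = '<8I', 32            # 64-bit header carries a trailing reserved word
    else:
        raise ValueError('no Mach-O header at offset %d' % base)
    _, cputype, _, _, ncmds, _, flags = struct.unpack_from(header_fmt, data, base)[:7]
    info = {'cputype': cputype, 'pie': bool(flags & MH_PIE),
            'encrypted': False, 'cryptoff': None, 'cryptsize': None}
    offset = base + header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from('<II', data, offset)
        if cmdsize < 8:
            raise ValueError('malformed load command at offset %d' % offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptid != 0: the range [cryptoff, cryptoff + cryptsize) is still encrypted on disk
            cryptoff, cryptsize, cryptid = struct.unpack_from('<III', data, offset + 8)
            info.update(encrypted=cryptid != 0, cryptoff=cryptoff, cryptsize=cryptsize)
        offset += cmdsize
    return info


def parse_macho(data):
    """Accept a thin or universal file; return one dict per architecture slice."""
    magic, = struct.unpack_from('>I', data, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(data)]
    nfat_arch, = struct.unpack_from('>I', data, 4)
    slices = []
    for i in range(nfat_arch):
        _, _, offset, size, _ = struct.unpack_from('>5I', data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError('fat_arch %d points outside the file' % i)
        slices.append(parse_thin(data, offset))
    return slices


def build_sample_slice(cputype, cryptid, pie):
    """Constructed test image: a header and a single encryption-info load command, nothing else."""
    flags = MH_PIE if pie else 0
    if cputype & 0x01000000:
        lc = struct.pack('<6I', LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        return struct.pack('<8I', MH_MAGIC_64, cputype, 0, 2, 1, len(lc), flags, 0) + lc
    lc = struct.pack('<5I', LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    return struct.pack('<7I', MH_MAGIC, cputype, 9, 2, 1, len(lc), flags) + lc


def build_sample_fat(slices):
    """Constructed universal wrapper around the given (cputype, image bytes) slices."""
    header_len = 8 + 20 * len(slices)
    archs, body = b'', b''
    for cputype, image in slices:
        archs += struct.pack('>5I', cputype, 0, header_len + len(body), len(image), 12)
        body += image
    return struct.pack('>2I', FAT_MAGIC, len(slices)) + archs + body


# Store-style sample: an encrypted armv7 slice without PIE next to a decrypted arm64 slice with PIE.
SAMPLE_UNIVERSAL = build_sample_fat([
    (CPU_TYPE_ARM, build_sample_slice(CPU_TYPE_ARM, cryptid=1, pie=False)),
    (CPU_TYPE_ARM64, build_sample_slice(CPU_TYPE_ARM64, cryptid=0, pie=True)),
])


def report(data):
    """One line per slice, the information `otool -l | grep -B1 -A4 LC_ENCRYPTION_INFO` is read for."""
    lines = []
    for s in parse_macho(data):
        lines.append('cputype=0x%08x pie=%s encrypted=%s cryptoff=%s cryptsize=%s' % (
            s['cputype'], s['pie'], s['encrypted'], s['cryptoff'], s['cryptsize']))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_UNIVERSAL)))
```

A slice that reports `encrypted=True` is the one the later GDB slide dumps from memory; a slice with `pie=False` is one whose start address will not move between runs.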
Advanced Techniques: iOS Runtime Inspection
• Anti-Debugging (The Anti-BYOD part)
  - ptrace PT_DENY_ATTACH
  - sysctl check
  - Known files
  - Binary Packing
  - Code Checksums
  - Driver Checks
  - Timing Measurements
  - Code Obfuscation
  - Junk Code
Advanced Techniques: iOS Runtime Inspection
• GDB
  - Execute/load binary
  - Breakpoint on start address 0x2000 (PIE may cause this to move on you)
    gdb $> dump memory <filename> <start address> <end address>
Advanced Techniques: iOS Binary Inspection, Unencrypted
• IDA Pro Binary graphing/analysis…
IDA Pro: What to look for?
• Using the Apple DEV reference
  - File Writes
  - Network Connections
  - Keychain Access
  - UI Form Fields
Advanced Techniques: iOS Runtime Manipulation
• Cycript - Javascript/Obj-C Interpreter
  - Hook active apps via Mobile Substrate
  - Interact with binaries in runtime using JS
  http://www.cycript.org/
  http://iphonedevwiki.net/index.php/Cycript_Tricks
• Example:
cy# [SBAwayController.sharedAwayController isPasswordProtected]
1
cy# [UIApp.keyWindow recursiveDescription]
<KHWindow: 0x1517a0; baseClass = UIWindow; frame = (0 0; 320 480); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x151640>>
| <UIView: 0x17a120; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x17a1b0>>
| | <UIToolbar: 0x17a3f0; frame = (0 416; 320 44); autoresize = W+TM; layer = <CALayer: 0x17a0d0>>
| | | <UIToolbarButton: 0x17d150; frame = (12 0; 26 44); alpha = 0.25; opaque = NO; layer = <CALayer: 0x17d2e0>>
| | | | <UISwappableImageView: 0x17d4c0; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d570>>
| | | <UIToolbarButton: 0x17d340; frame = (153 0; 26 44); opaque = NO; layer = <CALayer: 0x14a220>>
| | | | <UISwappableImageView: 0x17a680; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17a6e0>>
| | | <UIToolbarButton: 0x17df40; frame = (222 0; 18 44); opaque = NO; layer = <CALayer: 0x17d2b0>>
| | | | <UISwappableImageView: 0x17dbf0; frame = (3 13; 18 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d3f0>>
Advanced Techniques: Fuzzing
• Custom scripts… (Python, Ruby, Javascript)
• Dumb or Smart
  - Mutation-Based: Randomly substitute data.
  - Generation-Based: Substitute based off RFC or Standards.
• Classic Targets
  - Any file types. (PDF, PPT, etc…)
  - Protocols (HTTP, SMS, Push Notifications, etc...)
  - Image formats (PNG, TIFF, etc…)
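A minimal mutation-based ("dumb") fuzzer of the kind the slide has in mind fits in a page of Python. The block below is an added example, not code from the deck: it mutates a known-good seed with random bit flips, byte substitutions, inserts, deletes and boundary values, runs a target parser on each case and records any exception other than a clean `ValueError` rejection. To show what the harness finds, it includes a constructed length-prefixed record format with a parser that trusts the length byte and the bounds-checked version of the same parser; neither is from a real product.

```python
import random

# Constructed record format for the demo: repeated [type:1][len:1][payload:len] records.
# Both parsers return a list of (type, xor-checksum-of-payload) tuples.


def parse_records_buggy(data):
    """Trusts the length byte; an over-long length or a truncated header reads past the buffer
    and the function dies with IndexError (the fuzzer's 'crash')."""
    i, out = 0, []
    while i < len(data):
        rtype, length = data[i], data[i + 1]
        checksum = 0
        for j in range(i + 2, i + 2 + length):
            checksum ^= data[j]
        out.append((rtype, checksum))
        i += 2 + length
    return out


def parse_records_fixed(data):
    """Bounds-checks every read and rejects bad input with ValueError, which the harness treats
    as a clean rejection rather than a crash."""
    i, out = 0, []
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError('truncated record header at offset %d' % i)
        rtype, length = data[i], data[i + 1]
        end = i + 2 + length
        if end > len(data):
            raise ValueError('record length %d runs past end of input' % length)
        checksum = 0
        for b in data[i + 2:end]:
            checksum ^= b
        out.append((rtype, checksum))
        i = end
    return out


def mutate(seed, rng, max_ops=4):
    """Mutation-based fuzzing: apply 1..max_ops random edits to a known-good input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.choice(('flip', 'set', 'insert', 'delete', 'boundary'))
        if op == 'insert':
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif not data:
            continue                                   # remaining ops need at least one byte
        elif op == 'flip':
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 'set':
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 'delete':
            del data[rng.randrange(len(data))]
        else:
            data[rng.randrange(len(data))] = rng.choice((0x00, 0x01, 0x7f, 0x80, 0xff))
    return bytes(data)


def fuzz(target, seed, iterations=2000, rng_seed=1):
    """Run the target on mutated inputs; collect (input, exception) for anything that is not a
    ValueError. A fixed rng_seed makes the run reproducible, which matters when triaging later."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, repr(exc)))
    return crashes


SEED = bytes([0x01, 0x03, 0x41, 0x42, 0x43, 0x02, 0x01, 0xff])   # two well-formed records


if __name__ == '__main__':
    for name, target in (('buggy', parse_records_buggy), ('fixed', parse_records_fixed)):
        found = fuzz(target, SEED)
        print('%s parser: %d crashing inputs' % (name, len(found)))
        if found:
            print('  first crash: input=%s -> %s' % (found[0][0].hex(), found[0][1]))
```

Against a real target the `target` callable would hand the mutated bytes to the parser under test (a file opened by an app, a message delivered over a protocol) and watch for a crash report; the harness logic stays the same.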
Passive Fuzzing - iOS
• Using MobileSubstrate:
Advanced Techniques: iOS Runtime Manipulation
• What can we do with this?
  - Application Tracing/Logging (filesystem, network, etc...)
  - Turn off Jailbreak detection
  - Fake GPS data... (think: location-aware security)
  - The possibilities get scarier as trust grows...
Trey Keifer
847-239-5626
trey.keifer@wireharbor.com
Twitter: @wireharbor
Facebook: facebook.com/wireharbor
http://www.wireharbor.com
THANK YOU!!!
