Crowd Security Intelligence
@patrickwardle
syn.ac/AppSecCA
(download slides)
uncovering OWASP’s Mobile Risks in iOS Apps
ABOUT (me)
“sources a global contingent of vetted security experts worldwide and
pays them on an incentivized basis to discover security vulnerabilities in
our customers’ web apps, mobile apps, and infrastructure endpoints.”
@patrickwardle
/NASA /NSA /VRL /SYNACK
always looking for
more experts!
vetted researchers
internal R&D
backed by google
AN OUTLINE
THE IOS ENVIRONMENT
THE TALK TODAY WILL COVER A SOLID AMOUNT OF MATERIAL
-> exploration of reversing iOS apps, focusing on uncovering common security issues
PREP’ING A REVERSING ENVIRONMENT
REVERSING TECHNIQUES
IOS APP VULNERABILITIES
Background
…and why you should care about all of this
OUR iDEVICES
EMAIL PHOTOS FINANCIAL INFO
these devices are the gateways
into our digital lives…
THINK ABOUT YOUR IPHONE/IPAD
-> contains a vast amount of private and highly sensitive data
GEO-LOCATION
iDEVICE THEFT
STOLEN IDEVICES
they get stolen or lost all the time:
-> in larger cities, “cell phones comprise 30-40% of all robberies” -FCC.GOV
(chart: iDevice thefts as % of total robberies (NYC), by year '03-'11)
~50% no passcode lock
INSECURE REGARDLESS?
EVEN IN YOUR POSSESSION…
-> many (app-related) threats that can lead to serious privacy issues
BACKUPS
“Fake Tor browser for iOS laced with adware, spyware, members warn”
TRANSMISSIONS: sensitive data may be transmitted insecurely
PROCESS UNTRUSTED DATA: apps process a lot of data from untrusted sources (attack surface)
CLOSED-SOURCE: apps are generally not open-source
a juicy target for hackers (PC’s aren’t that hard to hack!)
IN THE NEWS
BANKING
“major security holes found in 90% of top mobile banking apps”
“citi confirms critical bug in iPhone mobile banking app”
SOCIAL MEDIA
“facebook for iOS vulnerable to credential theft”
“flaw in tinder app let users track each other in real time”
“starbucks stored iOS app passwords and location data in clear text”
“skype for iOS contains an XSS vulnerability that allows attackers to steal information”
ETC…
APPS ARE OFTEN SURPRISINGLY INSECURE
-> apple doesn't vet apps for bugs
IN SHORT
REVERSE-ENGINEERING TO THE RESCUE!
clearly, iOS apps are horribly insecure - what to do?
REVEAL VULNERABILITIES VERIFY THE APP
SECURITY AWARENESS++ MAKE SOME MONEY!
The iOS Environment
a brief technical overview
iOS
IOS IS DERIVED FROM OS X
-> basically just slimmed down with extra security
+
OS X
secure boot chain
signed-code requirements
anti-exploitation mechanisms
encrypted storage
sandboxed apps
SECURITY++
iOS
jailbreak bypasses these
APP SECURITY
signed (by apple’s signing certificate)
encrypted
run as limited user (‘mobile’)
sandboxed
iOS app security
confined to /private/var/mobile/Applications/<app-GUID>
no direct access to hardware devices
no dynamic code generation/execution
no access to other apps/processes
iOS APPs
.IPA .APP .APP’s FILES
SO WHAT’S IN AN IOS APP?
-> distributed as .IPA files, which contain the .APP bundle
installed: /private/var/mobile/Applications/…
just a zip file
“ios app store package” or “iphone application archive”
a ‘bundle’ (directory)
contains the app’s files: the app’s binary, images, meta-data, and more
# pwd
/private/var/mobile/Applications/1C084B60-26B9-4F24-BBA5-CDAE229F72EB/
# tree .
|-- Bank_hawaii.app          <- app bundle
|-- Documents                <- user data
|-- Library                  <- app’s files/data (caches, cookies, prefs)
|-- iTunesArtwork
|-- iTunesMetadata.plist
|-- ...
`-- tmp

# tree Bank_hawaii.app/
|-- Bank_hawaii              <- app’s binary
|-- Info.plist               <- app’s config file
|-- _CodeSignature           <- (dir) digital signatures
|-- appicon.png
|-- appicon@2x.png
|-- ...
`-- en.lproj

iOS APPs
<app-GUID> for app
THE APP’S ON-DISK LAYOUT
-> apps have a standard layout, includes the app’s bundle/binary, & other resources
# less /usr/include/mach-o/fat.h
struct fat_header
{
    uint32_t magic;
    uint32_t nfat_arch;
};
struct fat_arch
{
    cpu_type_t cputype;
    cpu_subtype_t cpusubtype;
    uint32_t offset;
    uint32_t size;
    uint32_t align;
};
APP BINARY
standard format for iOS and OS X binaries
contains multiple architecture-specific
(mach-O) binary images
FAT BINARY
THE APP BINARY IS ‘FAT’
-> allows a single distributable to run on multiple architectures
ARMV7 ARM64
ARMV7S
MACH-O BINARY
MACH-O HEADER LOAD COMMANDS RAW DATA
SO WHAT’S A MACH-O BINARY?
-> the file format for (architecture-specific) IOS/OS X binaries.
comprised of a header, load commands, and then binary data/code.
struct mach_header
{
    uint32_t magic;
    cpu_type_t cputype;
    cpu_subtype_t cpusubtype;
    uint32_t filetype;
    uint32_t ncmds;
    uint32_t sizeofcmds;
    uint32_t flags;
};

struct load_command
{
    uint32_t cmd;
    uint32_t cmdsize;
};
//load_command data
‘instructions’ how to setup/load
the binary memory layout,
thread context, etc.
segments with code,
data, etc
describes binary’s
meta-data/layout
OBJECTIVE-C
a superset of C with classes/methods, etc.
the programming language used to create iOS/OS X
apps
OBJECTIVE-C
what are iOS apps (mostly) written in?
//say hi!
NSLog(@"Hello, AppSec’ers");
“Objective-C is a general-purpose, object-oriented
programming language that adds Smalltalk-style
messaging to the C programming language” 

-wikipedia
-(void)insertObject:(id)anObject atIndex:(NSUInteger)index;
parameter types
method signature keywords
OBJECTIVE-C
return type
method type
identifier
parameter names
YES, THE SYNTAX IS QUITE ‘ODD’
-> lookout for @ and [ ]
…and terms such as ‘message passing’ and ‘selectors’
//C++
ObjectPtr->method(param1, param2);

//Obj-C
[ObjectPtr method:param1 p2:param2];
C++ vs. Objective-C
REVERSING OBJECTIVE-C
REVERSING IS SOMEWHAT NON-TRIVIAL
-> being an object-oriented language, static analysis can be challenging
selector is the name of a method

objc_msgSend
Sends a message to an instance of a class.

//method declaration
id objc_msgSend(id self, SEL op, ...)

self
    A pointer to the instance of the class that is to receive the message.
op
    The selector of the method that handles the message.
...
    A variable argument list containing the arguments to the method.
OBJC_MSGSEND
OBJECTIVE-C AND OBJC_MSGSEND
//some Obj-C code
[ObjectPtr method:param1 p2:param2];

//compiler generates this code
objc_msgSend(ObjectPtr, @selector(method:p2:), param1, param2);
…all messages pass thru objc_msgSend
ARM ARCHITECTURE
a RISC CPU strategy, with fixed length instructions
“load/store” architecture
encoded in various ‘modes’
ARM IS:
ARM
THUMB2
THUMB
ARM POWERS MOBILE PROCESSORS EVERYWHERE
-> IOS DEVICES RUN ON PROCESSORS BASED ON THE ARM ARCHITECTURE
ARM: 4 byte instruction length
Thumb: 2 byte instruction length
-> subset of ARM instructions, encoded in 2-bytes
-> improves ‘code density’
Thumb2: 2 or 4 byte instruction length

-> ‘code density’ of Thumb w/ performance of ARM
‘ARM32’
REGISTERS
(FUNCTION) CALLING CONVENTION
ARM ARCHITECTURE ON (MODERN) 32-BIT CPUS
-> the ARMv7 processor instruction set (iPhone 3GS), 32-bit address space & arithmetic
memorize this info!

[register]    [purpose]
R0-R12        general purpose registers
R13 (SP)      stack pointer
R14 (LR)      link register (return address)
R15 (PC)      program counter
CPSR          current program status register (processor mode, thumb bit, etc)

[register]    [purpose]
R0-R3         arguments
R4-R11        local variables/preserved
R0-R1         return value (from function)
ARM64
REGISTERS
(FUNCTION) CALLING CONVENTION
ARM ARCHITECTURE ON 64-BIT CPUS
-> the ARMv8 processor instruction set (iPhone 5S), 64-bit address space & arithmetic
[register]    [purpose]
x0-x28        general purpose registers
x29 (FR)      frame register
x30 (LR)      link register (return address)
SP            stack pointer
PC            program counter

[register]    [purpose]
x0-x7         arguments/return values
x9-x15        local variables
x19-x29       preserved

read: “ARM64 and You” (mike ash)
Preparing a Reversing Environment
…getting some tools and some apps
REVERSING TOOLS
BASIC TOOLS ADVANCED TOOLS COMPREHENSIVE
TOOLS FOR REVERSING IOS APPS
-> there are a myriad of tools, from basic, to advanced, to largely comprehensive
BASIC TOOLS (common *nix/OS X tools ported to iOS):
  openssh, plutil, gdb, lsof, less, syslogd, vim, file, grep, sqlite3
  # apt-get install $(<tools.txt)

ADVANCED TOOLS (slight learning curve, but necessary for getting down & dirty!):
  otool, class-dump, filemon, cycript, fileDP, burp, IDA Pro

COMPREHENSIVE (suites that perform many tasks):
  SnoopIt (NESO), IntroSpy (iSecPartners), idb (Matasano)
REVERSING TOOLS
IOS OPEN-DEV
what about writing your own
(or fixing others)?
“sets up OS X and Xcode for ‘open’
development”
find it at iosOpenDev.com
download /
run installer
write some
code
compile
copy to,
then run!
GETTING APPS
AUTOMATED APP GRABBING
-> sure you can do it manually (web/itunes), but that doesn’t scale

how about doing it programmatically?
(diagram of the iTunes purchase flow: auth request, buy request with app name, request data; hrmmm?)
GETTING APPS
AUTOMATED APP GRABBING
-> all the parameters seem pretty much self-explanatory, and thus easy to
programmatically replicate…except for that ‘kbsync’ parameter.
ask the
googlez
wtf is ‘kbsync’?
Forum WASM.RU
"Reverse algorithm for computing the parameter "kbsync" in iTunes"
Requires reverse-engineering of the algorithm for calculating the parameter "kbsync" in iTunes.
Project budget of $10,000;
.ru results; always interesting
(ab)USING iTUNES
GRABBING APPS, IN TWO EASY STEPS
let iTUNES do the (hard) work
find the app in iTunes -> ‘buy’ the app -> iTunes downloads the app! (.ipa)
(ab)USING iTUNES
SO PROGRAMMATICALLY, HOW IS THIS DONE?
-> actually, quite easily; applescript ftw :)
FIND THE APP CLICK ‘DOWNLOAD’ / ‘BUY’
//AppleScript (open.scpt)
tell application “iTunes”
    open location item 1 of argv
end tell

//exec it
# osascript open.scpt itms://<app>
itms -> iTunes music store protocol

//AppleScript (open.scpt)
set elements to get entire contents of window 1
...
if (accessibility description of element as text) contains “Download” then
    //trigger download
    click element
end if
the app
APP DECRYPTION
encrypted
app
decrypted
app
REMOVING ENCRYPTION
-> apps are encrypted with apple’s ‘fairplay’ DRM (remove to allow analysis)
VIA GDB: ‘run & dump’
or
CYDIA APPS: clutch or crackulous
LC_ENCRYPTION_INFO with cryptid of 0x1
APP DECRYPTION
REMOVING ENCRYPTION
-> want a method that doesn’t require an external program/scripting (GDB) or isn’t
closed source (CYDIA APPS)
executed code
within the app’s
address space
dump (now decrypted) app
to disk
1. to achieve code execution within that application’s process space,
   launch the app with the DYLD_INSERT_LIBRARIES environment variable set:

      DYLD_INSERT_LIBRARIES=<decryptor>.dylib file.app/file

2. the dynamic library (<decryptor>.dylib) should export a constructor:

      __attribute__((constructor))

   this constructor should find the LC_ENCRYPTION_INFO load command,
   then parse it in order to find, then dump the originally encrypted code.

‘dumpdecrypted.c’ (by i0n1c)
iOS Reversing Techniques
…methods to the madness
OTOOL
OTOOL; ‘OBJECT FILE DISPLAYING TOOL’
-> dumping general information about the (decrypted) app’s binary
# otool -f | -h     FAT/MACH-O HEADER: the fat binary/app headers
# otool -l          LOAD COMMANDS: ‘instructions’ how to setup/load the binary (memory layout, thread context, etc)
# otool -L          DEPENDENCIES: frameworks and libraries imported by the app
# otool -o          OBJECTIVE-C SEGMENT: class names, methods, etc.
CLASS-DUMP
class-dump-z, the most accurate
instance variables
method declarations

# class-dump-z Bank_hawaii

@interface ASIHTTPRequest : XXUnknownSuperclass <NSCopying> {
    NSURL* url;
    NSString* username;
    NSString* password;
    ...
}
-(void)handleNetworkEvent:(unsigned long)event;
-(void)addBasicAuthenticationHeaderWithUsername:(id)name andPassword:(id)passwd;
-(void)attemptToApplyCredentialsAndResume;
-(void)saveCredentialsToKeychain:(id)keychain;
...
@end
CLASS-DUMP
-> parse/display objective-c @ interface declarations
interface
;load pointer to objc_msgSend into R9
__text:0000AE66    MOV   R9, #(_objc_msgSend_ptr - 0xAE72)
__text:0000AE6E    ADD   R9, PC              ; _objc_msgSend_ptr
__text:0000AE70    LDR   R9, [R9]            ; IMPORT _objc_msgSend

;load pointer to ‘date’ into R1
__text:0000AE72    MOV   R1, #(selRef_date - 0xAE7E)
__text:0000AE7A    ADD   R1, PC              ; selRef_date
__text:0000AE7C    LDR   R1, [R1]            ; "date"

;load pointer to NSDate class into R0
__text:0000AE7E    MOV   R0, #(classRef_NSDate - 0xAE8A)
__text:0000AE86    ADD   R0, PC              ; classRef_NSDate
__text:0000AE88    LDR   R0, [R0]            ; IMPORT _OBJC_CLASS_$_NSDate

;invoke objc_msgSend to get date
__text:0000AE8A    BLX   R9                  ; objc_msgSend(classRef_NSDate, “date”);

;save date
__text:0000AE8C    STR   R0, [SP,#0x64+date] ; save into local variable

;load pointer to objc_msgSend into R9
__text:0000AEF6    MOV   R9, #(_objc_msgSend_ptr - 0xAF02)
__text:0000AEFE    ADD   R9, PC              ; _objc_msgSend_ptr
__text:0000AEF0    LDR   R9, [R9]            ; IMPORT _objc_msgSend

;load date object into R3
__text:0000AEF2    LDR   R3, [SP,#0x64+date] ; load saved date

;load pointer to ‘the time is: %@’ into R2
__text:0000AEF4    MOV   R2, #(cfstr_TheTimeIs - 0xAF00)
__text:0000AEFC    ADD   R2, PC              ; "the time is: %@"

;load pointer to ‘stringWithFormat:’ into R1
__text:0000AEFE    MOV   R1, #(selRef_stringWithFormat_ - 0xAF0C)
__text:0000AF06    ADD   R1, PC              ; selRef_stringWithFormat_
__text:0000AF08    LDR   R1, [R1]            ; "stringWithFormat:"

;load pointer to NSString class into R0
__text:0000AF0A    MOV   R0, #(classRef_NSString - 0xAF16)
__text:0000AF12    ADD   R0, PC              ; classRef_NSString
__text:0000AF14    LDR   R0, [R0]            ; IMPORT _OBJC_CLASS_$_NSString

;invoke objc_msgSend to create formatted string
__text:0000AF08    BLX   R9                  ; objc_msgSend(classRef_NSString, ...);

NSString* now = objc_msgSend(classRef_NSString, @selector("stringWithFormat:"), @"now is: %@", date);
IDA PRO
IDA IS THE DE-FACTO REVERSING TOOL
-> let’s look at reversing a small chunk of objective-c code
+
the app
disassembly (IDA)
NSString* now = [NSString stringWithFormat:@"now is: %@", [NSDate date]];

NSDate* date = objc_msgSend(classRef_NSDate, @selector("date"));

R0: @"now is: 2015-01-29 03:13:37"

NSString* now = objc_msgSend(classRef_NSString, @selector("stringWithFormat:"), @"now is: %@", date);
DYNAMIC ANALYSIS
DYNAMIC ANALYSIS OF IOS APPS
-> can be faster (simpler?) and provide more insight into the app
NETWORK TRAFFIC FILE-SYSTEM I/O
DEBUGGING INSTRUMENTATION
NETWORK ANALYSIS
SNIFFING SOME TRAFFIC
conceptually, quite simple:
execute the app -> the proxy (collect & analyze) -> internet/‘cloud’
NETWORK TRAFFIC ANALYSIS
NETWORK ANALYSIS
SO PRACTICALLY, HOW IS THIS DONE?
-> first a proxy should be setup/configured
BURP
proxy config
port
NETWORK ANALYSIS
SO PRACTICALLY, HOW IS THIS DONE?
-> then the device (iPhone) has to be config’d
DEVICE
BURP profile
iOS proxy settings
send cert via email
FILE-SYSTEM I/O
MONITORING FILE-SYSTEM I/O
again, conceptually, quite simple:
execute the app -> passively monitor file-system access -> capture/analyze file event(s)
# ./filemon
Bank_hawaii  Created  /Application Support/analytics/analytics.db-journal
    DEV: 1,3 INODE: 121171 MODE: 81a4 UID: 501 GID: 501 Arg64: 300649589561
Bank_hawaii  Deleted  /Application Support/analytics/analytics.db-journal
    DEV: 1,3 INODE: 121171 MODE: 81a4 UID: 501 GID: 501 Arg64: 300650449950
Bank_hawaii  Created  /Preferences/com.fis.140SUB.plist.l0mitdo
    DEV: 1,3 INODE: 121172 MODE: 8180 UID: 501 GID: 501 Arg64: 300677061026
Bank_hawaii  Renamed  /Preferences/com.fis.140SUB.plist.l0mitdo
    DEV: 1,3 INODE: 121172 MODE: 8180 UID: 501 GID: 501
FILE-SYSTEM I/O
SO PRACTICALLY, HOW IS THIS DONE?
-> via a command-line filemon tool
FILEMON
create
rename
//handle dropped events
if(fse->type == FSE_EVENTS_DROPPED)
{
    offInBuf += sizeof(kfs_event_a) + sizeof(fse->type);
}
PATCH (FOR IOS 7+)
(newosxbook.com)
APP DEBUGGING
MONITORING CODE EXECUTION
conceptually, quite simple:
execute the app -> debugger -> code execution
APP DEBUGGING
APP DEBUGGING WITH GDB
-> gdb is the de facto debugger for iOS
# gdb -waitfor <app name>
ATTACH TO AN APP: to debug an app, it’s easiest to wait for it, then attach.

(gdb) info shared
VIEW LOADED MODULES: displaying all loaded modules (including the app’s binary as the first module) displays ASLR deltas

(gdb) x/hi <offset+base>
DISASSEMBLE THUMB CODE: since Apple’s GDB doesn’t support ‘force-mode thumb’, use the ‘h’ format letter to view thumb

(gdb) po <address>
PRINT OBJECTIVE-C OBJECTS: with the ‘po’ (print object) command, gdb can parse/display Objective-C objects!

gdb (iOS 7+): cydia.radare.org
APP INSTRUMENTATION
INSTRUMENTING AN APP
Conceptually, quite simple:
execute the app -> inject code or interpreter -> bypass client-side logic / execute hidden code / manipulate the app runtime
cy# *UIApp
{isa:#"UIApplication",_delegate:#"<TiApp: 0x17da6e10>",
    _touchMap:0x17db2860,_exclusiveTouchWindows:...}

cy# UIApp.keyWindow.recursiveDescription
@"<UIWindow: 0x17dd82b0; frame = (0 0; 320 480)>
|  <TiRootView: 0x17dda240; frame = (0 20; 320 460)>
|  |  <TiUIWindow: 0x17d04100; frame = (0 0; 320 460)>
APP INSTRUMENTATION
USING CYCRIPT
“allows developers to explore & modify running applications on either iOS/OS X using
a hybrid of Objective-C and JavaScript syntax through an interactive console”
save/install
inject into a
process
# dpkg -i cycript.deb
# cycript -p <pID>
CYCRIPT CONSOLE
APP INSTRUMENTATION
USING CYCRIPT TO INSTRUMENT AN APP
CYCRIPT INSTRUMENTATION
cy# #0x167eb00.text = $99999
iOS App Vulnerabilities
…what to look for when reversing
THE MINDSET
THINK ABOUT IT THIS WAY
-> targeting mobile devices is unique; it’s all about gaining access to sensitive data
THEFT NETWORK MONITORING
BACK-UPS ‘SHADY’ APPS
NETWORK SECURITY


SSL should be used (correctly) to
prevent a myriad of issues such
as sniffing or content injection.
SECURED COMMS


content that is rendered (e.g. in a
browser view) should be sanitized
to prevent traditional ‘browser
security’ issues.
INPUT SANITATION
FIRST, HOW TO DO IT RIGHT?
-> all sensitive network communications should be secured
all network input should be sanitized.
standard network/browser
security practices
NETWORK (in)SECURITY
SPOTTING A VULNERABILITY STATICALLY
-> does the app use SSL and does it do so, ‘correctly’?
iOS enables SSL for ‘https://’
NON-SSL (HTTP)
statically verifying the (correct) use
of SSL can be accomplished by
examining the binary.
‘VULNERABLE’ SSL
Unfortunately, allowing self-signed certificates makes the App vulnerable to man-in-the-middle
attacks. This can manifest in code in several ways:
//allow self signed certs
[NSURLRequest setAllowsAnyHTTPSCertificate:YES
                                   forHost:[[NSURL URLWithString:@"someURL"] host]];

[ or ]

//implement the following category (iOS 5+)
-(void)connection:(NSURLConnection*)inConnection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge*)inChallenge;

MOVT  R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
ADD   R8, PC              ; classRef_NSURLRequest
MOV   R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
ADD   R2, PC
LDR   R4, [R2]            ;"setAllowsAnyHTTPSCertificate:forHost:"
LDR   R5, [R8]            ;_OBJC_CLASS_$_NSURLRequest
MOV   R0, R5              ;_OBJC_CLASS_$_NSURLRequest
MOV   R1, R4              ;"setAllowsAnyHTTPSCertificate:forHost:"
MOVS  R2, #1              ;’YES’
MOV   R3, R8              ; the host
BLX   _objc_msgSend
A BROKEN SSL IMPLEMENTATION
-> remember, don’t allow self-signed certs!
NETWORK (in)SECURITY
(annotations: class; method -> invoke method “setAllowsAnyHTTPSCertificate:forHost:”; bug in actual app)
NETWORK (in)SECURITY
SPOTTING A VULNERABILITY DYNAMICALLY
-> ‘sniff’/proxy network traffic - can it be manipulated?
(diagram of the request flow: https:// -> https:// -> http:// -> https://)

function displayLoginMsg() {
    alert("session expired, please login");
}

<body onload="displayLoginMsg()">
<form>
<input name="userID" value="User ID">
<input name="password" value="Password">
<button onclick="stealCreds()">login</button>
...

MALICIOUS CODE INJECTION
‘MIXED-CONTENT ATTACK’

# tail -f /var/log/syslog
Bank_hawaii: [DEBUG] New scheme: <NSMutableURLRequest: 0x18816fa0> { URL: http://xx.boh.com/ }
Bank_hawaii: [DEBUG] New scheme: <NSMutableURLRequest: 0x175efe30> { URL: http://xx.boh.com/phoenix.zhtml }
PIN YOUR SSL CERTS!
-> only trust your cert to prevent MITM attacks
NETWORK (in)SECURITY
NON-JAILBROKEN DEVICE + HACKER’S CERT -> can MitM the connection
PIN YOUR SSL CERTS!
-> only trust your cert to prevent MITM attacks
NETWORK (in)SECURITY
no dual-factor auth
no ‘shared session’ alert
NETWORK (in)SECURITY


Since UIWebViews render all HTML and JS, it
may be possible to perform a XSS if proper sanitation
is not performed.
CROSS-SITE SCRIPTING (XSS)
SERVER-SIDE API
MORE NETWORK RELATED VULNERABILITIES?
-> Other common vulnerabilities include XSS or even server-side APIs.
see: gibsonsec.org/snapchat
skype XSS in ‘Full Name’ (patched)
Analyzing an app binary and/or its network
traffic can reveal abusable server-side APIs.
SNAPCHAT API ABUSE (4.6M PHONE #S)
/ph/find_friends
“A single request (once logged in, of course!) to /ph/find_friends can find out whether or not a phone number is attached to an account”

{
    username: "<your account name>",
    timestamp: 1373207221,
    req_token: create_token(auth_token, 1373207221),
    countryCode: "FI",
    numbers: "{"3140001337": "Mikko Hyppönen"}"
}
SECURE DATA STORAGE
“While the device is locked, protected files [and keychain] are inaccessible
even to the app that created them” (apple.com)
FIRST, HOW TO DO IT RIGHT?
-> use the data protection APIs & iOS keychain
insecure + encrypt with passcode-derived key = ‘secure’
use FileDP or Keychain Dumper
keychain
files
The encrypted data partition is decrypted at boot. Somebody with
access to the device can access this data without the passcode
INSECURE DATA STORAGE
COUNTLESS APPS STORE SENSITIVE DATA INSECURELY
-> this includes, user names, passwords, session keys, geolocation data, etc
THE BINARY
PROPERTY LISTS
DATABASES
LOG FILES
STORAGE WITHIN THE BINARY
APPS MAY STORE SENSITIVE DATA WITHIN THEIR BINARY IMAGE

-> often will find credentials, or API keys, etc.
WITHIN THE BINARY
000E91ED  "www.puffchat.me"
000E91FD  "POST"
000E9202  "/v2/api/client/login"
000E9217  "key=dl81Vh2uorfNdj2Rt2M4EylW91uUsQRZwhQ99g7K0MRXeMYePS"
see: faptrackr.org
EMBEDDED “SECRET” API KEY (PUFFCHAT)
REST API
“We all know you can’t keep a secret key secret in a binary, you can try and hide it but not only is it
pretty futile, in this case it wasn’t done at all.”
STORAGE WITHIN A ‘PLIST’
APPS MAY STORE SENSITIVE DATA WITHIN PROPERTY LISTS (‘PLISTS’)

-> often will find credentials, session keys, etc within the App’s ‘user defaults’ plist
WITHIN PLISTS
USER DEFAULTS
//store
NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
[defaults setValue:@"someData" forKey:@"someKey"];

//retrieve
NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
id persistedData = [defaults objectForKey:@"someKey"];

# plutil -convert xml1 <appID>.plist
STORAGE WITHIN A ‘PLIST’
SPOTTING A VULNERABILITY
-> scope out the disassembly, or dump the ‘user defaults’ plist
APP DISASSEMBLY (‘USER DEFAULTS’) APP’S ‘USER DEFAULTS’ PLIST
has NSFileProtectionNone!

MOV   R1, #(selRef_standardUserDefaults-0x5917A)
ADD   R1, PC
LDR   R1, [R1]                 ;"standardUserDefaults"
MOV   R0, #(classRef_NSUserDefaults-0x591A2)
ADD   R0, PC
LDR   R0, [R0]                 ;_OBJC_CLASS_$_NSUserDefaults
BLX   _objc_msgSend            ;[NSUserDefaults standardUserDefaults]
MOV   R3, #(cfstr_Sessionid_3-0x591D6)
ADD   R3, PC                   ;"sessionCookie-PRODUCTION"
LDR   R2, [SP,#0xB4+sessionID] ;session data
MOV   R1, #(selRef_setObject_forKey_-0x591D6)
ADD   R1, PC
LDR   R1, [R1]                 ;"setObject:forKey:"
BLX   _objc_msgSend            ;[userDefaults setObject: forKey:]

User Defaults in the app’s /Library/Preferences/
STORAGE WITHIN A DATABASE
SQLITE IS A COMMON METHOD OF STORING DATA
-> may find user credentials, or often other sensitive info within app's databases
WITHIN DATABASES
WHATSAPP CHAT HISTORY
more at: bas.bosschert.nl/steal-whatsapp-database
chats

//create a file path (within the ‘Documents/’ dir)
NSString *documentsDirectory =
    [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
        NSUserDomainMask, YES) objectAtIndex:0];

//init file name
NSString *fileName = [documentsDirectory
    stringByAppendingPathComponent:@"logfile.txt"];

//create the file
[[NSFileManager defaultManager] createFileAtPath:fileName
    contents:nil attributes:nil];

//start writing data to file
NSFileHandle *file = [NSFileHandle fileHandleForWritingAtPath:fileName];
[file writeData:[@"some logging data" dataUsingEncoding:NSUTF8StringEncoding]];
‘STORAGE’ WITHIN A LOGFILE
MANY APPS ‘STORE’ (LEAK) DEBUG/SENSITIVE INFO IN LOGS FILES
-> may find user creds, session data, etc. within log files created by the app
WITHIN LOG FILES
CREATING/WRITING TO A LOG FILE
BLX   NSSearchPathForDirectoriesInDomains
MOV   R1, #(selRef_objectAtIndex_ - 0xABF6C)
ADD   R1, PC              ;selRef_objectAtIndex_
LDR   R1, [R1]            ;"objectAtIndex:"
BLX   _objc_msgSend       ;[NSSearchPathForDirectoriesInDomains… objectAtIndex:0]
MOV   R1, #(selRef_createFileAtPath_contents_attributes_ - 0xAC638)
ADD   R1, PC
LDR   R1, [R1]            ;"createFileAtPath:contents:attributes:"
BLX   _objc_msgSend       ;[[NSFileManager defaultManager] createFileAtPath:…]
MOV   R1, #(selRef_fileHandleForWritingAtPath_ - 0xAC670)
ADD   R1, PC
LDR   R1, [R1]            ;"fileHandleForWritingAtPath:"
BLX   _objc_msgSend       ;[NSFileHandle fileHandleForWritingAtPath:fileName];

‘STORAGE’ WITHIN A LOGFILE
SPOTTING A VULNERABILITY
-> scope out the disassembly, or simply run filemon and dump the log file(s)
CREATING A LOG FILE
also: tail -f /var/log/syslog
GEOLOCATION
APPS OFTEN MAKE USE OF A USER’S LOCATION
-> this should be treated with care & secured!
iOS location services default to the highest level of accuracy
REPORTING THE USER’S PRECISE LAT/LONG
sniff with burp
GEOLOCATION
USING A USER’S LOCATION CAN BE VERY USEFUL
-> to the app, or to an attacker!!
precise relative distances
location spoofing
anonymous non-limited APIs
“egyptian cops using grindr to hunt gays”
TRILATERATION
GRINDR USERS IN SF
yikes!
GRINDR; DOING IT WRONG
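What "treating location with care" looks like in code, as an added example that is not from the talk: two mitigations for the precise-distance / trilateration problem above. The client snaps its coordinates to a coarse grid before they leave the device, and the server reports distances to other users in bands rather than exact metres, so the response depends only on which cell a user is in. Grid size, band edges and all function names are this example's own choices; on iOS the companion step is to ask CLLocationManager for only the accuracy the feature needs (desiredAccuracy) instead of the default best accuracy.

```python
"""Added example, not code from the talk: coarse-grain location before it is
transmitted and band the distances a 'nearby users' API returns. Grid size
and band edges are this example's own choices."""
import math

EARTH_RADIUS_M = 6_371_000.0
DISTANCE_BANDS_M = (500, 1000, 2000, 5000, 10000)   # reported as "within N m"


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(min(1.0, a)))


def snap_to_grid(lat, lon, cell_m=1000.0):
    """Return the centre of the roughly cell_m x cell_m cell containing the point.
    This is what the client should send instead of the raw CLLocation."""
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # widen the longitude step by the cell's own latitude so cells stay ~cell_m wide
    lon_step = lat_step / max(math.cos(math.radians(lat_c)), 1e-9)
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return lat_c, lon_c


def distance_band(d_m):
    """Smallest band edge the exact distance fits in; None means 'farther than all'."""
    for edge in DISTANCE_BANDS_M:
        if d_m <= edge:
            return edge
    return None


def nearby_report(viewer, others, cell_m=1000.0):
    """Server-side 'nearby users' response. Every position is the snapped one and
    every distance is banded, so repeated queries from different viewer positions
    learn nothing about a user beyond the cell they are in."""
    vlat, vlon = snap_to_grid(*viewer, cell_m=cell_m)
    report = []
    for name, (lat, lon) in others:
        olat, olon = snap_to_grid(lat, lon, cell_m=cell_m)
        report.append((name, distance_band(haversine_m(vlat, vlon, olat, olon))))
    return report


if __name__ == "__main__":
    me = (37.7849, -122.4065)                      # constructed: a point in SF
    snapped = snap_to_grid(*me)
    print("raw", me, "-> sent", snapped, "(%.0f m off)" % haversine_m(*me, *snapped))
    users = [("bob", (snapped[0] + 0.002, snapped[1] + 0.003)),    # same cell
             ("carol", (snapped[0] + 0.03, snapped[1])),           # ~3 km north
             ("dave", (snapped[0], snapped[1] + 0.1))]             # ~9 km east
    for name, band in nearby_report(me, users):
        print(name, f"within {band} m" if band else "out of range")
```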
GEOLOCATION
AN APP MAY ALLOW YOU TO OPT OUT OF GEOLOCATION
-> but should you trust it? (probably not!)
users monitored (opt’d out of geo)
user data indefinitely stored
information shared with US DOD
WHISPER MAP (USERS NEAR NSA)
“Revealed: how Whisper app tracks ‘anonymous’ users”
(the guardian)
WHISPER; ALSO DOING IT WRONG
OTHER BUGZ
MANY OTHER PLACES WHERE IOS APP VULNERABILITIES CAN POP UP
-> some stem from OS-level design ‘issues’, while others are the result of poorly designed apps
COOKIES (BINARY)
SCREEN SHOTS (OS)
CACHED REQUESTS/RESPONSES
“INTER-APP” COMMS
SO GO FORTH!
Currently, security in iOS apps is generally an afterthought. Using the techniques described in this presentation, you should be able to reverse any iOS app and hopefully find some interesting security vulnerabilities.
…find bugz
reverse’ em
INSECURE APPS ARE EVERYWHERE
-> and don’t appear to be going away anytime soon :/
QUESTIONS/ANSWERS
patrick@synack.com
@patrickwardle
syn.ac/AppSecCA
Crowd Security Intelligence
CREDITS (IMAGES/ICONS)
thezooom.com
deviantart.com (FreshFarhan)


iconmonstr.com
flaticon.com

Synack at AppSec California with Patrick Wardle

  • 2. OWASP’s Mobile Risks in iOS Apps uncovering
  • 3. ABOUT (me) “sources a global contingent of vetted security experts worldwide and pays them on an incentivized basis to discover security vulnerabilities in our customers’ web apps, mobile apps, and infrastructure endpoints.” @patrick  wardle     /NASA  /NSA  /VRL  /SYNACK always looking for more experts! vetted researchers internal R&D backed by google
  • 4. AN OUTLINE THE IOS ENVIRONMENT THE TALK TODAY WILL COVER A SOLID AMOUNT OF MATERIAL -> exploration of reversing iOS apps, focusing on uncovering common security issues PREP’ING A REVERSING ENVIRONMENT REVERSING TECHNIQUES IOS APP VULNERABILITIES
  • 5. Background …and why you should care about all of this
  • 6. OUR iDEVICES EMAIL PHOTOS FINANCIAL INFO these devices are the gateways into our digital lives… THINK ABOUT YOUR IPHONE/IPAD -> contains a vast amount of private and highly sensitive data + + + GEO-LOCATION
  • 7. iDevice thefts as % of total robberies (NYC) iDEVICE THEFT theft STOLEN IDEVICES
 they get stolen or lost all the time:
 -> in larger cities, “cell phones comprise 30-40% of all robberies” -FCC.GOV percentage 0 10 20 30 year '03 '05 '07 '09 '11 ~50%  no  passcode  lock
  • 8. INSECURE REGARDLESS?
    EVEN IN YOUR POSSESSION…
    -> many (app-related) threats that can lead to serious privacy issues
    TRANSMISSIONS: sensitive data may be transmitted insecurely
    PROCESS UNTRUSTED DATA: apps process a lot of data from untrusted sources (attack surface)
    CLOSED-SOURCE: apps are generally not open-source
    BACKUPS: a juicy target for hackers (PC’s aren’t that hard to hack!)
    “Fake Tor browser for iOS laced with adware, spyware, members warn”
  • 9. IN THE NEWS
    APPS ARE OFTEN SURPRISINGLY INSECURE
    -> apple doesn't vet apps for bugs
    BANKING: “major security holes found in 90% of top mobile banking apps”; “citi confirms critical bug in iPhone mobile banking app”
    SOCIAL MEDIA: “facebook for iOS vulnerable to credential theft”; “flaw in tinder app let users track each other in real time”
    ETC…: “starbucks stored iOS app passwords and location data in clear text”; “skype for iOS contains an XSS vulnerability that allows attackers to steal information”
  • 10. IN SHORT
    clearly, iOS apps are horribly insecure - what to do?
    REVERSE-ENGINEERING TO THE RESCUE!
    REVEAL VULNERABILITIES / VERIFY THE APP / SECURITY AWARENESS++ / MAKE SOME MONEY!
  • 11. The iOS Environment a brief technical overview
  • 12. iOS
    IOS IS DERIVED FROM OS X
    -> basically just slimmed down with extra security
    iOS = OS X + SECURITY++: secure boot chain, signed-code requirements, anti-exploitation mechanisms, encrypted storage, sandboxed apps
    iOS jailbreak bypasses these
  • 13. APP SECURITY
    iOS app security:
    signed (by apple’s signing certificate)
    encrypted
    run as limited user (‘mobile’)
    sandboxed: confined to /private/var/mobile/Applications/<app-GUID>; no direct access to hardware devices; no dynamic code generation/execution; no access to other app’s/processes
  • 14. iOS APPs
    SO WHAT’S IN AN IOS APP?
    -> distributed as .IPA files, which contain the .APP bundle
    .IPA: “ios app store package” or “iphone application archive”; just a zip file
    .APP: a ‘bundle’ (directory) that contains the app’s files; installed: /private/var/mobile/Applications/…
    .APP’s FILES: the app’s binary, images, meta-data, and more
  • 15. iOS APPs
    THE APP’S ON-DISK LAYOUT
    -> apps have a standard layout, includes the app’s bundle/binary, & other resources
    # pwd
    /private/var/mobile/Applications/1C084B60-26B9-4F24-BBA5-CDAE229F72EB/   <- <app-GUID> for app
    # tree .
    |-- Bank_hawaii.app        <- app bundle
    |-- Documents              <- user data
    |-- Library                <- app’s files/data (caches, cookies, prefs)
    |-- iTunesArtwork
    |-- iTunesMetadata.plist
    |-- ...
    `-- tmp
    # tree Bank_hawaii.app/
    |-- Bank_hawaii            <- app’s binary
    |-- Info.plist             <- app’s config file
    |-- _CodeSignature         <- (dir) digital signatures
    |-- appicon.png
    |-- appicon@2x.png
    |-- ...
    `-- en.lproj
  • 16. APP BINARY
    THE APP BINARY IS ‘FAT’
    -> allows a single distributable to run on multiple architectures (ARMV7, ARMV7S, ARM64)
    FAT BINARY: standard format for iOS and OS X binaries; contains multiple architecture-specific (mach-O) binary images
    # less /usr/include/mach-o/fat.h
    struct fat_header
    {
      uint32_t magic;
      uint32_t nfat_arch;
    };
    struct fat_arch
    {
      cpu_type_t cputype;
      cpu_subtype_t cpusubtype;
      uint32_t offset;
      uint32_t size;
      uint32_t align;
    };
  • 17. MACH-O BINARY
    SO WHAT’S A MACH-O BINARY?
    -> the file format for (architecture-specific) IOS/OS X binaries. comprised of a header, load commands, and then binary data/code.
    MACH-O HEADER: describes binary’s meta-data/layout
    struct mach_header
    {
      uint32_t magic;
      cpu_type_t cputype;
      cpu_subtype_t cpusubtype;
      uint32_t filetype;
      uint32_t ncmds;
      uint32_t sizeofcmds;
      uint32_t flags;
    };
    LOAD COMMANDS: ‘instructions’ how to setup/load the binary (memory layout, thread context, etc.)
    struct load_command
    {
      uint32_t cmd;
      uint32_t cmdsize;
    };
    //load_command data
    RAW DATA: segments with code, data, etc
  • 18. OBJECTIVE-C
    what are iOS apps (mostly) written in? OBJECTIVE-C
    the programming language used to create iOS/OS X apps; a superset of C with classes/methods, etc.
    “Objective-C is a general-purpose, object-oriented programming language that adds Smalltalk-style messaging to the C programming language” -wikipedia
    //say hi!
    NSLog(@"Hello, AppSec’ers");
  • 19. OBJECTIVE-C
    YES, THE SYNTAX IS QUITE ‘ODD’
    -> lookout for @ and [ ] …and terms such as ‘message passing’ and ‘selectors’
    method signature: -(void)insertObject:(id)anObject atIndex:(NSUInteger)index;
    (method type identifier: -; return type: void; keywords: insertObject:, atIndex:; parameter types: id, NSUInteger; parameter names: anObject, index)
    C++ vs. Objective-C
    //C++
    ObjectPtr->method(param1, param2);
    //Obj-C
    [ObjectPtr method:param1 p2:param2];
  • 20. REVERSING OBJECTIVE-C
    REVERSING IS SOMEWHAT NON-TRIVIAL
    -> being an object-oriented language, static analysis can be challenging
    OBJECTIVE-C AND OBJC_MSGSEND: …all messages pass thru objc_msgSend
    //some Obj-C code
    [ObjectPtr method:param1 p2:param2];
    //compiler generates this code
    objc_msgSend(ObjectPtr, @selector(method:p2:), param1, param2);
    OBJC_MSGSEND: Sends a message to an instance of a class.
    //method declaration
    id objc_msgSend(id self, SEL op, ...)
    self: A pointer to the instance of the class that is to receive the message.
    op: The selector of the method that handles the message. (selector is the name of a method)
    ...: A variable argument list containing the arguments to the method.
  • 21. ARM ARCHITECTURE
    ARM POWERS MOBILE PROCESSORS EVERYWHERE
    -> IOS DEVICES RUN ON PROCESSORS BASED ON THE ARM ARCHITECTURE
    ARM IS: a RISC CPU strategy, with fixed length instructions; “load/store” architecture; encoded in various ‘modes’ (ARM, THUMB, THUMB2)
    ARM: 4 byte instruction length
    Thumb: 2 byte instruction length -> subset of ARM instructions, encoded in 2-bytes -> improves ‘code density’
    Thumb2: 2 or 4 byte instruction length -> ‘code density’ of Thumb w/ performance of ARM
  • 22. ARM ARCHITECTURE
    ON (MODERN) 32-BIT CPUS
    -> the ARMv7 processor instruction set (iPhone 3GS), 32-bit address space & arithmetic
    ‘ARM32’ REGISTERS (memorize this info!)
    [register]    [purpose]
    R0-R12        general purpose registers
    R13 (SP)      stack pointer
    R14 (LR)      link register (return address)
    R15 (PC)      program counter
    CPSR          current program status register (processor mode, thumb bit, etc)
    (FUNCTION) CALLING CONVENTION
    [register]    [purpose]
    R0-R3         arguments
    R4-R11        local variables/preserved
    R0-R1         return value (from function)
  • 23. ARM ARCHITECTURE
    ON 64-BIT CPUS
    -> the ARMv8 processor instruction set (iPhone 5S), 64-bit address space & arithmetic
    ARM64 REGISTERS
    [register]    [purpose]
    x0-x28        general purpose registers
    x29 (FR)      frame register
    x30 (LR)      link register (return address)
    SP            stack pointer
    PC            program counter
    (FUNCTION) CALLING CONVENTION
    [register]    [purpose]
    x0-x7         arguments/return values
    x9-x15        local variables
    x19-x29       preserved
    read: “ARM64 and You” (mike ash)
  • 24. Preparing a Reversing Environment …getting some tools and some apps
  • 25. REVERSING TOOLS
    COMPREHENSIVE TOOLS FOR REVERSING IOS APPS
    -> there are a myriad of tools, from basic, to advanced, to largely comprehensive
    BASIC TOOLS (common *nix/OS X tools ported to iOS): openssh, plutil, gdb, lsof, less, syslogd, vim, file, grep, sqlite3
    # apt-get install $(<tools.txt)
    ADVANCED TOOLS (slight learning curve, but necessary for getting down & dirty!): otool, class-dump, filemon, cycript, fileDP, burp, IDA Pro
    COMPREHENSIVE TOOLS (suites that perform many tasks): SnoopIt (NESO), IntroSpy (iSecPartners), idb (Matasano)
  • 26. REVERSING TOOLS
    IOS OPEN-DEV
    what about writing your own (or fixing others)?
    “sets up OS X and Xcode for ‘open’ development” find it at iosOpenDev.com
    download / run installer -> write some code -> compile -> copy to, then run!
  • 27. GETTING APPS
    AUTOMATED APP GRABBING
    -> sure you can do it manually (web/itunes), but that doesn’t scale
    how about doing it programmatically? (auth request -> buy request: app name, request data… hrmmm?)
  • 28. GETTING APPS
    AUTOMATED APP GRABBING
    -> All the parameters seem pretty much self-explanatory, and thus easy to programmatically replicate….except for that ‘kbsync’ parameter.
    wtf is ‘kbsync’? ask the googlez
    .ru results; always interesting:
    Forum WASM.RU
    "Reverse algorithm for computing the parameter "kbsync" in iTunes"
    Requires reverse-engineering of the algorithm for calculating the parameter "kbsync" in iTunes.
    Project budget of $10,000;
  • 29. (ab)USING iTUNES
    GRABBING APPS, IN TWO EASY STEPS
    let iTUNES do the (hard) work
    1. find the app in iTunes
    2. ‘buy’ the app
    iTunes downloads the app! (.ipa)
  • 30. (ab)USING iTUNES
    SO PROGRAMMATICALLY, HOW IS THIS DONE?
    -> actually, quite easily; applescript ftw :)
    FIND THE APP
    -- AppleScript (open.scpt); the run handler receives the command-line arguments
    on run argv
      tell application "iTunes"
        open location item 1 of argv
      end tell
    end run
    -- exec it
    # osascript open.scpt itms://<app>
    itms -> iTunes music store protocol
    CLICK ‘DOWNLOAD’ / ‘BUY’
    -- AppleScript (open.scpt)
    set elements to get entire contents of window 1
    ...
    if (accessibility description of element as text) contains "Download" then
      -- trigger download
      click element
    end if
  • 31. APP DECRYPTION
    REMOVING ENCRYPTION
    -> apps are encrypted with apple’s ‘fairplay’ DRM (remove to allow analysis)
    encrypted app: LC_ENCRYPTION_INFO with cryptid of 0x1
    VIA GDB: ‘run & dump’
    or CYDIA APPS: clutch or crackulous
    -> decrypted app
  • 32. APP DECRYPTION
    REMOVING ENCRYPTION
    -> want a method that doesn’t require an external program/scripting (GDB) or isn’t closed source (CYDIA APPS)
    execute code within the app’s address space, then dump the (now decrypted) app to disk
    1. to achieve code execution within that application’s process space, launch the app with the DYLD_INSERT_LIBRARIES environment variable set:
       DYLD_INSERT_LIBRARIES=<decryptor>.dylib file.app/file
    2. the dynamic library (<decryptor>.dylib) should export a constructor:
       __attribute__((constructor))
       this constructor should find the LC_ENCRYPTION_INFO load command, then parse it in order to find, then dump the originally encrypted code.
    ‘dumpdecrypted.c’ (by i0n1c)
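    The fat-header, mach_header and LC_ENCRYPTION_INFO parsing that slides 16, 17 and 31 describe, written out as an added example (not code from the talk or from dumpdecrypted): a small C parser that locates one architecture slice inside a fat binary and reports the cryptid of its LC_ENCRYPTION_INFO load command, i.e. whether the image on disk is still FairPlay-encrypted, with the bounds checks a tool that reads untrusted binaries should have. It assumes an ARM (little-endian) target and builds its own constructed sample file in memory; the constants are copied from Apple's headers so it compiles without the SDK.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants and field offsets copied from Apple's <mach-o/fat.h> and
   <mach-o/loader.h>, so this builds on any host without the Apple SDK. */
#define FAT_MAGIC             0xcafebabeu
#define MH_MAGIC              0xfeedfaceu   /* 32-bit Mach-O (armv7) */
#define MH_MAGIC_64           0xfeedfacfu   /* 64-bit Mach-O (arm64) */
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2Cu
#define CPU_TYPE_ARM          12u
#define CPU_TYPE_ARM64        (12u | 0x01000000u)

/* Fat headers are big-endian; Mach-O headers use the target CPU's byte order
   (little-endian for ARM). Fields are read explicitly, so host endianness and
   struct padding never matter. */
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void put_le32(uint8_t *p, uint32_t v) { p[3] = (uint8_t)(v >> 24); p[2] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[0] = (uint8_t)v; }

/* Find the slice for `cputype` in a fat binary (what `otool -f` lists).
   Returns a pointer into buf and its length, or NULL if the architecture is
   absent or the arch table / slice does not fit inside the file. */
const uint8_t *fat_find_slice(const uint8_t *buf, size_t len,
                              uint32_t cputype, size_t *slice_len)
{
    if (len < 8 || be32(buf) != FAT_MAGIC) return NULL;
    uint32_t nfat_arch = be32(buf + 4);
    for (uint32_t i = 0; i < nfat_arch; i++) {
        size_t at = 8 + (size_t)i * 20;              /* sizeof(struct fat_arch) == 20 */
        if (at + 20 > len) return NULL;              /* truncated arch table */
        const uint8_t *fa = buf + at;
        if (be32(fa) != cputype) continue;           /* fat_arch.cputype */
        uint32_t off = be32(fa + 8), size = be32(fa + 12);
        if (off > len || size > len - off) return NULL;   /* slice outside the file */
        *slice_len = size;
        return buf + off;
    }
    return NULL;
}

/* Walk one Mach-O image's load commands (what `otool -l` prints) and return
   the cryptid of LC_ENCRYPTION_INFO(_64): 1 = still FairPlay-encrypted,
   0 = decrypted, -1 = no encryption command, -2 = malformed header/commands. */
int macho_crypt_state(const uint8_t *img, size_t len)
{
    if (len < 28) return -2;
    uint32_t magic = le32(img);
    size_t hdr = magic == MH_MAGIC ? 28 : magic == MH_MAGIC_64 ? 32 : 0;
    if (hdr == 0 || hdr > len) return -2;
    uint32_t ncmds = le32(img + 16), sizeofcmds = le32(img + 20);
    if (sizeofcmds > len - hdr) return -2;
    size_t pos = hdr, end = hdr + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - pos < 8) return -2;                /* room for cmd + cmdsize */
        uint32_t cmd = le32(img + pos), cmdsize = le32(img + pos + 4);
        if (cmdsize < 8 || cmdsize > end - pos) return -2;
        if (cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64) {
            if (cmdsize < 20) return -2;
            return (int)le32(img + pos + 16);        /* encryption_info_command.cryptid */
        }
        pos += cmdsize;
    }
    return -1;
}

/* Constructed sample (not a real app): a fat file with one armv7 slice whose only
   load command is LC_ENCRYPTION_INFO carrying `cryptid`. `out` needs 80 bytes. */
size_t build_sample(uint8_t *out, uint32_t cryptid)
{
    const uint32_t slice_off = 32, slice_len = 28 + 20;   /* mach_header + one command */
    memset(out, 0, slice_off + slice_len);
    put_be32(out, FAT_MAGIC);        put_be32(out + 4, 1);               /* nfat_arch */
    put_be32(out + 8, CPU_TYPE_ARM); put_be32(out + 12, 9);              /* CPU_SUBTYPE_ARM_V7 */
    put_be32(out + 16, slice_off);   put_be32(out + 20, slice_len);  put_be32(out + 24, 12);
    uint8_t *mh = out + slice_off;
    put_le32(mh, MH_MAGIC);      put_le32(mh + 4, CPU_TYPE_ARM); put_le32(mh + 8, 9);
    put_le32(mh + 12, 2);        put_le32(mh + 16, 1);           put_le32(mh + 20, 20); /* MH_EXECUTE, ncmds, sizeofcmds */
    uint8_t *lc = mh + 28;
    put_le32(lc, LC_ENCRYPTION_INFO); put_le32(lc + 4, 20);               /* cmd, cmdsize */
    put_le32(lc + 8, 4096);  put_le32(lc + 12, 8192);  put_le32(lc + 16, cryptid);
    return slice_off + slice_len;
}

int main(void)
{
    uint8_t file[80];
    size_t len = build_sample(file, 1), slen = 0;
    const uint8_t *slice = fat_find_slice(file, len, CPU_TYPE_ARM, &slen);
    if (!slice) { puts("no armv7 slice"); return 1; }
    printf("armv7 slice: %zu bytes, cryptid=%d\n", slen, macho_crypt_state(slice, slen));
    return 0;
}
```

On a real .ipa, read the app binary into memory and pass it to fat_find_slice; a cryptid of 1 means static tools such as class-dump will see only ciphertext until the image has been decrypted.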
  • 34. OTOOL
    OTOOL; ‘OBJECT FILE DISPLAYING TOOL’
    -> dumping general information about the (decrypted) app’s binary
    # otool -f | -h    FAT/MACH-O HEADER: the fat binary/app headers
    # otool -l         LOAD COMMANDS: ‘instructions’ how to setup/load the binary (memory layout, thread context, etc)
    # otool -L         DEPENDENCIES: frameworks and libraries imported by the app
    # otool -o         OBJECTIVE-C SEGMENT: class names, methods, etc
  • 35. CLASS-DUMP
    CLASS-DUMP
    -> parse/display objective-c @interface declarations (class-dump-z, the most accurate)
    # class-dump-z Bank_hawaii
    @interface ASIHTTPRequest : XXUnknownSuperclass <NSCopying> {        <- interface
      NSURL* url;                                                       <- instance variables
      NSString* username;
      NSString* password;
      ...
    }
    -(void)handleNetworkEvent:(unsigned long)event;                      <- method declarations
    -(void)addBasicAuthenticationHeaderWithUsername:(id)name andPassword:(id)passwd;
    -(void)attemptToApplyCredentialsAndResume;
    -(void)saveCredentialsToKeychain:(id)keychain;
    ...
    @end
  • 36. IDA PRO
    IDA IS THE DE-FACTO REVERSING TOOL
    -> let’s look at reversing a small chunk of objective-c code + the app disassembly (IDA)
    NSString* now = [NSString stringWithFormat:@"now is: %@", [NSDate date]];
    ;load pointer to objc_msgSend into R9
    __text:0000AE66   MOV  R9, #(_objc_msgSend_ptr - 0xAE72)
    __text:0000AE6E   ADD  R9, PC              ; _objc_msgSend_ptr
    __text:0000AE70   LDR  R9, [R9]            ; IMPORT _objc_msgSend
    ;load pointer ‘date’ into R1
    __text:0000AE72   MOV  R1, #(selRef_date - 0xAE7E)
    __text:0000AE7A   ADD  R1, PC              ; selRef_date
    __text:0000AE7C   LDR  R1, [R1]            ; "date"
    ;load pointer to NSDate class into R0
    __text:0000AE7E   MOV  R0, #(classRef_NSDate - 0xAE8A)
    __text:0000AE86   ADD  R0, PC              ; classRef_NSDate
    __text:0000AE88   LDR  R0, [R0]            ; IMPORT _OBJC_CLASS_$_NSDate
    ;invoke objc_msgSend to get date
    __text:0000AE8A   BLX  R9                  ; objc_msgSend(classRef_NSDate, “date”);
    ;save date
    __text:0000AE8C   STR  R0, [SP,#0x64+date] ; save into local variable
    NSDate* date = objc_msgSend(classRef_NSDate, @selector("date"));
    ;load pointer to objc_msgSend into R9
    __text:0000AEF6   MOV  R9, #(_objc_msgSend_ptr - 0xAF02)
    __text:0000AEFE   ADD  R9, PC              ; _objc_msgSend_ptr
    __text:0000AEF0   LDR  R9, [R9]            ; IMPORT _objc_msgSend
    ;load date object into R3
    __text:0000AEF2   LDR  R3, [SP,#0x64+date] ; load saved date
    ;load pointer to ‘the time is: %@:’ into R2
    __text:0000AEF4   MOV  R2, #(cfstr_TheTimeIs - 0xAF00)
    __text:0000AEFC   ADD  R2, PC              ; "the time is: %@"
    ;load pointer to ‘stringWithFormat:’ into R1
    __text:0000AEFE   MOV  R1, #(selRef_stringWithFormat_ - 0xAF0C)
    __text:0000AF06   ADD  R1, PC              ; selRef_stringWithFormat_
    __text:0000AF08   LDR  R1, [R1]            ; "stringWithFormat:"
    ;load pointer to NSString class into R0
    __text:0000AF0A   MOV  R0, #(classRef_NSString - 0xAF16)
    __text:0000AF12   ADD  R0, PC              ; classRef_NSString
    __text:0000AF14   LDR  R0, [R0]            ; IMPORT _OBJC_CLASS_$_NSString
    ;invoke objc_msgSend to create formatted string
    __text:0000AF08   BLX  R9                  ; objc_msgSend(classRef_NSString, ...);
    NSString* now = objc_msgSend(classRef_NSString, @selector("stringWithFormat:"), @"now is: %@", date);
    R0: @"now is: 2015-01-29 03:13:37"
  • 37. DYNAMIC ANALYSIS
    DYNAMIC ANALYSIS OF IOS APPS
    -> can be faster (simpler?) and provide more insight into the app
    NETWORK TRAFFIC / FILE-SYSTEM I/O / DEBUGGING / INSTRUMENTATION
  • 38. NETWORK ANALYSIS
    NETWORK TRAFFIC ANALYSIS
    SNIFFING SOME TRAFFIC
    conceptually, quite simple: execute the app -> the proxy (collect & analyze) -> internet/‘cloud’
  • 39. NETWORK ANALYSIS
    SO PRACTICALLY, HOW IS THIS DONE?
    -> first a proxy should be setup/configured (BURP: proxy config, port)
  • 40. NETWORK ANALYSIS
    SO PRACTICALLY, HOW IS THIS DONE?
    -> then the device (iPhone) has to be config’d (DEVICE: BURP profile, send cert via email; iOS proxy settings)
  • 41. FILE-SYSTEM I/O
    MONITORING FILE-SYSTEM I/O
    again, conceptually, quite simple: execute the app -> passively monitor file-system access -> capture/analyze file event(s)
  • 42. FILE-SYSTEM I/O
    SO PRACTICALLY, HOW IS THIS DONE?
    -> via a command-line filemon tool
    # ./filemon
    Bank_hawaii Created /Application Support/analytics/analytics.db-journal
    DEV: 1,3 INODE: 121171 MODE: 81a4 UID: 501 GID: 501 Arg64: 300649589561
    Bank_hawaii Deleted /Application Support/analytics/analytics.db-journal
    DEV: 1,3 INODE: 121171 MODE: 81a4 UID: 501 GID: 501 Arg64: 300650449950
    Bank_hawaii Created /Preferences/com.fis.140SUB.plist.l0mitdo          <- create
    DEV: 1,3 INODE: 121172 MODE: 8180 UID: 501 GID: 501 Arg64: 300677061026
    Bank_hawaii Renamed /Preferences/com.fis.140SUB.plist.l0mitdo          <- rename
    DEV: 1,3 INODE: 121172 MODE: 8180 UID: 501 GID: 501
    FILEMON PATCH (FOR IOS 7+) (newosxbook.com):
    //handle dropped events
    if(fse->type == FSE_EVENTS_DROPPED)
    {
      offInBuf += sizeof(kfs_event_a) + sizeof(fse->type);
    }
  • 43. APP DEBUGGING
    MONITORING CODE EXECUTION
    conceptually, quite simple: execute the app -> debugger -> code execution
  • 44. APP DEBUGGING
    APP DEBUGGING WITH GDB
    -> gdb is the de facto debugger for iOS (gdb (iOS 7+): cydia.radare.org)
    ATTACH TO AN APP: # gdb -waitfor <app name> (to debug an app, it’s easiest to wait for it, then attach.)
    VIEW LOADED MODULES: (gdb) info shared (displaying all loaded modules (including the app’s binary as the first module) displays ASLR deltas)
    DISASSEMBLE THUMB CODE: (gdb) x/hi <offset+base> (since Apple’s GDB doesn’t support ‘force-mode thumb’, use the ‘h’ format letter to view thumb)
    PRINT OBJECTIVE-C OBJECTS: (gdb) po <address> (with the ‘po’ (print object) command, gdb can parse/display Objective-C objects!)
  • 45. APP INSTRUMENTATION
    INSTRUMENTING AN APP
    Conceptually, quite simple: execute the app -> inject code or interpreter -> manipulate the app runtime (bypass client-side logic, execute hidden code)
  • 46. APP INSTRUMENTATION
    USING CYCRIPT
    “allows developers to explore & modify running applications on either iOS/OS X using a hybrid of Objective-C and JavaScript syntax through an interactive console”
    save/install: # dpkg -i cycript.deb
    inject into a process: # cycript -p <pID>
    CYCRIPT CONSOLE
    cy# *UIApp
    {isa:#"UIApplication",_delegate:#"<TiApp: 0x17da6e10>", _touchMap:0x17db2860,_exclusiveTouchWindows:...}
    cy# UIApp.keyWindow.recursiveDescription
    @"<UIWindow: 0x17dd82b0; frame = (0 0; 320 480)>
    | <TiRootView: 0x17dda240; frame = (0 20; 320 460)>
    |  | <TiUIWindow: 0x17d04100; frame = (0 0; 320 460)>
  • 47. APP INSTRUMENTATION
    USING CYCRIPT TO INSTRUMENT AN APP
    CYCRIPT INSTRUMENTATION: cy# #0x167eb00.text = $99999
  • 48. iOS App Vulnerabilities …what to look for when reversing
  • 49. THE MINDSET
    THINK ABOUT IT THIS WAY
    -> targeting mobile devices is unique; it’s all about gaining access to sensitive data
    THEFT / NETWORK MONITORING / BACK-UPS / ‘SHADY’ APPS
  • 50. NETWORK SECURITY
    FIRST, HOW TO DO IT RIGHT?
    -> all sensitive network communications should be secured; all network input should be sanitized. (standard network/browser security practices)
    SECURED COMMS: SSL should be used (correctly) to prevent a myriad of issues such as sniffing or content injection.
    INPUT SANITIZATION: content that is rendered (e.g. in a browser view) should be sanitized to prevent traditional ‘browser security’ issues.
  • 51. NETWORK (in)SECURITY
    SPOTTING A VULNERABILITY STATICALLY
    -> does the app use SSL and does it do so, ‘correctly’?
    NON-SSL (HTTP): iOS enables SSL for ‘https://'; statically verifying the (correct) use of SSL can be accomplished by examining the binary.
    ‘VULNERABLE’ SSL: Unfortunately, allowing self-signed certificates makes the App vulnerable to man-in-the-middle attacks. This can manifest in code in several ways:
    //allow self signed certs
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[[NSURL URLWithString:@"someURL"] host]];
    [ or ]
    //implement the following category (iOS 5+)
    -(void)connection:(NSURLConnection*) inConnection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge*) inChallenge;
  • 52. NETWORK (in)SECURITY
    A BROKEN SSL IMPLEMENTATION
    -> remember, don’t allow self-signed certs! (bug in actual app)
    MOVT R8, #(:upper16:(classRef_NSURLRequest - 0xC254))
    ADD  R8, PC     ; classRef_NSURLRequest
    MOV  R2, #(selRef_setAllowsAnyHTTPSCertificate_forHost_ - 0xC2A4)
    ADD  R2, PC
    LDR  R4, [R2]   ;"setAllowsAnyHTTPSCertificate:forHost:"   <- method
    LDR  R5, [R8]   ;_OBJC_CLASS_$_NSURLRequest                 <- class
    MOV  R0, R5     ;_OBJC_CLASS_$_NSURLRequest
    MOV  R1, R4     ;"setAllowsAnyHTTPSCertificate:forHost:"
    MOVS R2, #1     ;’YES’
    MOV  R3, R8     ; the host
    BLX  _objc_msgSend                                          <- invoke method “setAllowsAnyHTTPSCertificate:forHost:”
  • 53. NETWORK (in)SECURITY
    SPOTTING A VULNERABILITY DYNAMICALLY
    -> ‘sniff’/proxy network traffic - can it be manipulated?
    # tail -f /var/log/syslog
    Bank_hawaii: [DEBUG] New scheme: <NSMutableURLRequest: 0x18816fa0> { URL: http://xx.boh.com/ }
    Bank_hawaii: [DEBUG] New scheme: <NSMutableURLRequest: 0x175efe30> { URL: http://xx.boh.com/phoenix.zhtml }
    ‘MIXED-CONTENT ATTACK’ (request sequence: https:// https:// http:// https://)
    MALICIOUS CODE INJECTION:
    function displayLoginMsg()
      alert("session expired, please login");
    <body onload="displayLoginMsg()">
    <form>
    <input name="userID" value="User ID">
    <input name="password" value="Password">
    <button onclick="stealCreds()">login</button>
    ...
  • 54. NETWORK (in)SECURITY
    PIN YOUR SSL CERTS!
    -> only trust your cert to prevent MITM attacks
    NON-JAILBROKEN DEVICE + HACKER’S CERT: can MitM the connection
  • 55. NETWORK (in)SECURITY
    PIN YOUR SSL CERTS!
    -> only trust your cert to prevent MITM attacks
    no dual-factor auth; no ‘shared session’ alert
  • 56. NETWORK (in)SECURITY
    MORE NETWORK RELATED VULNERABILITIES?
    -> Other common vulnerabilities include XSS or even server-side APIs.
    CROSS-SITE SCRIPTING (XSS): Since UIWebViews render all HTML and JS, it may be possible to perform an XSS if proper sanitization is not performed. (skype XSS in ‘Full Name’ (patched))
    SERVER-SIDE API: Analyzing an app binary and/or its network traffic can reveal abusable server-side APIs.
    SNAPCHAT API ABUSE (4.6M PHONE #S) see: gibsonsec.org/snapchat
    “A single request (once logged in, of course!) to /ph/find_friends can find out whether or not a phone number is attached to an account”
    {
      username: "<your account name>",
      timestamp: 1373207221,
      req_token: create_token(auth_token, 1373207221),
      countryCode: "FI",
      numbers: "{"3140001337": "Mikko Hyppönen"}"
    }
  • 57. SECURE DATA STORAGE
    FIRST, HOW TO DO IT RIGHT?
    -> use the data protection APIs & iOS keychain
    insecure (files): The encrypted data partition is decrypted at boot. Somebody with access to the device can access this data without the passcode (use FileDP or Keychain Dumper)
    + encrypt with passcode-derived key = ‘secure’ (files, keychain)
    “While the device is locked, protected files [and keychain] are inaccessible even to the app that created them” (apple.com)
  • 58. INSECURE DATA STORAGE
    COUNTLESS APPS STORE SENSITIVE DATA INSECURELY
    -> this includes user names, passwords, session keys, geolocation data, etc
    THE BINARY / PROPERTY LISTS / DATABASES / LOG FILES
  • 59. STORAGE WITHIN THE BINARY
    APPS MAY STORE SENSITIVE DATA WITHIN THEIR BINARY IMAGE
    -> often will find credentials, or API keys, etc. WITHIN THE BINARY
    EMBEDDED “SECRET” API KEY (PUFFCHAT) see: faptrackr.org
    000E91ED "www.puffchat.me"                  <- REST API
    000E91FD "POST"
    000E9202 "/v2/api/client/login"
    000E9217 "key=dl81Vh2uorfNdj2Rt2M4EylW91uUsQRZwhQ99g7K0MRXeMYePS"
    “We all know you can’t keep a secret key secret in a binary, you can try and hide it but not only is it pretty futile, in this case it wasn’t done at all.”
  • 60. STORAGE WITHIN A ‘PLIST’
    APPS MAY STORE SENSITIVE DATA WITHIN PROPERTY LISTS (‘PLISTS’)
    -> often will find credentials, session keys, etc within the App’s ‘user defaults’ plist
    USER DEFAULTS
    //store
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    [defaults setValue:@"someData" forKey:@"someKey"];
    //retrieve
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    id persistedData = [defaults objectForKey:@"someKey"];
    # plutil -convert xml1 <appID>.plist
  • 61. STORAGE WITHIN A ‘PLIST’
    SPOTTING A VULNERABILITY
    -> scope out the disassembly, or dump the ‘user defaults’ plist
    APP DISASSEMBLY (‘USER DEFAULTS’):
    MOV R1, #(selRef_standardUserDefaults-0x5917A)
    ADD R1, PC
    LDR R1, [R1]      ;"standardUserDefaults"
    MOV R0, #(classRef_NSUserDefaults-0x591A2)
    ADD R0, PC
    LDR R0, [R0]      ;_OBJC_CLASS_$_NSUserDefaults
    BLX _objc_msgSend ;[NSUserDefaults standardUserDefaults]
    MOV R3, #(cfstr_Sessionid_3-0x591D6)
    ADD R3, PC        ;"sessionCookie-PRODUCTION"
    LDR R2, [SP,#0xB4+sessionID]   ;session data
    MOV R1, #(selRef_setObject_forKey_-0x591D6)
    ADD R1, PC
    LDR R1, [R1]      ;"setObject:forKey:"
    BLX _objc_msgSend ;[userDefaults setObject: forKey:]
    APP’S ‘USER DEFAULTS’ PLIST: User Defaults in the app’s /Library/Preferences/ has NSFileProtectionNone!
  • 62. STORAGE WITHIN A DATABASE
    SQLITE IS A COMMON METHOD OF STORING DATA
    -> may find user credentials, or often other sensitive info within app's databases
    WITHIN DATABASES: WHATSAPP CHAT HISTORY (chats) more at: bas.bosschert.nl/steal-whatsapp-database
  • 63. ‘STORAGE’ WITHIN A LOGFILE
    MANY APPS ‘STORE’ (LEAK) DEBUG/SENSITIVE INFO IN LOG FILES
    -> may find user creds, session data, etc. within log files created by the app
    CREATING/WRITING TO A LOG FILE
    //create a file path (within the ‘Documents/’ dir)
    NSString *documentsDirectory = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) objectAtIndex:0];
    //init file name
    NSString *fileName = [documentsDirectory stringByAppendingPathComponent:@"logfile.txt"];
    //create the file
    [[NSFileManager defaultManager] createFileAtPath:fileName contents:nil attributes:nil];
    //start writing data to file
    NSFileHandle *file = [NSFileHandle fileHandleForWritingAtPath:fileName];
    [file writeData:[@"some logging data" dataUsingEncoding:NSUTF8StringEncoding]];
  • 64. ‘STORAGE’ WITHIN A LOGFILE
    SPOTTING A VULNERABILITY
    -> scope out the disassembly, or simply run filemon and dump the log file(s) (also: tail -f /var/log/syslog)
    CREATING A LOG FILE
    BLX  NSSearchPathForDirectoriesInDomains
    MOV  R1, #(selRef_objectAtIndex_ - 0xABF6C)
    ADD  R1, PC       ;selRef_objectAtIndex_
    LDR  R1, [R1]     ;"objectAtIndex:"
    BLX  _objc_msgSend ;[NSSearchPathForDirectoriesInDomains… objectAtIndex:0]
    MOV  R1, #(selRef_createFileAtPath_contents_attributes_ - 0xAC638)
    ADD  R1, PC
    LDR  R1, [R1]     ;"createFileAtPath:contents:attributes:"
    BLX  _objc_msgSend ;[[NSFileManager defaultManager] createFileAtPath:…]
    MOV  R1, #(selRef_fileHandleForWritingAtPath_ - 0xAC670)
    ADD  R1, PC
    LDR  R1, [R1]     ;"fileHandleForWritingAtPath:"
    BLX  _objc_msgSend ;[NSFileHandle fileHandleForWritingAtPath:fileName];
  • 65. GEOLOCATION
    APPS OFTEN MAKE USE OF A USER’S LOCATION
    -> this should be treated with care & secured!
    iOS location services default to the highest level of accuracy
    REPORTING THE USER’S PRECISE LAT/LONG (sniff with burp)
  • 66. GEOLOCATION
    USING A USER’S LOCATION CAN BE VERY USEFUL
    -> to the app, or an attacker!!
    GRINDR; DOING IT WRONG: precise relative distances; location spoofing; anonymous non-limited APIs -> TRILATERATION (GRINDR USERS IN SF) yikes!
    “egyptian cops using grindr to hunt gays”
  • 67. GEOLOCATION
    AN APP MAY ALLOW YOU TO OPT OUT OF GEOLOCATION
    -> but should you trust it? (probably not!)
    WHISPER; ALSO DOING IT WRONG: users monitored (opt’d out of geo); user data indefinitely stored; information shared with US DOD
    WHISPER MAP (USERS NEAR NSA)
    “Revealed: how Whisper app tracks ‘anonymous’ users” (the guardian)
  • 68. OTHER BUGZ
    MANY OTHER PLACES WHERE IOS APP VULNERABILITIES CAN POP UP
    -> some include OS level design ‘issues’, while others are the result of poorly designed apps
    COOKIES (BINARY) / SCREEN SHOTS (OS) / CACHE’D REQUESTS/RESPONSES / “INTER-APP” COMMS
  • 69. SO GO FORTH!
    INSECURE APPS ARE EVERYWHERE
    -> and don’t appear to be going away anytime soon :/
    Currently, the security in iOS apps is generally an afterthought. Using the techniques described in this presentation, you should be able to reverse any iOS app and hopefully find some interesting security vulnerabilities!
    …reverse ’em, find bugz