analysing ios apps road from appstore to security
play

Analysing iOS apps: road from AppStore to security analysis report - PowerPoint PPT Presentation

Feb 01, 2023 •9 likes •429 views

Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin, Yaroslav Alexandrov SmartDec REcon, Brussels, 2017 What we do at SmartDec Decompilation, deobfuscation x86/x64 ARM/AArch64 JVM,

  1. Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin, Yaroslav Alexandrov SmartDec REcon, Brussels, 2017

  2. What we do at SmartDec • Decompilation, deobfuscation – x86/x64 – ARM/AArch64 – JVM, Android – Custom (VMs, less known archs, …) • Code analysis (sources and binaries) – Manual static analysis – Pentesting – Analysis tools development

  3. iTunes link https://itunes.apple.com/us/app/balloonist-travellers-world/id1070769999?mt=8 Pseudocode Security report

  4. Plan • Get an application binary • Translate application binary into some IR • Analyse IR for security flaws • Translate IR into human-readable pseudocode

  5. 1: Getting binary

  6. A problem Applications are encrypted. Decryption: 1. Launch an app on an iOS device. 2. iOS decrypts it and loads it to RAM. 3. Dump decrypted binary from RAM. Jailbroken iOS device is needed.

  7. Jailbreak • SSH • Bash • Cydia Substrate (call/hook any method) • Clutch

  8. Approach • Figure out chain of method calls / GUI decisions to initiate the download • Figure out how to make needed GUI decisions programmatically, using Cydia Substrate

  9. Main applications • Springboard.app (GUI) • AppStore.app

  10. Process 1. Unlock device — SpringBoard 2. Uninstall all apps — SpringBoard 3. Open iTunes page — SpringBoard 4. Press GET button — AppStore 5. Sign in (detect sign in alert, fill login/password, press ok) — SpringBoard 6. Wait OPEN button — AppStore 7. Decrypt — Clutch

  11. 2: Translation into IR

  12. iOS application recovery challenges • Lots of things to recover – Functions – Program CFG – Call site arguments and function signatures – Objective-C/Swift interfaces (even C++) – Data flow of the program • AArch64 – ARM32 is not supported anymore

  13. Why LLVM? • Nice and useful • Bunch of algorithms – Alias Analysis – Dominators – Loops – Transformations and optimizations • Pass Manager • Ok for C-family apps

  14. Ideas • Fast automatic translation into LLVM • Functions and function calls recovery • CFG reconstruction • Types and variables recovery • Objective-C/Swift3 support

  15. Architecture

  16. Image parsing • Unpacking Fat (Universal) binaries • Mach-O • Symbols • Function starts • Objective-C runtime (__objc_*) • Swift virtual tables

  17. CFG reconstruction • Entry point • Function starts • Vtables • Call sites • __TEXT section inspection • Tail calls and trampolines

  18. Trampolines

  19. Tail calls

  20. Interface recovery • Objective-C interface – Classes – Protocols – Method names – Ivars – Demangling • Swift interface – Vtables – Class hierarchy – Demangling

  21. Objective-C runtime

  22. Objective-C runtime

  23. Swift runtime

  24. Variables and types • Memory object reconstruction – Temporary – Variables – Globals – Strings • Types recovery – Interprocedural arguments recovery – Known function signatures – Objective-C signatures – WIP: arrays and structs (we already have done it for x86)

  25. Objective-C function signatures parsing example

  26. LLVM generation • Translation preserving semantics • Simplification – DCE (dead code elimination) – MemProp – ConstProp • CFG region analysis

  27. Example

  28. Example

  29. Example

  30. 3, 4: Vulnerabilities detection and results presentation

  31. Pseudocode LLVM to Objective-C/Swift-like pseudocode (more accurate for Objective-C) – Function names, signatures – Statements – Arguments – Types – Call sites – Structural analysis (WIP)

  32. Pseudocode

  33. Analysis • Pattern matching on LLVM (detects most of vulnerabilities) • TBD: deep dataflow analysis (e.g., taint analysis) • LLVM to pseudocode mapping (for results presentation)

  34. Vulnerabilities: data transfer Weak SSL

  35. Vulnerabilities: data transfer No SSL

  36. Vulnerabilities: bad crypto MD5, SHA1, 3DES, etc…

  37. Vulnerabilities: data storage – Pasteboard usage – NSLog – Background mode

  38. Vulnerabilities: reflection

  39. Vulnerabilities: TBD • Unencrypted sensitive data storage in application directory • Cache of network requests • Data validation (SQLi, XSS, path manipulation, …) • Weak jailbreak detection • Authentication (2fa, password complexity, number of attempts)

  40. Statistics: vulnerabilities Vulnerabilities NSLog 6% 7% Deprecated 9% Reflection 40% Weak cipher 9% No SSL Weak SSL 14% Pasteboard 15%

  41. Conclusion • Our toolset can: – Find vulnerabilities in iOS app using only its iTunes link – Present these vulnerabilities on pseudocode • Future work: – Deep analysis (dataflow, etc.) – Less false positives – Objective-C/Swift decompilation

  42. Questions? alexandrov@smartdec.net safin@smartdec.net

Recommend

THE ROAD TO ANGULAR 2.0 ABOUT ME Angular 1.x apps iOS apps REST API's in Java

THE ROAD TO ANGULAR 2.0 ABOUT ME Angular 1.x apps iOS apps REST API's in Java

THE ROAD TO ANGULAR 2.0 ABOUT ME Angular 1.x apps iOS apps REST API's in Java Maarten Hus, Developer @ WHY THIS TALK? WAIT WHAT?! GRAVEYARD WHY? DISCLAIMER THE ROAD 1.x T emplate Syntax 2.0 T ypes Bindings ES6

969 views • 70 slides
On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out of your vacation Helps you avoid missing important sites Eliminates confusion while travelling Keeps you connected to home Tips for

971 views • 39 slides
Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory

Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory

Analysing Object-Capability Security 01 Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory Analysing Object-Capability Security 02 Cooperation and Vulnerability Much of the power and utility of modern

542 views • 50 slides
Partial Namespace in NDN Minsheng Zhang, Lan Wang University of Memphis Application Sync

Partial Namespace in NDN Minsheng Zhang, Lan Wang University of Memphis Application Sync

PartialSync: Synchronizing a Partial Namespace in NDN Minsheng Zhang, Lan Wang University of Memphis Application Sync Scenarios AppStore: server has millions of apps, each users phone has a (different) subset of apps Facebook: each

649 views • 15 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
YouTube AppStore Tips to boost your presentation skills David Tomlinson

YouTube AppStore Tips to boost your presentation skills David Tomlinson

tomlinson-communication.com Available on the YouTube AppStore Tips to boost your presentation skills David Tomlinson tomlinson-communication.com YouTube Available on the AppStore When we speak there are no spaces

639 views • 31 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Security Protocols 2 A pattern for message exchange, specifying agent Analysing Security

Security Protocols 2 A pattern for message exchange, specifying agent Analysing Security

216 views • 6 slides
Outline Introduction Background Progress on the implementation of the MTSF

Outline Introduction Background Progress on the implementation of the MTSF

Outline Introduction Background Progress on the implementation of the MTSF Analysing the Programme of Action Report Analysing the 2014 2019 MTSFs Analysing the performance management system of government Analysing

946 views • 18 slides
Analysing Cryptographic Hardware Interfaces with Tookan Graham Steel joint work with R. Bardou,

Analysing Cryptographic Hardware Interfaces with Tookan Graham Steel joint work with R. Bardou,

Analysing Cryptographic Hardware Interfaces with Tookan Graham Steel joint work with R. Bardou, M. Bortolozzo, M. Centenaro, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay Graham Steel September 23, 2012 Analysing Security Device

377 views • 22 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS

Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS

CS 270 Algorithms Oliver Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS Analysing BFS Dags and 1 topological sorting Detecting Depth-first search 2 cycles Analysing DFS 3 Dags and topological

482 views • 23 slides
Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar Bohte & Roy Vermeulen Why diabetes? 2 3 The upside 4 Smartphone app security 5 Health data confidentiality 6 Diabetes data integrity

645 views • 28 slides
Monitoring and analysing multilingual media reports Monitoring and analysing multilingual media

Monitoring and analysing multilingual media reports Monitoring and analysing multilingual media

The Second KYOTO Workshop, Gifu, Japan, 26 January 2011 1 Monitoring and analysing multilingual media reports Monitoring and analysing multilingual media reports to support users in their daily work Ralf Steinberger & the JRCs OPTIMA

319 views • 28 slides
STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT

648 views • 47 slides
Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing

Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing

Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World Bradly Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, Kevin Butler University of Florida Published at USENIX Security 2015 Based on

444 views • 19 slides
F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS CEO of large social network in annual development conference 2 months ago Shared vision for next 2 decades: past : with advent of PCs, companies

498 views • 14 slides
On Using a Black-Box Floating-Point Simplex for Generating Proof Witnesses Fr ed eric

On Using a Black-Box Floating-Point Simplex for Generating Proof Witnesses Fr ed eric

On Using a Black-Box Floating-Point Simplex for Generating Proof Witnesses Fr ed eric Besson Inria Rennes - Bretagne Atlantique Approaches for Mobile Code Security Reputation-based security Digital signature AppStore

578 views • 26 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
The SPaCIoS Tool property-driven and vulnerability-driven security testing for Web-based apps

The SPaCIoS Tool property-driven and vulnerability-driven security testing for Web-based apps

The SPaCIoS Tool property-driven and vulnerability-driven security testing for Web-based apps Alessandro Armando DIBRIS University of Genova and Security & Trust FBK, Trento (on behalf of the SPaCIoS consortium) STREP Project number:

775 views • 17 slides
The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2 App 3 Buggy apps can crash OS Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

1.15k views • 67 slides
Alpha Presentation 24-Hour Road Service Mobile Apps The Capstone Experience Team Auto-Owners

Alpha Presentation 24-Hour Road Service Mobile Apps The Capstone Experience Team Auto-Owners

Alpha Presentation 24-Hour Road Service Mobile Apps The Capstone Experience Team Auto-Owners Paul Fritschen Justin Hammack Lingyong Wang Department of Computer Science and Engineering Michigan State University Fall 2011 From Students

275 views • 13 slides
ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger,

ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger,

(IN-)SECURITY OF SMARTPHONE ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger, Andreas Wittmann, Philipp Roskosch, Daniel Magin, Joseph Varghese 1 Who are we Stephan Siegfried Mobile Security

636 views • 49 slides

More recommend