Building & Hacking modern iOS apps (PowerPoint PPT presentation)
Wojciech Reguła, @_r3ggi, wojciech.regula@securing.pl, www.securing.pl


1. Building & Hacking modern iOS apps. Wojciech Reguła, @_r3ggi, wojciech.regula@securing.pl, www.securing.pl

2. WHOAMI
- Senior IT Security Consultant @ SecuRing
- Focused on iOS app security
- Blogger: https://wojciechregula.blog/
- OWASP SKF contributor

3. INTRODUCTION

4. AGENDA
1. iOS platform myths and reality
2. securityProblemsInMASVSCategories.forEach { problem in
   2.1 Discuss the problem
   2.2 Show the solution
   2.3 Present the new Apple WWDC feature }
3. My new library: iOS Security Suite 🚁
4. Short and long term things to implement in your code

5. PART I: PLATFORM MYTHS AND REALITY

6. MYTH #1: APPLE'S REVIEW IS 100% RELIABLE
https://twitter.com/orhaneee/status/1076147994574184449

7. MYTH #2: THERE IS NO JAILBREAK FOR iOS 11+
https://github.com/pwn20wndstuff/Undecimus (unc0ver)

8. MYTH #3: NO JAILBREAK MEANS NO REVERSING OF APPS

9. PART II: SECURE DEVELOPMENT

10. V1: ARCHITECTURE

11. SWIFT VS OBJECTIVE-C
- Integer overflow -> runtime error (Swift traps instead of silently wrapping; only the explicit &+ style operators wrap)
- No direct memory access (unless UnsafePointer and friends are used)
- Format string bugs mitigated through string interpolation (String(format:) with an attacker-controlled format string is still a problem)

12. MYTH – SWIFT AUTO-OBFUSCATES ITSELF
- There is no obfuscation
- Swift uses "name mangling", which is fully reversible (swift demangle)

13. MYTH – SWIFT AUTO-OBFUSCATES ITSELF
- Class TestClass with one instance variable, a constructor and two methods

14. MYTH – SWIFT AUTO-OBFUSCATES ITSELF
- _$s (Swift 5; _$S in Swift 4) marks a Swift symbol
- Length and module name
- Length and class name
- C: the entity belongs to a class (a method)
- Length and method name
- Parameters and return type, encoded as type codes
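Added example, not code from the talk: a minimal demangler for exactly the symbol layout listed above, written in Swift. It handles only that subset (the `$s` prefix, length-prefixed identifiers, the C/V/O nominal-type markers, argument labels, a handful of standard-library type codes, and the `F` function and `vg`/`vs` property-accessor suffixes); the sample symbols are hand-constructed to follow that layout rather than dumped from a real binary, and the module, class, method and property names in them are made up. On a real binary, run `nm` and pipe into `xcrun swift-demangle`, which covers the full grammar.

```swift
import Foundation

enum DemangleError: Error { case badPrefix, badIdentifier, unsupported(String) }

// Standard library type abbreviations understood by this subset demangler.
let stdTypes: [String: String] = [
    "Si": "Swift.Int", "Su": "Swift.UInt", "SS": "Swift.String",
    "Sb": "Swift.Bool", "Sd": "Swift.Double", "Sf": "Swift.Float",
]
let nominalMarkers: Set<Character> = ["C", "V", "O"]   // class, struct, enum

struct Demangler {
    private var chars: [Character]
    private var pos = 0

    init(_ symbol: String) {
        var s = Substring(symbol)
        while s.first == "_" { s = s.dropFirst() }   // leading "_" comes from the Mach-O symbol table
        chars = Array(s)
    }

    private var peek: Character? { pos < chars.count ? chars[pos] : nil }

    // <length><name>, e.g. "9TestClass"
    private mutating func identifier() throws -> String {
        var digits = ""
        while let c = peek, c.isNumber { digits.append(c); pos += 1 }
        guard let n = Int(digits), pos + n <= chars.count else { throw DemangleError.badIdentifier }
        let name = String(chars[pos..<pos + n])
        pos += n
        return name
    }

    // "y" is the empty tuple (Void); everything else must be a known two-letter type code.
    private mutating func type() throws -> String {
        if peek == "y" { pos += 1; return "()" }
        guard pos + 2 <= chars.count, let name = stdTypes[String(chars[pos..<pos + 2])] else {
            throw DemangleError.unsupported(String(chars[pos...]))
        }
        pos += 2
        return name
    }

    // Parameter list: a single bare type, or "<t1>_<t2>...t" for a (labelled) tuple.
    private mutating func params(labels: [String]) throws -> String {
        let first = try type()
        guard peek == "_" else { return first == "()" ? "()" : "(\(first))" }
        pos += 1
        var elems = [first]
        while peek != "t" { elems.append(try type()) }
        pos += 1
        guard labels.count == elems.count else { throw DemangleError.unsupported("label count") }
        let joined = zip(labels, elems)
            .map { label, ty in label == "_" ? ty : "\(label): \(ty)" }
            .joined(separator: ", ")
        return "(\(joined))"
    }

    mutating func demangle() throws -> String {
        guard chars.starts(with: ["$", "s"]) else { throw DemangleError.badPrefix }
        pos = 2
        let module = try identifier()                       // module name always comes first
        var path = [module]
        var name = try identifier()
        while let c = peek, nominalMarkers.contains(c) {    // nominal type context, e.g. ...C
            pos += 1
            path.append(name)
            name = try identifier()
        }
        var labels: [String] = []                           // argument labels; "_" = unlabelled
        while let c = peek, c.isNumber || c == "_" {
            if c == "_" { pos += 1; labels.append("_") } else { labels.append(try identifier()) }
        }
        let qualified = (path + [name]).joined(separator: ".")
        let rest = String(chars[pos...])
        if rest.hasSuffix("F") {                            // function: <result><params>F
            chars.removeLast()
            let result = try type()
            let parameters = try params(labels: labels)
            return "\(qualified)\(parameters) -> \(result)"
        }
        if rest.hasSuffix("vg") || rest.hasSuffix("vs") {   // property getter / setter
            chars.removeLast(2)
            let kind = rest.hasSuffix("vg") ? "getter" : "setter"
            let ty = try type()
            return "\(qualified).\(kind) : \(ty)"
        }
        throw DemangleError.unsupported(rest)
    }
}

// Hand-constructed symbols following the layout above (not dumped from a real binary).
let samples = [
    "_$s4Test9TestClassC12secretMethodyyF",
    "_$s4Test9TestClassC5login4user3pinSbSS_SitF",
    "_$s4Test9TestClassC6secretSSvg",
    "_$s4Test6helperyySiF",
]
for symbol in samples {
    var demangler = Demangler(symbol)
    do { print(symbol, "->", try demangler.demangle()) }
    catch { print(symbol, "-> unsupported:", error) }
}
```

Every module, class, method and property name is recovered verbatim from the symbol, which is the point of the slide: mangling is an encoding, not obfuscation, so hiding names requires a separate tool such as SwiftShield.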


16. MYTH – SWIFT METHODS CANNOT BE DYNAMICALLY CHANGED
- They can, for example with Frida
- You just need to hook the (mangled) symbol


18. DEMO: https://vimeo.com/334861122

19. TAKEAWAYS
- Binary (memory corruption) vulnerabilities largely mitigated
- Mostly no direct memory access
- Obfuscation ⬇ https://github.com/rockbruno/swiftshield

20. AUTOMATED SMS CODE INPUT (WWDC 2018)
- Controversial feature, since another app may get access to the one-time password
- Low risk, but it opens a possibility for social engineering

21. DEMO: https://vimeo.com/334861389

22. V2: DATA STORAGE

23. ON-DEVICE DATA STORAGE
- The most common issue is storing sensitive data on the device that should not be there at all:
  • API keys
  • SSH keys
  • Cloud credentials
  • Test environment credentials

24. ON-DEVICE DATA STORAGE
- Sensitive data may be insecurely stored in:
  • Info.plist
  • User defaults
  • Regular files
  • Hardcoded in the binary
  • Even in the Keychain (such data should not be stored client-side at all)

25. ON-DEVICE DATA STORAGE (screenshot)

26. ON-DEVICE DATA STORAGE
- Directories that are backed up (and therefore readable from an unencrypted iTunes/Finder backup):
  • Documents/
  • Library/Application Support/
  • Library/Preferences/
  • Library/* (everything else under Library/)
- Directories not backed up:
  • Library/Caches/
  • tmp/

27. CREDENTIAL PROVIDER EXTENSION (WWDC 2018)
- Password managers can fill credentials into native apps
- Add a UITextContentType (.username / .password) to your text fields

28. TAKEAWAYS
- No sensitive data in the IPA
- Keychain items with a kSecAttrAccessible... class that ends in ThisDeviceOnly
- Data Protection (file protection attributes) for files
- Credential Providers
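Added example, not the speaker's code: storing a token in the Keychain with the ThisDeviceOnly accessibility class (readable only while the device is unlocked, never migrated to another device through a backup) and writing a file with complete file protection. The service and account strings are placeholders.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus) }

// Store a secret in the Keychain. ThisDeviceOnly keeps the item bound to this device's keys,
// WhenUnlocked makes it unreadable while the device is locked.
func saveSecret(_ value: Data, service: String, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    _ = SecItemDelete(query as CFDictionary)          // replace any stale item with the same key
    var attrs = query
    attrs[kSecValueData as String] = value
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

func loadSecret(service: String, account: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return item as? Data
}

// Files that must stay private get complete protection: the per-file key is evicted when the
// device locks, so the content is unreadable until the next unlock.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

// Usage with placeholder identifiers:
// try saveSecret(Data("opaque-session-token".utf8), service: "com.example.app", account: "session")
// let token = try loadSecret(service: "com.example.app", account: "session")
```

Pick the accessibility class per item: a token needed by a background refresh cannot use WhenUnlocked and needs AfterFirstUnlockThisDeviceOnly instead; the ThisDeviceOnly suffix is the part to keep in every case.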

29. V3: CRYPTOGRAPHY

30. CRYPTOGRAPHY
- Insecure token generation
- The Bear case

34. https://wojciechregula.blog/post/stealing-bear-notes-with-url-schemes/

35. AUTOMATIC STRONG PASSWORDS (WWDC 2018)
- The AutoFill mentioned before can also generate new passwords associated with your domain
- You can set the password policy (UITextInputPasswordRules) that the generated password has to satisfy

36. TAKEAWAYS
- No home-made ciphers
- Everything in the IPA is public
- SecKeyCreateEncryptedData from the Security framework instead of third-party AES/RSA implementations
- Native password policy
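Added example, not from the talk: an EC P-256 key pair whose private half lives in the Secure Enclave, used with SecKeyCreateEncryptedData / SecKeyCreateDecryptedData and the ECIES algorithm, in place of a third-party AES/RSA library. The application tag is a placeholder; the Secure Enclave is not available in the simulator, and the private key can never be exported, which is exactly what keeps it out of the IPA and out of backups.

```swift
import Foundation
import Security

enum CryptoError: Error { case cf(CFError?), noPublicKey }

// Create a permanent P-256 key in the Secure Enclave. The private key is usable only while the
// device is unlocked and is bound to this device (WhenUnlockedThisDeviceOnly + privateKeyUsage).
func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var err: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .privateKeyUsage, &err) else { throw CryptoError.cf(err?.takeRetainedValue()) }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err) else {
        throw CryptoError.cf(err?.takeRetainedValue())
    }
    return key
}

// ECIES with AES-GCM: authenticated encryption, one algorithm constant, no IV/key handling by hand.
let algorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM

func encrypt(_ plaintext: Data, with privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { throw CryptoError.noPublicKey }
    var err: Unmanaged<CFError>?
    guard let ct = SecKeyCreateEncryptedData(publicKey, algorithm, plaintext as CFData, &err) else {
        throw CryptoError.cf(err?.takeRetainedValue())
    }
    return ct as Data
}

func decrypt(_ ciphertext: Data, with privateKey: SecKey) throws -> Data {
    var err: Unmanaged<CFError>?
    guard let pt = SecKeyCreateDecryptedData(privateKey, algorithm, ciphertext as CFData, &err) else {
        throw CryptoError.cf(err?.takeRetainedValue())
    }
    return pt as Data
}

// Usage with a placeholder tag (on a real device):
// let key = try makeSecureEnclaveKey(tag: "com.example.app.notes")
// let sealed = try encrypt(Data("note body".utf8), with: key)
// let opened = try decrypt(sealed, with: key)   // == Data("note body".utf8)
```

For bulk data, encrypt a random symmetric key this way and keep only the wrapped key on disk; the slide's point stands either way: the primitives ship with the OS and are backed by hardware, so there is no reason to vendor a cipher implementation.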

37. V4: SESSION MANAGEMENT

38. SESSION MANAGEMENT
- Local access control… (the app is not a trust boundary; enforce authorization on the server)
- JWT -> sign the token! (and verify the signature server-side, rejecting unsigned tokens)

39. V5: NETWORK COMMUNICATION

40. NETWORK COMMUNICATION
- Avoid HTTP
- Use HTTPS ✅
- App Transport Security (keep it enabled; do not add NSAllowsArbitraryLoads exceptions)
- HTTPS -> make sure the certificate is actually validated and trusted (no "accept any certificate" delegate code)

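Added example, not the speaker's code: a URLSession delegate that keeps the system's chain validation and additionally pins the leaf certificate's public key. The hash set holds a placeholder value; a real pin is the SHA-256 of the key bytes exactly as SecKeyCopyExternalRepresentation returns them, computed for the server's current and next key. CryptoKit requires iOS 13, SecCertificateCopyKey iOS 12.

```swift
import Foundation
import Security
import CryptoKit   // iOS 13+

// SHA-256 (hex) of the expected public key bytes. Placeholder: compute your own, and include the
// backup key so a routine rotation does not lock users out.
let pinnedKeyHashes: Set<String> = [
    "0000000000000000000000000000000000000000000000000000000000000000",
]

final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Normal validation first: expiry, hostname, chain to a trusted root. Pinning narrows
        //    trust, it never replaces this step.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pin: the leaf's public key must be one we expect.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let digest = SHA256.hash(data: keyData).map { String(format: "%02x", $0) }.joined()
        if pinnedKeyHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// All requests through this session are subject to the pin.
let pinnedSession = URLSession(configuration: .ephemeral, delegate: PinningDelegate(), delegateQueue: nil)
```

The anti-pattern this replaces is a delegate that calls `completionHandler(.useCredential, URLCredential(trust: trust))` without evaluating the trust at all, which is what makes an app accept any self-signed certificate a proxy presents.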


42. V6: PLATFORM INTERACTION

43. INTER-PROCESS (APPLICATION) COMMUNICATION
- XPC (macOS; not available to third-party apps on iOS)
- Mach messages (macOS; not available to third-party apps on iOS)
- URL schemes
- AirDrop
- Clipboard (please, do not do that)



46. TAKEAWAYS
- Verify the sender
- Check (validate) the parameters
- If a WebView is involved -> check what it is permitted to access
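Added example, not from the talk: a custom URL scheme handler that applies the first two takeaways. The caller's bundle identifier is filled in by the system, not by the caller, and is nil when the opener cannot be identified (Safari, for instance), which is treated as untrusted; parameters are parsed into a typed value and nothing from the URL is passed through verbatim. The scheme, the allow-listed bundle identifier and the note routing are assumed.

```swift
import UIKit

// Bundle identifiers allowed to drive this app through its URL scheme (assumed values).
let trustedCallers: Set<String> = ["com.example.companion"]
let ownScheme = "myapp"

enum DeepLink: Equatable { case openNote(id: Int) }

// Strict parsing: known host, known parameter name, positive integer id. Anything else is dropped.
func parseDeepLink(_ url: URL) -> DeepLink? {
    guard url.scheme?.lowercased() == ownScheme,
          url.host?.lowercased() == "note",
          let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
          let raw = items.first(where: { $0.name == "id" })?.value,
          let id = Int(raw), id > 0 else { return nil }
    return .openNote(id: id)
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        // Verify the sender. A URL parameter can never authenticate the caller; only the
        // system-provided source application can, and a missing value means "unknown".
        guard let sender = options[.sourceApplication] as? String,
              trustedCallers.contains(sender) else { return false }
        // Check the parameters.
        guard let link = parseDeepLink(url) else { return false }
        switch link {
        case .openNote(let id):
            print("opening note", id)   // app-specific navigation goes here (assumed)
        }
        return true
    }
}
```

The Bear case linked on slide 34 is the failure mode this guards against: a scheme that takes what it is given and acts on it, callable by any app on the device.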

47. V7: CODE QUALITY

48. CODE QUALITY
- No deprecated APIs
- Vulnerable libraries
- CocoaPods/Carthage -> no frozen dependency versions please; keep them updated

49. AFNetworking 2.5.1 allowed a man-in-the-middle attack when the app did not use SSL pinning

50. DEPRECATED UIWEBVIEW (WWDC 2018)
- UIWebView has access to local files via the file:// handler BY DEFAULT
- WKWebView has it too, by the way, if you turn certain (non-public) file-access preferences on
- XSS ☠ (with file:// access, injected script can read local files)
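Added example, not the speaker's code: a WKWebView set up so that an XSS in the displayed content cannot turn into local file access. Read access is scoped to the one bundled page rather than the container, the non-public file-access preferences are left off, and a navigation policy allows only that page and HTTPS to an allow-listed host (the host is assumed).

```swift
import WebKit

final class HelpWebView: NSObject, WKNavigationDelegate {
    let webView: WKWebView
    private let allowedHosts: Set<String> = ["help.example.com"]   // assumed
    private var localPage: URL?

    override init() {
        let config = WKWebViewConfiguration()
        // Leave the non-public allowFileAccessFromFileURLs / allowUniversalAccessFromFileURLs
        // preferences untouched: enabling them re-creates UIWebView's reach into the sandbox.
        webView = WKWebView(frame: .zero, configuration: config)
        super.init()
        webView.navigationDelegate = self
    }

    // Load bundled help. allowingReadAccessTo: the file itself, not its directory or the container.
    func loadLocalHelp(_ page: URL) {
        localPage = page.standardizedFileURL
        webView.loadFileURL(page, allowingReadAccessTo: page)
    }

    func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else { return decisionHandler(.cancel) }
        switch url.scheme?.lowercased() ?? "" {
        case "https" where allowedHosts.contains(url.host?.lowercased() ?? ""):
            decisionHandler(.allow)
        case "file" where url.standardizedFileURL == localPage:
            decisionHandler(.allow)      // only the page we loaded ourselves
        default:
            decisionHandler(.cancel)     // other file:// paths, plain http, custom schemes
        }
    }
}

// Usage (assumed bundle resource):
// let help = HelpWebView()
// if let page = Bundle.main.url(forResource: "help", withExtension: "html") { help.loadLocalHelp(page) }
```

Script injected into the help page can still run, but it has no file:// origin to read from and no navigation target it is allowed to reach; pair this with escaping of anything user-controlled that is rendered into the page.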

51. DICTIONARY THAT LOOKS YOU UP



54. DEMO: https://vimeo.com/334862417

55. HELP VIEWER PROBLEMS

56. DEMO: https://vimeo.com/334861507

57. YAHOO iOS XSS EXAMPLE BY @OMESPINO

58. V8: RESILIENCY REQUIREMENTS

59. ANTI-TAMPERING
For those who:
• Don't want their app to be tampered with
• Consider malware a risk
• Have to be compliant with OWASP MASVS
