Mobile Application Security Testing: Assessment & Code Review (ITAC 2014, Sept. 31st 2014)
Presenters (ITAC 2014, Bishop Fox): Francis Brown, Partner; Joe DeMesy, Security Associate
Introductions: Francis Brown
• Hi, I'm Fran
• Partner at Bishop Fox
• You may remember me from such hacks as: RFID Thief, Diggity Search Tool Suite, SharePoint Hacking
Introductions: Joe DeMesy
• Hi, I'm Joe
• Associate at Bishop Fox
• I like computers (that run a POSIX OS*); phones are cool too
• Open source projects: Root the Box, iSpy
Agenda: Covered Today
Breaking iOS Apps:
• Static analysis
• Dynamic analysis
• The future of iOS assessments
• Protections & counter-measures
Breaking Android Apps:
• Static analysis
• Dynamic analysis
• Protections & counter-measures
App Security Requirements: Our Targets
Scenarios:
• Online finance
• Point of sale
• Streaming media
• Mobile Device Management (MDM)
• Games (cheating, etc.)
The Golden Rule: Application Security
Users are Evil (every last one of 'em)
• They have complete control of the device and of the app running on it
• Do not trust them
• Design applications and APIs accordingly: any check enforced only on the client can and will be bypassed, so the server must enforce every security decision itself
iOS Dynamic Analysis: Breaking iOS Applications
iOS Prerequisites: What You Need to Start
• Mac & Xcode
• HTTP proxy: Burp Suite Pro ($300) or mitmproxy ($0)
• ARM disassembler (optional): Hopper ($90) or IDA Pro ($600+)
• Jailbroken iOS device with SSH access
(Prices as quoted in 2014.)
Intercepting HTTP Traffic: Breaking Mobile Applications
HTTP Proxy Setup: Proxy Settings (point the device's Wi-Fi HTTP proxy at the machine running Burp or mitmproxy)
HTTP Proxy Setup: Intercepting HTTPS Traffic (plain HTTP is now visible; HTTPS connections fail until the device trusts the proxy's certificate)
The SSL Certificate Chain: Certificate Validation
Root → Intermediate → Leaf
Root → Intermediate #1 → Intermediate #2 → Intermediate #3 → Leaf
The client accepts the leaf only if it can build a chain from it to a root in its trust store. An intercepting proxy does not break this rule; it exploits it by getting its own root into that store.
Burp Suite Pro: Adding a Trusted Root Certificate (export Burp's CA certificate and install it on the iOS device as a trusted profile; browsing to http://burp from the proxied device offers the certificate for download)
HTTP Proxy Setup: Intercepting HTTPS Traffic
HTTP Proxy Setup: Secure Traffic Interception (with the proxy's root trusted, the app's TLS connections terminate at Burp and the requests appear in plaintext)
ACME Certificate Pinning: Non-Browser Certificate Validation
ACME Root → ACME Intermediate → Application Leaf
A pinned app checks for a specific certificate or key in the chain (here ACME's own root or intermediate) rather than accepting any chain that ends at a trusted root, so adding the proxy's CA to the device is not enough; the pin has to be defeated inside the app, which is what the runtime hooks later in this deck do.
iOS Dynamic Analysis: Breaking iOS Applications
Operating System Security Model: Why We Need to Jailbreak
• Signed binaries prevent: modifying binaries, code injection, runtime modification
• App sandbox prevents: debugging, filesystem access
Demonstration: Code Injection Techniques
App Store Encryption: Breaking iOS Applications
Binary Encryption: Getting Plaintext Bins
• Encrypted binaries: App Store builds; decrypt with Clutch or Rasticrac
• No encryption: builds installed on a provisioned device (TestFlight, etc.)
Clutch Usage: Decrypting iOS Binaries
• Open source (GitHub)
• Decrypts iOS applications (dumps the already-decrypted image from the running process on the jailbroken device) and repackages them
• Saves apps in /var/root/Documents/Cracked
• Saves apps as .ipa files (they're just ZIPs)
• Use: clutch <app name>
The IPA Archive Format: Not Delicious Beer
Foobar.ipa
  iTunesMetadata.plist
  iTunesArtwork
  Payload/
    Foobar.app/
      Foobar
      …
iTunes Metadata: software version and bundle ID (both read from iTunesMetadata.plist)
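The following is an added example, not code from the slides or from Clutch. It builds a throwaway .ipa with the layout shown above (constructed metadata and a minimal Mach-O stand-in for the executable), reads the bundle ID and version out of iTunesMetadata.plist, and then walks the executable's load commands for LC_ENCRYPTION_INFO. A cryptid of 1 means the App Store encrypted the binary and Clutch has to run before any static analysis; 0 means a provisioned or TestFlight build that can go straight to the disassembler. Fat (multi-architecture) binaries are out of scope here; the file names and plist keys are the ones iTunes-era .ipa files use, and the bundle name com.example.foobar is made up.

```python
# Added example (not from the slides or from Clutch): pull the facts shown on
# the iTunes Metadata slide out of an .ipa and decide whether the main binary
# still needs decrypting. Everything here is constructed in memory.
import io
import plistlib
import struct
import zipfile

# Constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O, little-endian (ARMv7)
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O (ARM64)
MH_EXECUTE = 2
CPU_TYPE_ARM64 = 0x0100000C
LC_ENCRYPTION_INFO = 0x21      # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # same fields plus 4 bytes of padding


def macho_cryptid(data: bytes):
    """Walk the load commands of a thin Mach-O and return the cryptid from
    LC_ENCRYPTION_INFO(_64): 1 = App Store encrypted, 0 = plaintext.
    Returns None when the binary carries no encryption command at all."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        offset = 32                      # sizeof(struct mach_header_64)
    elif magic == MH_MAGIC:
        offset = 28                      # sizeof(struct mach_header)
    else:
        raise ValueError("not a little-endian thin Mach-O (fat binaries need per-slice parsing)")
    ncmds, = struct.unpack_from("<I", data, 16)   # same offset in both header layouts
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return cryptid
        offset += cmdsize
    return None


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """An .ipa is a ZIP: read iTunesMetadata.plist, locate Payload/<App>.app,
    find the executable named in Info.plist and report its encryption state."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        meta = plistlib.loads(z.read("iTunesMetadata.plist")) if "iTunesMetadata.plist" in names else {}
        app_dirs = sorted({n.split("/")[1] for n in names
                           if n.startswith("Payload/") and n.count("/") >= 2
                           and n.split("/")[1].endswith(".app")})
        if not app_dirs:
            raise ValueError("no Payload/<name>.app in archive")
        app_dir = app_dirs[0]
        info = plistlib.loads(z.read(f"Payload/{app_dir}/Info.plist"))
        exe_path = f"Payload/{app_dir}/{info['CFBundleExecutable']}"
        cryptid = macho_cryptid(z.read(exe_path))
    return {
        "bundle_id": meta.get("softwareVersionBundleId", info.get("CFBundleIdentifier")),
        "version": meta.get("bundleShortVersionString", info.get("CFBundleShortVersionString")),
        "executable": exe_path,
        "cryptid": cryptid,
        "needs_clutch": cryptid == 1,
    }


def build_fake_macho(cryptid: int) -> bytes:
    """Constructed stand-in for a real ARM64 executable: a mach_header_64 followed
    by a single 24-byte LC_ENCRYPTION_INFO_64 load command."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(cmd), 0, 0)
    return header + cmd


def build_fake_ipa(cryptid: int) -> bytes:
    """Constructed Foobar.ipa with the layout from the slide (keys are made up)."""
    metadata = {"softwareVersionBundleId": "com.example.foobar",
                "bundleShortVersionString": "1.2.3", "itemName": "Foobar"}
    info = {"CFBundleExecutable": "Foobar", "CFBundleIdentifier": "com.example.foobar"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("iTunesMetadata.plist", plistlib.dumps(metadata))
        z.writestr("iTunesArtwork", b"\x89PNG placeholder")
        z.writestr("Payload/Foobar.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Foobar.app/Foobar", build_fake_macho(cryptid))
    return buf.getvalue()


if __name__ == "__main__":
    for c in (1, 0):
        print(inspect_ipa(build_fake_ipa(c)))
```

On a real dump from Clutch you would feed inspect_ipa the bytes of the .ipa from /var/root/Documents/Cracked and expect cryptid 0; a value of 1 on a file you pulled straight from the device means you are still looking at the encrypted App Store image.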
ARM Disassembly: I am in your binaries, changing your code
ARM Decompiler: I am in ur binaries, modif'in ur codez
XOR is Not Obfuscation: Jailbreak Detection Bypasses
Modifying ARM Assembly: Assemble Instruction
Modifying ARM Assembly: Produce New Executable
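Two of the slides above, "XOR is Not Obfuscation" and "Modifying ARM Assembly", are illustrated by the added example below, which is not code from the slides. It assumes the app stored its jailbreak-detection path strings XORed with one fixed byte (a common and useless "obfuscation"), brute-forces that byte across all the strings at once, and then overwrites the start of the checker function with a hand-assembled "return 0" stub, the same edit the slides make in the disassembler. The key 0x5A, the string list, the 64-byte "binary" and the function offset 0x20 are all constructed for the example.

```python
# Added example (not from the slides): (1) brute-force the single-byte XOR key an
# app used to "hide" its jailbreak-detection strings, (2) overwrite the start of
# the checker function with a hand-assembled "return 0" stub. All inputs are
# constructed.
import string

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}
PATH_CHARS = set((string.ascii_letters + string.digits + "/._-").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(blobs):
    """Try all 256 keys against every blob at once (obfuscators reuse one key).
    A key is a candidate when each decoded blob is printable ASCII; candidates are
    ranked by how many characters look like a filesystem path. Returns
    (key, decoded_blobs) or None if nothing decodes to printable text."""
    best = None
    for key in range(256):
        decoded = [xor_bytes(b, key) for b in blobs]
        if not all(c in PRINTABLE for d in decoded for c in d):
            continue
        score = sum(c in PATH_CHARS for d in decoded for c in d)
        if best is None or score > best[0]:
            best = (score, key, decoded)
    return None if best is None else (best[1], best[2])


# Hand-assembled stubs, stored little-endian as they appear in the file.
THUMB_RET0 = bytes.fromhex("0020" "7047")            # movs r0, #0 ; bx lr
ARM_RET0 = bytes.fromhex("0000a0e3" "1eff2fe1")      # mov  r0, #0 ; bx lr


def patch_return_zero(binary: bytes, func_offset: int, thumb: bool = True) -> bytes:
    """Return a copy of `binary` whose function at file offset `func_offset`
    now immediately returns 0 (NO for a BOOL isJailbroken). The offset is an
    assumption of this example: take it from the disassembler, converting the
    virtual address to a file offset. The result must be re-signed (or run on a
    jailbroken device) because the code signature no longer matches."""
    stub = THUMB_RET0 if thumb else ARM_RET0
    if func_offset < 0 or func_offset + len(stub) > len(binary):
        raise ValueError("patch would fall outside the file")
    patched = bytearray(binary)
    patched[func_offset:func_offset + len(stub)] = stub
    return bytes(patched)


def demo():
    key = 0x5A   # constructed: the app's fixed XOR key
    secrets = [b"/Applications/Cydia.app", b"/private/var/lib/apt/", b"/bin/bash"]
    blobs = [xor_bytes(s, key) for s in secrets]       # what you would lift from __data
    recovered_key, plain = recover_xor_key(blobs)
    fake_binary = bytes(range(64))                     # constructed 64-byte "binary"
    patched = patch_return_zero(fake_binary, 0x20)     # checker assumed at offset 0x20
    return recovered_key, plain, patched


if __name__ == "__main__":
    k, strings, _ = demo()
    print(f"key 0x{k:02x}: {[s.decode() for s in strings]}")
```

The ranking step matters: a single short string such as /bin/bash decodes to printable text under more than one key, so scoring all the obfuscated strings together is what makes the true key stand out. Patching is deliberately a raw byte write; the disassembler's "assemble instruction" feature does exactly this at the address you point it at.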
Objective-C Headers: Static Analysis
Class Dump: Objective-C Class Interfaces
#import <XXUnknownSuperclass.h> // Unknown library
@class NSString;
@interface XXasymEncryptor : XXUnknownSuperclass {
    NSString* _publicKeyID;
    NSString* _privateKeyID;
}
@property(copy, nonatomic) NSString* privateKeyID;
@property(copy, nonatomic) NSString* publicKeyID;
-(id)privateQueryDict;
-(id)publicQueryDict;
-(void)decryptWithPrivateKey;
-(void)encryptWithPublicKey;
-(void)KeysPlease;   // Hmmmm …
-(id)decryptData:(id)data;
-(id)encryptData:(id)data;
-(id)init;
@end
Mobile Substrate: Code Injection Techniques
The Objective-C Runtime: Message Passing
iOS app → call → is it an Objective-C type? → yes: objc_msgSend → execute code; no (native C): execute code directly
With Mobile Substrate, our code runs at the objc_msgSend step: a hooked selector is resolved to our replacement implementation, which can log, alter arguments and results, or skip the original method entirely.
Jailbreak Detection Code: Bypassing Common Detection Methods
• fork() (only succeeds outside the App Store sandbox)
• stat() / lstat() on jailbreak artifacts: Cydia, /apt/, etc.
• _dyld_image_count() / _dyld_get_image_name() (walking loaded images to spot injected dylibs such as MobileSubstrate)
Jailbreak Detection Code: the checker's class-dump interface
@class NSString;
@interface DeviceSecurity : NSObject {
    BOOL _jbstatus;
}
@property(assign, nonatomic) BOOL jbstatus;
+ (BOOL)isJailbroken;
@end
Theos + Logos + Mobile Substrate: Class and Method Hooking
#import "substrate.h"
%hook DeviceSecurity
+ (BOOL)isJailbroken {   // '+' because class-dump shows a class method; a '-' hook would not match
    %log;                // Logos built-in logging
    return NO;           // never admit to being jailbroken
}
%end
Certificate Bypasses: "Trust Me" Bypass
#import <Security/Security.h>
#import "substrate.h"
/* Pointer to the original, filled in by MSHookFunction */
static OSStatus (*original_SecTrustEvaluate)(SecTrustRef trust, SecTrustResultType *result);
/* New function definition: every chain evaluates as trusted */
static OSStatus new_SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result) {
    *result = kSecTrustResultProceed;
    return errSecSuccess;
}
%ctor {
    /* Hook the function */
    MSHookFunction((void *)SecTrustEvaluate, (void *)new_SecTrustEvaluate, (void **)&original_SecTrustEvaluate);
}
This defeats pinning that relies on SecTrustEvaluate passing; an app that instead compares the raw certificate or public-key bytes from the server's chain (SecCertificateCopyData) needs that comparison hooked as well.
Cycript: Runtime Modification
Cycript is Black Magic: Runtime Modification Techniques
• JavaScript REPL
• JavaScript + Cycript language extensions
• Objective-C runtime is merged into the REPL
• Attach to running apps
Cycript Basics: Attaching to a Process
iphone:~ root# cycript -p AlienBlue
cy# UIApp
@"<UIApplication: 0x8ba2c0>"
cy# UIApp.keyWindow.delegate
@"<CustomNavigationController: 0x836900>"
cy# ui(UIApp.keyWindow, "Foobar")
<UILabel: 0x82f0d0; frame = (132 12; 55 21); text = 'Foobar'; clipsToBounds = YES; userInteractionEnabled = NO; layer = <CALayer: 0x82f190>>
cy# var label = new Instance(0x82f0d0)
@"<UILabel: 0x82f0d0; frame = (132 12; 55 21); text = 'Foobar'; clipsToBounds = YES; userInteractionEnabled = NO; layer = <CALayer: 0x82f190>>"
cy# label.text
@"Foobar"
cy# label.text = @"Barfoo"
@"Barfoo"
Demonstration: Cycript in Action