iOS app security -analyze and defense Hokila Cocoaheads Taipei 2013.10
iOS app security
Aug 19, 2014
Cocoaheads Taipei 2013.10
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
iOS app security-analyze and defense
Hokila
Cocoaheads Taipei 2013.10
源起Android Taipei (2013 August)
Android Apps Security Taien Wang
Ruby Tuesday (2013.9.10)別再偷我App裡的⾦金幣:Server端IAP的處理與驗證Kevin Wang
所以今天是來致(ㄉㄚˇ )敬(ㄌ⼀一ㄢˇ )
的
( ˘•ω•˘ )
不會講這些
不會講這些
如何破解神魔之塔 / 百萬亞瑟⺩王 / 全⺠民打棒球
不會講這些
如何破解神魔之塔 / 百萬亞瑟⺩王 / 全⺠民打棒球
免費使⽤用Splashtop / KKBOX / WhosCall
會講這些
● iOS app native leak● network monitor● IAP crack● Analyze tools● Encode /decode● Good Habits
絕對講不完我猜可以講⼀一⼩小時
還好之前講過了
2012.12 Cocoaheads TaipeiIn App Purchase 攻防戰
youtu.be/g2tWRPdweeY
1.基本功○ iOS app 資料結構○ API分析
2. 脫離新⼿手○ 同時監看多個畫⾯面○ 常⾒見漏洞&防禦⽅方法
3.必殺技(屁孩愛⽤用)○ IAP Free /LocalAppStore○ iGameGardian /⼋八⾨門神器○ Flex
OWASP Mobile Top 10 Risk (2013-M1)M1. 不安全的資料儲存(Insecure Data Storage)
M2. 弱伺服器端的控制(Weak Server Side Controls)
M3. 傳輸層保護不⾜足(Insufficient Transport Layer Protection)
M4. 客⼾戶端注⼊入(Client Side Injection)
M5. 粗糙的授權與認證(Poor Authorization and Authentication)
M6. 不適當的會話處理(Improper Session Handling)
M7. 安全決策是經由不受信任的輸⼊入(Security Decisions Via Untrusted Inputs)
M8. 側通道資料洩漏(Side Channel Data Leakage)
M9. 加密失效(Broken Cryptography)
M10. 敏感資訊洩漏(Sensitive Informaiton Disclosure)
Ref: File System Programming Guide
app itself
temporary files,clean when app restartNSTemporaryDirectory
app /user dataautomatically backed up by iCloud.
Cache
Prefences NSUSerDefault
Library
Application Support good place for configuration/template
Data that can be downloaded again or regenerated
Cookie store cookies for sandbox webView
info.plist
info.plist
iphone configuration utility
iTool(2012)
console log
DEMO
會看到app沒有埋好的logframework ⾃自⼰己帶的log
system notificationmemory warming
User Defaults,secure?
User Defaults,secure?
dump keychain database (jb necessary)
keychain locate at /var/Keychains/keychain-2.dbApple says “keychain is a secure place to store keys and passwords”
API Charles / ⽂文化部open data /iCulture
DEMO
1. Charles (Mac Windows) $
2. ZAP (Mac Windows) Free
3. Fiddler (Windows) Free
4. Wire Shark (Mac Windows) Free
⾄至少要同時看
● device screen● console log● plist、db● API request/response
⼀一些發現
其他app verify資料正確性的作法
某些遊戲讓你抽卡多選1,但是結果在你進⼊入抽卡畫⾯面時就決定了
竟然有app把db放在google doc和dropbox (⽽而且還不少)
讓我萬萬沒想到的是......(這邊不能打出來)
class dump-z
https://code.google.com/p/networkpx/
● dumping class info from an iOS app● guess class utility
DEMO
破解⼯工具 IAP Free/LocalAppStore欺騙app 購買成功
破解⼯工具 IAP Free/LocalAppStore欺騙app 購買成功
iGameGardin /⼋八⾨門神器搜尋記憶體位置,修改value
破解⼯工具 IAP Free/LocalAppStore欺騙app 購買成功
iGameGardin /⼋八⾨門神器搜尋記憶體位置,修改value
Flex鎖定function 回傳值例 -(BOOL)isTransactionSucess ⼀一定回傳YES
破解⼯工具 IAP Free/LocalAppStore欺騙app 購買成功
iGameGardin /⼋八⾨門神器搜尋記憶體位置,修改value
Flex鎖定function 回傳值例 -(BOOL)isTransactionSucess ⼀一定回傳YES
對於developer來說,就是app裡⾯面.....
有內奸
再安全的OS也有不安全的app啊啊啊啊啊怎麼辦
不要太相信server/model 的data適時的關⼼心,請問您是內奸嗎?是的話殺爆他
綜合來說,這就是....
King Of Design Pattern:MVCmodel 和view可以不⼀一樣
use encrypt ,not hash要hash也記得要加salt
計中計中計中計
這是⼀一個很基本的API
GET http://xxx.yyy/getUserData.php
response(string)name(array)xxlist
(string)itemname(int)quantity(string)status
paeameters(string)userID
POST http://xxx.yyy/getUserData.php public
response(string)name(array)xxlist
(string)itemname(int)quantity(string)status(int)status
parameters(string)token(string)call_file_name (string)userID
POST http://xxx.yyy/getUserData.php public
response(string)name(array)xxlist
(string)itemname(int)quantity(string)status(int)status
parameters(string)token(string)call_file_name (string)userID
公⼦子獻頭
SSL POST http://xxx.yyy/public
response(string)name(array)xxlist
(string)itemname(int)quantity(int)status(object)item
parameters(string)token(string)call_file_name (string)userID
struct object(string)itemname(int)quantity(int)status
base64 encode
讓對⽅方知道你的下兩步,在第三步衝康他
In-App Purchase Programming Guide
base64
SSL POST http://xxx.yyy/public
response(string)name(array)xxlist
(object)item
parameters(string)token(string)call_file_name (string)userID
還能怎麼改?
SSL POST http://xxx.yyy/public
response(string)name(array)xxlist
(object)item
parameters(string)token(string)call_file_name (string)userID
還能怎麼改?
Accept = "*/*";Accept-Language = zh-TW;Connection = close;User-Agent = "Something special~~";
確定資料正確
public entry access tokenSSL
status codeobject ,not clear dictionaryand...?
King Of Design Pattern:MVC
UILabel
Model memory View
APIplistdb
NSStringNSNumber
Money20002000
08f90c1a417155361a5c4b8d297e0d78
encrypt()
King Of Design Pattern:MVC
UILabel
Model memory View
APIplistdb
NSStringNSNumber
Money20002000
08f90c1a417155361a5c4b8d297e0d78
encrypt()
need protection!!
double_check
http://xxx.yyy/buyresponse(string)status(string)itemID(int)quantity(int)leftmoney
paeameters(string)user(string)itemID
double_check
http://xxx.yyy/buyresponse(string)status(string)itemID(int)quantity(int)leftmoney
paeameters(string)user(string)itemID
http://xxx.yyy/double_checkresponse(string)status (OK /Reject)
paeameters(string)user(string)itemID
use encrypt ,not hashsha1、md5、base64
這些你敢⽤用?
實驗證明,⼀一個經過訓練的QA可以⾁肉眼反解出1~100的md5 hash
use encrypt ,not hashhash⾄至少要加salt
md5($salt.$pass.$username)
md5($salt.md5($pass)) md5($salt.md5($pass).$salt)
sha1($salt.$pass)
sha1($salt.$username.$pass.$salt)
sha1($salt.md5($pass))
encrypt
use encrypt ,not hashhash⾄至少要加salt
md5($salt.$pass.$username)
md5($salt.md5($pass)) md5($salt.md5($pass).$salt)
sha1($salt.$pass)
sha1($salt.$username.$pass.$salt)
sha1($salt.md5($pass))
encrypt DES1977誕⽣生、1999被破
use encrypt ,not hashhash⾄至少要加salt
md5($salt.$pass.$username)
md5($salt.md5($pass)) md5($salt.md5($pass).$salt)
sha1($salt.$pass)
sha1($salt.$username.$pass.$salt)
sha1($salt.md5($pass))
encrypt DES1977誕⽣生、1999被破
AES-128 AES-256 當今最潮 passwd = AESEncrypt(“string”,” key”)
So....
public data可以不⽤用加密,但是private data⼀一定要加密
要檢查user有沒有作弊,但不要太頻繁的去檢查資料
需要server的service絕對都可以檔(播⾳音樂、遠端遙控)
發現別⼈人app有漏洞,記得回報開發者
So....
public data可以不⽤用加密,但是private data⼀一定要加密
要檢查user有沒有作弊,但不要太頻繁的去檢查資料
需要server的service絕對都可以檔(播⾳音樂、遠端遙控)
發現別⼈人app有漏洞,記得回報開發者
think as a service,not an app.這樣想會找到很多漏洞
One more thing
video on niconico youtube
video on niconico youtube
availiable today
Related Documents
