iOS App Pen-Testing Client Side Analysis Oct'16 NULL Meet
Me..
I work at Aleph Tav Technologies as an AppSec guy. I do web and mobile app pen testing. @Aadarshaddy
To-Do
Traffic Analysis: setting a proxy; manipulating parameters using a proxy tool.
Client-Side Analysis (run-time, reverse engineering): getting the application executable, getting class info, local data storage, hard-coded information, debugging.
Attack Network Components
Agenda today
Traffic analysis is as simple as pointing the device at a proxy tool (Burp, for example) running on your machine and intercepting what the app sends, pretty much like web app pen-testing.
Today's agenda is client-side analysis.
Uses these..
iOS apps use the following technology stack: Objective-C (a runtime-oriented language), the Cocoa (Cocoa Touch) frameworks as the API, and more recently Swift.
Pre-Requisite
Jailbroken device (Cydia installed) – mandatory. An older device that no longer receives OS updates is advisable, so the jailbreak is not lost to an update.
The trade-off is that the target application must still support the iOS version running on that device.
Macbook – Recommended to have one for using Xcode
White Box Testing vs. Black Box Testing: most often it is black box testing; we shall see a bit of both.
Tools list (jailbroken device required):
On the device: ios_analyze.pl, mac-robber and log2timeline, Crackulous, appcrack, Appswitch, Cycript, OpenSSH, unzip, wget, SQLite 3.x, MobileTerminal, class-dump-z, tar, Clutch, dumpdecrypted, otool, GDB (GNU Debugger), r2clutch, Snoop-it, iPhoneTunnel, keychain-dumper, Cydia Substrate, adv-cmds, Darwin CC Tools, APT 0.6 Transitional, Git, less, make, ios-ssl-killswitch.
On the Mac: Flawfinder, Wireshark, Xcode (property list editor), plutil, otool and the other command-line tools that ship with Xcode, Netcat, Nmap, Burp, SQLite Browser, FuzzDB, IDA Pro, iExplorer.
Getting into the device
ssh root@ipaddressOfiPhone   (default password: alpine)
apt-get update
apt-get upgrade
Change the root password with passwd as soon as you are in: with the default left in place, anyone on the same network can SSH into the device as root.
Two things are basic knowledge for analysing a third-party iOS app:
Sandbox: the application sandbox is under /var/mobile/Applications (on iOS 8 and later the bundles moved to /var/containers/Bundle/Application/<UUID> and the app's data to /var/mobile/Containers/Data/Application/<UUID>).
Encryption: apps downloaded from the App Store are encrypted (FairPlay) and must be decrypted on the device before they can be reversed.
Copying executable
sftp root@ipaddressOfiPhone
cd /usr/bin
put clutch
Clutch is the application used to decrypt third-party (App Store) applications. Running clutch with no arguments lists the applications it can decrypt (Clutch 2.x: Clutch -i to list, Clutch -d <number> to dump).
Get the decrypted .ipa file using clutch and unzip it. The executable is the file named by CFBundleExecutable in the .app's Info.plist, which is usually the app's name. Then dump the class information of the executable with class-dump-z:
class-dump-z path/to/app/executable > class-info-executable
What and Where to look for?
1. Plist files: binary plists are converted to XML with plutil:
plutil -convert xml1 xxx.plist
or opened in the property list editor in Xcode. Look for juicy information: passwords, checksums, email IDs, any sensitive data. Check both the bundle's Info.plist and the NSUserDefaults store in the app's data container at Library/Preferences/<bundle id>.plist.
What and Where to look for?
2. SQLite: again, data stored client-side is dangerous. SQLite, as on Android, has no built-in support for encrypting data.
There are extensions that add it (CEROD, SQLCipher, SmartStore), but the encryption key still has to be available on the client, so we can set a breakpoint on the call that supplies it and pull the key from memory.
Path/to/app/appname.app/database.sqlite3
Databases the app writes at run time live in its data container (Documents/, Library/), not in the read-only .app bundle; look in both and open them with sqlite3 or SQLite Browser.
What and Where to look for?
3. Logging files (NSLog output):
Default: on the Mac, ~/Library/Logs/CrashReporter/MobileDevice/<Devicename>/; on the device, /private/var/log/system.log (on iOS 10 and later NSLog writes to the unified log, read with Console or idevicesyslog rather than system.log).
Custom (white box, with source):
grep -r -F "NSLog" $project_path/ | grep -v .svn
What and Where to look for?
4. Caching (iOS Simulator paths; on a device look for the same files in the app's data container and under /private/var/mobile/Library/):
File caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Documents/temp.pdf
Keyboard caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Library/Keyboard/dynamic-text.dat
Snapshot caching: ~/Library/Application Support/iPhone Simulator/x.x.x/Applications/<application folder>/Library/Caches/Snapshots/
Clipboard caching
What and Where to look for?
5. Keychain: an SQLite database located at /private/var/Keychains/keychain-2.db; all the item data stored in it is encrypted.
On a jailbroken device, keychain-dumper (run as root) or Snoop-it dumps the items in clear. Note each item's protection class (kSecAttrAccessible*): items marked kSecAttrAccessibleAlways are readable even while the device is locked.
What and Where to look for?
6. Stack smashing protection: mitigates stack overflow attacks. If enabled, the application binary imports the ___stack_chk_fail and ___stack_chk_guard symbols. To test:
otool -I -v ApplicationBinary | grep stack_chk
What and Where to look for?
7. ASLR / PIE flag: mitigates memory corruption vulnerabilities by randomising the executable's load address. To test:
otool -hV ApplicationBinary
The flags in the output should include PIE; without it the main executable loads at a fixed address even though the system libraries are still randomised.
What and Where to look for?
8. Automatic Reference Counting: again to avoid memory corruption vulnerabilities (use-after-free, double release), by moving the responsibility for memory management from the developer to the compiler. To test:
otool -I -v ApplicationBinary | grep _objc_release
A hit only shows that some of the code was built with ARC; it is a per-file compiler setting (-fobjc-arc), so parts of the app may still manage memory by hand.
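As an added example (not part of the talk), the binary protection checks of items 6 to 8 and the plist sweep of item 1, reimplemented offline in Python so they can be run on a dumped executable and Info.plist without otool or plutil: the Mach-O header flags word is decoded directly for PIE (fat binaries are split into their slices), the binary is scanned for the stack-canary and ARC import names, and plistlib walks the plist for sensitive-looking keys. The word list for sensitive keys and the Mach-O images and plist built in demo() are constructed here for illustration.

```python
"""Offline triage of an unpacked iOS app: the otool/plutil checks from the talk
reimplemented with plain Python. Added example, not from the talk; the Mach-O
images and the plist it analyses are constructed in demo() for illustration."""
import plistlib
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O magics (little-endian on ARM)
FAT_MAGIC = 0xCAFEBABE                           # universal binary wrapper (big-endian)
MH_PIE = 0x200000                                # header flag otool -hV prints as "PIE"
CPU_TYPE_ARM64 = 0x0100000C

CANARY_SYMBOLS = (b"___stack_chk_fail", b"___stack_chk_guard")
ARC_SYMBOLS = (b"_objc_release", b"_objc_retain", b"_objc_autorelease")
# Substrings that make a plist key worth a manual look (hypothetical word list).
SENSITIVE_KEY_WORDS = ("password", "passwd", "secret", "token", "apikey", "api_key", "credential")


def mach_o_slices(blob):
    """Yield every thin Mach-O image in blob, unpacking a fat binary if needed."""
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", blob[4:8])[0]
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, offset, size, _ = struct.unpack(">5I", blob[8 + i * 20:28 + i * 20])
            yield blob[offset:offset + size]
    else:
        yield blob


def has_pie(image):
    """Read mach_header.flags and test MH_PIE, i.e. what otool -hV reports as PIE."""
    if struct.unpack("<I", image[:4])[0] not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags: same offsets in 32/64-bit
    return bool(struct.unpack("<7I", image[:28])[6] & MH_PIE)


def imports_any(image, names):
    """Approximates `otool -I -v binary | grep <name>`: imported symbol names stay in
    the string table even after stripping, so a raw byte scan finds them."""
    return any(name in image for name in names)


def triage_binary(blob):
    """One dict per architecture slice with the three protection checks from the talk."""
    return [{"pie": has_pie(img),
             "stack_canary": imports_any(img, CANARY_SYMBOLS),
             "arc": imports_any(img, ARC_SYMBOLS)} for img in mach_o_slices(blob)]


def sensitive_plist_entries(plist_bytes):
    """Return (key path, value) pairs whose key looks sensitive. plistlib reads
    binary and XML plists alike, so no plutil -convert xml1 step is needed."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if any(word in key.lower() for word in SENSITIVE_KEY_WORDS):
                    hits.append((f"{path}/{key}", value))
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(plistlib.loads(plist_bytes), "")
    return hits


def make_image(flags, strings=b""):
    """Constructed minimal 64-bit Mach-O: a header with no load commands, followed
    by bytes standing in for the string table."""
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, flags, 0)
    return header + strings


def make_fat(images):
    """Constructed fat wrapper so mach_o_slices() is exercised as well."""
    offset = 8 + 20 * len(images)
    archs = b""
    for img in images:
        archs += struct.pack(">5I", CPU_TYPE_ARM64, 0, offset, len(img), 0)
        offset += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + b"".join(images)


def demo():
    """Constructed inputs: a hardened image, a weak one, a fat binary of both, and an Info.plist."""
    hardened = make_image(MH_PIE, b"\0___stack_chk_fail\0___stack_chk_guard\0_objc_release\0")
    weak = make_image(0, b"\0_printf\0_free\0")
    plist = plistlib.dumps({
        "CFBundleExecutable": "DemoApp",
        "APIToken": "constructed-demo-token",
        "Servers": [{"host": "api.example.com", "AdminPassword": "hunter2"}],
    })
    return (triage_binary(hardened), triage_binary(weak),
            triage_binary(make_fat([hardened, weak])), sensitive_plist_entries(plist))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real target, read the decrypted executable and the plist from disk and pass the bytes to triage_binary() and sensitive_plist_entries(); the byte scan is a triage shortcut, so confirm a negative result with otool -I -v before reporting a missing protection.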
What and Where to look for?
Other test cases:
Client-side authentication bypass
Client-side SQL injection
Hard-coded sensitive information anywhere
Client-side validation bypass
No jailbreak detection
Obsolete files
Tapjacking??
Every test case recommended in the OWASP mobile application checklist
P.S.: use PuTTY (SSH) or iExplorer to access the files mentioned above.
Hard time with SSL Pinning
Use ios-ssl-killswitch.
Use Cycript to hook the pinning check at run time and unpin.
Downgrade HTTPS to HTTP in Burp.
(or) Ask the client for an unpinned build, as simple as that. It might not work for bounty hunters though :P