Jean-Luc Watson iOS App Security - inst.eecs.berkeley.educs261/fa18/presentations/11_14.pdfApp Code Signing is Mandatory App writers must sign up for an Apple Developer account ($100/yr)

iOS App Securityapple.com/business/site/docs/iOS_Security_Guide.pdf

Jean-Luc Watson

Apple’s Security Model

Apple’s Security Model

Apple’s Security Model

anything else

Apple’s Security Model

Key assumption: system security is

maintainedanything else

App Verification

App Code Signing is Mandatory

● App writers must sign up for an Apple Developer account ($100/yr)

● In return, they receive a code-signing certificate issued by Apple

facebook

Apple Root Authority

App Code Signing is Mandatory

● App writers must sign up for an Apple Developer account ($100/yr)

● In return, they receive a code-signing certificate issued by Apple

● Signed apps are subject to review before being placed in the App Store

and certificates are checked at load time by the OS

facebook

Apple Root Authority

review load-time verification

Result

● All code running on an iOS device is signed with a certificate issued by

Apple

● If the OS is secure, what is the benefit of forcing code signing?

Result

● All code running on an iOS device is signed with a certificate issued by

Apple

● If the OS is secure, what is the benefit of forcing code signing?

○ Attribution

○ Restricts dynamic linking to libraries sharing same team identifier

○ Barrier to third-party, unreviewed software

○ Prevents malicious changes to a signed app

Result

● All code running on an iOS device is signed with a certificate issued by

Apple

● If the OS is secure, what is the benefit of forcing code signing?

○ Attribution

○ Restricts dynamic linking to libraries sharing same team identifier

○ Barrier to third-party, unreviewed software

○ Prevents malicious changes to a signed app

● (Old) vulnerability: Masque Attack

Runtime Protection

iOS Sandbox

● Primary isolation mechanism

● Access to other apps and system resources strictly controlled by iOS

interfaces

● Apps run exclusively in user mode and the OS is read-only

● How should apps execute privileged actions?

iOS Sandbox

● Primary isolation mechanism

● Access to other apps and system resources strictly controlled by iOS

interfaces

● Apps run exclusively in user mode and the OS is read-only

● How should apps execute privileged actions?

○ “Normal” OS (e.g. Linux): setuid bit

○ Problem?

iOS Sandbox

● Primary isolation mechanism

● Access to other apps and system resources strictly controlled by iOS

interfaces

● Apps run exclusively in user mode and the OS is read-only

● How should apps execute privileged actions?

○ “Normal” OS (e.g. Linux): setuid bit

○ Problem? Privilege escalation!

Entitlements

● Key-value pairs set at compile time, signed with developer certificate:

<key>inter-app-audio</key><true/>

● Verified by iOS API calls without requiring privileged execution

● Why can’t an app give itself all entitlements?

Entitlements

● Key-value pairs set at compile time, signed with developer certificate:

<key>inter-app-audio</key><true/>

● Verified by iOS API calls without requiring privileged execution

● Why can’t an app give itself all entitlements?

○ Apple review process will (hopefully) notice the attempt

ARM Execute Never (XN)

● Bit ensures memory in app data pages will never be executed by

processor

● Mitigates dynamically loaded shellcode (e.g. buffer overflow)

● Does not prevent Return-Oriented Programming

● Effectively limits app to static, signed code. Is this a problem?

ARM Execute Never (XN)

● Bit ensures memory in app data pages will never be executed by

processor

● Mitigates dynamically loaded shellcode (e.g. buffer overflow)

● Does not prevent Return-Oriented Programming

● Effectively limits app to static, signed code. Is this a problem?

○ Huge issue for JITs (Safari), but a dangerous capability

○ Solution: Apple-only entitlement that can mmap one WX page

Sharing Functionality

I can’t post on FB without swiping

combine address spaces?

I can’t post on FB without swiping

Gboard can see all my Facebook data + FB can see everything I’ve typed :(

combine address spaces?

I can’t post on FB without swiping

Gboard can still see everything I’ve typed on my device :((

Talk back and forth over IPC?

Extensions

Instantiate Extension

Extensions

Instantiate Extension

Separate address space/files

Same permissions

Extensions

Instantiate Extension

Separate address space/files

Same permissionsLimited Sandbox: no network access and restricted APIs

Remote Interaction

Secure Accessory Pairing

HomeKit Public/Private Keys

Accessory Public/Private Keys

Secure Accessory Pairing MFi custom Apple IC authenticates access

HomeKit Public/Private Keys

Accessory Public/Private Keys

Secure Accessory Pairing

HomeKit Public/Private Keys

Accessory Public/Private Keys

Secure Remote Password protocol

Code0 4 1 52 5 2 7

Key exchange

Secure Accessory Pairing

HomeKit Public/Private Keys

Accessory Public/Private Keys

HKDF session keys encrypt further communication

Remote Access

● Convenient secure medium to transfer encrypted data:

● iOS device proxies a signed challenge from the accessory MFi chip to

obtain a certificate issued by iCloud

○ Used to authorize iOS users to access the accessory and to connect

to iCloud servers

Remote Access

● Convenient secure medium to transfer encrypted data:

● iOS device proxies a signed challenge from the accessory MFi chip to

obtain a certificate issued by iCloud

○ Used to authorize iOS users to access the accessory and to connect

to iCloud servers

● What are the risks of this registration process?

Questions and Feedback?