© 2015 IBM Corporation
The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications
Eitan Worcel, IBM Application Security on Cloud
Chris Stahly, Arxan Director, Application Protection Services
Jan 07, 2017
IBM Mobile Security Framework (diagram)
Layers: Device Security, Content Security, Application Security, Transaction Security, Security Intelligence; covering Personal and Consumer, Enterprise, and Data
• Device Security: provision, manage and secure corporate and BYOD devices
• Content Security: secure enterprise content access and sharing
• Application Security: develop vulnerability free, tamper proof and risk aware applications
• Transaction Security: prevent and detect high risk mobile transactions from employees, customers and partners (Device as ID; Mobile Identity Platform)
• Security Intelligence: a unified architecture for integrating mobile security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management
Agenda
• Mobile App Sec: Exploring Mobile App Vulnerabilities; Mobile Security Overview
• iOS Mobile App Sec: Exploring iOS vulnerabilities & attacks; Protection Approaches; Application Testing Demo
• Additional Resources
X-Force Mobile Vulnerability Findings
• December 2013: Android Fragment Injection. A set of vulnerabilities exposed by Mobile Analyzer; research leading to a new discovery of an Android vulnerability class.
• March 2014: Firefox vulnerability. Overtaking Firefox profiles, identified by Mobile Analyzer; disclosed and fixed.
• July 2014: Android KeyStore vulnerability (stack buffer overflow).
• August 2014: Apache Cordova vulnerability. 10% of Android banking apps potentially vulnerable.
• February 2015: Dating apps vulnerabilities. Mobile Analyzer identified medium to high vulnerabilities in over 60% of the top dating apps.
• August 2015: Android serialization vulnerability. Over 55 percent of Android phones are at risk; the vulnerability gives underprivileged apps super status.
• April 2015: Deobfuscating iOS kernel pointers vulnerability. Information leak vulnerability in iOS which can be used to defeat the kernel address obfuscation mechanism available since iOS 6.
Mobile Security Overview
Web Apps Run in a Browser (diagram: Web Apps, Internet, Database)
Mobile Apps Run on the Phone and are Supported by Mobile Services (diagram: mobile app, Internet, Mobile Services, Database)
Testing Mobile Apps is Different from Testing Web Apps
• We know how to pen test our networks
• We know how to pen test web apps/services
• Mobile apps and mobile services: this is the new area where we need to focus
Mobile Applications Have a Different Threat Model (diagram: Web Apps reached over the Internet versus Mobile Services reached over the Carrier; each side has Application Logic and Temporary Storage)
• In the web app, JavaScript is sandboxed; in the mobile app, JavaScript can access device features
• Threats shown: Malicious Site (both sides); Attacker with Root, Malicious Apps and Application Services (mobile side)
iOS Mobile App Sec
iOS Security Controls
Why should we trust the OS?
• Code signing
• Anti arbitrary code execution policies: ASLR; memory pages marked W^X (writable XOR executable); stack canaries
• Sandboxing
• App encryption
Circumventing iOS Controls
Jailbreaking
• Remove iOS controls
• Gain root access
• Custom kernel
• Privilege escalation
Apple's Threat Modeling
Attacks on System Integrity: "Attacks on system integrity […] modify the system in such a way that it can no longer be trusted. […] the attacker might be able to:
• Execute malicious code
• Impersonate a user or server
• Repudiate an action"
Source: https://developer.apple.com/library/ios/DOCUMENTATION/Security/Conceptual/Security_Overview/ThreatModeling/ThreatModeling.html
Jailbreak History
• iPhone 1.0 (June 29th 2007); jailbroken July 10th 2007
• iOS 4.3.2: redsn0w 0.9.11x (April 2011)
• iOS 4.3.3: jailbreakme.com remote jailbreak (July 2011)
• iOS 5.1.1: absinthe 2.0.x (May 2012)
• iOS 6.1: evasi0n (January 30 2013)
• iOS 7.0: evasi0n7 (December 2013)
• iOS 7.1: Pangu (June 23 2014)
• iOS 8.1: Pangu (January 2015)
• iOS 9.0: Pangu (October 2015)
iOS Recent Attacks
Nobody is safe: Major App Store malware breach may affect millions of iPhone users
"A substantial security threat called XcodeGhost managed to fool App Store security and sneak into the App Store inside real App Store apps potentially affecting hundreds of millions of iPhone and iPad users on both stock and jailbroken devices."
Key Raider — Another iOS malware steals account info and more
"Malicious code surreptitiously included with Cydia apps [has] pilfered account data…disabled some infected phones until users pay a ransom, and…made unauthorized charges against some victims' accounts."
Flaws in OS X, iOS Allow Malicious Apps to Steal Passwords, Other Data
"In a paper titled 'Unauthorized Cross-App Resource Access on MAC OS X and iOS,' researchers demonstrated that cross-app resource access (XARA) attacks are possible on Apple's operating systems, allowing malicious applications to steal passwords and other sensitive data from other programs."
Anatomy of Attacks on iOS Mobile App
Reverse-engineering app contents:
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app
3. Create a hacked version: extract and steal confidential data; create a tampered, cracked or patched version of the app
4. Distribute app: release / use the hacked app; use malware to infect/patch the app on other devices
Tools for Hacking are Found Everywhere
Category: example tools (platform/target)
• Mobile decryption, unpacking & conversion: Clutch (iOS); APKTool (Android); Dex2jar (Android)
• Static binary analysis (disassembly, decompilation, info dumping): IDA Pro & Hex-Rays (Linux, Mac OS, Windows); Hopper (iOS, Linux, Mac OS, Windows); JD Project (Java); baksmali (Android / Java); class-dump-z (iOS, Linux, Mac OS, Windows); nm (Windows / .obj, .lib); Strings (Windows / UNICODE)
• Runtime binary analysis (debugging, tracing): GDB (Windows, UNIX / C, C++, Obj-C & more); ADB (Android); Introspy-Android, Introspy-iOS (Android, iOS); Sogeti ESEC Lab (Android)
• Runtime manipulation, code injection, method swizzling, patching: Cydia Substrate (Android, iOS); Cycript (iOS, Mac OS); DYLD (Mac OS); Theos suite (iOS); Hex Editors (everything); CheatEngine (Windows)
• Jailbreak detection evasion: xCon, tsProtector (iOS)
What do these tools allow?
• Decrypt iOS apps
• Modify data in-memory
• Modify data on disk
• Inject custom code
• Change existing code
• Read network traffic
• Manipulate network traffic
• Bypass jailbreak detections
IDA Example (slide image)
Protection Approaches
Mobile Application Security (diagram: IBM Mobile Application Security Framework)
• Static Analysis of Source Code: IBM AppScan Source / IBM MobileFirst Application Scanning
• Dynamic Analysis of Back End Calls: IBM AppScan Standard
• Interactive Analysis of Mobile App: IBM Application Security on Cloud
• Hardening of Binary Code: Arxan Application Protection for IBM Solutions
Obfuscation
Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
Turns this into this … (before/after image)
Preventing Reverse Engineering
Other Techniques
• Method Renaming
• String Encryption
• … and More!
(Image: "String not found")
Preventing Tampering
Common Techniques
• Jailbreak Detection: Am I on a jailbroken device?
• Checksum: Has the binary changed?
• Method Swizzling Detection: Is someone hijacking my code?
• Debug Detection: Is a debugger running?
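Two of the checks above (checksum and debug detection), as an added example that is not code from the presentation or from IBM/Arxan: a self-integrity check over a byte region using FNV-1a, and a debugger probe that reads the P_TRACED flag via sysctl on Apple platforms and, as an assumption so the demo runs off-device, TracerPid from /proc/self/status on Linux. The protected region and its expected checksum are constructed here; in a shipped app the region would be the app's own code and the expected value embedded at build time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#include <unistd.h>
#endif
/* FNV-1a over a byte region; the region stands in for the app's own code. */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Checksum: has the protected region changed since 'expected' was computed? */
int integrity_ok(const uint8_t *p, size_t n, uint32_t expected) {
    return fnv1a(p, n) == expected;
}
/* Debug detection: 1 if a debugger is attached, 0 if not, -1 if the probe failed. */
int debugger_attached(void) {
#ifdef __APPLE__
    struct kinfo_proc info;                 /* kernel's view of this process */
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    /* Linux fallback (assumed for off-device runs): ptrace sets TracerPid. */
    FILE *f = fopen("/proc/self/status", "r");
    char line[256]; int pid = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "TracerPid: %d", &pid) == 1) break;
    fclose(f);
    return pid != 0;
#endif
}
int main(void) {
    /* Constructed stand-in for a code region, with its build-time checksum. */
    uint8_t region[] = { 0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3 };
    uint32_t expected = fnv1a(region, sizeof region);
    printf("untouched: %s\n", integrity_ok(region, sizeof region, expected) ? "ok" : "TAMPERED");
    region[4] ^= 0xff;                      /* simulate a one-byte patch */
    printf("patched:   %s\n", integrity_ok(region, sizeof region, expected) ? "ok" : "TAMPERED");
    printf("debugger attached: %d\n", debugger_attached());
    return 0;
}
```

A single checksum is only a speed bump; production protections spread many such checks through the code and verify each other, so an attacker cannot patch out one check and be done.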
Security Layers (diagram)
DEMO
Additional Resources
Learn More about Mobile Application Security Testing on Cloud
Replay recent Webinar
• Oct 20th - Making the Case for Application Security Testing on Cloud
• Nov 3rd - Protecting Mission-Critical Source Code from AppSec Vulnerabilities
Read the Blogs
• AppSec Testing on Cloud and the Future of Penetration Testing
• A Lever to Move the World: Automating AppSec Testing in the Cloud
• Protecting Your Apps at Runtime
View the Infographic
• Case Closed with IBM AppSec on Cloud
View the YouTube Video
• Identify and Remediate Application Security Vulnerabilities Effectively
Visit the Web Page
• Cloud Marketplace
Your Next Steps to Protecting Your Apps
Free Evaluation of "Arxan Application Protection for IBM Solutions", now offered as part of IBM's Security Portfolio
Curious how your app binary is exposed to hacking? Get a free assessment of your app's binary exposures in 9 categories.
QUESTIONS
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security