iOS Application Security Testing & Pentesting

Introduction:

Apple Inc., the largest consumer electronics manufacturers in the world is popularly known for its unique, innovative design and hardcore security features that it provides to the end consumers. The Apple product lineup uses indigenously developed iOS as the operating system to channelize the communication between hardware and software.

iOS is derived from OSX, with which it shares the Darwin Foundation and is therefore a UNIX like operating system, in nature. It’s the operating system that powers the iPhone, iPad, iPod and Apple TV. Apple designed the iOS platform with security at its core and the application built on and for this platform are very less vulnerable compared to the other competing platforms.

To safeguard the integrity of the customer data and privacy iOS uses Sandboxing method where the different applications are allowed to process their tasks and the data in a particular environment created for them. Let’s understand how it is one in detail-

iOS App Sandboxing:

All the applications running are signed by Apple. Developer submits an application, apple verifies it and signs the application. Applications are isolated by sandboxing. One application can not access the data of the other applications. Reading other application directory is not possible.  All applications run under user mobile. All system process run under user root.

Types Of iOS Application:

What is Jailbreak?

  • The name refers to breaking the device out of its own ‘JAIL’
  • Allows installation of apps, which are not present in the AppStore.
  • iOS jail breaking is the process of removing limitations on iOS.
  • Three types of jailbreaks i.e. Tethered, Un-Tethered and Semi-Tethered.
  • Tethered: In this type, Jailbreak is temporary. When you turn off your device you can’t boot your device up without connect it to PC to delete the Jailbreak and then you are able to boot the device. In this Jailbreak you have to install it every time you turn off your device.
  • Semi Tethered: It looks like tethered jailbreak with addition thing that here you can turn off your device and boot it again without any problem. The features are limited.
  • Untethered: It is the common jailbreak and the new one. It gives the user ability to run all the tools and applications they downloaded anytime they want. In this type, you can turn off your device without fear of losing the jailbreak.
  • Tools used to jailbreak the iOS device:  PwnageTool, redsn0w, Sn0wbreeze, Greenpois0n, jailbreakMe…, etc.
  • Cydia allows to install Apps which are not authorized. Able to download additional applications, extensions, tweaks, tools etc. that are unavailable through the official Apple App Store.
  • Jailbreaking permits root access to the iOS file system.

Tools Used for iOS Pentesting:

1. Access Filesystem on iDevice

    • iFunbox – The File and App Management Tool for iPhone, iPad & iPod Touch.
    • iProxy – With iProxy you can connect via SSH to your jailbroken iPhone when it’s connected via USB.
    • Itunnel- Use to forward SSH via USB.
    • Once you are able to SSH into your jailbroken iPhone you can use an FTP client like the following to browse the file system:
      • Cyberduck – Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows.
      • FileZilla – It supports FTP, SFTP, and FTPS (FTP over SSL/TLS).

2. Reverse Engineering and Static Analysis

      • class-dump – A command-line utility for examining the Objective-C runtime information stored in Mach-O files.
      • Clutch – Decrypt the application and dump specified bundleID into binary or .ipa file.
      • Dumpdecrypted – Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk.
      • HopperApp (Commercial Tool) – Hopper is a reverse engineering tool for macOS and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables.
      • hopperscripts – Hopperscripts can be used to demangle the Swift function name in HopperApp.
      • otool – The otool command displays specified parts of object files or libraries.
      • Plutil – plutil is a program that can convert .plist files between a binary version and an XML version.
      • Weak Classdump – A Cycript script that generates a header file for the class passed to the function. Most useful when you cannot use classdump or dumpdecrypted, when binaries are encrypted etc.

3.Dynamic and Runtime Analysis

      • bfinject – bfinject loads arbitrary dylibs into running App Store apps. It has built-in support for decrypting App Store apps, and comes bundled with iSpy and Cycript.
      • BinaryCookieReader – A tool to dump all the cookies from the binary Cookies.binarycookies file.
      • Burp Suite Mobile Assistant – A tool to bypass certificate pinning and is able to inject into apps.
      • cycript – Cycript allows developers to explore and modify running applications on either iOS or macOS using a hybrid of Objective-C and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.
      • Frida-cycript – This is a fork of Cycript in which we replaced its runtime with a brand new runtime.
      • This enables frida-cycript to run on all the platforms and architectures maintained by frida-core.
      • Fridpa – An automated wrapper script for patching iOS applications (IPA files) and work on non-jailbroken device.
      • gdb – A tool to perform runtime analysis of iOS applications.
      • idb – idb is a tool to simplify some common tasks for iOS pentesting and research.
      • Introspy-iOS – Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues.
      • keychaindumper – A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.
      • lldb – LLDB debugger by Apple’s Xcode is used for debugging iOS applications.
      • Needle – Needle is a modular framework to conduct security assessments of iOS apps including Binary Analysis, Static Code Analysis and Runtime Manipulation.
      • Passionfruit – Simple iOS app blackbox assessment tool with Fully web based GUI.

4.Bypassing Jailbreak Detection and SSL Pinning

      • SSL Kill Switch 2– Blackbox tool to disable SSL certificate validation – including certificate pinning – within iOS and macOS Apps.
      • tsProtector – Another tool for bypassing Jailbreak detection.
      • Xcon – A tool for bypassing Jailbreak detection.

iOS Application Directory Structure:

    • Application run in a sandbox (seatbelt) with ‘mobile’ privileges
  • Each application gets a private area of the file system-App Home directory: /var/mobile/Applications/[GUID]

Dynamic Analysis:

Once you capture the traffic it is a typical Web application pentesting, in which attacks are done on the application server.

Static Analysis:

    • Decrypt the application
    • Investigate property list files
    • Analyze iOS keychain
    • Analyze SQLlite database
    • Analyze NSUserdefault files etc.

1. Decrypting an iOS Application:

Clutch:

  • Clutch is a high-speed iOS decryption tool.
  • Clutch supports the iPhone, iPod Touch, and iPad as well as all iOS version
  • Clutch sets a breakpoint in loading process
  • Dumps application from memory
  • Clutch [OPTIONS ]:
    • -b –binary-dump: Only dump binary files from specified bundleID
    • -d –dump: Dump specified bundleID into .ipa file
    • -i –print-installed Print installed application
    • –clean: Clean /var/tmp/clutch directory
    • –version: Display version and exit
    • -? –help: Display this help and exit

Class-Dump:

  • Command-line utility for examining the Objective-C runtime
  • It will help us to understand the app’s structure, and to choose where we want to target.
  • This allows for an analysis of what methods exist in the executable, which can help you guess which ones to hook to get given functionality.
  • To install on your Mac, open up a new terminal and run: $ brew install class-dump
  • Then, find the app’s executable. After you unzip the .ipa/.zip file you copied to your computer, you will find it in the resulting folder at the path /Payload/AppName.app/AppName
  • Now, you can run: ./class-dump <AppName>.app/AppName > Dumped
  • Now, open up the ‘Dumped’ file in your favorite text editor, and you should see all of the app’s runtime headers.

2. Investigate property list files(Plist Files):

“An information property list file is a structured text file that contains essential configuration information for a bundled executable”

  • Property list files – /private/var/containers/Bundle/ Application/ – Often used to store user’s properties
  • Key value pairs are stored in binary format
  • Easily extracted and modified with property list editor, plutil etc.
  • Look for usernames , passwords, cookies.
  • Apps may take Authentication/Authorization decisions
  • Ex: admin=1, timeout=10
  • Plist files can be viewed and modified easily on both the Jailbroken and non Jailbroken iPhones.
  • Do not store clear text data in Plist files.

3. Analyze iOS keychain

  • One of the most important security elements for Apple developers is the iOS Keychain, which is a specialized database for storing metadata and sensitive information. Using Keychain is the best practice for storing small pieces of data that are critical to your app such as secrets and passwords.
  • Keychain items are encrypted using two different AES-256-GCM keys: a table key (metadata), and a per-row key (secret-key).
  • Keychain items can only be shared between apps from the same developer.
  • Located at: /var/Keychains/keychain-2.db
  • Keychain data is encrypted
    • – Uses hardware encryption key
    • – Uses user passcode for encryption
    • – Depends on accessibility constant of keychain entry
    • – Cannot be moved to other device

Side Channel Data Leakage:

iOS apps have a number of ‘features’ that can be security vulnerabilities.

1. Check for sensitive information in Log files:

    • Apps may write sensitive data in logs
      • – Debugging (NSLog calls)
      • – Trouble shooting
      • – Requests & Responses
      • – /private/var/log/syslog
      • To view iPhone logs
        • – Console App (from AppStore)
        • – Sync to iTunes
          • Mac OS X : ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE_NAME>
          • Windows XP: C:Documents and Settings<USERNAME>Application DataApple computerLogsCrashReporter/<DEVICE_NAME>

2. Snapshot Caching:

      • On minimizing the iOS application, the screen shrinks and moves the application to the background.
      • To create that shrinking effect, iOS takes a snapshot of the application and stores it in the ‘/Library/Caches/Snapshots/’ folder of the application’s home directory.
      • This might result in storing the user’s sensitive information on the device which could be accessed by a malicious application.
      • These persist until reboot.

Solution:

      • Remove sensitive data or change the screen before the applicationDidEnterBackground() function returns
      • Instead of hiding or removing sensitive data you can also prevent back- grounding altogether by setting the “Application does not run in background” property in the applications Info.plist file.

3. File Caching:

      • If the application uses PDF, Excel, or other files it may be possible that these files may have been cached on the device. These can be found at : ~/<ApplicationDirectory>/Documents/temp.pdf

4. Keyboard Caching

      • Keystrokes for predictive spellcheck are stored in: ~/private/var/mobile/Library/Keyboard/dynamic-text.dat
      • This issue is similar to autocomplete for web browsers.

5. Investigate Cookies.binarycookies:

      • On the iPhone, Safari browser and third party iOS applications store the cookies in ‘Cookies.binarycookies’ files located at the path shown below:
        • – /ApplicationDirectory/Library/Cookies/
        • – /private/var/mobile/Library/
      • Cookies created only with the future expiration date (persistent cookies) are stored in the binary Cookies.binarycookies file.

Runtime Analysis:

  • Runtime analysis allows an attacker to manipulate the application’s behaviour during the runtime.
  • For example, Runtime analysis can be used for analysing and bypassing client side securities implemented by an application like security locks and access the sensitive information from memory.
  • Cycript:
    • Cycript is an implementation of JavaScript that can interact with Objective-C classes and objects.
    • With Cycript, you can manipulate existing objects already in your application’s memory, or instantiate new objects, such as new view controller classes or windows.
    • The tool works by hooking into the process of the running app by passing the ‘-p’ flag to Cycript, followed by the app name.

    Conclusion:

    As the core of the iOS platform is security, it becomes the key differentiator for the success of any iOS application. Creating an application with securities on all the fronts is not easy. However, if we stick onto the best practices provided by the host and further identify the vulnerabilities specific to the emerging industry standards, it is possible that the application clears all the checks.

    References:

    • Pentesting iOS Application by ‘Jason Haddix’
    • Mobile security testing guide- OWASP
    • Learning iOS Penetration Testing by Swaroop Yermalkar.
    Share Blog
    No Comments

    Post a Comment

    Comment
    Name
    Email
    Website