Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kevin Stadmeyer Garrett Held COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Hacking (and Defending) iPhone Applications.

Published byThomas Greene Modified over 9 years ago

Similar presentations

Presentation on theme: "Kevin Stadmeyer Garrett Held COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Hacking (and Defending) iPhone Applications."— Presentation transcript:

1 Kevin Stadmeyer Garrett Held COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Hacking (and Defending) iPhone Applications

2 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Garrett Held and Kevin Stadmeyer ›Managing Consultants with Trustwave SpiderLabs ›Have performed hundreds of application tests from mainframe to web to mobile Who Are We?

3 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL ›The Basics ›Setup For Testing ›Secure Storage of Data And Credentials ›Inadvertent Local Storage and Caching ›Client Side Sanitization ›Secure Coding ›Push Notifications ›Secure Communications Agenda What we’ll cover – secure coding and beyond, what to look for when assessing an iPhone application

4 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL The Basics

5 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Why are people attacking mobile apps? ›Stealing Money ›Embarrassing People (“Hactivists”) ›Get Famous Just the Facts, Ma’am

6 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Just the Facts, Ma’am iPhone Apps in the Press

7 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL How are people attacking mobile apps? ›New and unsafe operating systems? ›Terrible developers who don’t care? ›Clueless users who don’t know they should care? Just the Facts, Ma’am

8 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Security Model We’re Not Talking About? ›Layer 1: Apple Store ›Layer 2: Sandboxing via “Seatbelt” Just the Facts, Ma’am

9 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Just the Facts, Ma’am

10 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Setting Up The Testing Environment

11 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Don’t you mean setting up the decompiler? ›No Setting Up The Testing Environment

12 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 1: get your proxy right We Built This City

13 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 2: Get ya certs heard! We Built This City

14 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 3: Roll It Up We Built This City

15 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 4: Mail it! We Built This City

16 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 5: Install It We Built This City

17 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 6: Install It (Errrr….) We Built This City

18 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 7: Proxy It! We Built This City

19 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On das metal – Step 8: Victory! We Built This City

20 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On The Computer Machine – Step 6: Install It! We Built This City

21 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On The Computer Machine – Step 7: Install It! We Built This City

22 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL On The Computer Machine We Built This City ›The format is X’ ’

23 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Now What? We Built This City

24 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Now What? We Built This City

25 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Now What? We Built This City

26 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Secure Storage Of Data

27 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL The Keychain ›Indefinite Storage ›Can you store credentials securely without the keychain? – Don’t let the feature make you lazy – Don’t store credentials in the keychain unless you don’t care about certain things Storing Credentials

28 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Keychain Compromise via Jailbreaking ›Through a series of steps, retrieves passwords stored in the keychain [1] ›Researchers compromised keychain passwords only, not other protected classes such as passwords for websites – Jailbreak stolen iPhone (requires physical access), gain SSH access – Copy scripts that will compromise the keychain – Scripts output the victims passwords Storing Credentials [1] http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf

29 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Where Should You Store Them? ›Not on the device? – At least not in plaintext! Storing Credentials

30 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Securely Storing Data At Rest – things to look for ›Database calls? – Injection Possible? ›Using Core Data? – Does the application trust the integrity of the data? – Remember trust boundaries! Storing Credentials

31 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Recommendations for non-credential data ›Do not store data on the phone if at all possible – Never has it been so easy to lose so much data so fast! ›Require user to enter a passcode – Can still be brute-forced with time once the encrypted text is found – Poor user-experience on mobile devices Storing Credentials

32 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Recommendations for non-credential data ›Store decryption key on a server and require credentials (non-stored) to access key – Only works for applications that do not require offline access – Increases data usage – Revocable though – Data not “stored” in the cloud Storing Credentials

33 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL B-b-b-but kSecAttrAccessibleWhenUnlocked! ›By default iOS writes information to the keychain with this attribute ›By default most user’s passwords suck Storing Credentials

34 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Look Familiar? Storing Credentials

35 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Most Users Storing Credentials Pick Simple PINS 10,000 possibilities ~.1 second to crack (100k a second is pretty standard)

36 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Protect Stupid Users Storing Credentials  Require Strong Passwords (8+ alpha-numeric chars)  Use REAL and GOOD encryption  Don’t rely on an inherently insecure PIN to protect users.  If they knew what they were doing we wouldn’t be here today.

37 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Inadvertent Local Storage and Caching

38 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Screenshots ›Where are they stored? ›When are they taken? ›Who can access them! I Accidently Your Data…

39 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Screenshots I Accidently Your Data…

40 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Screenshot Protection I Accidently Your Data…

41 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Other Storage Of Information ›Autocomplete, etc. I Accidently Your Data…

42 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Autocomplete ›Override autocomplete ›textfield.autocorrectionType = UITextAutocorrectionNone I Accidently Your Data…

43 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Client Side Sanitization

44 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL It’s bad… ›Less burden on server ›Critical bypasses (yay!) Client Side? More like Bad side, amirite?

45 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL It’s bad… ›Some classic Web Application faults translate well into the iPhone. ›Web developers relied on: – JavaScript controls – Hidden fields – JSON responses – Information stored in Flash objects Client Side? More like Bad side, amirite?

46 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Rogue Clients ›Attackers can write apps (Some testers, too) ›Client side secrets can be decompiled – We don’t care if it’s obfuscated for now, that’s a point in time. ›Distributed through trusted App store? – Already happened to Android Client Side? More like Bad side, amirite?

47 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL How To Do It Right ›Server Side Controls ›Assume everything coming in came from a rouge or compromised client ›Enforce secure communications Client Side? More like Bad side, amirite?

48 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Applies in the iOS world? Client Side? More like Bad side, amirite? AppliesDoes Not Apply SQL InjectionCSRF* XML InjectionXSS* Other Injection Privilege Escalation Session Hijacking Overflows (Buffer, Integer) Format String Problems Insecure use of SSL

49 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL CSRF and XSS In Apps? ›Calls to browser – Recent Android Issue [1] – Loads javascript:alert(document.cookie) ›Embedded browser shares web app issues ›Rogue applications and rogue users Client Side? More like Bad side, amirite? ]1] http://www.crn.com.au/News/265931,video-details-android-browser-intercept-flaw.aspx

50 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Break That Down Into Attackers View Client Side? More like Bad side, amirite? Attacker Targets ServerAttacker Targets Device SQL InjectionOverflows (Buffer, Integer) XML InjectionFormat String Problems Other Injection Privilege Escalation Session Hijacking Insecure use of SSL

51 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Does This Mean to a Developer? ›Time to throw out any assumptions that the device will protect you by obfuscating anything ›A new set of security practices need to be developed and followed when creating App’s Client Side? More like Bad side, amirite?

52 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Shifting Paradigms – we hate ourselves ›Local Storage Review – What is stored and why? ›Educating QA – Proxy testing ›Review Local and Remote Inputs ›Information Leakage Client Side? More like Bad side, amirite?

53 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Local Storage Review ›Review what’s stored on the device by the application ›Review what’s stored on the device by iOS ›Keep it simple, review to remove A New Methodology

54 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Educating QA ›Develop test cases for new and old vulnerabilities ›Formal process for testing communications and settings A New Methodology

55 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Local And Remote Inputs ›User input from Apps is always a concern ›Don’t forget about responses that could be intercepted or hijacked. ›Maintain the integrity of the device. A New Methodology

56 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Information Leakage ›Examine all traffic to / from the application, like should be done with web applications ›Additional examination of what sensitive data may be in the binary. – Is it necessary? Keep it simple. Review to Remove. A New Methodology

57 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Secure Coding

58 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Can Go Wrong? ›Arbitrary executable code could be loaded and executed on the device ›Bypass “seatbelt” Buffer Overflow

59 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL How To Do It Right ›Same concerns as in C ›Use appropriate functions [1] – Example: strlcpy NOT strncpy ›Properly calculate buffer size (constants) ›Includes integer bounds checking Buffer Overflow [1] http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html

60 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Can Go Wrong? ›Application displays user input (as applications are known to do) ›Uses the [NSString stringWithFormat] method ›Uses the printf function ›Attacker sends “%s%s%s%s” instead of “Hello” Format String Attack

61 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL How To Do It Right ›Enforce Secure Coding Standard – Just like web applications – No vulnerable function should accept untrusted user input that could be used to determine the format of the output Format String Attack

62 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Can Go Wrong? ›Application manages state using the deviceID NOT the session ID. ›Sessions not terminated properly on the server side ›Following Conditions – User logged into the application at some point in the last day and subsequently logged out. – Attacker supplies wrong credentials through the mobile app. Race Conditions

63 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Can Go Wrong? ›Following Conditions – Application request “session refresh” while waiting for the incorrect login response to be sent. – Server “refreshes” the session based on the device ID. – Application receives a response indicating the login was successful, followed by a login denied error. – Application subsequently ignores the login denied, continues using the previous session now tied to the Device ID. Race Conditions

64 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL How To Do It Right ›Strong server side controls over access – Policy enforcement on concurrent logins – Do not maintain session via Device ID – Properly Logout Users ›Make sure any mobile applications have the same, proper logic enforcement as web applications. Race Conditions

65 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL What Can Go Wrong? ›Just about everything – Logic vulnerabilities – Weak session controls – Classic web application vulnerabilities – Too much trust in the client-side controls Server Side

66 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL How To Do It Right ›Harden the server – Every client is treated like it might be malicious ›Use same guidelines as Web Apps – OWASP Secure Development Server Side

67 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Push Notifications

68 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Real Fast Push Notifications http://www.dhanjani.com/

69 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Secure Communications

70 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL SSL Whaaaa? ›NSURL method – iOS is secure by default in regards to SSL certs when using this method to retrieve HTTPS content Secure Communications Source: http://www.flickr.com/photos/mikebaird/

71 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Well, that’s true now… ›SSLizzard – Exploit developed by SpiderLabs to take advantage of weakness in certificate validation. [1] – Allowed SSL MITM attacks without errors. – Apple patched this, “This vulnerability has been corrected in versions 5.0b4, 4.3.5, and 4.2.10.” Secure Communications [1] TWSL2011-007: iOS SSL Implementation Does Not Validate Certificate Chain, https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt

72 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL SSL Whaaaa? Secure Communications Source: http://www.flickr.com/photos/lenore-m/

73 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL This Is It

74 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL ›The Basics ›Setup For Testing ›Secure Storage of Data And Credentials ›Inadvertent Local Storage and Caching ›Client Side Sanitization ›Secure Coding ›Push Notifications ›Secure Communications This Is It Review

75 COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Summary ›Testing is easy – For you and for “them” ›Security is hard – Really just for you ›So test everything! This Is It

Download ppt "Kevin Stadmeyer Garrett Held COPYRIGHT TRUSTWAVE 2011 CONFIDENTIAL Hacking (and Defending) iPhone Applications."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.

Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Lecture 12 Overview.

Lecture 12 Overview.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

Similar presentations

Ads by Google