Hacking (and Defending) iPhone
Applications
Kevin Stadmeyer
Garrett Held
COPYRIGHT TRUSTWAVE 2011
CONFIDENTIAL
Who Are We?
Garrett Held and Kevin Stadmeyer
›Managing Consultants with Trustwave SpiderLabs
›Have performed hundreds of application tests from
mainframe to web to mobile
Agenda
What we’ll cover –
secure coding and beyond, what to look
for when assessing an iPhone application
›The Basics
›Setup For Testing
›Secure Storage of Data And Credentials
›Inadvertent Local Storage and Caching
›Client Side Sanitization
›Secure Coding
›Push Notifications
›Secure Communications
The Basics
Just the Facts, Ma’am
Why are people attacking mobile apps?
›Stealing Money
›Embarrassing People (“Hactivists”)
›Get Famous
Just the Facts, Ma’am
iPhone Apps in the Press
Just the Facts, Ma’am
How are people attacking mobile apps?
›New and unsafe operating systems?
›Terrible developers who don’t care?
›Clueless users who don’t know they should care?
Just the Facts, Ma’am
What Security Model We’re Not Talking About?
›Layer 1: Apple Store
›Layer 2: Sandboxing via “Seatbelt”
Just the Facts, Ma’am
Setting Up The Testing Environment
Setting Up The Testing Environment
Don’t you mean setting up the decompiler?
›No
We Built This City
On das metal – Step 1: get your proxy right
We Built This City
On das metal –
Step 2: Get ya certs heard!
We Built This City
On das metal –
Step 3: Roll It Up
We Built This City
On das metal –
Step 4: Mail it!
We Built This City
On das metal –
Step 5: Install It
We Built This City
On das metal –
Step 6: Install It (Errrr….)
We Built This City
On das metal –
Step 7: Proxy It!
We Built This City
On das metal – Step 8: Victory!
We Built This City
On The Computer Machine – Step 6: Install It!
We Built This City
On The Computer Machine – Step 7: Install It!
We Built This City
On The Computer Machine
›The format is X’<SHA1 Fingerprint>’
We Built This City
Now What?
Secure Storage Of Data
Storing Credentials
The Keychain
›Indefinite Storage
›Can you store credentials securely without the keychain?
– Don’t let the feature make you lazy
– Don’t store credentials in the keychain unless you don’t care
about certain things
Storing Credentials
Keychain Compromise via Jailbreaking
›Through a series of steps, retrieves passwords stored in
the keychain [1]
›Researchers compromised keychain passwords only, not
other protected classes such as passwords for websites
– Jailbreak stolen iPhone (requires physical access), gain SSH
access
– Copy scripts that will compromise the keychain
– Scripts output the victim’s passwords
[1] http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
Storing Credentials
Where Should You Store Them?
›Not on the device?
– At least not in plaintext!
Storing Credentials
Securely Storing Data At Rest
– things to look for
›Database calls?
– Injection Possible?
›Using Core Data?
– Does the application trust the integrity of the data?
– Remember trust boundaries!
Storing Credentials
Recommendations for non-credential data
›Do not store data on the phone if at all possible
– Never has it been so easy to lose so much data so fast!
›Require user to enter a passcode
– Can still be brute-forced with time once the encrypted text is
found
– Poor user-experience on mobile devices
Storing Credentials
Recommendations for non-credential data
›Store decryption key on a server and require credentials
(non-stored) to access key
– Only works for applications that do not require offline access
– Increases data usage
– Revocable though
– Data not “stored” in the cloud
Storing Credentials
B-b-b-but kSecAttrAccessibleWhenUnlocked!
›By default iOS writes information to the keychain with
this attribute
›By default most users’ passwords suck
Storing Credentials
Look Familiar?
Storing Credentials
Most Users Pick Simple PINs
›10,000 possibilities
›~0.1 second to crack (100k guesses a second is pretty standard)
Storing Credentials
Protect Stupid Users
›Require Strong Passwords (8+ alpha-numeric chars)
›Use REAL and GOOD encryption
›Don’t rely on an inherently insecure PIN to protect users.
›If they knew what they were doing we wouldn’t be here today.
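A worked check of the two points above, added here as an example and not taken from the deck: a policy check for the “8+ alpha-numeric chars” rule, and the guess budget behind the 10,000-PIN figure generalised to any alphabet size and length. The policy reading (length 8 or more, at least one letter and one digit), the 100k guesses/second rate and the function names are assumptions built from the slides’ own numbers.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Added example (not from the deck). "8+ alpha-numeric chars" is read here
 * as: length >= 8, at least one letter and at least one digit. Other
 * characters are allowed; rejecting them would only shrink the keyspace. */
int meets_policy(const char *pw) {
    size_t len = strlen(pw);
    int has_alpha = 0, has_digit = 0;
    if (len < 8) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isalpha(c)) has_alpha = 1;
        if (isdigit(c)) has_digit = 1;
    }
    return has_alpha && has_digit;
}

/* Number of candidate secrets for an alphabet of `alphabet` symbols and
 * `length` positions: 10^4 for a PIN, 62^8 for the deck's minimum password.
 * Returns 0 if the product would wrap around unsigned long long. */
unsigned long long keyspace(unsigned alphabet, unsigned length) {
    unsigned long long space = 1;
    for (unsigned i = 0; i < length; i++) {
        if (alphabet != 0 && space > ULLONG_MAX / alphabet) return 0;
        space *= alphabet;
    }
    return space;
}

/* Worst-case seconds for an offline attacker to try every candidate at
 * `guesses_per_second`; the deck's figure is 100k/s. */
double seconds_to_exhaust(unsigned long long space, double guesses_per_second) {
    return (double)space / guesses_per_second;
}
```

At the deck’s rate a 4-digit PIN is exhausted in about 0.1 s, while the 62^8 space of an 8-character alphanumeric password takes on the order of decades; the policy check is what moves an application from the first number to the second.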
Inadvertent Local Storage and Caching
I Accidentally Your Data…
Screenshots
›Where are they stored?
›When are they taken?
›Who can access them!
I Accidentally Your Data…
Screenshots
I Accidentally Your Data…
Screenshot Protection
I Accidentally Your Data…
Other Storage Of
Information
›Autocomplete, etc.
I Accidentally Your Data…
Autocomplete
›Override autocomplete
›textfield.autocorrectionType = UITextAutocorrectionTypeNo
Client Side Sanitization
Client Side? More like Bad side, amirite?
It’s bad…
›Less burden on server
›Critical bypasses (yay!)
Client Side? More like Bad side, amirite?
It’s bad…
›Some classic Web Application faults translate well
into the iPhone.
›Web developers relied on:
– JavaScript controls
– Hidden fields
– JSON responses
– Information stored in Flash objects
Client Side? More like Bad side, amirite?
Rogue Clients
›Attackers can write apps (Some testers, too)
›Client side secrets can be decompiled
– We don’t care if it’s obfuscated for now, that’s a point in
time.
›Distributed through trusted App store?
– Already happened to Android
Client Side? More like Bad side, amirite?
How To Do It Right
›Server Side Controls
›Assume everything coming in came from a rogue or
compromised client
›Enforce secure communications
Client Side? More like Bad side, amirite?
What Applies in the iOS world?
Applies
›SQL Injection
›XML Injection
›Other Injection
›Privilege Escalation
›Session Hijacking
›Overflows (Buffer, Integer)
›Format String Problems
›Insecure use of SSL
Does Not Apply
›CSRF*
›XSS*
Client Side? More like Bad side, amirite?
CSRF and XSS In Apps?
›Calls to browser
– Recent Android Issue [1]
– Loads javascript:alert(document.cookie)
›Embedded browser shares web app issues
›Rogue applications and rogue users
[1] http://www.crn.com.au/News/265931,video-details-android-browser-intercept-flaw.aspx
Client Side? More like Bad side, amirite?
Break That Down Into Attackers View
Attacker Targets Server
›SQL Injection
›XML Injection
›Other Injection
›Session Hijacking
Attacker Targets Device
›Overflows (Buffer, Integer)
›Format String Problems
›Privilege Escalation
›Insecure use of SSL
Client Side? More like Bad side, amirite?
What Does This Mean to a Developer?
›Time to throw out any assumptions that the device
will protect you by obfuscating anything
›A new set of security practices needs to be
developed and followed when creating apps
Client Side? More like Bad side, amirite?
Shifting Paradigms
– we hate ourselves
›Local Storage Review
– What is stored and why?
›Educating QA
– Proxy testing
›Review Local and Remote Inputs
›Information Leakage
A New Methodology
Local Storage Review
›Review what’s stored on the device by the
application
›Review what’s stored on the device by iOS
›Keep it simple, review to remove
A New Methodology
Educating QA
›Develop test cases for new and old vulnerabilities
›Formal process for testing communications and
settings
A New Methodology
Local And Remote Inputs
›User input from Apps is always a concern
›Don’t forget about responses that could be
intercepted or hijacked.
›Maintain the integrity of the device.
A New Methodology
Information Leakage
›Examine all traffic to / from the application, as
should be done with web applications
›Additional examination of what sensitive data may
be in the binary.
– Is it necessary? Keep it simple. Review to Remove.
Secure Coding
Buffer Overflow
What Can Go Wrong?
›Arbitrary executable code could be loaded and
executed on the device
›Bypass “seatbelt”
Buffer Overflow
How To Do It Right
›Same concerns as in C
›Use appropriate functions [1]
– Example: strlcpy NOT strncpy
›Properly calculate buffer size (constants)
›Includes integer bounds checking
[1] http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
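The three bullets above in working C, as an added example that is neither Apple’s sample code nor the deck’s own: a copy routine with the strlcpy contract (written out because strlcpy is missing from some libcs), a buffer whose size is one constant reused for every bound, and an overflow-checked size computation. `struct profile`, `NAME_MAX_LEN` and the helper names are made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the deck or Apple's guide. bounded_copy has the
 * strlcpy contract the deck recommends: it always NUL-terminates and returns
 * the full source length, so truncation is detectable by the caller. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t src_len = strlen(src);
    if (dst_size == 0) return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;           /* >= dst_size means the copy was truncated */
}

/* A fixed-size record built from untrusted input. The buffer size is a
 * single constant used both for the array and for every bound check. */
#define NAME_MAX_LEN 16

struct profile {
    char name[NAME_MAX_LEN];
};

/* Returns 1 on success, 0 if the input does not fit (rather than silently
 * truncating or, worse, overflowing). */
int set_profile_name(struct profile *p, const char *untrusted_name) {
    if (bounded_copy(p->name, sizeof p->name, untrusted_name) >= sizeof p->name) {
        p->name[0] = '\0';    /* leave a defined, empty value on rejection */
        return 0;
    }
    return 1;
}

/* Integer bounds checking before a length feeds an allocation (the deck's
 * "includes integer bounds checking" point). Returns 0 and leaves *out
 * untouched if count * elem_size would wrap around size_t. */
int checked_total_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;
    *out = count * elem_size;
    return 1;
}
```

The return-value convention is the point: strncpy gives the caller no way to learn that the source did not fit and may leave the destination unterminated, whereas the strlcpy contract makes the overlong-input case an explicit branch.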
Format String Attack
What Can Go Wrong?
›Application displays user input (as applications are
known to do)
›Uses the [NSString stringWithFormat:] method
›Uses the printf function
›Attacker sends “%s%s%s%s” instead of “Hello”
Format String Attack
How To Do It Right
›Enforce Secure Coding Standard
– Just like web applications
– No vulnerable function should accept untrusted user input
that could be used to determine the format of the output
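The rule above in code, as an added example that is not from the deck: the same echo-the-user’s-input feature written so that the format is a constant and the input is only ever data, plus a check that a “%s%s%s%s” probe comes back out as literal text. The vulnerable shape is shown only in a comment; function names are made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the deck. Scenario from the slides: an app echoes
 * a user-supplied string. Passing that string AS the format lets a probe
 * like "%s%s%s%s" drive printf; passing it as a %s argument makes the
 * directives inert text. Function names are made up for the illustration. */

/* The vulnerable shape the deck warns about is
 *
 *     printf(user_input);                      // user input is the format
 *     [NSString stringWithFormat:userInput];   // same mistake in Cocoa
 *
 * and is deliberately not compiled here. The safe shape follows. */

/* Safe: the format is a string literal and the input is data. Writes the
 * greeting into out (out_size bytes) and returns the length snprintf would
 * have produced, so callers can detect truncation. */
int greet_safe(char *out, size_t out_size, const char *user_input) {
    return snprintf(out, out_size, "Hello, %s", user_input);
}

/* Returns 1 if the rendered greeting contains the input verbatim, i.e. a
 * probe such as "%s%s%s%s" came out as text rather than being interpreted.
 * Returns 0 on truncation or an encoding error. */
int renders_literally(const char *user_input) {
    char buf[128];
    int n = greet_safe(buf, sizeof buf, user_input);
    if (n < 0 || (size_t)n >= sizeof buf) return 0;
    return strstr(buf, user_input) != NULL;
}
```

Compilers flag the vulnerable shape (`-Wformat-security` in GCC and Clang), so turning that warning into an error in the build is the cheapest way to enforce the coding standard the slide asks for.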
Race Conditions
What Can Go Wrong?
›Application manages state using the deviceID NOT
the session ID.
›Sessions not terminated properly on the server side
›Following Conditions
– User logged into the application at some point in the last
day and subsequently logged out.
– Attacker supplies wrong credentials through the mobile
app.
Race Conditions
What Can Go Wrong?
›Following Conditions
– Application requests “session refresh” while waiting for the
incorrect login response to be sent.
– Server “refreshes” the session based on the device ID.
– Application receives a response indicating the login was
successful, followed by a login denied error.
– Application subsequently ignores the login denied,
continues using the previous session now tied to the
Device ID.
Race Conditions
How To Do It Right
›Strong server side controls over access
– Policy enforcement on concurrent logins
– Do not maintain session via Device ID
– Properly Logout Users
›Make sure any mobile applications have the same,
proper logic enforcement as web applications.
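What the “How To Do It Right” bullets look like on the server, as an added example that is not the deck’s code and not any particular framework: a small in-memory session table keyed only by a random per-login token, with no device-ID lookup path at all. The credential check, the entropy source (/dev/urandom), the table size and the “one live session per user” concurrent-login policy are stand-ins chosen for the illustration; a real service verifies password hashes and persists sessions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the deck. Sessions are keyed by a random
 * per-login token and never by device ID; refresh needs a live token;
 * logout and failed logins never revive anything; and the concurrent-login
 * policy assumed here is "one live session per user". The credential check
 * and entropy source are stand-ins for illustration. */

#define MAX_SESSIONS 8
#define TOKEN_LEN 16

struct session {
    char token[TOKEN_LEN + 1];
    char user[32];
    int  live;
};

static struct session table[MAX_SESSIONS];

/* Hypothetical credential check; a real server verifies a stored hash. */
static int credentials_ok(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}

/* Fill token with TOKEN_LEN hex digits from /dev/urandom. Returns 0 if no
 * entropy is available, in which case the login is refused. */
static int make_token(char *token) {
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return 0;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(token + 2 * i, 3, "%02x", raw[i]);
    return 1;
}

static struct session *find(const char *token) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].live && strcmp(table[i].token, token) == 0)
            return &table[i];
    return NULL;
}

/* Logout: wipe the slot so the token can never match again. */
int session_logout(const char *token) {
    struct session *s = find(token);
    if (!s) return 0;
    memset(s, 0, sizeof *s);
    return 1;
}

/* Login: on success writes the new token to out (TOKEN_LEN + 1 bytes) and
 * returns 1. A failed login returns 0 and touches no existing session. */
int session_login(const char *user, const char *pass, char *out) {
    if (!credentials_ok(user, pass)) return 0;
    for (int i = 0; i < MAX_SESSIONS; i++)          /* single-session policy */
        if (table[i].live && strcmp(table[i].user, user) == 0)
            memset(&table[i], 0, sizeof table[i]);
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!table[i].live) {
            if (!make_token(table[i].token)) return 0;
            snprintf(table[i].user, sizeof table[i].user, "%s", user);
            table[i].live = 1;
            memcpy(out, table[i].token, TOKEN_LEN + 1);
            return 1;
        }
    }
    return 0;                                        /* table full */
}

/* Refresh is honoured only for a live token; there is no device-ID path. */
int session_refresh(const char *token) {
    return find(token) != NULL;
}
```

The race in the slides cannot occur in this design because there is nothing for a “refresh” to look up except the token the client already holds: a failed login creates no state, and a logged-out token is wiped rather than left dormant under a device identifier.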
Server Side
What Can Go Wrong?
›Just about everything
– Logic vulnerabilities
– Weak session controls
– Classic web application vulnerabilities
– Too much trust in the client-side controls
Server Side
How To Do It Right
›Harden the server
– Every client is treated like it might be malicious
›Use same guidelines as Web Apps
– OWASP Secure Development
Push Notifications
Push Notifications
Real Fast
http://www.dhanjani.com/
Secure Communications
Secure Communications
SSL Whaaaa?
›NSURL method
– iOS is secure by default in regards to SSL
certs when using this method to retrieve
HTTPS content
Source: http://www.flickr.com/photos/mikebaird/
Secure Communications
Well, that’s true now…
›SSLizzard
– Exploit developed by SpiderLabs to take advantage of weakness in certificate
validation. [1]
– Allowed SSL MITM attacks without errors.
– Apple patched this, “This vulnerability has been corrected in versions 5.0b4,
4.3.5, and 4.2.10.”
[1] TWSL2011-007: iOS SSL Implementation Does Not Validate Certificate Chain,
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
Secure Communications
SSL Whaaaa?
Source: http://www.flickr.com/photos/lenore-m/
This Is It
This Is It
Review
›The Basics
›Setup For Testing
›Secure Storage of Data And Credentials
›Inadvertent Local Storage and Caching
›Client Side Sanitization
›Secure Coding
›Push Notifications
›Secure Communications
This Is It
Summary
›Testing is easy
– For you and for “them”
›Security is hard
– Really just for you
›So test everything!