Auditing iPhone and iPad applications
1. Auditing iPhone and iPad applications. Ilja van Sprundel <ivansprundel@ioactive.com>

2. Who am I? Ilja van Sprundel: IOActive, netric, blogs.23.nu/ilja.

3. What this talk is[n't] about. Is: common security issues seen in 3rd party iOS applications, possible fixes or mitigations for them, and in some cases how to exploit them. Isn't: bugs in iOS itself (to some extent it does cover some API shortcomings).

4. Introduction. The mobile app market exploded over the last 2 years; lots of demand for security reviews of iPhone and iPad apps over the last year or so. Very little has been published. I've done a number of them in the last 10 months; these are notes of what I've learned so far.

5. Application environment. Native applications. iOS is a port of Mac OS X to the ARM cpu; Obj-C (a strict C superset); the Obj-C classes take care of most low-level handling (memory allocations, ...).

6. Transport security. A fair amount of iOS apps need to do secure transactions: online banking, online trading, ... They will use SSL. Use of https:// URLs passed to the NSURLRequest / NSURLConnection API uses a set of default ciphers:

7. Transport security. (image-only slide)

8. Transport security. TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_RSA_WITH_DES_CBC_SHA.

9. Transport security. On by default; no (documented) way to turn it off. This is (kinda) documented: from Apple's Secure Coding Guide (2010-02-12), page 29.

10. Transport security. The SSL APIs on iOS aren't granular enough; a developer should be able to set ciphersuites. You can't fix it, but you can mitigate it: include an SSL library and use that one (e.g. CyaSSL and MatrixSSL are built for embedded use).

11. Transport security. The documentation said Secure Transport programming is not available, use CFNetwork. CFNetwork doesn't allow setting ciphersuites (AFAIK); it does have APIs for some other things: allow expired certs, allow expired roots, allow any root, don't validate the certificate chain.

12. Transport security.

    NSMutableDictionary *settings = [[NSMutableDictionary alloc] init];
    [settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsExpiredCertificates];
    [settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsExpiredRoots];
    [settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
    [settings setObject:[NSNumber numberWithBool:NO] forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
    CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);
    CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);

13. Transport security. Luckily none of that is on by default! It takes quite some work for a developer to screw this up; however, it's not unthinkable: "wait, we shipped that debug code???".

14. url handlers / IPC. By design the iPhone does not allow sharing between applications, but application developers sometimes need to share anyway. Developers (initially) found a way around this; it now appears to be supported by Apple (according to developer.apple.com).

15. url handlers / IPC. An application can register a URL handler; another application would call that URL, with data. A rather simple IPC mechanism: http://mobileorchard.com/apple-approved-iphone-inter-process-communication/

16. url handlers / IPC. Registered in the info.plist file; the code looks like:

    - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
        [viewController handleURL:url];
        return YES;
    }

17. url handlers / IPC. Any webpage can call that link too, so any webpage can now also do IPC with the application. This IPC mechanism clearly had unintended consequences.

18. url handlers / IPC. So the browser can call the URL handlers too. Wouldn't it be neat if we could get it done without tricking a user into visiting a webpage from their Mobile Safari?

19. url handlers / IPC. iOS 3 (and beyond) has this neat wifi hotspot feature: if it connects to a wifi network and detects redirection, it assumes it's a wifi hotspot, pops up Mobile Safari, and goes to the redirected page. See http://support.apple.com/kb/HT3867.

20. url handlers / IPC. Looks like this: (image-only slide)

21. url handlers / IPC. The attack is quite simple: you must be on the same LAN; knock the iOS device off the network; when it rejoins, forge the redirect to your webpage.

22. url handlers / IPC. On by default; you can turn it off (on iOS 4).

23. url handlers / IPC. Starting from iOS 4.2 there is a newer API that should be used: application:openURL:sourceApplication:annotation:. From the documentation: (image-only slide)

24. url handlers / IPC. openURL is a much more elegant API for IPC: it shows you who's calling (so you can reject the browser, for example) and allows passing an object instead of serializing over URL arguments.

25. UIWebView. Can be used to build a GUI (mostly in web-like environments); basically renders HTML (can do JavaScript!); a browser window, more or less.

26. UIWebView. Vulnerable to attack (if used as a GUI): if an attacker can inject unescaped data, it will lead to cross-site scripting.

27. UIWebView. By default there is no bridge from a UIWebView's JavaScript to actual Obj-C. Most iOS app developers that use UIWebView (for GUIs) would like there to be one: a URL handler, only valid for that specific UIWebView, the shouldStartLoadWithRequest: method.

28. UIWebView. That URL handler can do anything you want it to do. Most UIWebView URL handlers are used to handle some internals, and the arguments are considered trusted! Even worse, a lot of them serialize/unserialize a method name and parameters!

29. UIWebView. (image-only slide)

30. UIWebView. If used simply as a browser, it can do a lot more than render HTML and interact with web applications: it can parse and render a large number of file formats (and will not prompt the user first!).

31. UIWebView. Excel (.xls), Keynote (.key.zip) (and also zip files), Numbers (.numbers.zip), Pages (.pages.zip), PDF (.pdf), PowerPoint (.ppt), Word (.doc), RTF (.rtf) / RTF dictionary (.rtfd.zip), Keynote 09 (.key), Numbers 09 (.numbers), Pages 09 (.pages).

32. UIWebView. A very long list of enormously difficult file formats to parse. Once parsed it gets rendered as HTML in the current DOM. Apple APIs, but they are in-proc! On by default; no way to turn this off.

33. UIWebView. Does a number of other things: e.g. tries to detect phone numbers and turns them into tel: URLs. You can turn this off: set the detectsPhoneNumbers property to NO.

34. UIWebView. Mitigation: render out of proc: give the URL to Safari instead of rendering it in the UIWebView. Attack surface reduction: if a bug gets exploited now, your application is no longer affected.

35. UIImage. Wide attack surface, very similar to UIWebView. UIImage is a general image class; it can handle a _LOT_ of image file formats.

36. UIImage. tiff, jpeg, png, bmp, ico, cur, xbm, gif.

37. UIImage. Not to mention some extensions that work with various image file formats: EXIF, ICC profiles.

38. UIImage. Huge attack surface; there is no property to specify which formats you want and which you don't want.

39. UIImage. 2 possible workarounds. UIImage allows using a CGImageRef: use the more low-level native Core Graphics library to specifically load jpg or png, then feed the CGImageRef to UIImage.

40. UIImage. Or you could just look at the first couple of bytes of the image file; each graphics format is trivial to detect based on some magic bytes at the beginning. For example: PNG signature: 137 80 78 71 13 10 26 10 (decimal); JPG signature: 4A 46 49 46; GIF signature: 47 49 46 38 39 61 or 47 49 46 38 37 61; BMP: first 2 bytes "BM".

41. header / xml injection. Not iOS specific, however rampant in mobile apps, mostly with regards to interacting with web services: devs implement their own HTTP handling stuff and forget things like escaping.

42. header / xml injection. Consider the following example:

    - (NSData *)HTTPHdrData {
        NSMutableString *metadataString = [NSMutableString string];
        [metadataString appendString:@"Content-Disposition: form-data"];
        // name, fileName and contentType are appended unescaped: a CR LF in any of them
        // terminates the header line and injects whatever follows as further headers
        if (self.name)
            [metadataString appendFormat:@"; name=\"%@\"", self.name];
        if (self.fileName)
            [metadataString appendFormat:@"; filename=\"%@\"", self.fileName];
        [metadataString appendString:@"\r\n"];
        if (self.contentType)
            [metadataString appendFormat:@"Content-Type: %@\r\n", self.contentType];
        return [metadataString dataUsingEncoding:NSUTF8StringEncoding];
    }

43. header / xml injection. iOS has some decent APIs for this: NSMutableURLRequest addValue:forHTTPHeaderField: and setValue:forHTTPHeaderField: are not vulnerable to injection, although they do fail silently if injection is detected.

44. Format string bugs. iPhone apps use Obj-C, which is native code; however, if you stick to the Obj-C syntax and the classes provided, the chances of overflows and the like are small (the provided classes can do almost anything you want). The provided classes also have format-based functions.

45. Format string bugs. These format string functions can also lead to format string bugs. It seems most iOS apps are riddled with them; most iOS app developers don't seem to know this is a problem.

46. Format string bugs. Vulnerable Obj-C methods: NSLog(), [NSString stringWithFormat:], [NSString initWithFormat:], [NSMutableString appendFormat:], [NSAlert informativeTextWithFormat:], [NSPredicate predicateWithFormat:], [NSException format:], NSRunAlertPanel.

47. Format string bugs. Obj-C is a superset of C, so all C fmt functions could also be abused in iOS apps: printf, snprintf, fprintf, ...

48. Exploiting NS* format string bugs. These aren't the format string bugs you're looking for: the NS* object format functions are slightly different from the printf*-style ones. They don't support %n; can't write to arbitrary addresses?

49-51. (image-only slides)

52. Exploiting bugs.

53-62. (image-only slides)

63. Binary protocol handling. Said before: Obj-C is a superset of C; stick to NS* objects and you're mostly safe. Binary protocol handling is sort of the exception: there are no good Obj-C classes for that, so developers have to fall back to old C-style binary protocol parsing.

64. Directory traversal. iOS has similar file APIs as Mac OS X, so the same types of desktop/server OS file issues: NSFileManager.

65. Directory traversal. Classic dir traversal: ../../../../ will work.

    NSString *file = [[NSString alloc] initWithFormat:@"%@/%@", NSTemporaryDirectory(), attackerControlledString];
    NSFileManager *m = [NSFileManager defaultManager];
    [m createFileAtPath:file contents:nsd attributes:nil];   // nsd: the NSData being written

66. Directory traversal. Poison NULL byte: ../../../../blahblah\0. This works because NSStrings don't use 0-bytes to terminate a string, but the iOS kernel does, so the ".ext" suffix below never reaches the kernel.

    NSString *file = [[NSString alloc] initWithFormat:@"%@/%@.ext", NSTemporaryDirectory(), attackerControlledString];
    NSFileManager *m = [NSFileManager defaultManager];
    [m createFileAtPath:file contents:nsd attributes:nil];   // nsd: the NSData being written

67. NSXMLParser. NSXMLParser is the class used to parse XML files. It handles DTDs by default (billion laughs); no way to turn it off. It doesn't resolve external entities by default; that can be turned on.

68. NSXMLParser. There's kind of a hairy workaround. 6 callbacks can be defined that will be called if a DTD is encountered: foundElementDeclarationWithName, foundAttributeDeclarationWithName, foundInternalEntityDeclarationWithName, foundExternalEntityDeclarationWithName, foundNotationDeclarationWithName, foundUnparsedEntityDeclarationWithName.

69. NSXMLParser. (abort: is the app's own helper that calls abortParsing and records the reason)

    - (void)parser:(NSXMLParser *)parser foundExternalEntityDeclarationWithName:(NSString *)entityName
          publicID:(NSString *)publicID systemID:(NSString *)systemID {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser foundAttributeDeclarationWithName:(NSString *)attributeName
        forElement:(NSString *)elementName type:(NSString *)type defaultValue:(NSString *)defaultValue {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser foundElementDeclarationWithName:(NSString *)elementName
             model:(NSString *)model {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser foundInternalEntityDeclarationWithName:(NSString *)name
             value:(NSString *)value {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser foundUnparsedEntityDeclarationWithName:(NSString *)name
          publicID:(NSString *)publicID systemID:(NSString *)systemID notationName:(NSString *)notationName {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser foundNotationDeclarationWithName:(NSString *)name
          publicID:(NSString *)publicID systemID:(NSString *)systemID {
        [self abort:@"DTD"];
    }

70. NSXMLParser. This works, but it's hairy and error-prone; it would be nice if NSXMLParser had a parseDTD attribute.

71. Questions?
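The following examples are added here and are not code from the deck or from its author. The first one ties slides 23-24 (the application:openURL:sourceApplication:annotation: entry point) and slides 27-28 (the UIWebView bridge that deserializes method names from URLs) to one dispatcher: every URL-delivered command is looked up in a fixed table and the argument stays a bounded string, so no selector is ever derived from input. The scheme "myapp", the class SafeURLDispatcher, the "arg" query parameter and the two command handlers are assumptions of this example; the Mobile Safari bundle id "com.apple.mobilesafari" is the real one. ARC is assumed.

```objective-c
// Added example, not the deck's code: allowlisted command dispatch shared by the
// app-level URL handler and the UIWebView bridge (assumed names throughout).
#import <UIKit/UIKit.h>

typedef void (^SafeCommandHandler)(NSString *argument);

@interface SafeURLDispatcher : NSObject <UIApplicationDelegate, UIWebViewDelegate>
@property (nonatomic, copy) NSSet<NSString *> *allowedCallers;   // bundle ids we accept IPC from
@end

@implementation SafeURLDispatcher

// Fixed table: command name -> handler. Anything not listed here is rejected, so a
// caller cannot name an arbitrary method the way the slide-28 bridges allow.
- (NSDictionary<NSString *, SafeCommandHandler> *)commandTable {
    __weak typeof(self) weakSelf = self;
    return @{
        @"open-item": ^(NSString *arg) { [weakSelf openItemWithID:arg]; },
        @"search":    ^(NSString *arg) { [weakSelf searchFor:arg]; },
    };
}

// myapp://open-item?arg=42 -> command "open-item", argument "42".
// The argument remains untrusted data: bounded in length and passed as a value only.
- (BOOL)dispatchCommandFromURL:(NSURL *)url {
    NSURLComponents *parts = [NSURLComponents componentsWithURL:url resolvingAgainstBaseURL:NO];
    NSString *argument = nil;
    for (NSURLQueryItem *item in parts.queryItems) {
        if ([item.name isEqualToString:@"arg"]) argument = item.value;
    }
    SafeCommandHandler handler = [self commandTable][parts.host ?: @""];
    if (handler == nil || argument.length == 0 || argument.length > 256) return NO;
    handler(argument);
    return YES;
}

// The iOS 4.2 entry point from slide 23: the caller's bundle id is available, so the
// browser (and with it any web page or forged hotspot redirect) can be refused.
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {
    if (sourceApplication == nil) return NO;
    if ([sourceApplication isEqualToString:@"com.apple.mobilesafari"]) return NO;
    if (![self.allowedCallers containsObject:sourceApplication]) return NO;
    return [self dispatchCommandFromURL:url];
}

// The in-app bridge from slides 27-28: same dispatcher, and the fake URL is never loaded.
- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request
 navigationType:(UIWebViewNavigationType)navigationType {
    if (![request.URL.scheme isEqualToString:@"myapp"]) return YES;   // ordinary navigation
    [self dispatchCommandFromURL:request.URL];
    return NO;
}

- (void)openItemWithID:(NSString *)itemID { NSLog(@"open item %@", itemID); }
- (void)searchFor:(NSString *)term       { NSLog(@"search for %@", term); }

@end
```

Whether a command should be reachable from the browser at all is a per-command decision; this example refuses the browser wholesale, which is the conservative default once the hotspot redirect attack on slides 19-21 is taken into account.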
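Slides 39 and 40 describe two UIImage workarounds: sniffing the magic bytes, and loading through the format-specific Core Graphics decoders. This added example (not the deck's code) combines them: the file's signature decides the format, only PNG and JPEG are decoded, and the decode goes through CGImageCreateWithPNGDataProvider / CGImageCreateWithJPEGDataProvider rather than through UIImage's general loader. The function and enum names are chosen for this example; note that the "4A 46 49 46" (JFIF) bytes on slide 40 sit at offset 6 of a JFIF file, so the check below uses the FF D8 FF start-of-image marker at offset 0. ARC is assumed.

```objective-c
// Added example, not the deck's code: magic-byte sniffing plus format-specific
// Core Graphics decoding so UIImage never sees an unexpected container format.
#import <UIKit/UIKit.h>
#import <CoreGraphics/CoreGraphics.h>
#include <string.h>

typedef NS_ENUM(NSInteger, SafeImageFormat) {
    SafeImageFormatUnknown = 0,
    SafeImageFormatPNG,
    SafeImageFormatJPEG,
    SafeImageFormatGIF,
    SafeImageFormatBMP,
};

// Signatures from slide 40: PNG 137 80 78 71 13 10 26 10, GIF "GIF89a"/"GIF87a",
// BMP "BM". JPEG is recognised by the FF D8 FF marker at offset 0 (the "JFIF" bytes
// the slide lists follow at offset 6 and are absent from Exif-style JPEGs).
SafeImageFormat SafeImageFormatForData(NSData *data) {
    const uint8_t *b = (const uint8_t *)data.bytes;
    NSUInteger n = data.length;
    static const uint8_t png[8] = {137, 80, 78, 71, 13, 10, 26, 10};
    if (n >= 8 && memcmp(b, png, 8) == 0) return SafeImageFormatPNG;
    if (n >= 3 && b[0] == 0xFF && b[1] == 0xD8 && b[2] == 0xFF) return SafeImageFormatJPEG;
    if (n >= 6 && (memcmp(b, "GIF89a", 6) == 0 || memcmp(b, "GIF87a", 6) == 0)) return SafeImageFormatGIF;
    if (n >= 2 && b[0] == 'B' && b[1] == 'M') return SafeImageFormatBMP;
    return SafeImageFormatUnknown;
}

// Decode only the allowed formats, each with its own Core Graphics loader, and wrap
// the CGImageRef in a UIImage (slide 39). Everything else returns nil undecoded.
UIImage *SafeImageFromData(NSData *data) {
    CGDataProviderRef provider = CGDataProviderCreateWithCFData((__bridge CFDataRef)data);
    if (provider == NULL) return nil;
    CGImageRef cgImage = NULL;
    switch (SafeImageFormatForData(data)) {
        case SafeImageFormatPNG:
            cgImage = CGImageCreateWithPNGDataProvider(provider, NULL, false, kCGRenderingIntentDefault);
            break;
        case SafeImageFormatJPEG:
            cgImage = CGImageCreateWithJPEGDataProvider(provider, NULL, false, kCGRenderingIntentDefault);
            break;
        default:
            break;   // GIF, BMP, TIFF, ICO, CUR, XBM, ...: refused, never handed to a decoder
    }
    CGDataProviderRelease(provider);
    if (cgImage == NULL) return nil;
    UIImage *image = [UIImage imageWithCGImage:cgImage];
    CGImageRelease(cgImage);
    return image;
}
```

The signature check is the gate and the format-specific loader is the enforcement: even if a file carries a PNG signature, it is only ever parsed as PNG, so a content-sniffing decoder cannot pick a different parser than the one you audited for.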
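Slides 41-43 show a hand-built multipart header that appends name, filename and content type unescaped, and note that NSMutableURLRequest's header setters refuse injected values but do so silently. This added example (not the deck's code) is the hardened counterpart: part headers still have to be built by hand (Foundation has no API for them), so each parameter is quoted with quote and backslash escaped and CR/LF stripped, and a content type carrying CR/LF is rejected outright; for request-level headers the CR/LF check runs before setValue:forHTTPHeaderField: so a bad value surfaces as an error in your own code. Function names are chosen for this example.

```objective-c
// Added example, not the deck's code: hardened counterpart of slide 42's HTTPHdrData.
#import <Foundation/Foundation.h>

// YES if the value contains no CR or LF, i.e. it cannot end the current header line.
static BOOL SafeHeaderValueIsClean(NSString *value) {
    NSCharacterSet *crlf = [NSCharacterSet characterSetWithCharactersInString:@"\r\n"];
    return value != nil && [value rangeOfCharacterFromSet:crlf].location == NSNotFound;
}

// Quote a Content-Disposition parameter value: backslash and double quote are
// escaped, CR/LF removed, so the value cannot break out of its quotes or its line.
static NSString *SafeQuotedParameter(NSString *value) {
    NSString *v = [value stringByReplacingOccurrencesOfString:@"\\" withString:@"\\\\"];
    v = [v stringByReplacingOccurrencesOfString:@"\"" withString:@"\\\""];
    v = [v stringByReplacingOccurrencesOfString:@"\r" withString:@""];
    v = [v stringByReplacingOccurrencesOfString:@"\n" withString:@""];
    return [NSString stringWithFormat:@"\"%@\"", v];
}

// Multipart part header. Returns nil instead of emitting a header that was tampered
// with, so the caller can fail the upload rather than send a mangled request.
NSData *SafePartHeaderData(NSString *name, NSString *fileName, NSString *contentType) {
    if (contentType != nil && !SafeHeaderValueIsClean(contentType)) return nil;
    NSMutableString *header = [NSMutableString stringWithString:@"Content-Disposition: form-data"];
    if (name)     [header appendFormat:@"; name=%@", SafeQuotedParameter(name)];
    if (fileName) [header appendFormat:@"; filename=%@", SafeQuotedParameter(fileName)];
    [header appendString:@"\r\n"];
    if (contentType) [header appendFormat:@"Content-Type: %@\r\n", contentType];
    return [header dataUsingEncoding:NSUTF8StringEncoding];
}

// Request-level headers: use the Foundation setter (slide 43), but check first so a
// rejected value is an error you see instead of a header that silently goes missing.
NSMutableURLRequest *SafeRequestWithHeader(NSURL *url, NSString *field, NSString *value) {
    if (!SafeHeaderValueIsClean(field) || !SafeHeaderValueIsClean(value)) return nil;
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    [request setValue:value forHTTPHeaderField:field];
    return request;
}
```

With the slide's own inputs, a fileName of "a\r\nContent-Type: text/html" becomes the single parameter filename="aContent-Type: text/html" rather than a second header line, and the same string passed as a request header value makes SafeRequestWithHeader return nil.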
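Slides 44-47 list the NS* format methods and say most apps pass data where a format string belongs. This added example (not the deck's code) shows the vulnerable and the fixed call shape side by side, and an app-wide logging wrapper declared with NS_FORMAT_FUNCTION, which is what lets clang's -Wformat-nonliteral / -Wformat-security warnings reach your own wrappers and not just NSLog. SafeLog, DescribeServerMessage and the sample message are constructed for this example.

```objective-c
// Added example, not the deck's code: NS* format calls done right, with a wrapper
// that keeps the compiler's format checking (names chosen for this example).
#import <Foundation/Foundation.h>

// Argument 1 is the format, variadic arguments start at 2: clang now warns when a
// caller passes a non-literal format to SafeLog, exactly as it does for NSLog.
void SafeLog(NSString *format, ...) NS_FORMAT_FUNCTION(1, 2);

void SafeLog(NSString *format, ...) {
    va_list args;
    va_start(args, format);
    NSString *line = [[NSString alloc] initWithFormat:format arguments:args];
    va_end(args);
    NSLog(@"%@", line);   // the assembled line is data, so it travels as an argument
}

// A message as it might arrive from a server or another app; constructed here.
static NSString *const kSampleServerMessage = @"status %x %x %@";

NSString *DescribeServerMessage(NSString *untrusted) {
    // Vulnerable shape (slides 45-46): the untrusted string *is* the format, so each
    // %x reads a stack word and %@ treats one as an object pointer:
    //   NSLog(untrusted);
    //   [NSString stringWithFormat:untrusted];
    //   [NSPredicate predicateWithFormat:untrusted];
    // Fixed shape: a literal format, the data as an argument.
    SafeLog(@"server said: %@", untrusted);
    NSPredicate *byName = [NSPredicate predicateWithFormat:@"name == %@", untrusted];
    (void)byName;   // %@ in a predicate format quotes the value, so it cannot alter the query
    return [NSString stringWithFormat:@"server said: %@", untrusted];
}
```

Build with -Wformat -Wformat-security (or -Wformat-nonliteral for the strict form) and the three commented-out calls above are reported at compile time; that single compiler flag is the cheapest audit step for the class of bug on slides 44-48.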
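Slides 65 and 66 build a path by concatenating a temporary directory with an attacker-controlled string, which admits both ../ traversal and a poisoned NUL that truncates the ".ext" suffix at the kernel boundary. This added example (not the deck's code) is a replacement for that concatenation: it detects the embedded NUL by comparing NSString's byte count with strlen of the C string, refuses separators and dot-dot components so the name can only ever be a single path component, and appends the extension only after the check. SafePathInDirectory and SafeWriteFile are names chosen for this example.

```objective-c
// Added example, not the deck's code: a file-name check that closes the two holes
// on slides 65-66 (names chosen for this example).
#import <Foundation/Foundation.h>
#include <string.h>

// Returns baseDir/name, or nil when `name` cannot be a plain file name.
NSString *SafePathInDirectory(NSString *baseDir, NSString *name) {
    if (name.length == 0 || name.length > 255) return nil;
    // Poison NUL (slide 66): NSString keeps the 0 character, the kernel stops at it.
    // When one is present the UTF-8 byte count and strlen of the C string disagree.
    const char *cstr = [name UTF8String];
    if (cstr == NULL || strlen(cstr) != [name lengthOfBytesUsingEncoding:NSUTF8StringEncoding]) {
        return nil;
    }
    // Classic traversal (slide 65): a separator or a dot-dot component can only mean
    // the caller is trying to leave baseDir. A bare "." is refused as well.
    if ([name rangeOfString:@"/"].location != NSNotFound) return nil;
    if ([name isEqualToString:@"."] || [name isEqualToString:@".."]) return nil;
    return [baseDir stringByAppendingPathComponent:name];
}

// The slides' createFileAtPath: call, with the extension appended after the check
// so a NUL can no longer drop it. Returns NO when the name is refused or the write fails.
BOOL SafeWriteFile(NSString *name, NSString *extension, NSData *contents) {
    NSString *path = SafePathInDirectory(NSTemporaryDirectory(), name);
    if (path == nil) return NO;
    path = [path stringByAppendingPathExtension:extension];
    return [[NSFileManager defaultManager] createFileAtPath:path contents:contents attributes:nil];
}
```

Both payloads from the slides are refused by the component rule alone ("../../../../blahblah" contains a separator), and the NUL check catches the variant where the traversal is absent but the truncation is the point, for example "report\0" aimed at writing a file without the extension the app expected.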
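Slides 67-70 give the workaround for NSXMLParser's always-on DTD handling: implement the six declaration callbacks and abort. This added example (not the deck's code) writes that out as a complete delegate, leaves external entity resolution off explicitly, and runs it over two small documents constructed inline, one plain and one with an internal DTD, so the refusal can be observed. SafeXMLGate, SafeXMLDocumentIsAccepted and the sample documents are chosen for this example.

```objective-c
// Added example, not the deck's code: the slide-69 workaround as a full delegate,
// plus a gate function and constructed inputs (names chosen for this example).
#import <Foundation/Foundation.h>

@interface SafeXMLGate : NSObject <NSXMLParserDelegate>
@property (nonatomic) BOOL sawDTD;
@end

@implementation SafeXMLGate

// Every DTD declaration lands here: stop the parse before any entity can be expanded.
- (void)refuse:(NSXMLParser *)parser {
    self.sawDTD = YES;
    [parser abortParsing];
}

- (void)parser:(NSXMLParser *)parser foundElementDeclarationWithName:(NSString *)elementName
         model:(NSString *)model { [self refuse:parser]; }
- (void)parser:(NSXMLParser *)parser foundAttributeDeclarationWithName:(NSString *)attributeName
    forElement:(NSString *)elementName type:(NSString *)type
  defaultValue:(NSString *)defaultValue { [self refuse:parser]; }
- (void)parser:(NSXMLParser *)parser foundInternalEntityDeclarationWithName:(NSString *)name
         value:(NSString *)value { [self refuse:parser]; }
- (void)parser:(NSXMLParser *)parser foundExternalEntityDeclarationWithName:(NSString *)name
      publicID:(NSString *)publicID systemID:(NSString *)systemID { [self refuse:parser]; }
- (void)parser:(NSXMLParser *)parser foundNotationDeclarationWithName:(NSString *)name
      publicID:(NSString *)publicID systemID:(NSString *)systemID { [self refuse:parser]; }
- (void)parser:(NSXMLParser *)parser foundUnparsedEntityDeclarationWithName:(NSString *)name
      publicID:(NSString *)publicID systemID:(NSString *)systemID
  notationName:(NSString *)notationName { [self refuse:parser]; }

@end

// YES only if the document parsed to the end without any DTD declaration being seen.
BOOL SafeXMLDocumentIsAccepted(NSData *xml) {
    SafeXMLGate *gate = [[SafeXMLGate alloc] init];
    NSXMLParser *parser = [[NSXMLParser alloc] initWithData:xml];
    parser.delegate = gate;
    parser.shouldResolveExternalEntities = NO;   // the default (slide 67), stated explicitly
    BOOL parsed = [parser parse];
    return parsed && !gate.sawDTD;
}

// Constructed inputs: a plain document and one that declares a single internal entity.
static NSString *const kPlainDocument = @"<?xml version=\"1.0\"?><root><item>1</item></root>";
static NSString *const kDTDDocument   = @"<?xml version=\"1.0\"?>"
                                        @"<!DOCTYPE root [<!ENTITY e \"x\">]>"
                                        @"<root>&e;</root>";

void SafeXMLDemo(void) {
    NSData *plain = [kPlainDocument dataUsingEncoding:NSUTF8StringEncoding];
    NSData *dtd   = [kDTDDocument dataUsingEncoding:NSUTF8StringEncoding];
    NSLog(@"plain accepted: %d, DTD accepted: %d",
          SafeXMLDocumentIsAccepted(plain), SafeXMLDocumentIsAccepted(dtd));
}
```

Refusing on the first declaration callback is the whole defence: the entity expansion that makes a billion-laughs document expensive only happens once the DTD has been read, and abortParsing from inside the declaration callback prevents the parser from getting there. In an app the gate delegate would wrap or precede the real content delegate, since abortParsing also ends delivery of element callbacks.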