Auditing iPhone and iPad applications

(original file: Auditting iPhone and iPad applications.ppt)
1 Auditing iPhone and iPad applications

Ilja van Sprundel <ivansprundel@ioactive.com>

2 Who am I

Ilja van Sprundel
IOActive
netric
blogs.23.nu/ilja

3 What this talk is[n't] about

Is:
common security issues seen in 3rd-party iOS applications
possible fixes or mitigations for them
how to exploit them, in some cases

Isn't:
bugs in iOS itself (to some extent it does cover some API shortcomings)

4 Introduction

The mobile app market exploded over the last 2 years.
Lots of demand for security reviews of iPhone and iPad apps over the last year or so.
Very little has been published.
I've done a number of them in the last 10 months; these are notes of what I've learned so far.

5 Application environment

Native applications.
iOS is a port of Mac OS X to the ARM CPU.
Objective-C (a strict C superset).
Obj-C classes take care of most low-level handling (memory allocation, ...).

6 Transport security

A fair amount of iOS apps need to do secure transactions: online banking, online trading, ...
They will use SSL: https:// URLs passed to the NSURLRequest / NSURLConnection API.
The API uses a set of default cipher suites:

7 Transport security

8 Transport security

Among the defaults are these single-DES (56-bit) and export (40-bit) suites:
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

9 Transport security

On by default.
No (documented) way to turn it off.
This is (kinda) documented:

from Apple's Secure Coding Guide (2010-02-12), page 29

10 Transport security

The SSL APIs on iOS aren't granular enough: the developer should be able to set cipher suites.
You can't fix it, but you can mitigate it: include an SSL library and use that one (e.g. CyaSSL and MatrixSSL are built for embedded use).

11 Transport security

The documentation said Secure Transport programming was not available; use CFNetwork.
CFNetwork doesn't allow setting cipher suites (AFAIK).
It does have APIs for some other things:
allow expired certs
allow expired roots
allow any root
don't validate the certificate chain

12 Transport security

    // every one of these settings weakens or disables certificate validation
    NSMutableDictionary *settings = [[NSMutableDictionary alloc] init];
    [settings setObject:[NSNumber numberWithBool:YES]
                 forKey:(NSString *)kCFStreamSSLAllowsExpiredCertificates];
    [settings setObject:[NSNumber numberWithBool:YES]
                 forKey:(NSString *)kCFStreamSSLAllowsExpiredRoots];
    [settings setObject:[NSNumber numberWithBool:YES]
                 forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
    [settings setObject:[NSNumber numberWithBool:NO]
                 forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
    CFReadStreamSetProperty((CFReadStreamRef)inputStream,
                            kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);
    CFWriteStreamSetProperty((CFWriteStreamRef)outputStream,
                             kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);

13 Transport security

Luckily none of that is on by default!
It takes quite some work for a developer to screw this up.
However, it's not unthinkable: "wait, we shipped that debug code???"
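The cipher suite list on slide 8 is what the client advertises, so the cheapest check during an audit is to capture the app's ClientHello (tcpdump on the same network) and look at the offered suites. The following is an added example, not code from the deck: a C parser for a TLS ClientHello record that counts the suites the deck flags. The sample record is constructed for this example; the 16-bit suite identifiers are the IANA registry values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA identifiers of the suites the deck lists among the iOS defaults. */
#define TLS_RSA_EXPORT_WITH_RC4_40_MD5        0x0003
#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA     0x0008
#define TLS_RSA_WITH_DES_CBC_SHA              0x0009
#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014
#define TLS_DHE_RSA_WITH_DES_CBC_SHA          0x0015

/* 40-bit export and single-DES suites: anything a well-funded attacker can brute-force. */
int is_weak_suite(uint16_t id) {
    switch (id) {
    case TLS_RSA_EXPORT_WITH_RC4_40_MD5:
    case TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
    case TLS_RSA_WITH_DES_CBC_SHA:
    case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
    case TLS_DHE_RSA_WITH_DES_CBC_SHA:
        return 1;
    default:
        return 0;
    }
}

/* Walk a ClientHello (TLS record header + handshake header) and return the
 * number of weak suites offered, or -1 if the record is malformed. *total
 * receives the number of suites offered. Only the fields up to the cipher
 * suite list are parsed; extensions are not needed for this check. */
int audit_client_hello(const uint8_t *rec, size_t len, int *total) {
    size_t p, cs_len;
    int weak = 0;
    *total = 0;
    /* record: type(1)=0x16 version(2) length(2); handshake: type(1)=0x01 length(3) */
    if (len < 9 || rec[0] != 0x16 || rec[5] != 0x01)
        return -1;
    p = 9 + 2 + 32;                        /* skip client_version and random */
    if (p >= len) return -1;
    p += 1 + rec[p];                       /* session_id */
    if (p + 2 > len) return -1;
    cs_len = ((size_t)rec[p] << 8) | rec[p + 1];
    p += 2;
    if (cs_len % 2 != 0 || cs_len > len - p) return -1;
    for (size_t i = 0; i < cs_len; i += 2) {
        uint16_t id = (uint16_t)((rec[p + i] << 8) | rec[p + i + 1]);
        (*total)++;
        if (is_weak_suite(id)) {
            weak++;
            printf("weak suite offered: 0x%04x\n", id);
        }
    }
    return weak;
}

/* Constructed sample ClientHello (TLS 1.0) offering AES-128-SHA, 3DES-SHA,
 * RC4-128-SHA and the five weak suites above. */
static const uint8_t sample_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x3b,             /* record header, 59 bytes follow */
    0x01, 0x00, 0x00, 0x37,                   /* ClientHello, 55 bytes follow */
    0x03, 0x01,                               /* client_version */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,   /* random (32 bytes) */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x00,                                     /* session_id length */
    0x00, 0x10,                               /* cipher_suites: 16 bytes, 8 suites */
    0x00, 0x2f, 0x00, 0x0a, 0x00, 0x05, 0x00, 0x03,
    0x00, 0x08, 0x00, 0x09, 0x00, 0x14, 0x00, 0x15,
    0x01, 0x00                                /* compression_methods: null */
};

int sample_weak_count(void)  { int t; return audit_client_hello(sample_hello, sizeof sample_hello, &t); }
int sample_total_count(void) { int t; audit_client_hello(sample_hello, sizeof sample_hello, &t); return t; }
int sample_truncated(void)   { int t; return audit_client_hello(sample_hello, 20, &t); }

int main(void) {
    int total;
    int weak = audit_client_hello(sample_hello, sizeof sample_hello, &total);
    printf("%d of %d offered suites are weak\n", weak, total);
    return weak > 0;
}
```

Run it against a real capture by replacing sample_hello with the bytes of the captured record; a truncated or non-ClientHello record is reported as -1 rather than silently counted as clean.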

14 URL handlers / IPC

By design, the iPhone does not allow sharing between applications.
Application developers sometimes need to share anyway.
Developers (initially) found a way around this.
This now appears to be supported by Apple (according to developer.apple.com).

15 URL handlers / IPC

An application can register a URL handler.
Another application would call that URL, with data.
A rather simple IPC mechanism.
http://mobileorchard.com/apple-approved-iphone-inter-process-communication/

16 URL handlers / IPC

The scheme is declared in the Info.plist file (CFBundleURLTypes); the handler code looks like:

    // called by iOS when another app (or Safari) opens a URL with this scheme;
    // everything in the URL is controlled by the caller
    - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
        [viewController handleURL:url];
        return YES;
    }

17 URL handlers / IPC

Any web page can call that link too.
So any web page can now also do IPC with the application.
This IPC mechanism clearly had unintended consequences.

18 URL handlers / IPC

So the browser can call the URL handlers too.
Wouldn't it be neat if we could get it done without tricking a user into visiting a web page from their Mobile Safari?

19 URL handlers / IPC

iOS 3 (and beyond) has this neat Wi-Fi hotspot feature.
If it connects to a Wi-Fi network and detects a redirect, it assumes it's a Wi-Fi hotspot (captive portal).
It pops up Mobile Safari and goes to the redirected page.
See http://support.apple.com/kb/HT3867

20 URL handlers / IPC

It looks like this:

21 URL handlers / IPC

The attack is quite simple:
you must be on the same LAN
knock the iOS device off the network
when it rejoins, forge the redirect to your web page

22 URL handlers / IPC

On by default.
You can turn it off (on iOS 4).

23 URL handlers / IPC

Starting from iOS 4.2 there is a newer API that should be used:
application:openURL:sourceApplication:annotation:
From the documentation:

24 URL handlers / IPC

openURL: is a much more elegant API for IPC.
It shows you who's calling (so you can reject the browser, for example).
It allows passing an object (the annotation) instead of serializing over URL arguments.

25 UIWebView

Can be used to build a GUI (mostly in web-like environments).
Basically renders HTML (and can run JavaScript!).
A browser window, more or less.

26 UIWebView

Vulnerable to attack (if used as a GUI): if an attacker can inject unescaped data, it will lead to cross-site scripting.

27 UIWebView

By default there is no bridge from the UIWebView's JavaScript to actual Obj-C.
Most iOS app developers that use UIWebView (for GUIs) would like there to be one.
The usual approach: a URL handler, only valid for that specific UIWebView, implemented in the webView:shouldStartLoadWithRequest:navigationType: delegate method.

28 UIWebView

That URL handler can do anything you want it to do.
Most UIWebView URL handlers are used to handle some internals; the arguments are considered trusted!
Even worse, a lot of them serialize/unserialize a method name and parameters!
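The bridge pattern of slides 16 to 28 (a URL handler whose arguments, often a serialized method name plus parameters, are treated as trusted) is only safe when the method name is matched against a fixed table and the arguments are validated. The following is an added example, not code from the deck, written in C, the layer the deck says these apps sit on: a parser for a hypothetical myapp://call?method=...&arg=... bridge URL that dispatches through an allowlist, rejects unknown parameters and refuses %00 in arguments (the poison NUL byte the deck comes back to under directory traversal). The scheme, host and handler names are invented for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*bridge_fn)(const char *arg);

/* Hypothetical native handlers the page is allowed to reach. */
static int show_alert(const char *arg) { printf("alert: %s\n", arg); return 1; }
static int set_title(const char *arg)  { printf("title: %s\n", arg); return 2; }

/* The allowlist: the method name from the URL is looked up here and never
 * turned into a selector, so page JavaScript can only reach these two. */
static const struct { const char *name; bridge_fn fn; } bridge_table[] = {
    { "showAlert", show_alert },
    { "setTitle",  set_title  },
};

/* Decode %XX and '+' in place. Rejects malformed escapes and %00, which
 * would otherwise silently truncate the argument for any C-string consumer. */
static int url_decode(char *s) {
    char *w = s;
    for (char *r = s; *r; r++, w++) {
        if (*r == '%') {
            char hex[3];
            if (!isxdigit((unsigned char)r[1]) || !isxdigit((unsigned char)r[2])) return 0;
            hex[0] = r[1]; hex[1] = r[2]; hex[2] = '\0';
            *w = (char)strtol(hex, NULL, 16);
            if (*w == '\0') return 0;
            r += 2;
        } else if (*r == '+') {
            *w = ' ';
        } else {
            *w = *r;
        }
    }
    *w = '\0';
    return 1;
}

/* Returns the handler's result, 0 when the URL is not a bridge call (let the
 * web view load it), -1 when the call is rejected. */
int dispatch_bridge_url(const char *url) {
    static const char prefix[] = "myapp://call?";
    char buf[512];
    const char *method = NULL, *arg = "";
    char *p;
    if (strncmp(url, prefix, sizeof prefix - 1) != 0) return 0;
    if (strlen(url) >= sizeof buf) return -1;
    strcpy(buf, url + (sizeof prefix - 1));
    p = buf;
    while (*p) {
        char *next = strchr(p, '&');
        char *eq;
        if (next) *next++ = '\0';              /* isolate this key=value pair */
        eq = strchr(p, '=');
        if (!eq) return -1;
        *eq = '\0';
        if (!url_decode(eq + 1)) return -1;
        if (strcmp(p, "method") == 0) method = eq + 1;
        else if (strcmp(p, "arg") == 0) arg = eq + 1;
        else return -1;                        /* unknown parameter */
        p = next ? next : p + strlen(p);
    }
    if (!method) return -1;
    for (size_t i = 0; i < sizeof bridge_table / sizeof bridge_table[0]; i++)
        if (strcmp(bridge_table[i].name, method) == 0)
            return bridge_table[i].fn(arg);
    return -1;                                 /* not on the allowlist */
}
```

In the Obj-C delegate this would be called from webView:shouldStartLoadWithRequest:navigationType: with the request URL's absoluteString, returning NO for anything that dispatched or was rejected; the same table-driven check applies unchanged to the application-level handleOpenURL: handler of slide 16.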

29 UIWebView

30 UIWebView

If used simply as a browser, it can do a lot more than render HTML and interact with web applications.
It can parse and render a large number of file formats (and will not prompt the user first!).

31 UIWebView

Excel (.xls)
Keynote (.key.zip) (and also zip files)
Numbers (.numbers.zip)
Pages (.pages.zip)
PDF (.pdf)
PowerPoint (.ppt)
Word (.doc)
RTF (.rtf) / RTF directory (.rtfd.zip)
Keynote '09 (.key)
Numbers '09 (.numbers)
Pages '09 (.pages)

32 UIWebView

A very long list of enormously difficult file formats to parse.
Once parsed, the result gets rendered as HTML in the current DOM.
Apple APIs, but they run in-process!
On by default; no way to turn this off.

33 UIWebView

It does a number of other things, e.g. it tries to detect phone numbers and turns them into tel: URLs.
You can turn this off: set the detectsPhoneNumbers property to NO.

34 UIWebView

Mitigation: render out of process.
Hand the URL to Safari instead of rendering it in a UIWebView.
Attack surface reduction: if a bug gets exploited now, your application is no longer affected.

35 UIImage

Wide attack surface, very similar to UIWebView's.
UIImage is a general image class; it can handle a _LOT_ of image file formats:

36 UIImage

tiff
jpeg
png
bmp
ico
cur
xbm
gif

37 UIImage

Not to mention some extensions that work with various image file formats:
EXIF
ICC profiles

38 UIImage

Huge attack surface; there is no property to specify which formats you want and which you don't.

39 UIImage

Two possible workarounds.
1. UIImage allows using a CGImageRef: use the lower-level Core Graphics library to specifically load a JPEG or PNG (CGImageCreateWithJPEGDataProvider / CGImageCreateWithPNGDataProvider), then feed the CGImageRef to UIImage (imageWithCGImage:).

40 UIImage

2. Or you could just look at the first couple of bytes of the image file.
Each graphics format is trivial to detect from the magic bytes at the beginning, for example:
PNG signature: 137 80 78 71 13 10 26 10 (decimal)
JPEG: FF D8 FF (the JFIF identifier 4A 46 49 46 only appears at offset 6, inside the APP0 segment, and is absent from EXIF-only files)
GIF signature: 47 49 46 38 39 61 ("GIF89a") or 47 49 46 38 37 61 ("GIF87a")
BMP: first 2 bytes "BM"
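The second workaround, as an added example that is not code from the deck: a C classifier for the formats listed on slide 36 that uses only the bytes at offset 0, plus a policy function that lets only PNG and JPEG through to the decoder. The file heads used for the demo are constructed; one of them starts with the literal bytes "JFIF" to show why the offset-6 identifier is not a safe signature.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { IMG_UNKNOWN = 0, IMG_PNG, IMG_JPEG, IMG_GIF, IMG_BMP, IMG_TIFF } img_format;

/* Classify by the bytes at offset 0 only; nothing else in the file is trusted. */
img_format detect_image_format(const uint8_t *buf, size_t len) {
    static const uint8_t png_sig[8] = { 137, 80, 78, 71, 13, 10, 26, 10 };
    if (len >= 8 && memcmp(buf, png_sig, 8) == 0)
        return IMG_PNG;
    /* JPEG starts with the SOI marker FF D8 followed by another marker (FF xx).
     * "JFIF" (4A 46 49 46) is the APP0 identifier at offset 6 and is missing
     * from EXIF-only files, so it is not a usable signature. */
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return IMG_JPEG;
    if (len >= 6 && (memcmp(buf, "GIF89a", 6) == 0 || memcmp(buf, "GIF87a", 6) == 0))
        return IMG_GIF;
    if (len >= 2 && buf[0] == 'B' && buf[1] == 'M')
        return IMG_BMP;
    /* TIFF: byte order mark "II" or "MM" followed by the magic number 42. */
    if (len >= 4 && (memcmp(buf, "II*\0", 4) == 0 || memcmp(buf, "MM\0*", 4) == 0))
        return IMG_TIFF;
    return IMG_UNKNOWN;
}

/* Policy: only the two formats the app expects reach the decoder. */
int image_is_allowed(const uint8_t *buf, size_t len) {
    img_format f = detect_image_format(buf, len);
    return f == IMG_PNG || f == IMG_JPEG;
}

/* Constructed file heads for the demo. */
static const uint8_t head_png[]  = { 137, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13, 'I', 'H', 'D', 'R' };
static const uint8_t head_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };
static const uint8_t head_exif[] = { 0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x20, 'E', 'x', 'i', 'f', 0x00, 0x00 };
static const uint8_t head_gif[]  = { 'G', 'I', 'F', '8', '9', 'a', 0x01, 0x00, 0x01, 0x00 };
static const uint8_t head_tiff[] = { 'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08 };
/* Starts with the bytes "JFIF": matches the signature quoted on the slide, but is not a JPEG. */
static const uint8_t head_fake[] = { 'J', 'F', 'I', 'F', 0x00, 0x01 };
```

A file that passes this check can still be a malformed PNG or JPEG, so the check is attack surface reduction (the six other decoders never run), not input validation for the two that do.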

41 Header / XML injection

Not iOS-specific, however rampant in mobile apps, mostly when interacting with web services.
Devs implement their own HTTP handling code and forget things like escaping \r, \n, ...

42 Header / XML injection

Consider the following example:

    - (NSData *)HTTPHdrData {
        NSMutableString *metadataString = [NSMutableString string];
        [metadataString appendString:@"Content-Disposition: form-data"];
        // name and fileName are interpolated unescaped: a \r\n in either one
        // lets whoever controls them inject further headers
        if (self.name)
            [metadataString appendFormat:@"; name=\"%@\"", self.name];
        if (self.fileName)
            [metadataString appendFormat:@"; filename=\"%@\"", self.fileName];
        [metadataString appendString:@"\r\n"];
        if (self.contentType)
            [metadataString appendFormat:@"Content-Type: %@\r\n", self.contentType];
        return [metadataString dataUsingEncoding:NSUTF8StringEncoding];
    }

43 Header / XML injection

iOS has some decent APIs for this:
NSMutableURLRequest addValue:forHTTPHeaderField:
NSMutableURLRequest setValue:forHTTPHeaderField:
Not vulnerable to injection, although they do fail silently if injection is detected.
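For code that builds its own headers (multipart bodies, as on slide 42, cannot go through setValue:forHTTPHeaderField:), the check is short. The following is an added example, not code from the deck: a C builder for the same Content-Disposition line that rejects CR, LF and other control characters in the name and filename, escapes quotes and backslashes inside the quoted-string parameters, and refuses to write a truncated header. The inputs used in the demo helpers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s contains no CR, LF or other control character; 0 otherwise. */
int header_value_is_clean(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

static int append_str(char *out, size_t outsz, size_t *pos, const char *s) {
    size_t n = strlen(s);
    if (*pos + n + 1 > outsz) return 0;          /* keep room for the NUL */
    memcpy(out + *pos, s, n);
    *pos += n;
    return 1;
}

/* Append s as the inside of a quoted-string, escaping '"' and '\'. */
static int append_quoted(char *out, size_t outsz, size_t *pos, const char *s) {
    for (; *s; s++) {
        if (*s == '"' || *s == '\\') {
            if (*pos + 1 >= outsz) return 0;
            out[(*pos)++] = '\\';
        }
        if (*pos + 1 >= outsz) return 0;
        out[(*pos)++] = *s;
    }
    return 1;
}

/* Build "Content-Disposition: form-data[; name=\"..\"][; filename=\"..\"]\r\n".
 * name and filename may be NULL. Returns 0 (and leaves out unusable) on
 * injection or when the buffer is too small. */
int build_content_disposition(const char *name, const char *filename, char *out, size_t outsz) {
    size_t pos = 0;
    if ((name && !header_value_is_clean(name)) || (filename && !header_value_is_clean(filename)))
        return 0;
    if (!append_str(out, outsz, &pos, "Content-Disposition: form-data")) return 0;
    if (name) {
        if (!append_str(out, outsz, &pos, "; name=\"") ||
            !append_quoted(out, outsz, &pos, name) ||
            !append_str(out, outsz, &pos, "\"")) return 0;
    }
    if (filename) {
        if (!append_str(out, outsz, &pos, "; filename=\"") ||
            !append_quoted(out, outsz, &pos, filename) ||
            !append_str(out, outsz, &pos, "\"")) return 0;
    }
    if (!append_str(out, outsz, &pos, "\r\n")) return 0;
    out[pos] = '\0';
    return 1;
}

/* Demo helper: 1 = built and equal to expected, 0 = built but different, -1 = rejected. */
int disposition_result(const char *name, const char *filename, const char *expected) {
    char buf[128];
    if (!build_content_disposition(name, filename, buf, sizeof buf)) return -1;
    return strcmp(buf, expected) == 0 ? 1 : 0;
}

/* Demo helper: does the header for `name` fit in a buffer of outsz bytes? */
int disposition_fits(const char *name, size_t outsz) {
    char buf[128];
    if (outsz > sizeof buf) outsz = sizeof buf;
    return build_content_disposition(name, NULL, buf, outsz);
}
```

Rejecting rather than stripping the offending bytes keeps the failure visible, which is the one thing the NSMutableURLRequest setters on slide 43 do not do.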

44 Format string bugs

iPhone apps use Obj-C, which is native code.
However, if you stick to the Obj-C syntax and the classes provided, the chances of overflows and the like are small (the provided classes can do almost anything you want).
The provided classes also have format-based functions.

45 Format string bugs

These format string functions can also lead to format string bugs.
It seems most iOS apps are riddled with them.
Most iOS app developers don't seem to know this is a problem.

46 Format string bugs

Vulnerable Obj-C methods and functions:
NSLog()
[NSString stringWithFormat:]
[NSString initWithFormat:]
[NSMutableString appendFormat:]
[NSAlert informativeTextWithFormat:]
[NSPredicate predicateWithFormat:]
[NSException raise:format:]
NSRunAlertPanel()

47 Format string bugs

Obj-C is a superset of C, so all C format functions could also be abused in iOS apps:
printf
snprintf
fprintf
...

48 Exploiting NS* format string bugs

These aren't the format string bugs you're looking for.
NS* object format functions are slightly different from the printf* style ones.
They don't support %n, so you can't write to arbitrary addresses?
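What slides 44 to 48 describe is the same defect whether the sink is NSLog() or snprintf(): caller-controlled text becomes the format and the function reads arguments nobody passed. The following is an added example, not code from the deck, in C: the vulnerable shape next to the hardened one, arranged so the leak is deterministic (one variadic argument models whatever sits in that slot at the real call site), plus the helper an auditor would run over values that flow into a non-literal format. The "username" input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the untrusted text is the format string. The one
 * variadic argument stands in for whatever the real call site has in that
 * slot; a %x in the "username" reads it back out. With more directives than
 * arguments the read continues into whatever the stack holds (undefined
 * behaviour: a crash or an information leak), which is the real bug. */
int log_unsafe(const char *untrusted, unsigned secret, char *out, size_t n) {
    return snprintf(out, n, untrusted, secret);
}

/* Hardened shape: the untrusted text is an argument, the format is a literal.
 * The Obj-C equivalents are NSLog(@"%@", s) and [NSString stringWithFormat:@"%@", s]. */
int log_safe(const char *untrusted, unsigned secret, char *out, size_t n) {
    (void)secret;
    return snprintf(out, n, "%s", untrusted);
}

/* Audit helper for input that will reach a non-literal format: does it carry
 * any conversion directive? "%%" is a literal percent sign and is skipped. */
int contains_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Demo with a constructed "username" of "user=%08x". */
int leaks_secret(void) {
    char out[64];
    log_unsafe("user=%08x", 0xdeadbeefu, out, sizeof out);
    return strcmp(out, "user=deadbeef") == 0;
}

int safe_keeps_literal(void) {
    char out[64];
    log_safe("user=%08x", 0xdeadbeefu, out, sizeof out);
    return strcmp(out, "user=%08x") == 0;
}
```

The NS* variants lack %n, as slide 48 says, but %x, %p and %s work the same way, so the read primitive (stack contents, heap pointers, and with %s a crash on demand) is available to an attacker through any of the methods listed on slide 46.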

49-51 Auditing iPhone and iPad applications (no text on these slides)

52 Exploiting bugs

53-62 Auditing iPhone and iPad applications (no text on these slides)
63 Binary protocol handling

Said before: Obj-C is a superset of C; stick to the NS* objects and you're mostly safe.
Binary protocol handling is sort of the exception: there are no good Obj-C classes for that.
Developers have to fall back to old C-style binary protocol parsing.
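The following is an added example, not code from the deck, of the C-level parsing slide 63 refers to, written with the two checks that are usually missing: the declared length is compared against the bytes remaining (never as "header + length <= total" on a type that can wrap) and against the destination buffer. The wire format (1-byte type, 2-byte big-endian length, value) and the sample messages are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_VALUE 256

typedef struct { uint8_t type; uint16_t len; uint8_t value[MAX_VALUE]; } tlv_record;

/* Parse one record from buf[0..len). Returns the bytes consumed, or 0 if the
 * record is truncated or its value would not fit the destination. */
size_t tlv_parse_one(const uint8_t *buf, size_t len, tlv_record *rec) {
    if (len < 3) return 0;                         /* header does not fit */
    uint16_t vlen = (uint16_t)((buf[1] << 8) | buf[2]);
    if (vlen > len - 3) return 0;                  /* value runs past the buffer */
    if (vlen > MAX_VALUE) return 0;                /* would overflow rec->value */
    rec->type = buf[0];
    rec->len = vlen;
    memcpy(rec->value, buf + 3, vlen);
    return 3 + (size_t)vlen;
}

/* Parse every record; returns the count, or -1 if any record is malformed.
 * A truncated trailing record is an error, not silently ignored. */
int tlv_parse_all(const uint8_t *buf, size_t len, tlv_record *out, int max) {
    int n = 0;
    size_t pos = 0;
    while (pos < len) {
        if (n >= max) return -1;
        size_t used = tlv_parse_one(buf + pos, len - pos, &out[n]);
        if (used == 0) return -1;
        pos += used;
        n++;
    }
    return n;
}

/* Constructed sample: type 1 with "hi", then type 2 with three bytes. */
static const uint8_t good_msg[] = { 0x01, 0x00, 0x02, 'h', 'i',
                                    0x02, 0x00, 0x03, 0xAA, 0xBB, 0xCC };
/* Constructed hostile sample: claims 0xFFFF bytes but only two follow. */
static const uint8_t bad_msg[]  = { 0x01, 0xFF, 0xFF, 'h', 'i' };
/* Constructed hostile sample: 300 bytes really follow, which is more than MAX_VALUE. */
static const uint8_t big_msg[303] = { 0x07, 0x01, 0x2C };

int parse_good_count(void)      { tlv_record r[4]; return tlv_parse_all(good_msg, sizeof good_msg, r, 4); }
int parse_bad_count(void)       { tlv_record r[4]; return tlv_parse_all(bad_msg, sizeof bad_msg, r, 4); }
int parse_truncated_count(void) { tlv_record r[4]; return tlv_parse_all(good_msg, 4, r, 4); }
int parse_oversized(void)       { tlv_record r;    return (int)tlv_parse_one(big_msg, sizeof big_msg, &r); }
int second_record_len(void)     { tlv_record r[4]; tlv_parse_all(good_msg, sizeof good_msg, r, 4); return r[1].len; }
```

The same shape applies to any length-prefixed field; the mistake the checks prevent is computing `3 + vlen` first and comparing afterwards, which with a 32-bit length wraps to a small number and passes.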

64 Directory traversal

iOS has similar file APIs to Mac OS X, so the same types of desktop/server OS file issues apply.
NSFileManager

65 Directory traversal

Classic directory traversal: ../../../../ will work.

    NSString *file = [[NSString alloc] initWithFormat:@"%@/%@",
                      NSTemporaryDirectory(), attackerControlledString];
    NSFileManager *m = [NSFileManager defaultManager];
    [m createFileAtPath:file contents:nsd attributes:nil];   // nsd: the NSData being written

66 Directory traversal

Poison NULL byte: ../../../../blahblah\0
This works because NSStrings don't use 0 bytes to terminate a string, but the iOS kernel does.

    NSString *file = [[NSString alloc] initWithFormat:@"%@/%@.ext",
                      NSTemporaryDirectory(), attackerControlledString];
    NSFileManager *m = [NSFileManager defaultManager];
    [m createFileAtPath:file contents:nsd attributes:nil];   // the ".ext" after the \0 never reaches the kernel
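What slides 65 and 66 describe, as an added example that is not code from the deck, at the C layer: the NSString carries an explicit length (modelled here as a pointer plus length), while the kernel's open()/creat() receives a NUL-terminated C string, so "../x\0" followed by ".ext" reaches the filesystem as "../x". The validate_filename() check rejects both traversal and embedded NULs before the path is built. Directory and attacker strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Build "<dir>/<name><suffix>" the way the slide does, from a length-carrying
 * name, then report what the kernel would see. Returns the C-string length,
 * or 0 if the pieces do not fit. */
size_t path_as_kernel_sees(const char *dir, const char *name, size_t name_len,
                           const char *suffix, char *out, size_t outsz) {
    size_t dl = strlen(dir), sl = strlen(suffix);
    if (dl + 1 + name_len + sl + 1 > outsz) return 0;
    memcpy(out, dir, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, name, name_len);           /* copies an embedded NUL too */
    memcpy(out + dl + 1 + name_len, suffix, sl + 1);
    return strlen(out);                              /* stops at the first NUL */
}

/* Accept exactly one file name component: no NUL, no slash, not "." or "..". */
int validate_filename(const char *name, size_t name_len) {
    if (name_len == 0 || memchr(name, '\0', name_len) != NULL) return 0;
    if (memchr(name, '/', name_len) != NULL) return 0;
    if (name_len == 1 && name[0] == '.') return 0;
    if (name_len == 2 && name[0] == '.' && name[1] == '.') return 0;
    return 1;
}

/* Hardened version of the slide's path construction. */
int build_safe_path(const char *dir, const char *name, size_t name_len,
                    const char *suffix, char *out, size_t outsz) {
    if (!validate_filename(name, name_len)) return 0;
    return path_as_kernel_sees(dir, name, name_len, suffix, out, outsz) != 0;
}

/* Demo: the attacker string from slide 66 with the ".ext" suffix. */
int null_byte_drops_suffix(void) {
    static const char attacker[] = "../../../../blahblah\0";   /* 21 bytes incl. the embedded NUL */
    char out[256];
    path_as_kernel_sees("/tmp/app", attacker, sizeof attacker - 1, ".ext", out, sizeof out);
    return strcmp(out, "/tmp/app/../../../../blahblah") == 0;
}

int safe_path_for(const char *name, size_t name_len) {
    char out[256];
    return build_safe_path("/tmp/app", name, name_len, ".ext", out, sizeof out);
}
```

An allowlist of characters is simpler still when the application chooses the names; the component check above is the minimum for names that arrive from a server or another app.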

67 NSXMLParser

NSXMLParser is the class used to parse XML files.
It handles DTDs by default (billion laughs); there is no way to turn that off.
It doesn't resolve external entities by default; that can be turned on (setShouldResolveExternalEntities:).

68 NSXMLParser

There's kind of a hairy workaround. Six delegate callbacks can be defined that will be called if a DTD is encountered:
foundElementDeclarationWithName
foundAttributeDeclarationWithName
foundInternalEntityDeclarationWithName
foundExternalEntityDeclarationWithName
foundNotationDeclarationWithName
foundUnparsedEntityDeclarationWithName

69 NSXMLParser

    // every DTD declaration callback aborts the parse; abort: is the app's own
    // helper that stops the parser (e.g. via [parser abortParsing])
    - (void)parser:(NSXMLParser *)parser
            foundExternalEntityDeclarationWithName:(NSString *)entityName {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundAttributeDeclarationWithName:(NSString *)attributeName ... {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundElementDeclarationWithName:(NSString *)elementName model:(NSString *)model {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundInternalEntityDeclarationWithName:(NSString *)name value:(NSString *)value {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundUnparsedEntityDeclarationWithName:(NSString *)name ... {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundNotationDeclarationWithName:(NSString *)name publicID:(NSString *)publicID ... {
        [self abort:@"DTD"];
    }

70 NSXMLParser

This works, but it's hairy and error-prone.
It would be nice if NSXMLParser had a parseDTD attribute.
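A less hairy alternative to the six callbacks of slides 68 and 69 is to refuse the document before the parser sees the DTD at all. The following is an added example, not code from the deck, in C: XML allows a DOCTYPE only in the prolog (after the optional XML declaration, comments and processing instructions, and before the root element), so a scan of the prolog is sufficient and needs no parser. The billion-laughs document and the other samples are constructed.

```c
#include <stddef.h>
#include <string.h>

static size_t skip_ws(const char *s, size_t len, size_t p) {
    while (p < len && (s[p] == ' ' || s[p] == '\t' || s[p] == '\r' || s[p] == '\n')) p++;
    return p;
}

/* Advance past the construct starting at p until just after `close`.
 * Returns len if the construct is unterminated. */
static size_t skip_until(const char *s, size_t len, size_t p, const char *close) {
    size_t cl = strlen(close);
    for (; p + cl <= len; p++)
        if (memcmp(s + p, close, cl) == 0) return p + cl;
    return len;
}

/* Returns 1 if the prolog contains <!DOCTYPE, 0 otherwise. Only hand the
 * document to NSXMLParser when this returns 0. */
int xml_prolog_has_doctype(const char *xml, size_t len) {
    size_t p = skip_ws(xml, len, 0);
    while (p < len) {
        if (p + 2 <= len && memcmp(xml + p, "<?", 2) == 0) {
            p = skip_until(xml, len, p + 2, "?>");          /* XML declaration or PI */
        } else if (p + 4 <= len && memcmp(xml + p, "<!--", 4) == 0) {
            p = skip_until(xml, len, p + 4, "-->");         /* comment */
        } else if (p + 9 <= len && memcmp(xml + p, "<!DOCTYPE", 9) == 0) {
            return 1;
        } else {
            return 0;   /* root element (or junk): a DTD is not allowed after this point */
        }
        p = skip_ws(xml, len, p);
    }
    return 0;
}

/* Constructed samples. */
static const char billion_laughs[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE lolz [\n"
    " <!ENTITY lol \"lol\">\n"
    " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
    " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
    "]>\n<lolz>&lol2;</lolz>\n";
static const char plain_doc[] =
    "<?xml version=\"1.0\"?>\n"
    "<!-- a comment that mentions <!DOCTYPE is harmless -->\n"
    "<root><a/></root>\n";
/* A DOCTYPE after the root element is a well-formedness error; a conforming
 * parser rejects the document, so the prolog scan does not need to find it. */
static const char late_doctype[] = "<root/><!DOCTYPE x [<!ENTITY a \"b\">]>";

int sample_billion_laughs_rejected(void) { return xml_prolog_has_doctype(billion_laughs, sizeof billion_laughs - 1); }
int sample_plain_accepted(void)         { return xml_prolog_has_doctype(plain_doc, sizeof plain_doc - 1); }
int sample_late_doctype(void)           { return xml_prolog_has_doctype(late_doctype, sizeof late_doctype - 1); }
```

For an app that legitimately needs an internal DTD this check is too blunt; then the callback approach from slide 69 remains, ideally combined with a cap on document size, since entity expansion happens inside the parser regardless of what the delegate does.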

71 Questions

http://900igr.net/prezentacija/anglijskij-jazyk/auditting-iphone-and-ipad-applications-150695.html