Pentesting iPhone & iPad Apps
Hack In Paris 2011 June 17
Who are we?
Flora Bottaccio
Security Analyst at ADVTOOLS
Sebastien Andrivet
Director, co-founder of ADVTOOLS
ADVTOOLS
Swiss company founded in 2002 in Geneva
Specialized in Information Security & Problem Diagnosis
Pentesting
Security Audits
Forensics
Secure Development
Agenda
Overview
Previous research
iPhone/iPad application pentest
Our methodology
Live demonstrations
Q&A
iOS Application Types
Web Applications
HTML + CSS + JavaScript
Run inside Safari
Native Applications:
Written in Objective-C (+ C/C++)
Compiled into CPU code: ARM for actual devices, x86 for the iOS Simulator
MonoTouch, Adobe Flash, ...
Written in a high-level language
Compiled into CPU code
iOS Applications
Distributed as .ipa files
in fact simply zip files
Deployed as .app directories
like on Mac OS X
Executable code is:
encrypted with FairPlay DRM (AES)
signed with Apple's signature
decryption with GDB or Crackulous
Objective-C
Objective-C = C + Smalltalk
Object-oriented language
Created in the early 1980s by Stepstone
Objective-C 2.0 released with Leopard (Mac OS X 10.5)
Can be mixed with C and C++
Reverse Engineering
Not so obvious at first:
ARM instruction set
Objective-C & objc_msgSend
Generated code sometimes strange
Few (working) scripts and tools
Finally, not so difficult
Your best friend:
Hex-Rays IDA Pro (Win, Mac, Linux)
Data storage
plist files (Property lists)
Used and abused
Binary (deprecated) or XML
SQLite 3
From time to time
Keychain
Binary data files (aka unknown)
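Step B.3 of the methodology (artifacts) is where the storage choices above get checked: a plist, binary or XML, and an SQLite file are readable as-is, so any credential stored in clear is visible to whoever has the app sandbox or its backup. The scanner below is an added example, not ADVTOOLS code and not from the deck: it builds a constructed, fictitious app sandbox (one XML plist, one binary plist, one SQLite database), then walks it and reports every secret-looking key or column that holds non-empty text. The key-name pattern and the sample files are assumptions for the demonstration; plistlib autodetects binary versus XML, so both formats go through the same path.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that usually hold secrets. Constructed heuristic: extend it for the app under test.
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|pin", re.IGNORECASE)


def walk_plist(obj, path=""):
    """Yield (path, value) for every leaf of a parsed plist, descending into dicts and arrays."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_plist(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk_plist(value, f"{path}[{index}]")
    else:
        yield path, obj


def scan_plist(filename):
    """Parse a plist (binary or XML, plistlib autodetects) and return secret-looking string leaves."""
    with open(filename, "rb") as handle:
        data = plistlib.load(handle)
    return [(filename, path, value) for path, value in walk_plist(data)
            if SECRET_NAME.search(path.rsplit("/", 1)[-1]) and isinstance(value, str) and value]


def scan_sqlite(filename):
    """Return rows of columns whose names look like secrets and that contain non-empty text."""
    findings = []
    con = sqlite3.connect(filename)
    try:
        tables = [row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            columns = [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]
            for column in columns:
                if not SECRET_NAME.search(column):
                    continue
                for (value,) in con.execute(f'SELECT "{column}" FROM "{table}"'):
                    if isinstance(value, str) and value:
                        findings.append((filename, f"{table}.{column}", value))
    finally:
        con.close()
    return findings


def scan_app_dir(root):
    """Walk an extracted .app / sandbox directory and scan every plist and SQLite file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(scan_plist(full))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                findings.extend(scan_sqlite(full))
    return findings


def build_sample_sandbox(root):
    """Constructed sample of what a weak app's sandbox might contain; not taken from any real app."""
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    # XML plist with the account password stored next to the username.
    with open(os.path.join(root, "Library", "Preferences", "settings.plist"), "wb") as handle:
        plistlib.dump({"username": "alice", "password": "s3cret", "theme": "dark"},
                      handle, fmt=plistlib.FMT_XML)
    # Binary plist: the vault blob is opaque, but the master password sits beside it in clear.
    with open(os.path.join(root, "Documents", "vault.plist"), "wb") as handle:
        plistlib.dump({"entries": b"\x00\x11\x22\x33", "masterPassword": "hunter2"},
                      handle, fmt=plistlib.FMT_BINARY)
    # SQLite database with a credential column.
    con = sqlite3.connect(os.path.join(root, "Documents", "app.sqlite"))
    con.execute("CREATE TABLE accounts (id INTEGER, login TEXT, pwd TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'bob', 'letmein')")
    con.commit()
    con.close()


def demo():
    """Build the constructed sandbox in a temp dir, scan it and return (location, value) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sandbox(root)
        return sorted((location, value) for _, location, value in scan_app_dir(root))


if __name__ == "__main__":
    for location, value in demo():
        print(f"cleartext secret at {location}: {value!r}")
```

Point it at a directory pulled from the device with scp (or at an unpacked .ipa) instead of the constructed sandbox; a hit means the value is readable by anyone holding the file, which is exactly the finding reported in the demos later in this deck.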
iTunes & Backups
Every time you connect your device to your computer, a backup is made
Contains almost all data
By default, not encrypted
To mitigate security problems:
Previous research
In general, out of date
Often inaccurate
But contains interesting information
We will give here only some examples
Foundstone (McAfee / Intel)
Disappointing
Assumes a lot
In particular, assumes you have the source code
If you have the sources, you do a code review, not a pentest
Nicolas Seriot
Not exactly on the same subject (about privacy)
Excellent source of info
However, a little out of date (everything is quickly out of date with Apple devices)
DVLabs (TippingPoint / HP)
Our starting point for decryption of apps
Old (2009), some assumptions no longer valid
ARTeam
About cracking, not pentesting
Brilliant
But very old now (2008 & 2009)
Previous Research
Some interesting documents available
Nothing specifically about pentesting iOS applications that is realistic and usable
This is one of the reasons we make this presentation today
Pentesting iOS Applications
Step 1: Preparing a device
Step 2: Preparing a workstation
Step 3: Preparing a network
Step 4: Pentesting
Step 5: Report
Step 1: Device
Dedicated iPhone or iPad
Jailbreak
Avoid iPad 2 for the moment
Install tools
Tools
Cydia
APT 0.7 Strict
adv-cmds
Darwin CC Tools
GNU Debugger
inetutils
lsof
MobileTerminal
netcat
network-cmds
nmap
OpenSSH
tcpdump
top
wget
Crackulous
Default Passwords
By default, there are two users:
root
mobile
Passwords = alpine
Be sure to change them:
passwd
passwd mobile
Step 2: Workstation
Windows:
OK
Mac OS X (Snow Leopard)
Better
Linux, FreeBSD,
Good luck!
Possible, but you will need Windows to run some tools (virtual machine)
Some Tools
Windows:
SecureCRT or PuTTY, WinSCP
plist Editor for Windows
Mac OS X:
ssh, SecureCRT, Cyberduck
Xcode
Windows / Mac:
SQLite Database Browser
Apple iPhone Configuration Utility
Wireshark
Burp / WebScarab
IDA Pro (+ ARM decompiler)
Our Tools
ADVsock2pipe
Remote network captures (Windows)
ADVinterceptor 2.0
Communications interception
DNS & Web Servers
Will be released in June 2011
GPLv3
Step 3: Network
(Network diagram; labels: Wifi, Internet, Firewall, LAN)
Step 4: Pentesting
Step A: Install app from iTunes
Step B: Reconnaissance (passive)
B.1: Network capture
B.2: Interception
B.3: Artifacts
B.4: Decrypt + Reverse engineering
Step C: Attack (active)
C.1: Interception + tampering
B.1: Network Capture
(Capture flow diagram: tcpdump + netcat on the device -> tcp -> ADVsock2pipe -> Windows pipe)
B.2: Interception: Proxy method
Proxy:
Burp Suite Pro
WebScarab
B.2: Interception: ADVinterceptor
DNS, HTTP, HTTPS
ADVinterceptor 2 (DNS Server, Web Server, etc.)
Inject SSL Certificates
Root certificate from Burp or ADVinterceptor
Use Apple iPhone Configuration Utility
Demos
(Demo setup diagram; labels: 3G+Wifi, Wifi, 2G/3G, Internet, VNC Client, Shell, SSH Client (SecureCRT), Windows 7 on MacBook)
Demos
Goal is to illustrate the previous points, not to make a complete pentest
This is also to show the catastrophic level of security of some iOS apps
Demo # 1
An application that stores passwords securely
Data are encrypted, except the password
Demo # 2
Network capture with
tcpdump
netcat
ADVsock2pipe
Wireshark
Demo # 3
French application (passengers)
Interception with proxy method & Burp
Password in clear inside the SSL tunnel: not really a problem
Password also in clear in a file (Property List): not good
Demo # 4
French retailer
Interception with ADVinterceptor + Burp
No SSL
First message (CheckLogin): password encrypted with CRC64
Second message (Login): password in clear!
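Demos 3 and 4 apply the same triage rule to what the capture and interception steps (B.1, B.2) produce: a credential visible inside the TLS tunnel is expected for a login form, a credential on a plain-HTTP wire is a critical finding, and a keyless checksum such as a CRC in place of the password is no better than clear text, because anyone who captured it holds the same value the server accepts. The script below is an added example, not part of the deck or of ADVTOOLS' tools: it parses a few constructed HTTP requests (fictitious hosts and paths shaped like the CheckLogin / Login exchange) and classifies each credential field. The field-name pattern and the "8 or 16 hex digits means a CRC-sized checksum" heuristic are assumptions for the demonstration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that carry credentials. Constructed heuristic; adapt to the app under test.
CRED_FIELD = re.compile(r"pass(word|wd)?|pwd|pin|secret", re.IGNORECASE)
# A value that is exactly 8 or 16 hex digits is CRC32/CRC64-sized: a keyless checksum, not a cipher.
HEX_CHECKSUM = re.compile(r"^(?:[0-9a-fA-F]{8}|[0-9a-fA-F]{16})$")

# Constructed captures as (transport, raw request). Hosts and paths are fictitious.
SAMPLE_CAPTURES = [
    ("http", "POST /CheckLogin HTTP/1.1\r\nHost: shop.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=alice&password=a1b2c3d4e5f60718"),
    ("http", "POST /Login HTTP/1.1\r\nHost: shop.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=alice&password=Winter2011"),
    ("https", "POST /api/login HTTP/1.1\r\nHost: travel.example\r\n"
              "Content-Type: application/json\r\n\r\n"
              '{"login": "bob", "password": "s3cret"}'),
    ("http", "GET /catalog?cat=12 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP request into (path, query+body fields); unknown body types yield no fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    parts = urlsplit(target)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields.update({k: v[0] for k, v in parse_qs(body).items()})
    elif ctype.startswith("application/json") and body:
        fields.update({k: str(v) for k, v in json.loads(body).items()})
    return parts.path, fields


def classify_value(value):
    """'keyless_checksum' for a CRC-sized hex string, 'clear' for anything else."""
    return "keyless_checksum" if HEX_CHECKSUM.match(value) else "clear"


def triage(transport, raw):
    """Rate each credential field in one captured request the way the demos rate them."""
    path, fields = parse_request(raw)
    findings = []
    for name, value in fields.items():
        if not CRED_FIELD.search(name):
            continue
        if transport == "https":
            severity, reason = "info", "credential_inside_tls"
        elif classify_value(value) == "keyless_checksum":
            severity, reason = "critical", "keyless_checksum_on_wire"
        else:
            severity, reason = "critical", "credential_clear_on_wire"
        findings.append({"path": path, "field": name, "severity": severity, "reason": reason})
    return findings


def triage_all(captures):
    """Run triage over every (transport, raw) pair and flatten the findings in capture order."""
    return [finding for transport, raw in captures for finding in triage(transport, raw)]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_CAPTURES):
        print(f"[{finding['severity']}] {finding['path']} {finding['field']}: {finding['reason']}")
```

Feed it the requests exported from Burp or reassembled from the Wireshark capture instead of the constructed list; the `keyless_checksum_on_wire` verdict is a heuristic on value shape, so confirm by reverse engineering (step B.4) what the app really computes before writing it up.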
Thank you
To contact us:
www.advtools.com