iOS App Security Testing :: Session 1 

Agenda

  • Setting up iOS pen-testing platform
  • Understanding the iOS filesystem & Assessment
  • Insecure data storage
  • Basics of Cycript
  • Client side injection

Set up iOS pen-testing platform

Jailbreak device:

  1. Jailbreak the device by downloading the software from pangu http://en.pangu.io/ 
  2. Click on "Start" and follow the process to jailbreak your device
  3. Cydia appears in the apps, once your device is jailbroken

Latest version of iOS (currently it's 9.1) can't be jailbreak

Setting up mobile auditing platform

  1. Install OpenSSH, MobileTerminal & Bigboss recommended tools from Cydia app 
  2. SSH the device for the root user. The default password is "alpine" 
  3. Install class-dump from https://code.google.com/p/networkpx/wiki/class_dump_z 
  4. Run the following commands to get the latest packages: 
  • apt-update
  • apt-upgrade 

Understanding the iOS filesystem

 

  • System Apps Path: /Applications
  • Store Apps Path: /var/mobile/Containers/Bundle/Application/

iOS Assessment - Overview

Insecure Data Storage

  • Plist
  • NSUserDefaults
  • Core data (Sqlite)
  • Keychain
  • Webkit Caching
  • Realm
  • Couchbase Lite
  • YapDatabase

Basics of Cycript

Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.

Why is it required for Security Testing?

  • Hooking
  • To identify methods used in the app
  • To modify the values of variable during runtime
  • Ability to execute Obj C & Javascript code
  • Method Swizzling

How does it work?

  • Install Cycript from cydia 
  • SSH the device and find the app's process using this command: ps -u <<user>> | grep "<<app_name>>
  • Hook into the process using this command: cycript -p <<PID>

Client Side Injection

Data injection attacks are as real in mobile apps as they are in web apps, although the attack scenarios tend to differ (e.g., exploiting URL schemes to send premium text messages or toll phone calls).

SQL Injection Example

Tools & Commands Info

Class-dump-z Installation 1. Go to https://code.google.com/p/networkpx/wiki/class_dump_z and copy the download link 
2. SSH into device and run this command: wget <<class-dump-z download link>>
3. Once this is done, go inside the folder iphone_armv6 and copy the class-dump-z executable into /usr/bin directory
Keychain 1. SSH your device and run this command: wget https://github.com/ptoomey3/Keychain-Dumper/archive --no-check-certificate
2. Navigate inside Keychain_Dumper directory and run the executable by using the command ./keychain_dumper 
Cycript 1. Go to http://www.cycript.org/debs/ and download the latest deb file 
2. Copy the package to your device and install it using dpkg with this command: dpkg -i <<deb_package_name>>
3. Once the package is installed run cycript in terminal 

Tools

Commands

SSH ssh root@<<device_ip_address>>
password: alpine
Copy over Shell scp <<source_path>> root@<<device_ip_address>><<destination_path>>
Convert plist to xml plutil -convert xml1 <<plist_file>>
Find application PID a. ps aux | grep "app_name"
b. ps -u mobile | grep "app_name"
Sqlite Sqlite3 <<sqlite_db>>
Extract .tar files tar -xvzf <<tar_file>>

Thank you

iOS Application Security - Part 1

By Yogesh Sharma

iOS Application Security - Part 1

  • 2,448