Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditting iPhone and iPad applications

Published byGabriela Borkowska Modified over 6 years ago

Similar presentations

Presentation on theme: "Auditting iPhone and iPad applications"— Presentation transcript:

1 Auditting iPhone and iPad applications
Ilja van Sprundel

2 Who am I? Ilja van Sprundel IOActive netric blogs.23.nu/ilja

3 What this talk is[n’t] about
common security issues seen in 3rd party iOS applications possible fix or mitigation of them document how to exploit them in some cases isn’t: bugs in iOS itself to some extend it does cover some api shortcomings

4 Introduction Mobile app market exploded over the last 2 years
lots of demand for security reviews of iPhone and iPad apps over the last year or so Very little has been published I’ve done a number of them in the last 10 months notes of what I’ve learned so far

5 Application environment
native applications iOS, port of MacOSX to arm cpu obj-c (strict c superset) obj-c classes take care of most low level handling (memory allocations, ....)

6 Transport security fair amount of iOS apps need to do secure transactions online banking, online trading, ... They will use SSL use of urls passed to NSURLRequest / NSURLConnection api uses a set of default ciphers:

7 Transport security

8 Transport security TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC40_MD5 TLS_RSA_EXPORT_WITH_DES40_CBC_ SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_ CBC_SHA

9 from apple’s Secure Coding Guide (2010-02-12), page 29
Transport security on by default no (documented) way to turn it off this is (kinda) documented: from apple’s Secure Coding Guide ( ), page 29

10 Transport security SSL api’s on iOS aren’t granular enough
developer should be able to set ciphersuites can’t fix it, but you can mitigate it include an ssl library and use that one (e.g. CyaSSL and MatrixSSL are build for embedded use)

11 Transport security documentation said secure trasport programming not available, use CFNetwork CFNetwork doesn’t allow setting ciphersuites (AFAIK) it does have api’s for some other things: allow expired certs allow expired roots allow any root don’t validate certificate chain

12 Transport security NSMutableDictionary *settings = [[NSMutableDictionary alloc] init];[settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsExpiredCertificates];[settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsExpiredRoots];[settings setObject:[NSNumber numberWithBool:YES] forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];[settings setObject:[NSNumber numberWithBool:NO] forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];CFReadStreamSetProperty((CFReadStreamRef)inputStream, kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);CFWriteStreamSetProperty((CFWriteStreamRef)outputStream, kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);

13 Transport security Luckily none of that is on by default!
takes quite some work to screw this up for a developer however it’s not unthinkable: “wait, we shipped that debug code ???”

14 url handler’s / IPC By design iPhone does not allow sharing between applications application developers sometimes need to share anyway developers (initially)found a way around this This now appears to be supported by apple (according to developer.apple.com)

15 url handler’s / IPC Application can register a url handler
other application would call url, with data rather simple IPC mechanism approved-iphone-inter-process- communication/

16 url handler’s / IPC info.plist file: code looks like:
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { [viewController handleURL:url]; return YES; }

17 url handler’s / IPC any webpage can call that link too
any webpage can now also do IPC with the application this IPC mechanism clearly had unintended consequences

18 url handler’s / IPC so the browser can call the url handlers too
wouldn’t it be neat if we could get it done without tricking a user into visiting a webpage from their mobile safari ?

19 url handler’s / IPC iOS 3 (and beyond) has this neat wifi hotspot feature if it connects to a wifi network, and detects redirection, it assumes it’s a wifi hotspot pops up mobile safari, and goes to the redirected page see

20 url handler’s / IPC looks like this:

21 url handler’s / IPC Attack is quite simple you must be on the same lan
knock iOS device off the network when it rejoins, forge the redirect to your webpage

22 url handler’s / IPC on by default you can turn it off (on iOS 4)

23 url handler’s / IPC Starting from iOS 4.2 there is newer api that should be used application:openURL:sourceApplication: annotation from the documentation:

24 url handler’s / IPC OpenURL is a much more elegant api for IPC
shows you who’s calling (so you can reject the browser for example) allows passing of object instead of serializing over url arguments

25 UIWebView can be used to build gui (mostly in web- like environments)
basically renders html (can do javascript!) a browser window more or less

26 UIWebView Vulnerable to attack (if used as a gui)
if attacker can inject unescaped data will lead to Cross site scripting

27 UIWebView by default there is no bridge from UIWebView’s javascript to actual obj-c most iOS apps developers that use UIWebView (for gui’s) would like there to be one url handler, only valid for that specific UIWebView shouldStartLoadingWithRequest: method

28 UIWebView that url handler can do anything you want it to do
most UIWebView’s url handler are used to handle some internals, arguments are considered trusted! even worse, a lot of them serialize/unserialize a methodname and parameters !

29 UIWebView

30 UIWebView if used simply as a browser
can do a lot more than render html and interact with a webapplications can parse and render a large number of file formats (and will not prompt user first!)

31 UIWebView Excel (xls) keynote (.key.zip) (and also zip files)
numbers (.numbers.zip) Pages (.pages.zip) pdf (.pdf) powerpoint (.ppt) word (.doc) rtf (.rtf) / rtf dictionary (.rtfd.zip) keynote ’09 (.key) numbers ’09 (.numbers) pages ’09 (.pages)

32 UIWebView Very long list enormously difficult file formats to parse
once parsed it gets rendered as html in the current DOM apple api’s, but they are in proc ! on by default no way to turn this off

33 UIWebView does a number of other things:
e.g. try to detect phone numbers and turns them into tell:// url’s you can turn this off set detectPhoneNumbers property to NO

34 UIWebView mitigation: render out of proc
give url to safari instead of rendering in UIWebView attack surface reduction if a bug gets exploited now, your application is no longer affected.

35 UIImage Wide attack surface very similar to UIWebView’s
UIImage is a general image class can handle a _LOT_ of image file formats

36 UIImage tiff jpeg png bmp ico cur xbm gif

37 UIImage not to mention some extensions that work with various image file formats: exif ICC profiles

38 UIImage Huge attack surface
there is no property to specify which one you want and which you don’t want

39 UIImage 2 possible workaround UIImage allows using CGImageRef
use more low-level Core Graphics library to specifically load jpg or png then feed the CGImageRef to UIImage

40 UIImage or you could just look at the first couple of bytes of the image file each graphics format is trivial to detect based on some magic bytes in the begining for example: png signature: (decimal) jpg signature: 4A GIF signature: or BMP: first 2 bytes: “BM”

41 header / xml injection not iOS specific, however rampant in mobile apps mostly with regards to interacting with webservices dev’s implement their own http handing stuff forget things like escaping \r, \n, “, ...

42 header / xml injection Consider the following example:
- (NSData *)HTTPHdrData { NSMutableString *metadataString = [NSMutableString string]; [metadataString form-data"]; if (self.name) [metadataString self.name]; if (self.fileName) [metadataString self.fileName]; [metadataString if (self.contentType) [metadataString self.contentType]; return result; }

43 header / xml injection iOS has some decent api’s for this
NSMutableURLRequest addValue:forHTTPHeaderField setValue:forHTTPHeaderField not vulnerable to injection although they do fail silently if injection is detected

44 Format string bugs iPhone apps use obj-c which is native code
however, if you stick to the obj-c syntax and the classes provided, chances of overflows and the like are small (the provided classes can do almost anything you want) provided classes also have format based functions

45 Format string bugs these formatstring functions can also lead to formatstring bugs seems most iOS apps are riddled with it most iOS apps developers don’t seem to know this is a problem

46 Format string bugs vulnerable obj-c methods NSLog()
[NSString stringWithFormat:] [NSString initWithFormat:] [NSMutableString appendFormat:] [NSAlert informativeTextWithFormat:] [NSPredicate predicateWithFormat:] [NSException format:] NSRunAlertPanel

47 Format string bugs obj-c is a superset of c
so all c fmt functions could also be abused in iOS apps: printf snprintf fprintf ...

48

49

50

51 Exploiting bugs

52

53

54

55

56

57

58

59

60

61

62 binary protocol handling
said before obj-c superset of c stick to NS* objects, mostly safe binary protocol handling is sort of the exception no good obj-c classes for that developers have to fall back to old c-style binary protocol parsing.

63 Directory traversal iOS has similar file api’s as MacOSX
same types of desktop/server os file issues NSFileManager

64 Directory traversal classic dir traversal: ../../../../ will work.
NSString *file = [[NSString alloc] initWithFormat: NSTemporaryDirectory(), attackerControlledString]; NSFileManager *m = [NSFileManager defaultManager]; [m createFileAtPath:text contents:nsd attributes:nil];

65 Directory traversal Poison NULL byte ../../../../blahblah\0
This works, because NSStrings don’t use 0- bytes to terminate a string, but the iOS kernel does. NSString *file = [[NSString alloc] initWithFormat: NSTemporaryDirectory(), attackerControlledString]; NSFileManager *m = [NSFileManager defaultManager]; [m createFileAtPath:text contents:nsd attributes:nil];

66 NSXMLParser NSXMLParser is the class used to parse xml files
it handles DTD’s by default billion laughs no way to turn it off doesn’t resolve external entities by default can be turned on

67 NSXMLParser There’s kindof a hairy workaround.
6 callbacks can be defined, that will be called if a DTD is encountered. foundElementDeclarationWithName foundAttributeDeclarationWithName foundInternalEntityDeclarationWithName foundExternalEntityDeclarationWithName foundNotationDeclarationWithName foundUnparsedEntityDeclarationWithName

68 NSXMLParser - (void) parser:(NSXMLParser*)parser foundExternalEntityDeclarationWithName:(NSString*)entityName { [self } - (void) parser:(NSXMLParser*)parser foundAttributeDeclarationWithName:(NSString*)attributeName { [self } - (void) parser:(NSXMLParser*)parser foundElementDeclarationWithName:(NSString*)elementName model:(NSString*)model { [self } - (void) parser:(NSXMLParser*)parser foundInternalEntityDeclarationWithName:(NSString*)name value:(NSString*)value { [self } - (void) parser:(NSXMLParser*)parser foundUnparsedEntityDeclarationWithName:(NSString*)name { [self } - (void) parser:(NSXMLParser*)parser foundNotationDeclarationWithName:(NSString*)name publicID:(NSString*)publicID { [self }

69 NSXMLParser This works, but it’s hairy and error prone
it would be nice if NSXMLParser had a parseDTD attribute

70 Questions ?

Download ppt "Auditting iPhone and iPad applications"

Similar presentations

Programming Paradigms and languages

Programming Paradigms and languages
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.

Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
Web Server Programming

Web Server Programming
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
 How Safe Are Smart Phones? By Sean Breslin. Can We Trust Our Phones?  Our cell phone, for most of us, is always by our side  If it is always with.

 How Safe Are Smart Phones? By Sean Breslin. Can We Trust Our Phones?  Our cell phone, for most of us, is always by our side  If it is always with.
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,
Microsoft ASP.NET AJAX - AJAX as it has to be Presented by : Rana Vijayasimha Nalla CSCE Grad Student.

Microsoft ASP.NET AJAX - AJAX as it has to be Presented by : Rana Vijayasimha Nalla CSCE Grad Student.
October 16, 2007HighEdWebDev2007 Single Source Website for Full Spectrum Access Rick Ells University of Washington

October 16, 2007HighEdWebDev2007 Single Source Website for Full Spectrum Access Rick Ells University of Washington
Introducing HTML & XHTML:. Goals  Understand hyperlinking  Understand how tags are formed and used.  Understand HTML as a markup language  Understand.

Introducing HTML & XHTML:. Goals  Understand hyperlinking  Understand how tags are formed and used.  Understand HTML as a markup language  Understand.
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.

Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.
1 Introduction to Tool chains. 2 Tool chain for the Sitara Family (but it is true for other ARM based devices as well) A tool chain is a collection of.

1 Introduction to Tool chains. 2 Tool chain for the Sitara Family (but it is true for other ARM based devices as well) A tool chain is a collection of.
4.1 JavaScript Introduction

4.1 JavaScript Introduction
JavaScript: Control Structures September 27, 2005 Slides modified from Internet & World Wide Web: How to Program. 2004 (3rd) edition. By Deitel, Deitel,

JavaScript: Control Structures September 27, 2005 Slides modified from Internet & World Wide Web: How to Program (3rd) edition. By Deitel, Deitel,
Delving into the Internet and Networks. In the beginning  ARPANET – set up for the military to have another network of communication  Pre-cursor to.

Delving into the Internet and Networks. In the beginning  ARPANET – set up for the military to have another network of communication  Pre-cursor to.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.

©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.
CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.

CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.

Similar presentations

Ads by Google