A deck of slides which I have used for my presentation @ Clubhack 2012, India.
iOS applications share a common set of classes and depend heavily on the operating system's solutions for data communication, storage and encryption. Depending solely on Apple's implementation makes them less complex, but it affects the security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sandboxing and Data Protection, all of them are subject to attack. Relying only on iOS security can lead to the loss of sensitive data stored within the application once iOS is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating your own code that works better.
The presentation illustrates several types of iOS application attacks, such as runtime manipulation, custom code injection, SSL session hijacking and forensic data leakage. It gives an insight into the iOS Keychain and Data Protection API and explains the techniques used to circumvent them. The presentation provides guidelines and suggests best practices for secure iOS application development.
I want to thank my friend TC for helping me in developing a couple of apps for the demos.
Apple is not releasing updates for the Mac OS Lion Developer edition, so the DP4 VM has become outdated and the latest version of Xcode (4.5) does not work on it. To install Mountain Lion on VMware, follow the steps provided below.
Mountain Lion VM:
1) Download VMware workstation 8 – Torrent Link
2) Enable hardware virtualization in the computer BIOS – if you don’t know how to do this, read this link
3) Download Mac OS X Mountain Lion Vmware Image – Torrent Link
4) VMware does not support virtualization of OS X out of the box. To unlock VMware, extract the Mountain Lion VMware image and go to the ‘VMware Unlocker – Mac OS X Guest\VMware 8.x Series\VMware Workstation Unlocker – Windows’ folder. Right click on ‘Install.bat’ and run it as administrator. It patches VMware and allows the installation of Mac OS X.
5) In the extracted VMware image, double click the .vmx file and it will load the Mountain Lion VM.
VMware Tools:
1. Edit the virtual machine settings, go to ‘CD/DVD’ and use ‘VMware Unlocker – Mac OS X Guest\VMware 8.x Series\Tools\darwin.iso’ as the ISO image.
2. Power on the virtual machine and click on Finder. Click on the ISO image listed on the right side and install the VMware tools. The VMware tools installation displays a ‘The Installation Failed’ message; that is expected.
3. Restart the VM and it now supports full screen mode.
Xcode:
1. Open the Mac App Store and log in with an iTunes account.
2. Search for Xcode and install it. It installs Xcode 4.5 and the iOS 6 simulator.
Note: I tried updating the VM to Mountain Lion 10.8.2 but did not succeed.
On iOS, every file is encrypted with a unique encryption key, as illustrated in the image. The content of a file is encrypted with a per-file key, which is wrapped with a class key (the data protection class key) and stored in the file’s metadata, which is in turn encrypted with the file system key (EMF key). The file system key is generated from the hardware UID. The UID is unique per device, embedded in hardware and inaccessible to code running on the CPU.
Imagine a file that is encrypted only with the file system key: with physical access to the device, custom ramdisk techniques (ex: msft_guy's automated custom ramdisk) can be used to steal the file from a passcode-protected device. To overcome this problem, Data Protection was introduced. Data Protection protects data at rest on iOS devices using encryption keys that are tied to the device passcode and the UID. So if a file is protected with a data protection class and the user has set a passcode for the device, an attacker cannot access the file using the custom ramdisk technique unless he knows the passcode. In short, Data Protection adds another layer of security to files by encrypting them with a passcode-derived key.
File protection is enabled by setting an accessibility constant on the NSFileProtectionKey file attribute. The file is then encrypted with the protection class key corresponding to the accessibility constant set for that file.
Ex: If a file is marked with the NSFileProtectionComplete accessibility constant, the file is encrypted with the Class 1 protection class key and is available only when the user unlocks the device. If a file is created without specifying any accessibility constant, it is marked as NSFileProtectionNone and is accessible even when the device is locked. The list of accessibility constants available for files is shown in the table below.
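The following is an added example (not code from the original post or from FileDP) showing how an app sets the accessibility constant described above and how it can read the NSFileProtectionKey attribute back to verify the class. It uses only Foundation's NSData and NSFileManager APIs; the file names and the sample contents are constructed for the demo, and the "falls back to NSFileProtectionNone" behaviour assumed for the unmarked file is the iOS 6 era behaviour the post describes.

```objc
#import <Foundation/Foundation.h>

// Returns the data protection class (NSFileProtectionKey attribute) of a file,
// or nil if the attributes cannot be read.
static NSString *ProtectionClassOfFile(NSString *path) {
    NSError *error = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:&error];
    if (!attrs) {
        NSLog(@"attributesOfItemAtPath failed: %@", error);
        return nil;
    }
    return attrs[NSFileProtectionKey];
}

// Writes data with the Class 1 (NSFileProtectionComplete) constant, so the per-file key
// is wrapped with a class key that only exists while the device is unlocked.
static BOOL WriteProtectedFile(NSString *path, NSData *data) {
    NSError *error = nil;
    BOOL ok = [data writeToFile:path
                        options:NSDataWritingFileProtectionComplete
                          error:&error];
    if (!ok) {
        NSLog(@"writeToFile failed: %@", error);
    }
    return ok;
}

// Changes the class of an existing file in place, e.g. one created by a library
// that never specified an accessibility constant.
static BOOL SetProtectionClass(NSString *path, NSString *protectionClass) {
    NSError *error = nil;
    BOOL ok = [[NSFileManager defaultManager] setAttributes:@{NSFileProtectionKey: protectionClass}
                                               ofItemAtPath:path
                                                      error:&error];
    if (!ok) {
        NSLog(@"setAttributes failed: %@", error);
    }
    return ok;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed demo paths and contents; a real app would use its Documents dir.
        NSString *dir = NSTemporaryDirectory();
        NSString *protectedPath = [dir stringByAppendingPathComponent:@"session.dat"];
        NSString *plainPath = [dir stringByAppendingPathComponent:@"cache.dat"];
        NSData *sample = [@"constructed sample token" dataUsingEncoding:NSUTF8StringEncoding];

        WriteProtectedFile(protectedPath, sample);

        // Written without any accessibility constant: on the iOS versions discussed
        // here this is marked NSFileProtectionNone and readable while locked.
        [sample writeToFile:plainPath atomically:YES];

        NSLog(@"%@ -> %@", protectedPath, ProtectionClassOfFile(protectedPath));
        NSLog(@"%@ -> %@", plainPath, ProtectionClassOfFile(plainPath));

        // Repair the unprotected file; CompleteUnlessOpen keeps it usable for
        // background writes that outlive the unlock.
        SetProtectionClass(plainPath, NSFileProtectionCompleteUnlessOpen);
        NSLog(@"%@ -> %@", plainPath, ProtectionClassOfFile(plainPath));
    }
    return 0;
}
```

The same attributesOfItemAtPath: check is a cheap self-test to run over an app's own Documents and Library directories during an assessment from inside the app, complementing an on-device tool such as FileDP.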
I wrote a program (FileDP) which, when executed, takes a file as input and displays the accessibility constant of that file. The accessibility constant determines the type of class key. This helps during iOS application security assessments to identify whether sensitive files are protected with Data Protection or not.
Extracting data protection accessibility constant from files:
1. Download FileDP.
2. Copy FileDP to the iPhone over SSH using Cyberduck or WinSCP.
3. Open a terminal or PuTTY and connect to the iPhone over SSH.
4. On the SSH terminal, use the command below to give FileDP executable permissions.
chmod 777 FileDP
5. Use the command below to list the Data Protection accessibility constant of a file, or of all the files in a directory.
./FileDP -[F/D] [FilePath/DirectoryPath]
After running FileDP against an iOS application directory, I have noticed that the app preferences plist is not protected by Data Protection and is marked as NSFileProtectionNone. The preferences plist is used by many applications to store configuration details and sensitive details like usernames, session cookies and authentication tokens. The preferences plist is usually generated by Xcode and the user has no control over the file attributes.
Ex: The Facebook preferences plist – com.Facebook.Facebook.plist – contains user authentication tokens and cookies. The image below shows that it is marked as NSFileProtectionNone.
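As an added example (not code from the original post or from any app it names), the following shows the weak pattern behind the preferences plist finding beside its hardened form: writing a token through NSUserDefaults lands it in Library/Preferences/<bundle id>.plist, whose class the developer cannot control, whereas a Keychain item can be given an explicit accessibility attribute (kSecAttrAccessible) so it is wrapped with a passcode-derived class key. The service name and the account name are constructed placeholders; the code assumes ARC and the Security framework.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service identifier; a real app would use its bundle identifier.
static NSString *const kDemoService = @"com.example.demoapp";

// Weak pattern: the value is written to the app's preferences plist, which the
// post shows is marked NSFileProtectionNone and therefore readable while locked.
static void StoreTokenInPreferences(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"authToken"];
    [[NSUserDefaults standardUserDefaults] synchronize];
}

// Hardened form: the token becomes a generic-password Keychain item with an
// explicit accessibility class, so it is only available while the device is
// unlocked and is not migrated to other devices by backups.
static OSStatus StoreTokenInKeychain(NSString *account, NSString *token) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kDemoService,
        (__bridge id)kSecAttrAccount: account,
    };
    // Remove a previous copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Reads the token back; returns nil when no item exists or the device is locked
// and the class key is unavailable.
static NSString *LoadTokenFromKeychain(NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kDemoService,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        NSLog(@"SecItemCopyMatching failed: %d", (int)status);
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        NSString *token = @"constructed-sample-session-token";   // constructed value

        StoreTokenInPreferences(token);   // ends up in the unprotected plist

        OSStatus status = StoreTokenInKeychain(@"session", token);
        NSLog(@"SecItemAdd status: %d", (int)status);
        NSLog(@"Keychain copy: %@", LoadTokenFromKeychain(@"session"));
    }
    return 0;
}
```

When auditing, compare the two locations: the plist under Library/Preferences will show the token in clear with the class reported by FileDP, while the Keychain item carries the accessibility attribute the app chose.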
SSH into a jailbroken iPhone allows browsing the files and folders on the device easily. When the iPhone and the computer are connected to the same WiFi network, it is easy to SSH in using any SSH client. SSH into the iPhone is also possible over a USB cable, which comes in handy when the iPhone is not connected to the network. The steps below explain the procedure to SSH into the iPhone over a USB cable.
Steps to SSH into the iPhone through a USB cable (Windows):
1. Jailbreak the iPhone and install OpenSSH from Cydia.
2. Download Python 2.6 and install it to the c:\python26 folder.
3. Download the usbmuxd archive and extract it to the C drive using WinRAR.
4. Connect the iPhone to the Windows machine over the USB cable.
5. Open a command prompt and type the commands below.
C:\> cd usbmuxd-1.0.8
C:\usbmuxd-1.0.8> cd python-client
C:\usbmuxd-1.0.8\python-client> \Python26\python.exe tcprelay.py -t 22:2222
6. Download PuTTY and open it.
7. In PuTTY, enter the Host Name as 127.0.0.1 and the Port as 2222. Select the connection type as SSH and click Open.
8. You are now connected to the iPhone over SSH. Enter the username root and the password alpine to log in to the iPhone.
Note: the usbmuxd tcprelay client is a Python script, so it works on Mac OS and other platforms as well. The only limitation is that it allows only one SSH connection at a time.