1. iOS Sandbox
An entitlement is a list of configurations included in the application's signature.
On top of the sandbox restrictions, entitlements grant extra capabilities such as iCloud and push notifications.
An iOS app can only run inside its container. When the app launches, its process is given two environment variables (CFFIXED_USER_HOME among them)
so that it cannot reach the real system HOME.
Powerbox gives an app a way to reach files outside its sandbox: if an app wants to access the system photos, it can do so once the user has allowed it.
iOS implements an interprocess communication technology (IPC) called XPC. An XPC service can only be accessed by its own app, and its lifetime is controlled by the system.
2. Remote API
- Plain Text Communication with Remote API
- Lack of SSL Certificate Pinning
- SSL Misconfiguration
Use Burp to test whether a MiTM succeeds, i.e. whether certificate pinning is implemented.
3. Static Analysis
Tool 1: Needle
Tool 2: Dumpdecrypted
All App Store apps are encrypted and have to be decrypted first.
lipo -info Yelp.decrypted   # list the architectures contained in the decrypted binary
otool -vh Yelp.decrypted    # print the Mach-O header of the decrypted binary
Copy the decrypted app to the local machine, then analyse it with RE tools (e.g. Hopper, IDA):
scp firstname.lastname@example.org:/private/var/root/Yelpv7 .
The decryption process can be achieved manually by loading the application, attaching gdb to the process and dumping the memory location of the unencrypted program to a file. It is an option to consider in case the available tools fail to do so.
Check for PList files
Check for Keychain Data and SQLite DB
It is recommended that data stored in the keychain is protected with an extra layer of encryption on top of the one the operating system's keychain already provides.
Check for HTTP Caching Responses
Check whether Cache.db contains leftover sensitive data.
If the application uses the built-in NSURLRequest to perform HTTP requests, the responses might be cached on disk in the Cache.db SQLite file belonging to the application. If the remote API/web server does not return a Cache-Control header in its responses, sensitive information might end up being stored on the device. Note that the cache data stored in this file is not encrypted in any way.
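A cache audit along these lines, as an added example that is not part of the original notes: the script models the cfurl_cache_response and cfurl_cache_receiver_data tables that NSURLCache writes into Cache.db (an assumption about the schema, to be confirmed against the Cache.db pulled from your own test device under the app's Library/Caches directory), scans each cached body for sensitive-looking data, and also evaluates a set of response headers captured from the API to decide whether NSURLCache would store the response at all. All sample rows and header sets are constructed.

```python
"""Audit an NSURLCache Cache.db for sensitive data left on disk.

Added example for these notes, not code from the original page. The table
layout mirrors the cfurl_cache_response / cfurl_cache_receiver_data tables that
NSURLCache writes into Cache.db (assumption: confirm against a Cache.db pulled
from your own test device, the schema is not documented by Apple). The sample
database rows are constructed here so the script runs offline.
"""
import re
import sqlite3
import sys

# Things a reviewer does not want to find in an unencrypted on-disk cache.
SENSITIVE_PATTERNS = {
    "json_secret": re.compile(
        rb'"(?:access_token|refresh_token|session|password|ssn)"\s*:\s*"[^"]+"', re.I),
    "bearer_token": re.compile(rb"Bearer\s+[A-Za-z0-9\-_.=]+"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def cache_control_allows_storage(headers):
    """Return True if a response with these headers may be persisted to Cache.db.

    Only a 'no-store' directive keeps the response out of the on-disk cache;
    a missing Cache-Control header (the case the notes describe) falls back to
    the default caching policy, so the body can land in Cache.db in clear text.
    Header names are compared case-insensitively.
    """
    directives = set()
    for name, value in headers.items():
        if name.lower() == "cache-control":
            directives |= {d.strip().lower() for d in value.split(",") if d.strip()}
    return "no-store" not in directives


def scan_cache_db(conn):
    """Join every cached URL with its body and report sensitive-looking matches."""
    findings = []
    rows = conn.execute(
        "SELECT r.entry_ID, r.request_key, d.isDataOnFS, d.receiver_data "
        "FROM cfurl_cache_response AS r "
        "JOIN cfurl_cache_receiver_data AS d ON d.entry_ID = r.entry_ID "
        "ORDER BY r.entry_ID"
    )
    for entry_id, url, on_fs, body in rows:
        if on_fs:
            # Large bodies are stored as separate files under fsCachedData/;
            # receiver_data then holds only the file name, so flag it for manual review.
            findings.append({"entry": entry_id, "url": url,
                             "kind": "body_on_fs", "match": str(body)})
            continue
        if body is None:
            continue
        if isinstance(body, str):
            body = body.encode()
        for kind, pattern in SENSITIVE_PATTERNS.items():
            m = pattern.search(body)
            if m:
                findings.append({"entry": entry_id, "url": url, "kind": kind,
                                 "match": m.group(0)[:60].decode(errors="replace")})
    return findings


def build_sample_cache_db():
    """Constructed in-memory stand-in for a Cache.db pulled from a test device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cfurl_cache_response(
            entry_ID INTEGER PRIMARY KEY, version INTEGER, hash_value INTEGER,
            storage_policy INTEGER, request_key TEXT, time_stamp TEXT);
        CREATE TABLE cfurl_cache_receiver_data(
            entry_ID INTEGER PRIMARY KEY, isDataOnFS INTEGER, receiver_data BLOB);
    """)
    responses = [
        (1, "https://api.example.com/v1/me"),     # constructed API response carrying a token
        (2, "https://cdn.example.com/logo.png"),  # harmless static asset
        (3, "https://api.example.com/v1/feed"),   # large body spilled to fsCachedData/
    ]
    bodies = [
        (1, 0, b'{"id":42,"email":"alice@example.com","access_token":"eyJhbGciOiJIUzI1NiJ9.constructed"}'),
        (2, 0, b"\x89PNG\r\n\x1a\n constructed image bytes"),
        (3, 1, "0F1E2D3C-CONSTRUCTED-FILENAME"),
    ]
    conn.executemany(
        "INSERT INTO cfurl_cache_response(entry_ID, version, hash_value, storage_policy, "
        "request_key, time_stamp) VALUES (?, 0, 0, 0, ?, '2016-01-01')", responses)
    conn.executemany("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?, ?)", bodies)
    return conn


if __name__ == "__main__":
    # Usage: python cache_audit.py [path/to/Cache.db]; with no path the constructed sample is scanned.
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_cache_db()
    for f in scan_cache_db(conn):
        print(f"[{f['kind']}] entry {f['entry']} {f['url']}: {f['match']}")
```

Run it against the Cache.db copied off the device with the same scp step used for the binary; every hit is a response the server should have marked Cache-Control: no-store, or that the app should have excluded from NSURLCache.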
4. Dynamic Analysis
Dynamic analysis is used to:
- bypass jailbreak detection
- steal encryption keys or sensitive data
- load ViewControllers to bypass certain controls
- attack local authentication (if present)
- pivot into internal networks when accessing corporate apps
- check custom encryption
Instrumentation: The process of exploring and modifying apps at runtime.
- Cydia substrate
- dynamic linker to override functions (LD_PRELOAD)
The article shows how to use Cycript to bypass an authentication check.
The Snoop-it Method Invoke module can invoke methods dynamically, similar to Cycript.
introspy-ios / introspy-analyzer
Introspy-iOS helps to automate the runtime analysis of the application and potentially identify security issues. Introspy-iOS (the tracer) hooks and inspects sensitive APIs called by the application and stores the results in a local SQLite database on the device.
Introspy-Analyzer is a tool that formats the tracer data and generates an HTML report. Below is an example of the tools' results when hooked into the Yelp application.
When an application is put in background, by pressing the device home button, iOS takes a screenshot of the current application screen. The screenshots are stored until the next device reboot.
As another defence-in-depth measure, an application might detect that it is running with a debugger attached, such as GDB, and gracefully stop running.
When text is typed into input fields inside iOS applications, the data is cached for autocorrection, with the exception of password-type fields and other specific strings.
Buffer Overflow / Format Strings / Memory Corruption
iOS applications can be vulnerable to memory corruption vulnerabilities, such as buffer overflows and format strings. When doing a review, it is worth fuzzing user input and checking for application crashes, which might indicate that the application is vulnerable. If the testing device is jailbroken, a further crash analysis with a debugger can be performed.