iOS Application Security Review Methodology

1. iOS Sandbox

Entitlement

An entitlement is a list of configurations included in the application’s signature.

On top of the sandbox restrictions, entitlements grant additional capabilities such as iCloud and push notifications.

Containers

An iOS app can only run inside its container. When the app launches, its process is given two environment variables, HOME and CFFIXED_USER_HOME, so that it cannot reach the real system HOME.

Powerbox

Powerbox gives an app a way to access files outside its sandbox. For example, when an app wants to access the system photo library, it can do so once the user has granted permission.

XPC Services

iOS implements an interprocess communication (IPC) technology called XPC. An XPC service can only be accessed by its own app, and its lifetime is managed by the system.

2. Remote API

  • Plain Text Communication with Remote API
  • Lack of SSL Certificate Pinning
  • SSL Misconfiguration

Use Burp to test whether a MiTM succeeds and whether certificate pinning is implemented.

3. Static Analysis

Tool 1: Needle

GitHub

Tool 2: Dumpdecrypted

All App Store apps are encrypted and must be decrypted first.

DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /private/var/mobile/Containers/Bundle/Application/2E2A51E9-B964-41B6-B360-34AD21CE2BE3/Yelp.app/Yelp  

Check which architectures are used:

lipo -info Yelp.decrypted  

or

otool -vh Yelp.decrypted  
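A small Python inspector, added here as an example (not from the original page or from any of the tools it names), that does what the two commands above do by hand: it walks a fat binary's big-endian header, then each little-endian Mach-O slice, reporting the architecture and the cryptid from the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command. A cryptid of 1 means the slice is still FairPlay-encrypted and the dump did not work; 0 means it is ready for Hopper or IDA. The sample fat binary is constructed in memory and contains only the header and one load command per slice; the constant values come from <mach-o/loader.h> and <mach-o/fat.h>.

```python
import struct

# Constants from <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC = 0xCAFEBABE           # fat header is always big-endian
MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O
LC_ENCRYPTION_INFO = 0x21        # FairPlay encryption info, 32-bit
LC_ENCRYPTION_INFO_64 = 0x2C     # FairPlay encryption info, 64-bit
MH_EXECUTE = 2

CPU_TYPE_NAMES = {
    0x0000000C: "armv7",   # CPU_TYPE_ARM
    0x0100000C: "arm64",   # CPU_TYPE_ARM | CPU_ARCH_ABI64
    0x00000007: "i386",    # CPU_TYPE_X86
    0x01000007: "x86_64",  # CPU_TYPE_X86 | CPU_ARCH_ABI64
}


def parse_thin(data, base=0):
    """Parse one Mach-O slice starting at `base`; report its arch and cryptid."""
    magic, cputype = struct.unpack_from("<II", data, base)
    if magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 has an extra `reserved` field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    info = {"arch": CPU_TYPE_NAMES.get(cputype, hex(cputype)), "cryptid": None}
    offset = base + header_size
    end = offset + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid [, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            info["cryptid"] = cryptid
        offset += cmdsize
    info["encrypted"] = info["cryptid"] == 1
    return info


def inspect_macho(data):
    """Return one record per architecture, like `lipo -info` plus the cryptid."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_thin(data, 0)]
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat_arch):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices.append(parse_thin(data, offset))
    return slices


def inspect_file(path):
    with open(path, "rb") as f:
        return inspect_macho(f.read())


# Constructed sample: a fat binary with an encrypted arm64 slice and a decrypted armv7 slice.
def _build_thin(magic, cputype, cpusubtype, cryptid):
    if magic == MH_MAGIC_64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
        header = struct.pack("<IIIIIIII", magic, cputype, cpusubtype, MH_EXECUTE, 1, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
        header = struct.pack("<IIIIIII", magic, cputype, cpusubtype, MH_EXECUTE, 1, len(cmd), 0)
    return header + cmd


def build_sample_fat():
    arm64 = _build_thin(MH_MAGIC_64, 0x0100000C, 0, cryptid=1)   # still FairPlay-encrypted
    armv7 = _build_thin(MH_MAGIC, 0x0000000C, 9, cryptid=0)      # decrypted (cryptid cleared)
    page = 0x1000
    fat = bytearray(3 * page)
    struct.pack_into(">II", fat, 0, FAT_MAGIC, 2)
    struct.pack_into(">IIIII", fat, 8, 0x0100000C, 0, page, len(arm64), 12)
    struct.pack_into(">IIIII", fat, 28, 0x0000000C, 9, 2 * page, len(armv7), 12)
    fat[page:page + len(arm64)] = arm64
    fat[2 * page:2 * page + len(armv7)] = armv7
    return bytes(fat)


if __name__ == "__main__":
    for s in inspect_macho(build_sample_fat()):
        print(s)
```

Run it against a real dump with inspect_file("Yelp.decrypted"); a slice that still reports cryptid 1 is the usual reason a disassembler shows only garbage, and it is the first thing to check when dumpdecrypted appears to succeed but the output does not disassemble.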

Download the decrypted app locally and analyze it with RE tools (e.g. Hopper, IDA):

scp root@192.168.2.3:/private/var/root/Yelpv7 .  

The decryption process can be achieved manually by loading the application, attaching gdb to the process and dumping the memory location of unencrypted program to file. It is an option to consider in case available tools fail to do so.

Check for PList files

Use iFunbox.

Check for Keychain Data and SQLite DB

Use Keychain-Dumper.

It is recommended that data stored in the keychain be protected with an extra layer of encryption on top of the keychain encryption provided by the operating system.

Check for HTTP Caching Responses

Check whether Cache.db retains sensitive data.

If the application uses the built-in NSURLRequest to perform HTTP requests, the responses might be cached on disk in the application's Cache.db SQLite file. If the remote API/web server does not return a Cache-Control header in its responses, sensitive information might end up being stored on the device. Note that the cache data stored in this file is not encrypted in any way.
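The check above, as an added Python example that is not part of the original page: it opens a Cache.db-style SQLite database, pulls each cached response together with its headers and body, and reports entries whose server response carried no Cache-Control header or whose body matches patterns that should never sit in an unencrypted on-disk cache. The sample database is constructed in memory. It reuses the real file's table names (cfurl_cache_response, cfurl_cache_blob_data, cfurl_cache_receiver_data) but, as a simplifying assumption, stores the response headers as a plain binary plist dictionary; in a real Cache.db the response_object blob is a more involved archived structure, so the header-decoding step is the part to adapt.

```python
import plistlib
import re
import sqlite3

# Patterns a reviewer would not expect to find in an unencrypted on-disk cache.
SENSITIVE_PATTERNS = {
    "bearer_token": re.compile(rb"Bearer\s+[A-Za-z0-9\-_.]{8,}"),
    "password_field": re.compile(rb'"password"\s*:', re.IGNORECASE),
    "email_address": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def header_value(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_cache(conn):
    """Return one finding per cached response that lacks Cache-Control or holds sensitive data."""
    rows = conn.execute(
        """
        SELECT r.request_key, b.response_object, d.receiver_data
        FROM cfurl_cache_response r
        JOIN cfurl_cache_blob_data b ON b.entry_ID = r.entry_ID
        JOIN cfurl_cache_receiver_data d ON d.entry_ID = r.entry_ID
        ORDER BY r.entry_ID
        """
    ).fetchall()
    findings = []
    for url, response_blob, body in rows:
        # ASSUMPTION: headers stored as a binary plist dict (simplified vs. the real file).
        headers = plistlib.loads(response_blob)
        cache_control = header_value(headers, "Cache-Control")
        hits = [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body or b"")]
        if cache_control is None or hits:
            findings.append({"url": url, "cache_control": cache_control, "sensitive": hits})
    return findings


def build_sample_cache():
    """Constructed sample: three cached responses, two of which a reviewer should flag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY, request_key TEXT, time_stamp TEXT);
        CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB);
        CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB);
        """
    )
    samples = [
        # login response: no Cache-Control at all, and the body carries a bearer token
        ("https://api.example.test/v1/login",
         {"Content-Type": "application/json"},
         b'{"user":"alice","token":"Bearer eyJhbGciOi.payload.sig"}'),
        # profile: server allowed caching and the body carries credentials and PII
        ("https://api.example.test/v1/profile",
         {"Content-Type": "application/json", "Cache-Control": "private, max-age=600"},
         b'{"email":"alice@example.test","password":"hunter2"}'),
        # static asset: cacheable and harmless
        ("https://cdn.example.test/logo.png",
         {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"},
         b"\x89PNG\r\n\x1a\n...."),
    ]
    for entry_id, (url, headers, body) in enumerate(samples, start=1):
        conn.execute("INSERT INTO cfurl_cache_response VALUES (?, ?, ?)",
                     (entry_id, url, "2024-01-01 00:00:00"))
        conn.execute("INSERT INTO cfurl_cache_blob_data VALUES (?, ?)",
                     (entry_id, plistlib.dumps(headers, fmt=plistlib.FMT_BINARY)))
        conn.execute("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?)", (entry_id, body))
    conn.commit()
    return conn


if __name__ == "__main__":
    for finding in audit_cache(build_sample_cache()):
        print(finding)
```

Against a real device, copy the app's Library/Caches/<bundle id>/Cache.db off with scp and pass sqlite3.connect(path) to audit_cache. The fix on the server side is a Cache-Control: no-store header on every response that carries session or personal data; on the client side, the app can additionally disable disk caching for those requests.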

MobSF

GitHub

4. Dynamic Analysis

In order to achieve:

  • bypass jailbreak detection
  • steal encryption keys or sensitive data
  • load ViewControllers to bypass certain controls
  • attack local authentication (if present)
  • pivot into internal networks when accessing corporate apps
  • check custom encryption

Instrumentation

Instrumentation: The process of exploring and modifying apps at runtime.

  • Cycript
  • Frida
  • Cydia substrate
  • GDB
  • dynamic linker to override functions (LD_PRELOAD)

Cycript

The article shows how to use Cycript to bypass an authentication check.

Snoop-it

Google Code

Snoop-it's Method Invoke module can invoke methods dynamically, similar to Cycript.

IDB

GitHub

introspy-ios / introspy-analyzer

Introspy-iOS helps to automate the runtime analysis of the application and potentially identify security issues. Introspy-iOS (the tracer) hooks and inspects sensitive APIs called by the application, and stores the results in a local SQLite database on the device.

Introspy-Analyzer is a tool that formats the tracer data and generates an HTML report. Below is an example of the tools' output when hooked into the Yelp application.

Officially only iOS 9.3.3 and below is supported (ref).

Snapshot

When an application is put in background, by pressing the device home button, iOS takes a screenshot of the current application screen. The screenshots are stored until the next device reboot.

  • Needle
  • iFunbox

Jailbreak Detection

Anti-Debugging Protection

As another defense-in-depth measure, an application might detect that it is running with a debugger attached, such as GDB, and gracefully stop running.

Keyboard Cache

When text is typed into input fields inside iOS applications, the data is cached for autocorrection, with the exception of password-type fields and other specific strings.

Buffer Overflow / Format Strings / Memory Corruption

iOS applications can be vulnerable to memory corruption vulnerabilities such as buffer overflows and format strings. When doing a review, it is worth fuzzing user input and checking for application crashes, which might indicate that the application is vulnerable. If the testing device is jailbroken, a further crash analysis with a debugger can be performed.

Reference

iOS Application Security Review Methodology