Pentesting iPhone & iPad Apps
#Days 2011 – October 28
Who are we?
• Annika Meyer
President, co-founder of ADVTOOLS
• Sebastien Andrivet
Director, co-founder of ADVTOOLS
ADVTOOLS
• Swiss company founded in 2002 in Geneva
• Specialized in Information Security & Problem Diagnosis
  Pentesting
  Security Audits
  Forensics
  Training
Agenda
• Overviews
• Previous research
• iPhone/iPad application pentest
  Our methodology
• Live demonstrations
• Q&A
iOS Application Types
• Web Applications
  HTML + CSS + JavaScript
  Run inside Safari
• Native Applications:
  Written in Objective-C (+ C/C++)
  Compiled into CPU code: ARM for real devices, x86 for the iOS Simulator
• MonoTouch, Adobe Flash, …
  Written in a high-level language
  Compiled into CPU code
iOS Applications
• Distributed as “.ipa” files
in fact simply zip files
• Deployed as “.app” directories
like on Mac OS X
• Executable code is:
encrypted with FairPlay DRM (AES)
signed with Apple’s signature
decryption with GDB or Crackulous
Objective-C
• Objective-C = C + Smalltalk
• Object oriented language
• Created in early 1980s by Stepstone
• Objective-C 2.0 released with Leopard (Mac OS X 10.5)
• Can be mixed with C and C++
Reverse Engineering
• Not so obvious at first:
  ARM instruction set
  Objective-C & objc_msgSend
  Generated code is sometimes strange
  Few (working) scripts and tools
• In the end, not so difficult
• Your best friend:
  Hex-Rays IDA Pro (Win, Mac, Linux)
Data storage
• plist files (Property lists)
  Used and abused
  Binary (deprecated) or XML
• SQLite 3
  From time to time
• Keychain
• Binary data files (aka unknown)
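An added example (not from the talk or from the ADVTOOLS tools) of the artifact check this slide and step B.3 call for: parse a plist an app left behind, whichever of the two formats it uses, and flag leaves whose key name looks like a credential. The key-name pattern and the sample values are constructed for the example.

```python
from __future__ import annotations
import plistlib
import re
from typing import Any, Iterator

# Key names that tend to hold secrets when an app "abuses" plists as storage
# (pattern constructed for this example; extend it to the app under test).
SENSITIVE_KEY = re.compile(r"(pass(word)?|pwd|secret|token|apikey|api_key|session)", re.I)


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (key path, leaf value) for every leaf of a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_sensitive(data: bytes) -> list[tuple[str, Any]]:
    """Parse a plist (XML or binary: plistlib sniffs the format from the bytes)
    and return the leaves whose key path matches SENSITIVE_KEY."""
    tree = plistlib.loads(data)
    return [(path, value) for path, value in walk(tree) if SENSITIVE_KEY.search(path)]


# Constructed sample: what a careless app's preferences plist might contain.
SAMPLE = {
    "username": "alice",
    "password": "hunter2",
    "settings": {"theme": "dark", "apiToken": "tok-123"},
    "accounts": [{"name": "work", "pwd": "s3cret"}],
}
XML_PLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
BINARY_PLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    # Same findings from both encodings: the format does not hide anything.
    for fmt, blob in (("xml", XML_PLIST), ("binary", BINARY_PLIST)):
        print(fmt, find_sensitive(blob))
```

Point it at the files under an app's Library/Preferences and Documents directories pulled from the device or from an unencrypted iTunes backup.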
iTunes & Backups
• Every time you connect your device to your computer, a backup is made
• Contains almost all data
• By default, not encrypted.
• To mitigate security problems:
Previous research
• In general, out of date
• Often inaccurate
• But contains interesting information
• We give only some examples here
Foundstone (McAfee / Intel)
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing-iphone-ipad-apps.pdf
Nicolas Seriot
http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf
TippingPoint (now HP)
http://dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone-appstore-binaries
ARTeam
http://www.accessroot.com/arteam/site/download.php?view.222
http://www.accessroot.com/arteam/site/download.php?view.308
Pentesting iOS Applications
• Step 1: Preparing a device
• Step 2: Preparing a workstation
• Step 3: Preparing a network
• Step 4: Pentesting
• Step 5: Report
Step 1: Preparing a device
• Dedicated iPhone or iPad
• Jailbreaking
  Easier if you jailbreak
  Forbidden by Apple if you are a developer
  Dangerous: jailbreaking disables most of the security features of iOS
• Install tools
Tools
• APT 0.7 Strict
• adv-cmds
• Darwin CC Tools
• GNU Debugger
• inetutils
• lsof
• MobileTerminal
• netcat
• network-cmds
• nmap
• OpenSSH
• tcpdump
• top
• wget
iOS Default Passwords
• By default, there are two users:
  root
  mobile
• Password for both = alpine
• Be sure to change them:
  passwd
  passwd mobile
Step 2: Workstation
• Windows:
  OK
• Mac OS X (Lion or Snow Leopard):
  Better
• Linux, FreeBSD, …:
  Good luck!
  Possible, but you will need Windows to run some tools (in a virtual machine, for example)
Some Tools
• Windows:
  SecureCRT or PuTTY, WinSCP
  plist Editor for Windows
• Mac OS X:
  ssh, SecureCRT, Cyberduck
  Xcode
• Windows / Mac:
  SQLite Database Browser
  Apple iPhone Configuration Utility
  Wireshark
  Burp, WebScarab, …
  IDA Pro (+ ARM decompiler)
Our Tools
• ADVsock2pipe
Remote network captures (Windows)
• ADVinterceptor 2.0
Communications interception
DNS & Web Servers
• Available on GitHub under GPLv3
https://github.com/ADVTOOLS
Step 3: Network
[Network diagram: Internet, Wifi, Firewall, LAN]
Step 4: Pentesting
• Step A: Install the app from iTunes
• Step B: Reconnaissance (passive)
  B.1: Network capture
  B.2: Interception
  B.3: Artifacts
  B.4: Decrypt + Reverse engineering
• Step C: Attack (active)
  C.1: Interception + tampering
B.1: Network Capture
[Diagram: tcpdump + netcat on the device -> tcp -> ADVsock2pipe -> pipe -> Windows]
B.2: Interception
[Diagram: Proxy method, with Burp Suite Pro, WebScarab, … as the proxy]
B.2: Interception
[Diagram: ADVinterceptor 2 (DNS Server, Web Server, …) handling DNS, HTTP, HTTPS, etc.]
Inject SSL Certificates
• Root certificate from Burp or ADVinterceptor
• Use Apple iPhone Configuration Utility
Demos
[Demo setup diagram: Wifi, 2G/3G, Internet, Windows 7 on a MacBook, VNC client, shell, SSH client (SecureCRT), 3G+Wifi]
Q&A
Thank you
To contact us:
annika@advtools.com
sebastien@advtools.com
Twitter:
@AndrivetSeb
@ADVTOOLS
www.advtools.com