penTestIphone
Pentesting iPhone & iPad Apps
#Days 2011 – October 28

Who are we?
• Annika Meyer: President, co-founder of ADVTOOLS
• Sebastien Andrivet: Director, co-founder of ADVTOOLS

ADVTOOLS
• Swiss company founded in 2002 in Geneva
• Specialized in Information Security & Problems Diagnosis
  - Pentesting
  - Security Audits
  - Forensics
  - Training

Agenda
• Overviews
• Previous research
• iPhone/iPad application pentest
  - Our methodology
• Live demonstrations
• Q&A

iOS Application Types
• Web Applications
  - HTML + CSS + Javascript
  - Run inside Safari
• Native Applications:
  - Written in Objective-C (+ C/C++)
  - Compiled into CPU code: ARM for actual devices, x86 for iOS Simulator
• MonoTouch, Adobe Flash, …
  - Written in high-level language
  - Compiled into CPU code

iOS Applications
• Distributed as “.ipa” files
  - in fact simply zip files
• Deployed as “.app” directories
  - like on Mac OS X
• Executable code is:
  - encrypted with FairPlay DRM (AES)
  - signed with Apple’s signature
  - decryption with GDB or Crackulous

Objective-C
• Objective-C = C + Smalltalk
• Object oriented language
• Created in early 1980s by Stepstone
• Objective-C 2.0 released with Leopard (Mac OS X 10.5)
• Can be mixed with C and C++

Reverse Engineering
• Not so obvious at first:
  - ARM instruction set
  - Objective-C & objc_msgSend
  - Generated code sometimes strange
  - Few (working) scripts and tools
• Finally not so difficult
• Your best friend:
  - Hex-Rays IDA Pro (Win, Mac, Linux)

Data storage
• plist files (Property lists)
  - Used and abused
  - Binary (deprecated) or XML
• Sqlite 3
  - From time to time
• Keychain
• Binary data files (aka unknown)

iTunes & Backups
• Every time you connect your device to your computer, a backup is made
• Contains almost all data
• By default, not encrypted.
• To mitigate security problems:

Previous research
• In general, out of date
• Often inaccurate
• But contain interesting information
• We will give here only some examples

Foundstone (McAfee / Intel)
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing-iphone-ipad-apps.pdf

Nicolas Seriot
http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf

TippingPoint (now HP)
http://dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone-appstore-binaries

ARTeam
http://www.accessroot.com/arteam/site/download.php?view.222
http://www.accessroot.com/arteam/site/download.php?view.308

Pentesting iOS Applications
• Step 1: Preparing a device
• Step 2: Preparing a workstation
• Step 3: Preparing a network
• Step 4: Pentesting
• Step 5: Report

Step 1: Preparing a device
• Dedicated iPhone or iPad
• Jailbreaking
  - Easier if you jailbreak
  - Forbidden by Apple if you are a developer
  - Dangerous: jailbreaking is disabling most of the security features of iOS
• Install tools

Tools
• APT 0.7 Strict
• adv-cmds
• Darwin CC Tools
• GNU Debugger
• inetutils
• lsof
• MobileTerminal
• netcat
• network-cmds
• nmap
• OpenSSH
• tcpdump
• top
• wget

iOS Default Passwords
• By default, there are two users:
  - root
  - mobile
• Passwords = alpine
• Be sure to change them:
    passwd
    passwd mobile

Step 2: Workstation
• Windows: OK
• Mac OS X (Lion or Snow Leopard): Better
• Linux, FreeBSD, …: Good luck! Possible but you will need a Windows to run some tools (virtual machine…)

Some Tools
• Windows:
  - SecureCRT or Putty, WinSCP
  - plist Editor for Windows
• Mac OS X:
  - ssh, SecureCRT, Cyberduck
  - XCode
• Windows / Mac:
  - SQLite Database Browser
  - Apple iPhone Configuration Utility
  - Wireshark
  - Burp, Webscarab …
  - IDA Pro (+ ARM decompiler)

Our Tools
• ADVsock2pipe
  - Remote network captures (Windows)
• ADVinterceptor 2.0
  - Communications interception
  - DNS & Web Servers
• Available on GitHub under GPLv3
  https://github.com/ADVTOOLS

Step 3: Network
[Diagram: Internet, Wifi, Firewall, LAN]

Step 4: Pentesting
• Step A: Install app. from iTunes
• Step B: Reconnaissance (passive)
  - B.1: Network capture
  - B.2: Interception
  - B.3: Artifacts
  - B.4: Decrypt + Reverse engineering
• Step C: Attack (active)
  - C.1: Interception + tampering

B.1: Network Capture
[Diagram: tcpdump + netcat, ADVsock2pipe, Windows pipe, tcp]

B.2: Interception
Proxy method
[Diagram: Burp Suite Pro, WebScarab, …; Proxy]

B.2: Interception
ADVinterceptor
[Diagram: ADVinterceptor 2 (DNS Server, Web Server,…); DNS, HTTP, HTTPS, etc.]

Inject SSL Certificates
• Root from Burp or ADVinterceptor
• Use Apple iPhone Configuration

Demos
[Diagram: Wifi, 2G/3G, Wifi, Internet, Windows 7 on Mac Book, VNC Client, Shell, SSH Client (SecureCRT), 3G+Wifi]

Q&A

Thank you
To contact us:
annika@advtools.com
sebastien@advtools.com
Twitter: @AndrivetSeb @ADVTOOLS
www.advtools.com
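
Added example, not part of the original slides: the "iOS Applications" and "Data storage" slides note that an .ipa is simply a zip file and that plist files, binary or XML, are "used and abused". The Python code below audits an app package for plist keys whose names suggest stored secrets. The sample archive, bundle names and keyword list are constructed assumptions.

```python
import io
import plistlib
import zipfile

# Assumed keyword list; tune it to the application under review.
SENSITIVE = ("password", "passwd", "token", "secret", "apikey", "session")

def build_sample_ipa() -> bytes:
    """Constructed sample: a tiny .ipa (zip) holding one binary and one XML plist."""
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleExecutable": "Demo"}
    prefs = {"username": "alice", "auth": {"sessionToken": "CONSTRUCTED-VALUE"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Demo.app/defaults.plist",
                   plistlib.dumps(prefs, fmt=plistlib.FMT_XML))
        z.writestr("Payload/Demo.app/Demo", b"\xca\xfe\xba\xbe")  # placeholder executable
    return buf.getvalue()

def walk(node, path=""):
    """Yield (key path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def audit_ipa(data: bytes):
    """Return (findings, formats): sensitive-looking key paths and each plist's format."""
    findings, formats = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".plist"):
                continue
            raw = z.read(name)
            formats[name] = "binary" if raw.startswith(b"bplist00") else "xml"
            try:
                tree = plistlib.loads(raw)  # auto-detects binary vs XML
            except Exception:               # corrupt or non-plist content
                formats[name] = "unparsed"
                continue
            for key_path, _value in walk(tree):
                if any(word in key_path.lower() for word in SENSITIVE):
                    findings.append((name, key_path))
    return findings, formats

if __name__ == "__main__":
    print(audit_ipa(build_sample_ipa()))
```

Only key paths are reported, never values, so the output can go into a report without copying the secret itself.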