Uploaded by The C Craft Tree

iOS Application Security And Static Analysis

advertisement
iOS Application Security And Static
Analysis
Application security refers to the strategies used to protect mobile
applications, online apps, and APIs (Application Programming
Interfaces) from hackers. In the mobile device market, iOS is the most
popular operating system. Because of their popularity, a variety of
apps have been developed, making them excellent targets for
attackers.
Today, we’ll look at how to perform static security pentesting on iOS
apps, starting with bypassing SSL pinning and a few potential security
flaws.
Bypassing SSL Pinning on iOS Device
The technique of linking a host with its certificate/public key is
known as SSL Certificate Pinning. You pin a certificate or public key
to a host after you have it. In other words, you set the app to refuse
any certificates or public keys save one or a few predetermined ones.
Bypassing SSL Pinning using Frida :Frida:- Frida is a Dynamic instrumentation toolkit for developers,
reverse-engineers, and security researchers that allows you to inject
JavaScript snippets or your own libraries into native Windows,
macOS, iOS, Android, and QNX programmes.
Install Frida from Github :- https://github.com/frida/frida
Install Frida on your Jailbroken iOS Device also through Cydia.
Step 1:- Run command frida-ps -Uia to list all the running app’s on the
device.
Great. That is all the info you require.
Step 2:- Now Run the command frida–codeshare
federicodotta/ios13-pinning-bypass -f -U –no-pause.
Here, Identifier is the bundle id of the application for which you want
to bypass SSL Pinning. So to get the identifier run the command in
step 1 .
Step 3:- After the process is completed successfully. Configure your
iOS device with burp suite and try to intercept the traffic of the app
for which you bypassed SSL Pinning.
Below is the example of amazon application:-
Extracting the ipa file from any iOS Device
You can use Imazing to extract the ipa file of any application installed
on your iphone , whether your device is jailbroken or not.
Install the application in your iOS device now go to Imazing, connect
your device to your mac/windows and go to manage apps. There you
will see a list of all the applications installed on your device and in the
front of all app names you will see a download button as shown in the
image below. Now Click on that button and the ipa of that application
will be downloaded on your Pc.
MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one
mobile application (Android/iOS/Windows) pen-testing, malware
analysis and security assessment framework capable of performing
static and dynamic analysis.
Plist
Plist stands for Property List. It is a flexible and easy format for
storing application data. It’s what we’d refer to as an iOS app’s
manifest. Sometimes you can find sensitive data in these files like
Gmap api keys etc.
You can see Plist files in MobSf also or you can use the Objection
Framework command.
Objection Command → ios plist cat Info.plist
Keychain Dump
Keychain is a secure storage container on an iOS device that is used to
store sensitive information such as usernames, passwords, network
passwords, and auth tokens..It allows you to save account names,
passwords, and credit card data safely and securely.
Insecure Transport Layer ( App Transport Security )
If App Transport Security is disabled on the domain i.e :{‘NSAllowsArbitraryLoads’: True}’,While ATS safeguards are
maintained everywhere in your programme, disabling ATS might
allow unsafe contact with specific servers or unsecured loads for web
views or media.
NsUserdefault File
It is also a simple plist file in your app package which can be used to
set and get data very easily. Its structure resembles that of a
dictionary, and the user defaults are sometimes referred to as a
key-value store.
Hardcoded Api Keys
Most of the apps need private/sensitive values, such as secrets ,
passwords & Api Keys which are stored in the application’s source
code to setup third party SDKs or backend Api’s.
During the build process or while using developer tools, such as
interacting with an Apple Developer account, some secrets may be
required.
Binary Analysis using otool
You can use otool (object file displaying tool) for further binary
analysis of the application. The otool command displays sections of
object files or libraries that you specify. You can check using otool
that if the application is using weak hashing algorithms
,Banned/deprecated api’s, malloc function or insecure random number
generators.
Commands to check these are given below:To Check for weak hashing algorithms: –
● Open the terminal and take the ssh of your Iphone.
● Command:- ssh root@
● cd /var/containers/Bundle/Application//
● otool -Iv | grep -w _CC_MD5
● otool -Iv | grep -w _CC_SHA1
To Check for Banned/Deprecated Api’s :● Open the terminal and take the ssh of your Iphone.
● Command:- ssh root@<IP>
● cd /var/containers/Bundle/Application/<APP_ID>/<app>
● otool -Iv <app> | grep -w _stat
● otool -Iv <app> | grep -w _sscanf
● otool -Iv <app> | grep -w _strncpy
● otool -Iv <app> | grep -w _strle
Similarly is for malloc function and Insecure random number
generator.
Source Blog :https://detoxtechnologies.com/ios-application-security-overview/
IOS Static Analysis || IOS Application Security || IOS Application
Security Solutions || IOS Security Overview || IOS Application
Security Testing
Download