3. Attacking iOS Applications (Part 2)
0 likes54 views
This document discusses attacking iOS applications by exploiting vulnerabilities in the iOS runtime, interprocess communication, and through injection attacks. Specifically, it covers instrumenting the iOS runtime using method swizzling, attacking applications using interprocess communication techniques like application extensions, and exploiting entry points like UIWebViews, client-side data stores, and file handling routines to perform injection attacks on iOS apps.
3. Attacking iOS Applications (Part 2)
- 1. CNIT 128 Hacking Mobile Devices 3. Attacking iOS Apps Part 2 Updated 12-12-22
- 2. Topics: Part 1 • Introduction to Transport Security • Identifying Insecure Storage • Patching iOS Applications with Hopper
- 3. Topics: Part 2 • Attacking the iOS Runtime • Understanding Interprocess Communication • Attacking Using Injection
- 5. The Runtime • Objective-C and Swift defer many decisions • From compile-and-link time • To runtime • By using re fl ection • Apps modify their own behavior at runtime • Dynamically load new classes • Change method implementations
- 6. Understanding Objective-C and Swift • Object-oriented languages • Objects encapsulate data in the form of classes • Classes contain • Instance variables • Methods • Properties
- 7. Interface File • De fi nes a class structure • Image from https://blog.teamtreehouse.com/an-introduction-to-objective-c
- 8. Methods • Instance methods can only be invoked • After creating an instance of the class • Class methods can be invoked • Without actually creating an instance of the class
- 9. Swift Class
- 10. Instrumenting the iOS Runtime • Tracing, debugging, or otherwise pro fi ling the execution of an app at runtime • Examples: • Bypassing jailbreak detection • Stealing encryption keys • Force-loading view controllers • Attacking local authentication • Pivoting to internal networks • Demonstrating the risks of malware • Inspecting a custom encryption protocol
- 11. Instrumenting Objective-C • Objective-C is by far easiest to instrument • To invoke a function • Pass it a message • Through the runtime's objc_msgSend() function • To instrument it, simulate calls to objc_msgSend()
- 12. Method Swizzling • Replace the implementation of a method at runtime • A class maintains a dispatch table • With a map of selectors to implementations • Selector: name of method • Implementation: pointer to function • Replacing pointers achieves swizzling
- 13. Instrumenting Swift • Swift uses direct function calls and vtable lookups • Requires more e ff ort to instrument
- 14. Cydia Substrate • Runtime manipulation framework • Created by saurik • Can instrument apps on iOS • Inherent in most jailbreaks • Pre-installed with Cydia
- 15. Tweaks • Also called substrate extensions • Developed using the Cydia Substrate C API • Compiled as dynamic libraries • Placed in /Library/MobileSubstrate/ DynamicLibraries • Loaded into an app by MobileLoader
- 16. Filters • Prevent your extension being loaded into every new process • Filters are plist fi les • In binary plist, XML, or JSON format • Name is same as your tweak, with .plist fi le extension
- 17. mdsectweak. plist Filters by bundle identi fi er <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Filter</key> <dict> <key>Bundles</key> <array> <string>com.mdsec.lab1-1a</string> </array> </dict> </dict> </plist>
- 18. Tweak Development Environments • iOSOpenDev • Limited to OS X • Theos • Works on iOS, OS X, and Linux • Recommended • Captain Hook • Dated, limited to OS X
- 19. Key Functions in Substrate API • MSHookFunction • MSFindSymbol • MSGetImageByName • MSHookMessageEx
- 20. Key Functions • MSHookFunction • Hooks native C or C++ code functions • Uses a trampoline to divert the execution fl ow to a replacement function • MSFindSymbol • Finds symbols by name • Not possible with stripped apps
- 21. Key Functions • MSGetImageByName • Loads a dynamic library • If it's not already loaded • MSHookMessageEx • Implements method swizzling for functions that inherit from NSObject
- 22. Example • Line 4: oldStat points to original stat() function, which shows a fi le's status • Lines 6-13: Replacement stat • If path argument is /bin/bash, print an error message
- 23. Example • Line 15: MSInitialize loads its contents fi rst when the app loads • Line 16: MSHookFunction has three arguments • Symbol to replace, new function, old function
- 24. Cycript • A runtime instrumentation tool for iOS apps • Blends JavaScript and Objective-C • Can access and manipulate objects in a running app • Able to • Brute-force local authentication • Steal encryption keys from populated objects • Force loading of view containers
- 25. Pivoting to Internal Networks • BYOD (Bring Your Own Device) • MDM (Mobile Device Management) • Apps that let you connect to company resources from a phone • If vulnerable, allow an attacker into the internal network
- 26. Kaseya BYOD
- 27. Attacking Kaseya BYOD • Kaseya gateway provides service to internal resources • Can be accessed by Kaseya Secure Browser • With no further authentication • Compromise of mobile device exposes internal resources
- 28. Instrumentation with Frida • Frida is a standalone instrumentation framework • Does not use Substrate • No modi fi cation to the device required • Other than running the frida-server binary • Controlled by a client over USB or the network
- 29. Dynamic Linker • In Linux, the LD_PRELOAD environment variable • Dynamically loads a library into a process • In Mac OS or iOS, use DLYD_INSERT_LIBRARIES
- 31. Sandbox • iOS apps run in an isolated sandbox • Interprocess communication is prohibited • Exceptions • Pasteboard • Registered protocol handlers • Application extensions
- 32. Attacking Protocol Handlers • To open the App Store app, use • itms-apps://itunes.apple.com/app/ id<num> • You can de fi ne a custom URL scheme in your app's Info.plist fi le, such as • myvoip://dialer/?call=123
- 33. • In an iframe on a web page • <iframe src="myvoip://dialer/? call=0044906123123 "></iframe> • This happened with Skype Automatic Loading
- 34. Application Extensions • Some are pre-de fi ned by Apple • Today -- extend the Today view of the noti fi cation center • Share -- to share content with other apps • Custom Keyboard
- 36. 1Password • Uses an extension so other apps can query credentials, such as Twitteri fi c • A malicious app could request credentials for any domain • But user must manually approve the use of the credential, which o ff ers some protection from abuse
- 38. iOS Entry Points • Input enters through: • Web applications • URL schemes • File types • AirDrop • iBeacons • Bluetooth • Wi-Fi • Pasteboards • Application extensions
- 39. Injecting into UIWebViews • UIWebView renders web content from • HTML • PDF • RTF • O ffi ce documents • iWork documents • Built on WebKit, like Safari and MobileSafari
- 40. UIWebViews • Supports JavaScript • Cannot be disabled • XSS attacks are possible • Can steal content, such as the Address Book
- 41. Skype XSS • Skype iOS app allowed script injection into a user's full name • Could access the local fi le system • And upload the address book
- 42. Injecting into Client-Side Data Stores • SQLite databases • Vulnerable to SQL injection • Exposes data, but not usually command injection
- 43. Injecting into XML • "Billion Laughs" DoS attack • Multiple nested XML entities • Expanding them uses excessive resources • If parsing of external entities is allowed • Could be used to attack web apps on the local network
- 44. Injection into File-Handling Routines • Less common, but some apps have this injection vulnerability • User controls a fi lename • Directory traversal attacks • Example: • Joe can upload a pro fi le pic to Documents/joe/ joepic.png • Joe can change the fi lename to • ../jane/janepic.png to read or write to another user's folder