Auditing iPhone and iPad applications - PowerPoint PPT Presentation

Provided by: cansecwes
Slides: 71

Transcript and Presenter's Notes

1
Auditing iPhone and iPad applications
  • Ilja van Sprundel <ivansprundel@ioactive.com>

2
Who am I?
  • Ilja van Sprundel
  • IOActive
  • netric
  • blogs.23.nu/ilja

3
What this talk is (and isn't) about
  • is
  • common security issues seen in 3rd party iOS
    applications
  • possible fix or mitigation of them
  • document how to exploit them in some cases
  • isn't
  • bugs in iOS itself
  • to some extent it does cover some API shortcomings

4
Introduction
  • Mobile app market exploded over the last 2 years
  • lots of demand for security reviews of iPhone and
    iPad apps over the last year or so
  • Very little has been published
  • I've done a number of them in the last 10 months
  • notes of what I've learned so far

5
Application environment
  • native applications
  • iOS, a port of Mac OS X to the ARM CPU
  • Objective-C (strict C superset)
  • obj-c classes take care of most low level
    handling (memory allocations, ...)

6
Transport security
  • fair amount of iOS apps need to do secure
    transactions
  • online banking, online trading, ...
  • They will use SSL
  • use of https:// URLs passed to NSURLRequest /
    NSURLConnection
  • API uses a set of default ciphers

7
Transport security
8
Transport security
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

9
Transport security
  • on by default
  • no (documented) way to turn it off
  • this is (kinda) documented

from Apple's Secure Coding Guide (2010-02-12), page 29
10
Transport security
  • SSL APIs on iOS aren't granular enough
  • developer should be able to set ciphersuites
  • can't fix it, but you can mitigate it
  • include an SSL library and use that one (e.g.
    CyaSSL and MatrixSSL are built for embedded use)

11
Transport security
  • documentation says Secure Transport programming is
    not available, use CFNetwork
  • CFNetwork doesn't allow setting ciphersuites
    (AFAIK)
  • it does have APIs for some other things
  • allow expired certs
  • allow expired roots
  • allow any root
  • don't validate certificate chain

12
Transport security
NSMutableDictionary *settings = [[NSMutableDictionary alloc] init];
// every one of these settings weakens or disables certificate validation
[settings setObject:[NSNumber numberWithBool:YES]
             forKey:(NSString *)kCFStreamSSLAllowsExpiredCertificates];
[settings setObject:[NSNumber numberWithBool:YES]
             forKey:(NSString *)kCFStreamSSLAllowsExpiredRoots];
[settings setObject:[NSNumber numberWithBool:YES]
             forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
[settings setObject:[NSNumber numberWithBool:NO]
             forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
CFReadStreamSetProperty((CFReadStreamRef)inputStream,
                        kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);
CFWriteStreamSetProperty((CFWriteStreamRef)outputStream,
                         kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);
13
Transport security
  • Luckily none of that is on by default!
  • takes quite some work for a developer to screw
    this up
  • however it's not unthinkable: "wait, we shipped
    that debug code???"

14
url handlers / IPC
  • By design the iPhone does not allow sharing between
    applications
  • application developers sometimes need to share
    anyway
  • developers (initially) found a way around this
  • This now appears to be supported by Apple
    (according to developer.apple.com)

15
url handlers / IPC
  • Application can register a url handler
  • other application would call the url, with data
  • rather simple IPC mechanism
  • http://mobileorchard.com/apple-approved-iphone-inter-process-communication/

16
url handlers / IPC
  • registered in the info.plist file
  • code looks like

- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
    // url (and everything inside it) came from whoever opened the link
    [viewController handleURL:url];
    return YES;
}
17
url handlers / IPC
  • any webpage can call that link too
  • any webpage can now also do IPC with the
    application
  • this IPC mechanism clearly had unintended
    consequences

18
url handlers / IPC
  • so the browser can call the url handlers too
  • wouldn't it be neat if we could get it done
    without tricking a user into visiting a webpage
    from their mobile Safari?

19
url handlers / IPC
  • iOS 3 (and beyond) has this neat wifi hotspot
    feature
  • if it connects to a wifi network, and detects
    redirection, it assumes it's a wifi hotspot
  • pops up mobile Safari, and goes to the redirected
    page
  • see http://support.apple.com/kb/HT3867

20
url handlers / IPC
  • looks like this

21
url handlers / IPC
  • Attack is quite simple
  • you must be on the same lan
  • knock iOS device off the network
  • when it rejoins, forge the redirect to your
    webpage

22
url handlers / IPC
  • on by default
  • you can turn it off (on iOS 4)

23
url handlers / IPC
  • Starting from iOS 4.2 there is a newer API that
    should be used
  • application:openURL:sourceApplication:annotation:
  • from the documentation

24
url handlers / IPC
  • openURL is a much more elegant API for IPC
  • shows you who's calling (so you can reject the
    browser for example)
  • allows passing of an object instead of serializing
    over url arguments

25
UIWebView
  • can be used to build gui (mostly in web-like
    environments)
  • basically renders html (can do javascript!)
  • a browser window more or less

26
UIWebView
  • Vulnerable to attack (if used as a gui)
  • if attacker can inject unescaped data
  • will lead to Cross site scripting

27
UIWebView
  • by default there is no bridge from a UIWebView's
    javascript to actual obj-c
  • most iOS app developers that use UIWebView (for
    GUIs) would like there to be one
  • url handler, only valid for that specific
    UIWebView
  • webView:shouldStartLoadWithRequest:navigationType:
    delegate method

28
UIWebView
  • that url handler can do anything you want it to
    do
  • most UIWebView url handlers are used to handle
    some internals, arguments are considered trusted!
  • even worse, a lot of them serialize/unserialize a
    method name and parameters!

29
UIWebView
30
UIWebView
  • if used simply as a browser
  • can do a lot more than render html and interact
    with web applications
  • can parse and render a large number of file
    formats (and will not prompt the user first!)

31
UIWebView
  • Excel (xls)
  • keynote (.key.zip) (and also zip files)
  • numbers (.numbers.zip)
  • Pages (.pages.zip)
  • pdf (.pdf)
  • powerpoint (.ppt)
  • word (.doc)
  • rtf (.rtf) / rtf dictionary (.rtfd.zip)
  • keynote 09 (.key)
  • numbers 09 (.numbers)
  • pages 09 (.pages)

32
UIWebView
  • Very long list
  • enormously difficult file formats to parse
  • once parsed it gets rendered
  • as html
  • in the current DOM
  • apple apis, but they are in proc !
  • on by default
  • no way to turn this off

33
UIWebView
  • does a number of other things
  • e.g. tries to detect phone numbers and turns them
    into tel:// urls
  • you can turn this off
  • set the detectPhoneNumbers property to NO

34
UIWebView
  • mitigation: render out of proc
  • give the url to Safari instead of rendering in
    UIWebView
  • attack surface reduction
  • if a bug gets exploited now, your application is
    no longer affected.

35
UIImage
  • Wide attack surface very similar to UIWebViews
  • UIImage is a general image class
  • can handle a _LOT_ of image file formats

36
UIImage
  • tiff
  • jpeg
  • png
  • bmp
  • ico
  • cur
  • xbm
  • gif

37
UIImage
  • not to mention some extensions that work with
    various image file formats
  • exif
  • ICC profiles

38
UIImage
  • Huge attack surface
  • there is no property to specify which one you
    want and which you dont want

39
UIImage
  • 2 possible workarounds
  • UIImage allows using a CGImageRef
  • use the more low-level Core Graphics library to
    specifically load jpg or png
  • then feed the CGImageRef to UIImage

40
UIImage
  • or you could just look at the first couple of
    bytes of the image file
  • each graphics format is trivial to detect based
    on some magic bytes in the beginning
  • for example
  • png signature 137 80 78 71 13 10 26 10 (decimal)
  • jpg signature 4A 46 49 46
  • GIF signature 47 49 46 38 39 61 or 47 49 46 38
    37 61
  • BMP first 2 bytes BM

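The magic-byte check from the slide above, as an added example in plain C (not code from the talk). It goes one step beyond the slide for JPEG: a JPEG file begins with the SOI marker FF D8 FF, and the "JFIF" bytes the slide lists (4A 46 49 46) sit at offset 6 inside the APP0 segment, so the marker is checked first and the identifier second. The sample headers are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (plain C, not code from the talk): sniff the container
 * format from the first bytes of an image before it reaches a general
 * decoder such as UIImage, so an app that only expects PNG and JPEG can
 * refuse everything else up front. */

enum image_kind { IMG_UNKNOWN = 0, IMG_PNG, IMG_JPEG, IMG_GIF, IMG_BMP };

enum image_kind sniff_image(const unsigned char *buf, size_t len) {
    static const unsigned char png_sig[8] = { 137, 80, 78, 71, 13, 10, 26, 10 };

    if (len >= 8 && memcmp(buf, png_sig, 8) == 0)
        return IMG_PNG;
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return IMG_JPEG;                                   /* SOI marker */
    if (len >= 6 && (memcmp(buf, "GIF89a", 6) == 0 || memcmp(buf, "GIF87a", 6) == 0))
        return IMG_GIF;
    if (len >= 2 && buf[0] == 'B' && buf[1] == 'M')
        return IMG_BMP;
    return IMG_UNKNOWN;                                    /* TIFF, ICO, XBM, ... all land here */
}

/* True when a JPEG carries the JFIF identifier (the slide's 4A 46 49 46)
 * at offset 6, where the APP0 segment puts it. */
int jpeg_is_jfif(const unsigned char *buf, size_t len) {
    return sniff_image(buf, len) == IMG_JPEG && len >= 10 && memcmp(buf + 6, "JFIF", 4) == 0;
}

/* Policy for an app that only ever wants PNG or JPEG: anything else is
 * refused before a decoder for it is exercised at all. */
int accept_image(const unsigned char *buf, size_t len) {
    enum image_kind k = sniff_image(buf, len);
    return k == IMG_PNG || k == IMG_JPEG;
}

/* Constructed sample headers (only the leading bytes matter here). */
const unsigned char SAMPLE_PNG[8]   = { 137, 80, 78, 71, 13, 10, 26, 10 };
const unsigned char SAMPLE_JPEG[11] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };
const unsigned char SAMPLE_GIF[6]   = { 'G', 'I', 'F', '8', '9', 'a' };
const unsigned char SAMPLE_BMP[2]   = { 'B', 'M' };
const unsigned char SAMPLE_TIFF[4]  = { 'I', 'I', 42, 0 };

int main(void) {
    static const char *const names[] = { "unknown", "png", "jpeg", "gif", "bmp" };
    printf("png  -> %s\n", names[sniff_image(SAMPLE_PNG, sizeof SAMPLE_PNG)]);
    printf("jpeg -> %s (jfif=%d)\n", names[sniff_image(SAMPLE_JPEG, sizeof SAMPLE_JPEG)],
           jpeg_is_jfif(SAMPLE_JPEG, sizeof SAMPLE_JPEG));
    printf("gif  -> %s\n", names[sniff_image(SAMPLE_GIF, sizeof SAMPLE_GIF)]);
    printf("bmp  -> %s\n", names[sniff_image(SAMPLE_BMP, sizeof SAMPLE_BMP)]);
    printf("tiff -> %s (accepted=%d)\n", names[sniff_image(SAMPLE_TIFF, sizeof SAMPLE_TIFF)],
           accept_image(SAMPLE_TIFF, sizeof SAMPLE_TIFF));
    return 0;
}
```

Sniffing only tells you which decoder would be invoked; it does not make that decoder any safer. It pairs naturally with the first workaround on the previous slide: check the bytes, then load through the specific Core Graphics path for that one format.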
41
header / xml injection
  • not iOS specific, however rampant in mobile apps
  • mostly with regards to interacting with
    webservices
  • devs implement their own http handling stuff
  • forget things like escaping \r, \n, ...

42
header / xml injection
  • Consider the following example

- (NSData *)HTTPHdrData {
    NSMutableString *metadataString = [NSMutableString string];
    [metadataString appendString:@"Content-Disposition: form-data"];
    if (self.name) {
        // name and fileName are inserted unescaped: a \r\n in either
        // one ends this header line and starts a new one
        [metadataString appendFormat:@"; name=\"%@\"", self.name];
    }
    if (self.fileName) {
        [metadataString appendFormat:@"; filename=\"%@\"", self.fileName];
    }
    [metadataString appendString:@"\r\n"];
    if (self.contentType) {
        [metadataString appendFormat:@"Content-Type: %@\r\n", self.contentType];
    }
    NSData *result = [metadataString dataUsingEncoding:NSUTF8StringEncoding];
    return result;
}
43
header / xml injection
  • iOS has some decent APIs for this
  • NSMutableURLRequest
  • addValue:forHTTPHeaderField:
  • setValue:forHTTPHeaderField:
  • not vulnerable to injection
  • although they do fail silently if injection is
    detected

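The HTTPHdrData pattern from two slides back, redone as an added example in plain C (not code from the talk), next to a variant that refuses any value containing CR or LF and reports that refusal instead of failing silently. The attacker-controlled field name is constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (plain C, not code from the talk): the header-building
 * pattern from the HTTPHdrData slide, beside a variant that refuses values
 * which could end the header line. INJECTED_NAME is a constructed input. */

/* A value may go into a header line only if it cannot end that line. */
int header_value_is_safe(const char *v) {
    return strpbrk(v, "\r\n") == NULL;
}

/* Vulnerable: name and file_name are trusted, as in the slide. Returns the
 * number of bytes written, or -1 if out is too small. */
int build_disposition_unsafe(char *out, size_t outlen, const char *name, const char *file_name) {
    int n = snprintf(out, outlen,
                     "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\n",
                     name, file_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened: identical output for clean input, -1 for a value that would
 * start a new header line. The failure is explicit rather than silent. */
int build_disposition_safe(char *out, size_t outlen, const char *name, const char *file_name) {
    if (!header_value_is_safe(name) || !header_value_is_safe(file_name)) return -1;
    return build_disposition_unsafe(out, outlen, name, file_name);
}

/* Number of header lines the peer would see: each CRLF ends one. */
int count_header_lines(const char *hdr) {
    int lines = 0;
    const char *p;
    for (p = strstr(hdr, "\r\n"); p; p = strstr(p + 2, "\r\n")) lines++;
    return lines;
}

/* Constructed attacker-controlled field name: closes the quote, then adds a line. */
const char INJECTED_NAME[] = "field\"\r\nX-Injected: yes";

int demo_unsafe_line_count(void) {
    char buf[256];
    if (build_disposition_unsafe(buf, sizeof buf, INJECTED_NAME, "a.txt") < 0) return -1;
    return count_header_lines(buf);                       /* 2: the original line plus the injected one */
}

int demo_safe_rejects_injection(void) {
    char buf[256];
    return build_disposition_safe(buf, sizeof buf, INJECTED_NAME, "a.txt") == -1;
}

int demo_safe_line_count(void) {
    char buf[256];
    if (build_disposition_safe(buf, sizeof buf, "field", "a.txt") < 0) return -1;
    return count_header_lines(buf);
}

int main(void) {
    char buf[256];
    build_disposition_unsafe(buf, sizeof buf, INJECTED_NAME, "a.txt");
    printf("unsafe builder produced %d header line(s):\n%s", count_header_lines(buf), buf);
    printf("safe builder result for the same input: %d\n",
           build_disposition_safe(buf, sizeof buf, INJECTED_NAME, "a.txt"));
    return 0;
}
```

The check covers the line-splitting the slide is about. A double quote inside a value is a separate quoting problem for the quoted-string syntax and would need escaping on top of this.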
44
Format string bugs
  • iPhone apps use obj-c
  • which is native code
  • however, if you stick to the obj-c syntax and the
    classes provided, chances of overflows and the
    like are small (the provided classes can do
    almost anything you want)
  • provided classes also have format based functions

45
Format string bugs
  • these format string functions can also lead to
    format string bugs
  • seems most iOS apps are riddled with them
  • most iOS app developers don't seem to know this
    is a problem

46
Format string bugs
  • vulnerable obj-c methods
  • NSLog()
  • NSString stringWithFormat:
  • NSString initWithFormat:
  • NSMutableString appendFormat:
  • NSAlert informativeTextWithFormat:
  • NSPredicate predicateWithFormat:
  • NSException format:
  • NSRunAlertPanel()

47
Format string bugs
  • obj-c is a superset of c
  • so all c fmt functions could also be abused in
    iOS apps
  • printf
  • snprintf
  • fprintf
  • ...
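The two lists above are what an auditor greps for. The following is an added example in plain C (not code from the talk) of the line-level check behind that grep: it flags a call to one of the listed routines whose format argument is not a string literal, which is how attacker-controlled text ends up being interpreted as a format string. The sample source lines are constructed for this example; NSException's plain "format:" selector is left out of the table because the bare word matches too much.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (plain C, not code from the talk): a line-by-line audit
 * check for the format-taking calls listed on the preceding slides.
 * SAMPLE_LINES are constructed inputs. */

struct fmt_call { const char *pattern; int fmt_arg; };   /* fmt_arg: 0-based position of the format */

static const struct fmt_call FORMAT_CALLS[] = {
    { "NSLog(", 0 },            { "stringWithFormat:", 0 },
    { "initWithFormat:", 0 },   { "appendFormat:", 0 },
    { "informativeTextWithFormat:", 0 }, { "predicateWithFormat:", 0 },
    { "NSRunAlertPanel(", 1 },  /* (title, msgFormat, ...) */
    { "snprintf(", 2 },         { "fprintf(", 1 },
    { "printf(", 0 },           /* last, so the longer names match first */
};
#define N_FORMAT_CALLS (sizeof FORMAT_CALLS / sizeof FORMAT_CALLS[0])

/* Return a pointer to argument n (0-based) of the argument list starting at
 * p, splitting at commas not nested in (), [], {} or a string literal;
 * NULL if the list ends on this line before argument n. */
static const char *nth_argument(const char *p, int n) {
    int depth = 0, in_str = 0;
    while (n > 0 && *p) {
        char c = *p++;
        if (in_str) {
            if (c == '\\' && *p) p++;
            else if (c == '"') in_str = 0;
            continue;
        }
        if (c == '"') in_str = 1;
        else if (c == '(' || c == '[' || c == '{') depth++;
        else if (c == ')' || c == ']' || c == '}') { if (depth == 0) return NULL; depth--; }
        else if (c == ',' && depth == 0) n--;
    }
    if (n > 0) return NULL;
    while (*p == ' ' || *p == '\t') p++;
    return *p ? p : NULL;
}

/* 1 if the line calls a format-taking routine with a non-literal format
 * argument, 0 otherwise (including when the argument is not on this line). */
int line_has_nonliteral_format(const char *line) {
    size_t i;
    for (i = 0; i < N_FORMAT_CALLS; i++) {
        const char *hit = strstr(line, FORMAT_CALLS[i].pattern);
        const char *arg;
        if (!hit) continue;
        arg = nth_argument(hit + strlen(FORMAT_CALLS[i].pattern), FORMAT_CALLS[i].fmt_arg);
        if (!arg) return 0;
        if (arg[0] == '"' || (arg[0] == '@' && arg[1] == '"')) return 0;   /* literal: fine */
        return 1;
    }
    return 0;
}

/* Constructed sample lines, as they might appear in an app under review. */
static const char *const SAMPLE_LINES[] = {
    "NSLog(@\"user said: %@\", text);",
    "NSLog(text);",
    "[NSString stringWithFormat:text];",
    "[NSString stringWithFormat:@\"%@\", text];",
    "snprintf(buf, sizeof buf, \"%s\", text);",
    "snprintf(buf, sizeof buf, text);",
    "NSRunAlertPanel(@\"Title\", alertText, @\"OK\", nil, nil);",
};

/* Number of sample lines the check flags. */
int count_flagged_samples(void) {
    int flagged = 0;
    size_t i;
    for (i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++)
        flagged += line_has_nonliteral_format(SAMPLE_LINES[i]);
    return flagged;
}

int main(void) {
    size_t i;
    for (i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++)
        printf("%s  %s\n", line_has_nonliteral_format(SAMPLE_LINES[i]) ? "FLAG" : "ok  ", SAMPLE_LINES[i]);
    return 0;
}
```

A single-line check like this has obvious blind spots (a literal format passed through a variable, a call split across lines), so it is a triage aid for the review, not a verdict.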

48
exploiting NS format string bugs
  • These aren't the format string bugs you're
    looking for
  • NS object format functions are slightly
    different from the printf style ones
  • They don't support %n
  • can't write to arbitrary addresses?

49-51
(No Transcript)
52
Exploiting bugs
53-62
(No Transcript)
63
binary protocol handling
  • said before
  • obj-c superset of c
  • stick to NS objects, mostly safe
  • binary protocol handling is sort of the exception
  • no good obj-c classes for that
  • developers have to fall back to old c-style
    binary protocol parsing.
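Since the slide says binary protocol handling drops back to C, here is an added example in plain C (not code from the talk) of what that C should look like: a reader for a small length-prefixed record format where every read goes through one cursor that checks the requested length against the bytes actually present. The wire format (1-byte type, 2-byte big-endian length, payload) and the sample messages are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (plain C, not code from the talk): a bounds-checked reader
 * for a constructed length-prefixed record format. */

struct cursor { const uint8_t *p; size_t left; };

/* Every read goes through the cursor, the one place that compares a
 * requested length against the bytes remaining. */
static int read_u8(struct cursor *c, uint8_t *out) {
    if (c->left < 1) return -1;
    *out = *c->p++; c->left--;
    return 0;
}
static int read_u16be(struct cursor *c, uint16_t *out) {
    if (c->left < 2) return -1;
    *out = (uint16_t)((c->p[0] << 8) | c->p[1]);
    c->p += 2; c->left -= 2;
    return 0;
}
static int read_bytes(struct cursor *c, const uint8_t **out, size_t n) {
    if (n > c->left) return -1;       /* the check a memcpy-after-length parser forgets */
    *out = c->p; c->p += n; c->left -= n;
    return 0;
}

struct record { uint8_t type; uint16_t len; const uint8_t *data; };

/* Parse records until the buffer is exhausted. Returns the count, or -1 if
 * a header is truncated, a length runs past the end, or out is full. */
int parse_records(const uint8_t *buf, size_t len, struct record *out, size_t max) {
    struct cursor c = { buf, len };
    size_t n = 0;
    while (c.left > 0) {
        struct record r;
        if (n == max) return -1;
        if (read_u8(&c, &r.type) < 0) return -1;
        if (read_u16be(&c, &r.len) < 0) return -1;
        if (read_bytes(&c, &r.data, r.len) < 0) return -1;
        out[n++] = r;
    }
    return (int)n;
}

/* Copy a payload into a fixed buffer as a C string, truncating rather than
 * overflowing. Returns the number of payload bytes copied. */
int record_to_cstring(const struct record *r, char *dst, size_t dstlen) {
    size_t n;
    if (dstlen == 0) return -1;
    n = r->len < dstlen - 1 ? r->len : dstlen - 1;
    memcpy(dst, r->data, n);
    dst[n] = '\0';
    return (int)n;
}

/* Constructed messages. */
const uint8_t GOOD_MSG[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                             0x02, 0x00, 0x02, 0xAB, 0xCD };
const uint8_t BAD_MSG[]  = { 0x01, 0xFF, 0xFF, 'h', 'i' };   /* claims 65535 bytes, carries 2 */
const uint8_t CUT_MSG[]  = { 0x01, 0x00 };                   /* header cut in the middle of the length */

int demo_good_count(void) { struct record r[4]; return parse_records(GOOD_MSG, sizeof GOOD_MSG, r, 4); }
int demo_bad_count(void)  { struct record r[4]; return parse_records(BAD_MSG, sizeof BAD_MSG, r, 4); }
int demo_cut_count(void)  { struct record r[4]; return parse_records(CUT_MSG, sizeof CUT_MSG, r, 4); }

/* 1 if the first record of GOOD_MSG decodes to the expected text. */
int demo_first_payload_is(const char *expected) {
    struct record r[4];
    char text[8];
    if (parse_records(GOOD_MSG, sizeof GOOD_MSG, r, 4) < 1) return 0;
    record_to_cstring(&r[0], text, sizeof text);
    return strcmp(text, expected) == 0;
}

int main(void) {
    printf("good message: %d record(s)\n", demo_good_count());
    printf("oversized length: %d\n", demo_bad_count());
    printf("truncated header: %d\n", demo_cut_count());
    return 0;
}
```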

64
Directory traversal
  • iOS has file APIs similar to Mac OS X
  • same types of desktop/server OS file issues
  • NSFileManager

65
Directory traversal
  • classic dir traversal
  • ../../../../ will work.

NSString *file = [[NSString alloc] initWithFormat:@"%@/%@",
                  NSTemporaryDirectory(), attackerControlledString];
NSFileManager *m = [NSFileManager defaultManager];
// attackerControlledString is never checked for ".." or "/"
[m createFileAtPath:file contents:nsd attributes:nil];
66
Directory traversal
  • Poison NULL byte
  • ../../../../blahblah\0
  • This works, because NSStrings don't use 0-bytes
    to terminate a string, but the iOS kernel does.

NSString *file = [[NSString alloc] initWithFormat:@"%@/%@.ext",
                  NSTemporaryDirectory(), attackerControlledString];
NSFileManager *m = [NSFileManager defaultManager];
// the appended ".ext" is lost once the path is converted to a C string
[m createFileAtPath:file contents:nsd attributes:nil];
67
NSXMLParser
  • NSXMLParser is the class used to parse xml files
  • it handles DTDs by default
  • billion laughs
  • no way to turn it off
  • doesn't resolve external entities by default
  • can be turned on

68
NSXMLParser
  • There's kind of a hairy workaround.
  • 6 delegate callbacks can be defined, that will be
    called if a DTD is encountered.
  • parser:foundElementDeclarationWithName:model:
  • parser:foundAttributeDeclarationWithName:forElement:type:defaultValue:
  • parser:foundInternalEntityDeclarationWithName:value:
  • parser:foundExternalEntityDeclarationWithName:publicID:systemID:
  • parser:foundNotationDeclarationWithName:publicID:systemID:
  • parser:foundUnparsedEntityDeclarationWithName:publicID:systemID:notationName:

69
NSXMLParser
// abort: is the application's own helper that stops the parse (not shown)
- (void)parser:(NSXMLParser *)parser
        foundExternalEntityDeclarationWithName:(NSString *)entityName
        publicID:(NSString *)publicID systemID:(NSString *)systemID {
    [self abort:@"DTD"];
}
- (void)parser:(NSXMLParser *)parser
        foundAttributeDeclarationWithName:(NSString *)attributeName
        forElement:(NSString *)elementName type:(NSString *)type
        defaultValue:(NSString *)defaultValue {
    [self abort:@"DTD"];
}
- (void)parser:(NSXMLParser *)parser
        foundElementDeclarationWithName:(NSString *)elementName
        model:(NSString *)model {
    [self abort:@"DTD"];
}
- (void)parser:(NSXMLParser *)parser
        foundInternalEntityDeclarationWithName:(NSString *)name
        value:(NSString *)value {
    [self abort:@"DTD"];
}
- (void)parser:(NSXMLParser *)parser
        foundUnparsedEntityDeclarationWithName:(NSString *)name
        publicID:(NSString *)publicID systemID:(NSString *)systemID
        notationName:(NSString *)notationName {
    [self abort:@"DTD"];
}
- (void)parser:(NSXMLParser *)parser
        foundNotationDeclarationWithName:(NSString *)name
        publicID:(NSString *)publicID systemID:(NSString *)systemID {
    [self abort:@"DTD"];
}
70
NSXMLParser
  • This works, but it's hairy and error prone
  • it would be nice if NSXMLParser had a parseDTD
    attribute
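An alternative to the six callbacks on the slides above, as an added example in plain C (not code from the talk, and not an NSXMLParser API): a byte-level pre-check that refuses any document carrying a DTD before it is handed to the parser at all. Comments and CDATA sections are skipped so a "<!DOCTYPE" quoted inside them is not a false positive. The sample documents, including the two-entity "billion laughs" stub, are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (plain C, not code from the talk): refuse DTD-bearing XML
 * before parsing. The sample documents below are constructed inputs. */

static const char *find(const char *p, const char *end, const char *lit) {
    size_t n = strlen(lit);
    for (; (size_t)(end - p) >= n; p++)
        if (memcmp(p, lit, n) == 0) return p;
    return NULL;
}

static int at(const char *p, const char *end, const char *lit) {
    size_t n = strlen(lit);
    return (size_t)(end - p) >= n && memcmp(p, lit, n) == 0;
}

/* Returns the number of <!DOCTYPE declarations outside comments and CDATA,
 * or -1 if a comment or CDATA section is unterminated (the document cannot
 * be judged). Stores the number of <!ENTITY declarations in *entity_decls
 * when that pointer is non-NULL. */
int xml_scan_dtd(const char *doc, size_t len, int *entity_decls) {
    const char *p = doc, *end = doc + len, *q;
    int doctypes = 0, entities = 0;

    while (p < end) {
        if (at(p, end, "<!--")) {
            if (!(q = find(p + 4, end, "-->"))) return -1;
            p = q + 3;
            continue;
        }
        if (at(p, end, "<![CDATA[")) {
            if (!(q = find(p + 9, end, "]]>"))) return -1;
            p = q + 3;
            continue;
        }
        if (at(p, end, "<!DOCTYPE")) doctypes++;
        else if (at(p, end, "<!ENTITY")) entities++;
        p++;
    }
    if (entity_decls) *entity_decls = entities;
    return doctypes;
}

/* Policy: only documents with no DTD at all reach the parser. */
int xml_accept(const char *doc, size_t len) {
    return xml_scan_dtd(doc, len, NULL) == 0;
}

/* Constructed documents. */
const char LAUGHS_DOC[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE lolz [\n"
    "  <!ENTITY lol \"lol\">\n"
    "  <!ENTITY lol1 \"&lol;&lol;&lol;\">\n"
    "]>\n"
    "<lolz>&lol1;</lolz>\n";
const char PLAIN_DOC[]   = "<?xml version=\"1.0\"?><items><item id=\"1\"/></items>";
const char COMMENT_DOC[] = "<?xml version=\"1.0\"?><!-- <!DOCTYPE x> --><a/>";
const char BROKEN_DOC[]  = "<?xml version=\"1.0\"?><!-- never closed <a/>";

int demo_laughs_entities(void) {
    int entities = 0;
    xml_scan_dtd(LAUGHS_DOC, sizeof LAUGHS_DOC - 1, &entities);
    return entities;
}

int main(void) {
    printf("laughs:  accept=%d doctypes=%d entities=%d\n",
           xml_accept(LAUGHS_DOC, sizeof LAUGHS_DOC - 1),
           xml_scan_dtd(LAUGHS_DOC, sizeof LAUGHS_DOC - 1, NULL), demo_laughs_entities());
    printf("plain:   accept=%d\n", xml_accept(PLAIN_DOC, sizeof PLAIN_DOC - 1));
    printf("comment: accept=%d\n", xml_accept(COMMENT_DOC, sizeof COMMENT_DOC - 1));
    printf("broken:  accept=%d\n", xml_accept(BROKEN_DOC, sizeof BROKEN_DOC - 1));
    return 0;
}
```

Rejecting a malformed comment outright is deliberate: a scanner that stopped quietly at an unterminated "<!--" would let anything after it through unexamined.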

71
Questions?