Title: Auditing iPhone and iPad applications
1 Auditing iPhone and iPad applications
- Ilja van Sprundel <ivansprundel@ioactive.com>
2 Who am I?
- Ilja van Sprundel
- IOActive
- netric
- blogs.23.nu/ilja
3 What this talk isn't about
- is
  - common security issues seen in 3rd party iOS applications
  - possible fix or mitigation of them
  - document how to exploit them in some cases
- isn't
  - bugs in iOS itself
  - to some extent it does cover some API shortcomings
4 Introduction
- Mobile app market exploded over the last 2 years
- lots of demand for security reviews of iPhone and iPad apps over the last year or so
- Very little has been published
- I've done a number of them in the last 10 months
- notes of what I've learned so far
5 Application environment
- native applications
- iOS, port of MacOSX to ARM CPU
- obj-c (strict C superset)
- obj-c classes take care of most low level handling (memory allocations, ....)
6 Transport security
- fair amount of iOS apps need to do secure transactions
  - online banking, online trading, ...
- They will use SSL
  - use of https:// URLs passed to NSURLRequest / NSURLConnection
  - API uses a set of default ciphers
8 Transport security
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_RSA_EXPORT_WITH_RC4_40_MD5
- TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
- TLS_DHE_RSA_WITH_DES_CBC_SHA
- TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
9 Transport security
- on by default
- no (documented) way to turn it off
- this is (kinda) documented
  - from Apple's Secure Coding Guide (2010-02-12), page 29
10 Transport security
- SSL APIs on iOS aren't granular enough
  - developer should be able to set ciphersuites
- can't fix it, but you can mitigate it
  - include an SSL library and use that one (e.g. CyaSSL and MatrixSSL are built for embedded use)
11 Transport security
- documentation said Secure Transport programming not available, use CFNetwork
- CFNetwork doesn't allow setting ciphersuites (AFAIK)
- it does have APIs for some other things
  - allow expired certs
  - allow expired roots
  - allow any root
  - don't validate certificate chain
12 Transport security

    // Every one of these settings weakens certificate checking; the slide
    // shows them together to illustrate what the CFNetwork API lets you do.
    NSMutableDictionary *settings = [[NSMutableDictionary alloc] init];
    [settings setObject:[NSNumber numberWithBool:YES]
                 forKey:(NSString *)kCFStreamSSLAllowsExpiredCertificates];
    [settings setObject:[NSNumber numberWithBool:YES]
                 forKey:(NSString *)kCFStreamSSLAllowsExpiredRoots];
    [settings setObject:[NSNumber numberWithBool:YES]
                 forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
    [settings setObject:[NSNumber numberWithBool:NO]
                 forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
    // Apply the same dictionary to both directions of the socket stream pair.
    CFReadStreamSetProperty((CFReadStreamRef)inputStream,
                            kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);
    CFWriteStreamSetProperty((CFWriteStreamRef)outputStream,
                             kCFStreamPropertySSLSettings, (CFDictionaryRef)settings);
13 Transport security
- Luckily none of that is on by default!
- takes quite some work to screw this up for a developer
- however it's not unthinkable: "wait, we shipped that debug code ???"
14 url handlers / IPC
- By design iPhone does not allow sharing between applications
- application developers sometimes need to share anyway
- developers (initially) found a way around this
- This now appears to be supported by Apple (according to developer.apple.com)
15 url handlers / IPC
- Application can register a url handler
- other application would call url, with data
- rather simple IPC mechanism
- http://mobileorchard.com/apple-approved-iphone-inter-process-communication/
16 url handlers / IPC
- info.plist file
- code looks like

    // Called for every open of the registered scheme; handleURL: is the
    // app's own method, so whatever arrives in the url reaches it unfiltered.
    - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
        [viewController handleURL:url];
        return YES;
    }
17 url handlers / IPC
- any webpage can call that link too
- any webpage can now also do IPC with the application
- this IPC mechanism clearly had unintended consequences
18 url handlers / IPC
- so the browser can call the url handlers too
- wouldn't it be neat if we could get it done without tricking a user into visiting a webpage from their mobile safari ?
19 url handlers / IPC
- iOS 3 (and beyond) has this neat wifi hotspot feature
- if it connects to a wifi network, and detects redirection, it assumes it's a wifi hotspot
- pops up mobile safari, and goes to the redirected page
- see http://support.apple.com/kb/HT3867
21 url handlers / IPC
- Attack is quite simple
  - you must be on the same LAN
  - knock iOS device off the network
  - when it rejoins, forge the redirect to your webpage
22 url handlers / IPC
- on by default
- you can turn it off (on iOS 4)
23 url handlers / IPC
- Starting from iOS 4.2 there is a newer API that should be used
  - application:openURL:sourceApplication:annotation:
- from the documentation
24 url handlers / IPC
- openURL is a much more elegant API for IPC
- shows you who's calling (so you can reject the browser for example)
- allows passing of an object instead of serializing over url arguments
25 UIWebView
- can be used to build a GUI (mostly in web-like environments)
- basically renders HTML (can do JavaScript!)
- a browser window more or less
26 UIWebView
- Vulnerable to attack (if used as a gui)
- if attacker can inject unescaped data
- will lead to Cross site scripting
27 UIWebView
- by default there is no bridge from UIWebView's JavaScript to actual obj-c
- most iOS app developers that use UIWebView (for GUIs) would like there to be one
- url handler, only valid for that specific UIWebView
  - shouldStartLoadWithRequest method
28 UIWebView
- that url handler can do anything you want it to do
- most UIWebView url handlers are used to handle some internals, arguments are considered trusted!
- even worse, a lot of them serialize/unserialize a method name and parameters !
30 UIWebView
- if used simply as a browser
- can do a lot more than render HTML and interact with web applications
- can parse and render a large number of file formats (and will not prompt the user first!)
31 UIWebView
- Excel (xls)
- keynote (.key.zip) (and also zip files)
- numbers (.numbers.zip)
- Pages (.pages.zip)
- pdf (.pdf)
- powerpoint (.ppt)
- word (.doc)
- rtf (.rtf) / rtf dictionary (.rtfd.zip)
- keynote 09 (.key)
- numbers 09 (.numbers)
- pages 09 (.pages)
32 UIWebView
- Very long list
- enormously difficult file formats to parse
- once parsed it gets rendered
  - as HTML
  - in the current DOM
- Apple APIs, but they are in proc !
- on by default
- no way to turn this off
33 UIWebView
- does a number of other things
  - e.g. tries to detect phone numbers and turns them into tel:// urls
- you can turn this off
  - set the detectsPhoneNumbers property to NO
34 UIWebView
- mitigation: render out of proc
  - give the url to Safari instead of rendering in UIWebView
- attack surface reduction
  - if a bug gets exploited now, your application is no longer affected.
35 UIImage
- Wide attack surface, very similar to UIWebView's
- UIImage is a general image class
- can handle a _LOT_ of image file formats
36 UIImage
- tiff
- jpeg
- png
- bmp
- ico
- cur
- xbm
- gif
37 UIImage
- not to mention some extensions that work with various image file formats
  - EXIF
  - ICC profiles
38 UIImage
- Huge attack surface
- there is no property to specify which ones you want and which you don't want
39 UIImage
- 2 possible workarounds
- UIImage allows using CGImageRef
  - use the more low-level Core Graphics library to specifically load jpg or png
  - then feed the CGImageRef to UIImage
40 UIImage
- or you could just look at the first couple of bytes of the image file
- each graphics format is trivial to detect based on some magic bytes in the beginning
- for example
  - png signature 137 80 78 71 13 10 26 10 (decimal)
  - jpg signature 4A 46 49 46
  - GIF signature 47 49 46 38 39 61 or 47 49 46 38 37 61
  - BMP first 2 bytes BM
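As an added example (not from the talk, written in plain C so it drops unchanged into an Objective-C app): a magic-byte sniffer for the four formats listed above plus an allow-list gate that only lets PNG and JPEG through to UIImage. JPEG is recognised by its leading SOI marker FF D8 FF; the 4A 46 49 46 ("JFIF") bytes quoted on the slide follow at offset 6. The sample headers are constructed, not real files.

```c
#include <stddef.h>
#include <string.h>

/* Container format recognised from the leading bytes of an image file. */
typedef enum { IMG_UNKNOWN = 0, IMG_PNG, IMG_JPEG, IMG_GIF, IMG_BMP } img_format;

/* Sniff the format from magic bytes alone; never trust the file extension
 * or a Content-Type header. Anything not matched is IMG_UNKNOWN. */
img_format sniff_image_format(const unsigned char *buf, size_t len)
{
    static const unsigned char png_sig[8] = {137, 80, 78, 71, 13, 10, 26, 10};

    if (len >= 8 && memcmp(buf, png_sig, 8) == 0)
        return IMG_PNG;
    /* JPEG starts with the SOI marker FF D8 FF; the "JFIF" bytes quoted on
     * the slide (4A 46 49 46) follow at offset 6 in JFIF files. */
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return IMG_JPEG;
    if (len >= 6 && (memcmp(buf, "GIF89a", 6) == 0 || memcmp(buf, "GIF87a", 6) == 0))
        return IMG_GIF;
    if (len >= 2 && buf[0] == 'B' && buf[1] == 'M')
        return IMG_BMP;
    return IMG_UNKNOWN;
}

/* Allow-list gate: hand the bytes to UIImage only when they are one of the
 * formats the app actually needs (here PNG and JPEG). TIFF, ICO, XBM and
 * the rest never reach the decoder. */
int image_allowed(const unsigned char *buf, size_t len)
{
    img_format f = sniff_image_format(buf, len);
    return f == IMG_PNG || f == IMG_JPEG;
}

/* Constructed sample headers (first bytes only, not real image files). */
static const unsigned char sample_png[]  = {137, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13};
static const unsigned char sample_jpeg[] = {0xFF, 0xD8, 0xFF, 0xE0, 0, 16, 'J', 'F', 'I', 'F', 0};
static const unsigned char sample_gif[]  = {'G', 'I', 'F', '8', '9', 'a', 1, 0, 1, 0};
static const unsigned char sample_tiff[] = {'I', 'I', 42, 0, 8, 0, 0, 0};
```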
41 header / xml injection
- not iOS specific, however rampant in mobile apps
- mostly with regards to interacting with web services
  - devs implement their own HTTP handling stuff
  - forget things like escaping \r, \n, ...
42 header / xml injection
- Consider the following example

    // self.name, self.fileName and self.contentType are pasted straight
    // into header lines; a CR/LF in any of them ends the line early.
    - (NSData *)HTTPHdrData {
        NSMutableString *metadataString = [NSMutableString string];
        [metadataString appendString:@"Content-Disposition: form-data"];
        if (self.name)
            [metadataString appendFormat:@"; name=\"%@\"", self.name];
        if (self.fileName)
            [metadataString appendFormat:@"; filename=\"%@\"", self.fileName];
        [metadataString appendString:@"\r\n"];
        if (self.contentType)
            [metadataString appendFormat:@"Content-Type: %@\r\n", self.contentType];
        // the slide ends with "return result"; the string is what gets sent
        return [metadataString dataUsingEncoding:NSUTF8StringEncoding];
    }
43 header / xml injection
- iOS has some decent APIs for this
  - NSMutableURLRequest
    - addValue:forHTTPHeaderField:
    - setValue:forHTTPHeaderField:
- not vulnerable to injection
  - although they do fail silently if injection is detected
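Added example, not the talk's code, written in plain C: the Content-Disposition line from the HTTPHdrData method above, built once verbatim and once behind a CR/LF/quote check, with a constructed value that shows how one pasted name turns a single header into two.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when a caller-supplied value may be embedded in an HTTP header
 * line: no CR or LF (either would start a new header line) and no double
 * quote (it would close the quoted parameter early). */
int header_value_is_safe(const char *value)
{
    for (; *value; value++)
        if (*value == '\r' || *value == '\n' || *value == '"')
            return 0;
    return 1;
}

/* Builds the Content-Disposition line the way the slide's HTTPHdrData does.
 * With strict == 0 the value is pasted verbatim (vulnerable); with
 * strict == 1 unsafe values are refused and -1 is returned, which is also
 * how NSMutableURLRequest behaves, except that it fails silently. */
int build_disposition(char *out, size_t outsz, const char *name, int strict)
{
    if (strict && !header_value_is_safe(name))
        return -1;
    return snprintf(out, outsz, "Content-Disposition: form-data; name=\"%s\"\r\n", name);
}

/* Number of header lines a receiver would see in the built block:
 * 1 for a well-formed header, more if the value smuggled in extra lines,
 * -1 if the strict builder refused the value. */
int lines_seen(const char *name, int strict)
{
    char buf[256];
    const char *p;
    int n = 0;
    if (build_disposition(buf, sizeof buf, name, strict) < 0)
        return -1;
    for (p = buf; *p; p++)
        if (*p == '\n')
            n++;
    return n;
}

/* Constructed attacker-style value: the quote closes name=, CRLF starts a
 * second header line that the server will treat as the app's own. */
static const char injected_name[] = "file\"\r\nX-Injected: yes";
```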
44 Format string bugs
- iPhone apps use obj-c
  - which is native code
- however, if you stick to the obj-c syntax and the classes provided, chances of overflows and the like are small (the provided classes can do almost anything you want)
- provided classes also have format based functions
45 Format string bugs
- these format string functions can also lead to format string bugs
- seems most iOS apps are riddled with them
- most iOS app developers don't seem to know this is a problem
46 Format string bugs
- vulnerable obj-c methods
  - NSLog()
  - NSString stringWithFormat:
  - NSString initWithFormat:
  - NSMutableString appendFormat:
  - NSAlert informativeTextWithFormat:
  - NSPredicate predicateWithFormat:
  - NSException format
  - NSRunAlertPanel
47 Format string bugs
- obj-c is a superset of C
- so all C fmt functions could also be abused in iOS apps
  - printf
  - snprintf
  - fprintf
  - ...
48 exploiting NS format string bugs
- These aren't the format string bugs you're looking for
- NS object format functions are slightly different from the printf style ones
- They don't support %n
  - can't write to arbitrary addresses ?
52 Exploiting bugs
63 binary protocol handling
- said before
  - obj-c superset of C
  - stick to NS objects, mostly safe
- binary protocol handling is sort of the exception
  - no good obj-c classes for that
  - developers have to fall back to old C-style binary protocol parsing.
64 Directory traversal
- iOS has similar file APIs as MacOSX
  - same types of desktop/server OS file issues
- NSFileManager
65 Directory traversal
- classic dir traversal
  - ../../../../ will work.

    // attackerControlledString and nsd (the NSData to write) come from the
    // untrusted input; the path is built by plain concatenation.
    NSString *file = [[NSString alloc] initWithFormat:@"%@/%@",
                      NSTemporaryDirectory(), attackerControlledString];
    NSFileManager *m = [NSFileManager defaultManager];
    [m createFileAtPath:file contents:nsd attributes:nil];
66 Directory traversal
- Poison NULL byte
  - ../../../../blahblah\0
- This works, because NSStrings don't use 0-bytes to terminate a string, but the iOS kernel does.

    // Same as before, but with a fixed ".ext" suffix appended; an embedded
    // 0 byte in attackerControlledString cuts the suffix off at the kernel.
    NSString *file = [[NSString alloc] initWithFormat:@"%@/%@.ext",
                      NSTemporaryDirectory(), attackerControlledString];
    NSFileManager *m = [NSFileManager defaultManager];
    [m createFileAtPath:file contents:nsd attributes:nil];
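Added C example (not from the talk): a filename check that catches both variants above, the ../ traversal and the poison NUL, by validating the bytes over the length the string object reports rather than the length the kernel will stop at. The base directory /tmp and the .ext suffix mirror the slide; the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Validate a filename before joining it under a private directory.
 * name_len is the length the string object reports: an NSString may carry
 * an embedded 0 byte, while the C string the kernel receives stops there.
 * Returns 0 when the name is acceptable, otherwise a negative code. */
int check_filename(const char *name, size_t name_len)
{
    if (name_len == 0)
        return -1;
    if (memchr(name, '\0', name_len) != NULL)
        return -2;              /* poison NUL: the ".ext" suffix would be silently dropped */
    if (memchr(name, '/', name_len) != NULL)
        return -3;              /* separator: "../../.." climbs out of the directory */
    if (name[0] == '.')
        return -4;              /* ".", ".." and hidden files */
    return 0;
}

/* Build "<base>/<name>.ext" only after check_filename passes.
 * Returns the length written, or the negative code from check_filename. */
int join_under_base(char *out, size_t outsz, const char *base,
                    const char *name, size_t name_len)
{
    int rc = check_filename(name, name_len);
    if (rc != 0)
        return rc;
    return snprintf(out, outsz, "%s/%.*s.ext", base, (int)name_len, name);
}

/* Joins into a static scratch buffer; NULL when the name was rejected. */
const char *join_demo(const char *name, size_t name_len)
{
    static char out[512];
    return join_under_base(out, sizeof out, "/tmp", name, name_len) < 0 ? NULL : out;
}

/* Constructed inputs mirroring the slides. sizeof poison_name - 1 is the
 * 21-byte length an NSString would report; strlen() sees only 20. */
static const char traversal_name[] = "../../../../blahblah";
static const char poison_name[]    = "../../../../blahblah\0";
```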
67 NSXMLParser
- NSXMLParser is the class used to parse XML files
- it handles DTDs by default
  - billion laughs
  - no way to turn it off
- doesn't resolve external entities by default
  - can be turned on
68 NSXMLParser
- There's kind of a hairy workaround.
- 6 callbacks can be defined, that will be called if a DTD is encountered.
  - foundElementDeclarationWithName
  - foundAttributeDeclarationWithName
  - foundInternalEntityDeclarationWithName
  - foundExternalEntityDeclarationWithName
  - foundNotationDeclarationWithName
  - foundUnparsedEntityDeclarationWithName
69 NSXMLParser

    // Every DTD-related NSXMLParserDelegate callback aborts the parse.
    // abort: is the app's own helper, not part of the delegate protocol.
    - (void)parser:(NSXMLParser *)parser
            foundExternalEntityDeclarationWithName:(NSString *)entityName
            publicID:(NSString *)publicID systemID:(NSString *)systemID {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundAttributeDeclarationWithName:(NSString *)attributeName
            forElement:(NSString *)elementName type:(NSString *)type
            defaultValue:(NSString *)defaultValue {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundElementDeclarationWithName:(NSString *)elementName
            model:(NSString *)model {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundInternalEntityDeclarationWithName:(NSString *)name
            value:(NSString *)value {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundUnparsedEntityDeclarationWithName:(NSString *)name
            publicID:(NSString *)publicID systemID:(NSString *)systemID
            notationName:(NSString *)notationName {
        [self abort:@"DTD"];
    }
    - (void)parser:(NSXMLParser *)parser
            foundNotationDeclarationWithName:(NSString *)name
            publicID:(NSString *)publicID systemID:(NSString *)systemID {
        [self abort:@"DTD"];
    }
70 NSXMLParser
- This works, but it's hairy and error prone
- it would be nice if NSXMLParser had a parseDTD attribute
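Added example, not the talk's code, in plain C: a pre-scan that refuses any document containing a live <!DOCTYPE or <!ENTITY before NSXMLParser ever sees it, standing in for the missing parseDTD attribute. Comments and CDATA sections are skipped so an inert mention of the keyword is not a false positive; the two sample documents are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Index just past the first occurrence of seq at or after from, or
 * (size_t)-1 when seq does not occur before the end of the buffer. */
static size_t skip_past(const char *s, size_t len, size_t from, const char *seq)
{
    size_t n = strlen(seq), j;
    for (j = from; j + n <= len; j++)
        if (memcmp(s + j, seq, n) == 0)
            return j + n;
    return (size_t)-1;
}

/* Pre-scan raw XML bytes before handing them to NSXMLParser, which has no
 * switch to stop DTD/entity processing. Returns 1 when no <!DOCTYPE or
 * <!ENTITY declaration appears outside comments and CDATA sections, 0 when
 * one does or a comment/CDATA section is unterminated (malformed input is
 * refused, not guessed at). XML keywords are case-sensitive, so only the
 * exact uppercase spellings can be live declarations. */
int xml_safe_to_parse(const char *xml, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (xml[i] != '<') { i++; continue; }
        if (len - i >= 4 && memcmp(xml + i, "<!--", 4) == 0)
            i = skip_past(xml, len, i + 4, "-->");
        else if (len - i >= 9 && memcmp(xml + i, "<![CDATA[", 9) == 0)
            i = skip_past(xml, len, i + 9, "]]>");
        else if ((len - i >= 9 && memcmp(xml + i, "<!DOCTYPE", 9) == 0) ||
                 (len - i >= 8 && memcmp(xml + i, "<!ENTITY", 8) == 0))
            return 0;                   /* DTD present: do not parse */
        else
            i++;
        if (i == (size_t)-1)
            return 0;                   /* unterminated comment or CDATA */
    }
    return 1;
}

/* Constructed samples: a tiny two-level entity expansion of the billion
 * laughs shape, and a benign document whose only "declarations" are inert. */
static const char entity_xml[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE lolz [ <!ENTITY lol \"lol\">\n"
    " <!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\"> ]>\n"
    "<lolz>&lol2;</lolz>\n";
static const char benign_xml[] =
    "<?xml version=\"1.0\"?>\n"
    "<!-- a comment mentioning <!DOCTYPE is harmless -->\n"
    "<doc><![CDATA[<!ENTITY is just text here]]></doc>\n";
```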
71 Questions ?