"The bigger and more popular you are, the more attacks you are going to receive"
One of the most popular mobile operating system is iOS. Currently, there are millions of iOS apps with billions of downloads. Along with popularity, there are many insecurities introduced in iOS applications. These insecurities make the user himself a threat. We will cover all the important aspects of iOS application security. We will start from basic iOS app development concepts and then move towards the concepts related to the iOS application security.
In this chapter, we will look at the following topics:
Basics of iOS and app development
Developing and deploying iOS apps
The iOS security model
The iOS security architecture
The iOS secure boot chain
The iOS application signing
The iOS application sandboxing
OWASP Top 10 Mobile Risks
Apple's mobile version of OS X operating system, which is used on Apple computers, is iOS. The iOS operating system is used on a wide range of Apple devices, including iPhone, iPad, iPod, and so on. It is derived from OS X and Unix-based operating system. In the next chapter, when we will access the iOS operating system that is running on
iDevice, you will find that iOS almost has the same environment as Unix-based OS, for example, the
/home directory, and so on.
The iOS apps are mainly developed in Objective-C. Recently, Apple introduced one more language called Swift. There are still millions of apps in App Store that are developed in Objective-C. For the scope of this book, we will focus on native apps (developed in Objective-C) and hybrid apps (developed in Objective-C with web view).
There are two parts of iOS app penetration testing (pentesting). One is black box security testing where we don't have access to the source code of application and second is white box security testing, where the client provide access to the source code. Most companies are very reluctant to release their source code as it is some of their most sensitive intellectual property. In some cases, if you are a part of a product development team, you may get access to the application's source code.
It's not a must requirement to know the iOS app development for the pentesting process but it's good to have at least the basic knowledge of it. Knowing the iOS app development will make it easier to work when the client has shared their Xcode project for white box and black box pentesting. So, in this chapter, you will learn some basics of iOS app development by developing and deploying a simple
Hello World application.
First things first, you will require Xcode to develop an iOS application and it will run only on a Mac machine.
If you are a beginner, it is good to start with the Basics of iOS and application development section. However, if you are a pro in iOS development, you may skip this section and directly jump to the iOS security model section. Note that we will just see the overview of development and not all the concepts related to app development as our focus is understanding application level security and not learning iOS app development.
We will explain all the hardware and software requirements for security assessment of iOS application in lab setup in depth. However, in order to develop and test the iOS application, you will require the following minimum hardware and software setup to start development with this section:
Start Xcode from your OS X. It is just as easy as clicking on the Xcode icon.
Select Create a new Xcode project and choose the Single View Application project as shown in the following screenshot:
Provide details such as the name of your application. Here, let's say
Now, you are all set to develop your iOS app. As shown in the following screenshot, on the left side is the navigation bar. It has all the files that are used in the project. The central area is the actual editorial area, where we will design the view of app and write the backend code. The right-hand side of the area is the utility area.
Select the Main.storyboard file from the left-hand side and choose the Label object from list of objects provided on the right-hand side. Refer to the following screenshot:
Developing and executing the
Hello World application is very simple and straightforward process. If you are familiar with object-oriented concepts, then developing iOS applications should be easy for you.
You can also deploy this app to iDevice to test. Before introducing Xcode 7, you need to enroll in Apple Developer Program for $99 in order to run the app on iDevice. However, with Xcode 7 version, Apple allows you to deploy and run any number of apps with limited capabilities on any of your devices simply by logging in with your Apple ID. However, if you want to distribute your apps among a team or, let's say, you are an iOS security trainer and need to distribute your vulnerable apps sample among your students, you will have to enroll for the Apple Developer Program. You can visit https://developer.apple.com/programs/enroll/ for more information.
Once you have the provision profile, you are ready to run the app on iDevice. You can also download this Xcode project from online supporting files and run this app with one click.
In the section that we just saw, we executed the application on simulator. Now, let's run the same application on iDevice. While pentesting, we will mostly use iDevice as a target and not the simulator. The iDevice makes it easier to perform security assessment of the application.
Start Xcode with the
Hello Worldapplication and select your iDevice as a target, as follows:
Downloading the example code
You can download the example code files for all the Packt books that you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register in order to have the files e-mailed to you directly.
You will notice the application icon on iDevice, as follows:
While creating Xcode project, you must have observed different files, such as storyboard, controller, and so on as shown in following screenshot. The iOS applications are based on the Model-View-Controller (MVC) design. This concept is really useful while performing dynamic analysis of an iOS application:
Let's take a sample application as shown in the following that takes user input as password, checks with the backend value, and displays whether the password is correct or incorrect.
View: View displays the information that is contained in the Model. The UIkit framework contains classes to draw typical interface elements such as tables (lists), buttons, textfields, sliders, and so on.
Remember, View and Model do not communicate directly, they work via Controller. The following is the UI part of application that is nothing but View of application:
Model: Model contains the data. The Model objects obtain the data either from a database or the files that could be located locally or externally. The data can be obtained from hardcoded values or web services. Model also represents the logic that manipulates and processes the data, as follows:
NSString *password = [NSStringstringWithFormat:@"secret_password"];
secret_passwordis hardcoded value that is nothing but Model.
Controller: It acts as a mediator between Model and View. Now, here Enter Password is an action. So, whenever the user enters the password from View and hits enter, the request goes to Controller that checks the data in Model and if the password does not match, it informs the Controller and then Controller notifies it to View. Controller asks Model to validate the user password and once it gets the response from Model, it will notify the View whether the user has entered the correct password or not. Hence, View shows the Incorrect Password message, as shown in the following screenshot:
In June 2015, Apple released its latest iOS security model. You can find the latest version of this guide at https://www.apple.com/business/docs/iOS_Security_Guide.pdf.
If we look at iOS security guide, iOS provides security right from the hardware level, as shown in the following figure:
Security architecture is layered as hardware level, OS level, and application level
Encryption right from hardware/firmware level
Data protection using encryption
The iOS secure boot chain system uses secure boot chain mechanism to provide security in the booting process. We have seen many rootkits and malware that infect at boot level. The iOS secure boot chain ensures that low-level software is not compromised and iOS is running on validated iDevice.
The following figure is the block diagram for an iOS secure boot chain:
This is implicitly trusted
It is known as a hardware root of trust
This code is contained in the processor and cannot be updated or changed
This also contains the Apple root certificate with authentic public key and uses it to verify that the low-level boot loader is properly signed and has not been tampered before loading
Low-level boot loader
This is the lowest level of code that can be updated
It also verifies the signatures of firmware of iBoot before loading it
All applications running on iDevice are signed by Apple
The developer signs the apps and submits application to Apple
Apple verifies it (performs some rudimentary checks, not vulnerability assessment of app)
If app meets with Apple requirements, Apple signs the application
Finally the app is available on Apple App Store
Apple's process of checking iOS apps before signing the application is not transparent. Case studies show that Apple does not perform thorough vulnerability assessment of any app. As shown in the following figure, iOS kernel loads applications signed by Apple:
The following figure showcases the iOS application sandboxing concept:
There are certain features such as URL schemes through which they can transfer the data but with limited conditions.
To conduct a security assessment of the iOS application, you need to follow some standard criteria from industry. Open Web Application Security Project (OWASP) Top 10 Mobile Risks is the list of vulnerabilities that are usually found in iOS applications.
You can always find latest top ten list for mobile at https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks.
The major difference between the latest OWASP Top 10 Mobile Risks and its earlier versions is the introduction of a new vulnerability in the list, that is, the lack of binary protection, which is the replacement of sensitive information disclosure.
The latest OWASP Top 10 Mobile Risks, Year 2014 list covers the following vulnerabilities:
Nowadays, most of the apps are hybrid apps where they use native app code or web view to design UI and in backend, they use web APIs to communicate with the server. As there are web apps in backend, so almost all attacks that target web applications are applicable to iOS apps as well. If you have never checked web attacks, I would encourage you to go through OWASP Top 10 Web Application Risks at https://www.owasp.org/index.php/Top_10_2013-Top_10.
Insecure data storage is all about storing the data insecurely on the device. Many times, an application uses simple plist files or unencrypted database to store sensitive information such as passwords or other user-related information.
This is the most frequent and, sometimes, very easy-to-find vulnerability. An application should never store sensitive data such as the users' personal, financial, or healthcare information in plain text format. If app developers are storing sensitive information, it may be non-compliant with various compliance standards such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and so on. We will look into this vulnerability in detail, such as various formats of storage, and how to look into this data in the upcoming chapters.
Insufficient transport layer protection is all about how to send your data across the network. Mobile apps are frequent victims of coffee shop attacks and if an application is sending sensitive data, such as credentials, access tokens, and so on, over HTTP, then any attacker sniffing over the network can easily catch or modify it.
Even if the developer is sending data over HTTPS; however, if he does not validate the sever-side certificates, then it is vulnerable to SSL pinning such as attacks where the attacker performs man-in-the-middle (MITM) attacks with self-signed certificates.
Side channel data leakage arises when a developer places sensitive information or data in a location on the mobile where it is easily accessible by other application. Thus, resulting in a side channel data leakage.
In one of my financial application assessment, the application was taking credit card details from the user and had not implemented any security mechanism to deal with side channel data leakage. Now, in iOS, whenever we background the app, it takes its screenshot and stores it on the device.
An attacker having physical access can easily download application files and access the screenshot that was revealing the victim's credit card details.
Similar to application screenshots, there are various ways such as device logs, pasteboard, cookies, and so on, where the application may leak sensitive data.
In my security assessment, I have reported the login bypass vulnerability in many of the top applications, where the authenticating user was only at the client side. If you put proxy and change the server-side response, you are more likely to be logged in with wrong passwords.
So, as this case study suggests, never reply only on client-side controls for authentication. If you are using OAuth-like authentication schemas, make sure you store tokens on the client device securely. Attacker can easily bypass login on the victim device with leaked tokens.
Nowadays, most of the applications use web APIs to authenticate the users rather than storing credentials locally on the device. In such a scenario, all your web application security attacks are applicable, such as:
Broken cryptography is all about using insecure cryptographic functions to encrypt or hash user data on a device. Are you using MD5 to hash the user's password? Are you not adding any salt to the hashed data? Is your app leaking encryption keys somewhere in the local code? These are a few examples where we need to implement secure cryptographic functions with proper implementation schemas.
Have you ever done SQL injection attack in web app? If yes, then you are good to go with similar attacks in an iOS application. If the developers are not sanitizing user input, then these apps are vulnerable to injection attacks as well. We will perform a SQL injection-like attacks on iOS application in Chapter 3, Identifying the Flaws in Local Storage.
Security decisions via untrusted input is about performing actions without proper validation or authorization check of the user. Does your application have functionality to call any number? Do you prompt the user before initiating a call? Are you checking whether the caller is a logged-in user? If not, you are more likely vulnerable to security decisions via untrusted input attack.
Improper session handling is managing the user's session token insecurely. Many times, the developers do not invalidate session tokens at user logout. So, the attacker can reuse these tokens for unauthorized logins.
Lack of binary protections is about checking protections of binary. Checking whether the application allows attackers to reverse engineer the application source code is very important in case of application handling, as the user's sensitive data should not allow the attackers to entirely decompile the application. We can also check whether binary has implemented any protection for stack smashing attacks or implemented address space layout randomization (ASLR) in order to prevent memory corruption attacks.
We will study these concepts practically with more details in the upcoming chapters.
Now, we have established what is meant by an iOS security. We started from absolute basics of what is an iOS operating system and where it's used? You studied the basics of an iOS app development in order to get familiar with the development process and perform code analysis. You learned how to develop a
Hello World app and then stepped into some important iOS security concepts such as the iOS security model, iOS security architecture, iOS secure boot chain, iOS application signing, iOS application sandboxing, and so on. We are now good to start exploiting the vulnerabilities in iOS application. In the next chapter, we will do the lab setup that is needed for iOS app pentesting and will start looking for iOS vulnerabilities in the upcoming chapters.