Reversing an iOS App - itsecx.fhstp.ac.at


Reversing an iOS App

With Threat Modeling Insights.


In today's presentation…

Mobile Penetration Testing Basics

Mobile OWASP Top 10 2016

Software Engineering of an iOS App

Reversing the iOS App

How to prevent Security Issues with Threat Modeling

Dipl.-Ing. Daniel Mrskos, BSc | snapsec.at

Mobile Penetration Testing Basics

(SECURE) Software Development Life Cycle


DevSecOps


Phases of Mobile Penetration Tests

Preparation

Intelligence Gathering

Mapping the Application

Exploitation

Reporting


Testing Principles

White-Box Testing

Black-Box Testing

Gray-Box Testing


SAST VS. DAST

Static Source Code Analysis

• Manual Code Review
• Automated Source Code Analysis
• Automated Scanning Tools → FALSE-POSITIVES!

Dynamic Source Code Analysis

• Clipboard
• Fuzzing → "Spray and Pray!"
• Penetration Testing


What Tools and Gear do you need?

macOS

Xcode and its simulator

Some jailbroken iPhones…

USB Cable for Connection

Cydia, Needle, Frida and a Reverse Engineering Tool (e.g. Hopper), Burp Suite (Pro), Wireshark


OWASP Mobile Top 10 2016

OWASP Mobile Top 10 – Part 1

M1 – Improper Platform Usage

M2 – Insecure Data Storage

M3 – Insecure Communication

M4 – Insecure Authentication

M5 – Insecure Cryptography


OWASP Mobile Top 10 – Part 2

M6 – Insecure Authorization

M7 – Client Code Quality

M8 – Code Tampering

M9 – Reverse Engineering → The all-time winner

M10 – Extraneous Functionality


Software Engineering of an iOS App

Types of Apps

Native Apps

Web Apps

Hybrid Apps

Progressive Web Apps


What you need to develop an iOS App

macOS

Xcode

Some kind of an idea

A tiny little bit of software engineering skills


Coding our first iOS App in Swift


Deploying our first iOS App to the Simulator


Testing our first iOS App in the Simulator


Shipping to the Customer :-) Because it seems really secure!

Hang on a minute! "There is something missing, isn't it?"

"What is this security thing? It is overrated^^"


Reversing the iOS App

"Reversing will always win the fight"

Preparing the IPA

Unzip the IPA for Hopper

Loading the Binary in Hopper


Searching for the string "wrong"


Examining data stored as CString


Finding the unlock key stored in plain text


Trying out the found unlock key :-)


Let’s take a look at the Code to identify the Issue


How to prevent Security Issues with Threat Modeling

Drawing a Data Flow Diagram of the Application


Using STRIDE per Interaction to Identify Threats in our Scenario


Interaction                 | STRIDE threats marked (S T R I D E)
User sends key              | X X X X
Checking the plaintext key  | X

Design Issue found: Key is stored in plaintext!
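The string search on slides 26 to 28 and the STRIDE finding above point at the same defect: a literal the app compares user input against survives compilation and sits in the binary's CString table. The following Python script is an added example, not part of the presentation and not the presenter's code; it shows the defender-side version of that search, a release-build gate that extracts NUL-terminated strings the way Hopper's CString listing does and fails when a known secret appears in the shipped binary. The binary bytes, the key literal "OpenSesame-2016", the error message and all function names are constructed for this example; the only real value is the Mach-O 64-bit magic number.

```python
import re
from typing import Optional

# Constructed stand-in for a stripped release binary (not a real app):
# the Mach-O 64-bit magic, some padding, a __cstring-like run of
# NUL-terminated string literals, then a block of non-text bytes.
UNLOCK_KEY_LITERAL = "OpenSesame-2016"          # constructed secret, assumed
BINARY = (
    b"\xcf\xfa\xed\xfe" + bytes(12)             # MH_MAGIC_64 + padding
    + b"Enter unlock key\x00"
    + b"wrong key, try again\x00"               # the "wrong" message an analyst searches for
    + UNLOCK_KEY_LITERAL.encode("ascii") + b"\x00"
    + b"ViewController\x00"
    + bytes(range(256))                         # opcodes / data, no NUL-terminated text
)

# Same layout with the literal gone: what the binary looks like once the
# key check no longer lives on the client (constructed, for comparison).
HARDENED_BINARY = BINARY.replace(UNLOCK_KEY_LITERAL.encode("ascii") + b"\x00", b"")


def extract_cstrings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return NUL-terminated runs of printable ASCII, in file order.

    This is what Hopper's CString listing (or the `strings` utility)
    shows an analyst: the compiler keeps every string literal intact.
    """
    pattern = rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


def strings_near(blob: bytes, marker: str, window: int = 1) -> list[str]:
    """Neighbours of every string containing `marker`.

    Reproduces the walk-through on the slides: searching for "wrong"
    lands right next to the literal the input is compared against.
    """
    found = extract_cstrings(blob)
    hits = [i for i, s in enumerate(found) if marker in s]
    out: list[str] = []
    for i in hits:
        out.extend(found[max(0, i - window): i + window + 1])
    return out


def secret_leaks(blob: bytes, secrets: list[str]) -> dict[str, Optional[str]]:
    """Release-build gate: map each known secret to the CString that
    contains it, or None when the binary is clean."""
    found = extract_cstrings(blob)
    return {s: next((c for c in found if s in c), None) for s in secrets}


if __name__ == "__main__":
    print("strings around 'wrong':", strings_near(BINARY, "wrong"))
    print("leaks in shipped build:", secret_leaks(BINARY, [UNLOCK_KEY_LITERAL]))
    print("leaks after hardening: ", secret_leaks(HARDENED_BINARY, [UNLOCK_KEY_LITERAL]))
```

Run it against the real binary by reading the unzipped app's executable into `blob`. The gate only catches secrets you already know about, which is the point of pairing it with the STRIDE pass: the design fix is to not ship the key at all (the hardened blob above), not to obfuscate it, since anything the client holds can be recovered the same way.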

Using Attack Libraries to identify Threats as well


Threat Modeling combined with iOS App Development


Thanks for your attention!

• #GotAnyQuestions? hello@snapsec.at

• #InterestedInMobilePentesting? OWASP MSTG

• #ThanksToFHSTP fhstp.ac.at
