iOS app security

Posted on 19-Aug-2014


Cocoaheads Taipei 2013.10

Transcript of iOS app security

iOS app security: analyze and defense

Hokila

Cocoaheads Taipei 2013.10

So today I'm here to pay tribute (the ruby text reads ㄉㄚˇ ㄌㄧㄢˇ, 打臉, a slap in the face)

( ˘•ω•˘ )

Not covering these:

How to crack 神魔之塔 / 百萬亞瑟王 / 全民打棒球

How to use Splashtop / KKBOX / WhosCall for free

Will cover these:

● iOS app native leaks

● network monitoring

● IAP cracking

● analysis tools

● encode / decode

● good habits

I definitely can't finish it all; I guess I could talk for an hour

Luckily I've covered part of this before:

2012.12 Cocoaheads Taipei: In-App Purchase, attack and defense

youtu.be/g2tWRPdweeY

1. Fundamentals

○ iOS app data structure

○ API analysis

2. Beyond beginner

○ Watching several views at the same time

○ Common vulnerabilities & how to defend against them

3. Killer moves (the ones the kiddies love)

○ IAP Free / LocalAppStore

○ iGameGuardian / 八門神器

○ Flex

OWASP Mobile Top 10 Risks (2013)

M1. Insecure Data Storage

M2. Weak Server Side Controls

M3. Insufficient Transport Layer Protection

M4. Client Side Injection

M5. Poor Authorization and Authentication

M6. Improper Session Handling

M7. Security Decisions Via Untrusted Inputs

M8. Side Channel Data Leakage

M9. Broken Cryptography

M10. Sensitive Information Disclosure

Ref: File System Programming Guide

<AppName>.app: the app itself

tmp: temporary files, cleaned when the app restarts (NSTemporaryDirectory)

Documents: app/user data, automatically backed up by iCloud

Library

Library/Caches: data that can be downloaded again or regenerated

Library/Preferences: NSUserDefaults

Library/Application Support: a good place for configuration/templates

Library/Cookies: stores cookies for the sandboxed web view

Info.plist

iPhone Configuration Utility

iTools (2012)

console log

DEMO

You will see logs the app forgot to remove, and the logs that frameworks bring with them

system notifications, memory warnings

User Defaults, secure?

dump the keychain database (jailbreak necessary)

The keychain is located at /var/Keychains/keychain-2.db. Apple says "keychain is a secure place to store keys and passwords"
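NSUserDefaults is just a property list under Library/Preferences, so anyone with file access to the sandbox (iTools, a backup, a jailbroken device) can read and edit it. The following is an added example, not code from the talk: it writes a preferences plist the way NSUserDefaults would, shows that the value is readable verbatim, and adds an HMAC tag per key so that an edited value is rejected on load. The tag key is assumed to be a per-install secret fetched from the keychain (here a constructed constant); as the talk's next slide notes, a jailbroken device can dump the keychain too, so this raises the bar rather than removing the risk.

```python
"""Added example: NSUserDefaults is a plain plist; detect edits with an HMAC tag."""
import hashlib
import hmac
import plistlib

# Constructed stand-in for a per-install secret that would live in the keychain.
KEYCHAIN_SECRET = b"constructed-secret-from-keychain"


def _tag(key: str, value: object) -> str:
    """HMAC-SHA256 over key name and value, so a tag cannot be moved to another key."""
    msg = f"{key}={value!r}".encode()
    return hmac.new(KEYCHAIN_SECRET, msg, hashlib.sha256).hexdigest()


def save_defaults(prefs: dict) -> bytes:
    """Serialize like NSUserDefaults (an XML plist), adding '<key>.tag' next to each value."""
    protected = {}
    for key, value in prefs.items():
        protected[key] = value
        protected[key + ".tag"] = _tag(key, value)
    return plistlib.dumps(protected, fmt=plistlib.FMT_XML)


def load_defaults(blob: bytes) -> dict:
    """Parse the plist; keep only values whose tag verifies, list the rest under '_rejected'."""
    raw = plistlib.loads(blob)
    good, rejected = {}, []
    for key, value in raw.items():
        if key.endswith(".tag"):
            continue
        expected = raw.get(key + ".tag")
        if expected is not None and hmac.compare_digest(expected, _tag(key, value)):
            good[key] = value
        else:
            rejected.append(key)
    good["_rejected"] = rejected
    return good


def tamper(blob: bytes, key: str, new_value: object) -> bytes:
    """Simulate editing the plist with a file tool: change the value, keep the old tag."""
    raw = plistlib.loads(blob)
    raw[key] = new_value
    return plistlib.dumps(raw, fmt=plistlib.FMT_XML)


def plaintext_readable(blob: bytes) -> bool:
    """The plist is human readable: key and value appear verbatim in the XML."""
    text = blob.decode()
    return "<key>Money</key>" in text and "<integer>2000</integer>" in text


if __name__ == "__main__":
    blob = save_defaults({"Money": 2000, "isVIP": False})
    print(blob.decode())                         # the value 2000 is right there in the XML
    print(load_defaults(blob))                   # all values accepted
    print(load_defaults(tamper(blob, "Money", 999999)))   # Money rejected
```

Integrity tags only tell the app that the file was changed; a value that must not be readable at all should not be in NSUserDefaults in the first place.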

API: Charles / 文化部 open data / iCulture

DEMO

1. Charles (Mac, Windows) $

2. ZAP (Mac, Windows) Free

3. Fiddler (Windows) Free

4. Wireshark (Mac, Windows) Free

At minimum, watch these at the same time:

● device screen

● console log

● plist, db

● API request/response

Some findings

How other apps verify that data is correct

Some games let you pick 1 card out of several, but the result is already decided the moment you enter the draw screen

Some apps actually keep their db on Google Docs and Dropbox (and quite a few of them)

What I never expected was...... (can't write this one down here)

class-dump-z

https://code.google.com/p/networkpx/

● dumps class info from an iOS app

● guess what each class is for

DEMO

Cracking tools

IAP Free / LocalAppStore: fool the app into believing the purchase succeeded

iGameGuardian / 八門神器: search memory for the value's address and modify the value

Flex: pin a function's return value, e.g. -(BOOL)isTransactionSucess always returns YES

For a developer, this means that inside the app.....

there is a traitor

Even the most secure OS has insecure apps, aaaargh, what do we do?

Don't put too much trust in the server's or the model's data. Check in on it now and then: excuse me, are you the traitor? If so, kill it.

All in all, this is....

King of Design Patterns: MVC. The model and the view can be different.

Use encryption, not hashing. If you do hash, remember to add a salt.

A scheme within a scheme within a scheme within a scheme

This is a very basic API

GET http://xxx.yyy/getUserData.php

response: (string)name, (array)xxlist

xxlist entry: (string)itemname, (int)quantity, (string)status

parameters: (string)userID

POST http://xxx.yyy/getUserData.php public

response: (string)name, (array)xxlist, (int)status

xxlist entry: (string)itemname, (int)quantity, (string)status

parameters: (string)token, (string)call_file_name, (string)userID

公子獻頭 (offering up your own head)

SSL POST http://xxx.yyy/public

response: (string)name, (array)xxlist

xxlist entry: (string)itemname, (int)quantity, (int)status, collapsed into (object)item

parameters: (string)token, (string)call_file_name, (string)userID

struct object: (string)itemname, (int)quantity, (int)status

base64 encode

Let the other side see your next two moves, then trip them up on the third.

In-App Purchase Programming Guide

base64

SSL POST http://xxx.yyy/public

response: (string)name, (array)xxlist of (object)item

parameters: (string)token, (string)call_file_name, (string)userID

What else can we change?

Accept = "*/*";

Accept-Language = zh-TW;

Connection = close;

User-Agent = "Something special~~";

Make sure the data is correct

public entry, access token, SSL

status code; an object, not a plain dictionary; and...?
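The slides above walk the API from a bare GET with a userID to an SSL POST with a public entry point, an access token, a status code, item objects and a base64-encoded body. The following is an added example, not the talk's code: a server handler and the matching client for that final shape, with every failure reported as a status code. The token derivation (HMAC-SHA256 over call_file_name and userID with a server-side secret, handed to the client at login) and the status values are my assumptions; the talk only names the fields. SSL is assumed to be done by the transport and is not shown.

```python
"""Added example: the hardened getUserData endpoint, server and client side."""
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-server-secret"   # constructed; never shipped inside the app
EXPECTED_USER_AGENT = "Something special~~"    # the custom User-Agent from the header slide

# Constructed user database.
USERS = {
    "u123": {"name": "hokila", "xxlist": [
        {"itemname": "sword", "quantity": 1, "status": 1},
        {"itemname": "potion", "quantity": 3, "status": 0},
    ]},
}

STATUS_OK, STATUS_BAD_TOKEN, STATUS_BAD_CLIENT, STATUS_NO_USER = 0, 1, 2, 3


def make_token(call_file_name: str, user_id: str) -> str:
    """Token bound to one call and one user (assumed scheme; issued by the server at login)."""
    msg = f"{call_file_name}|{user_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def encode_body(obj: dict) -> str:
    """JSON object, base64 encoded, as on the slides."""
    return base64.b64encode(json.dumps(obj, sort_keys=True).encode()).decode()


def decode_body(text: str) -> dict:
    return json.loads(base64.b64decode(text))


def handle_get_user_data(headers: dict, params: dict) -> str:
    """Server handler: every failure is a status code, never a bare dictionary or a stack trace."""
    if headers.get("User-Agent") != EXPECTED_USER_AGENT:
        return encode_body({"status": STATUS_BAD_CLIENT})
    token = params.get("token", "")
    expected = make_token(params.get("call_file_name", ""), params.get("userID", ""))
    if not hmac.compare_digest(token, expected):
        return encode_body({"status": STATUS_BAD_TOKEN})
    user = USERS.get(params.get("userID", ""))
    if user is None:
        return encode_body({"status": STATUS_NO_USER})
    return encode_body({"status": STATUS_OK, "name": user["name"],
                        "xxlist": [dict(item) for item in user["xxlist"]]})


def client_fetch(user_id: str, token: str, user_agent: str = EXPECTED_USER_AGENT):
    """Client side: build the request, decode the body, act on the status code first."""
    headers = {"Accept": "*/*", "Accept-Language": "zh-TW", "Connection": "close",
               "User-Agent": user_agent}
    params = {"token": token, "call_file_name": "getUserData.php", "userID": user_id}
    body = decode_body(handle_get_user_data(headers, params))
    if body["status"] != STATUS_OK:
        return body["status"], None
    return STATUS_OK, body


if __name__ == "__main__":
    print(client_fetch("u123", make_token("getUserData.php", "u123")))
    print(client_fetch("u123", "forged-token"))
```

A real deployment would also bind the token to a session and an expiry; the User-Agent check is only the cheap client fingerprint from the slides and is trivially copied, so it must never be the only check.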

King of Design Patterns: MVC

Model (API / plist / db) -> memory (NSString / NSNumber) -> View (UILabel)

Money: 2000 in the model, 2000 in memory, 2000 on the UILabel

With encrypt(): the copy in memory becomes 08f90c1a417155361a5c4b8d297e0d78 instead of 2000

need protection!!
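As I read the MVC slide, the point is that the number shown on the UILabel need not be the number kept in memory: if the model stores an encrypt()ed form, a memory scanner looking for 2000 (the iGameGuardian / 八門神器 workflow from the tools slide) finds nothing, and an edited value can be noticed. The following is an added example, not the talk's code; it stands in for encrypt() with a per-launch random mask plus an HMAC tag (a real app would use a cipher), and the scanner is a constructed byte search.

```python
"""Added example: keep the model value unreadable in memory and detect patched bytes."""
import hashlib
import hmac
import secrets
import struct


class ProtectedInt:
    """Integer model value whose in-memory representation never equals the value."""

    def __init__(self, value: int):
        self._mask = secrets.token_bytes(8)      # fresh mask per launch / instance
        self._key = secrets.token_bytes(32)      # HMAC key, also per instance
        self._store(value)

    def _store(self, value: int) -> None:
        raw = struct.pack(">q", value)
        self._blob = bytes(a ^ b for a, b in zip(raw, self._mask))
        self._tag = hmac.new(self._key, self._blob, hashlib.sha256).digest()

    def is_intact(self) -> bool:
        """True while the HMAC tag still matches the stored bytes."""
        expected = hmac.new(self._key, self._blob, hashlib.sha256).digest()
        return hmac.compare_digest(self._tag, expected)

    def get(self) -> int:
        """Unmask only after the tag verifies; a patched blob raises instead of being trusted."""
        if not self.is_intact():
            raise ValueError("model value was modified in memory")
        raw = bytes(a ^ b for a, b in zip(self._blob, self._mask))
        return struct.unpack(">q", raw)[0]

    def set(self, value: int) -> None:
        self._store(value)

    def memory_image(self) -> bytes:
        """What a scanner sees: the masked bytes, not the number."""
        return self._blob


def scanner_finds(value: int, image: bytes) -> bool:
    """Constructed memory search for the usual 32-bit LE and 64-bit BE encodings of value."""
    return struct.pack("<i", value) in image or struct.pack(">q", value) in image


def simulate_memory_patch(obj: ProtectedInt, new_value: int) -> None:
    """A memory editor overwrites the stored bytes; it knows neither the mask nor the key."""
    obj._blob = struct.pack(">q", new_value)


if __name__ == "__main__":
    money = ProtectedInt(2000)
    print(money.get(), scanner_finds(2000, money.memory_image()))   # 2000 False
    simulate_memory_patch(money, 999999)
    print(money.is_intact())                                        # False
```

The mask and key sit in the same process, so a tool that reads everything can still defeat this; what it removes is the easy path of searching for the displayed number and overwriting it. The authoritative balance belongs on the server, which the double_check slides below cover.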

double_check

http://xxx.yyy/buy

response: (string)status, (string)itemID, (int)quantity, (int)leftmoney

parameters: (string)user, (string)itemID

http://xxx.yyy/double_check

response: (string)status (OK / Reject)

parameters: (string)user, (string)itemID
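The buy and double_check pair above is what lets the app catch its "traitor": the client credits an item only after the server confirms, in a second call, that it really recorded the purchase. The following is an added example, not the talk's code; the prices, balances and the rule that double_check answers OK exactly once per recorded purchase are my assumptions. The hook_success flag stands in for a Flex-style pinned return value that makes the buy look successful inside the app.

```python
"""Added example: /buy plus /double_check, with the server holding the real state."""
PRICES = {"sword": 500, "dragon": 5000}     # constructed catalogue


class GameServer:
    """Authoritative balance, inventory and the list of purchases awaiting confirmation."""

    def __init__(self, users: dict):
        self.balance = dict(users)          # userID -> money
        self.inventory = {u: {} for u in users}
        self.pending = set()                # (user, itemID) recorded by /buy, not yet confirmed

    def buy(self, user: str, item_id: str) -> dict:
        price = PRICES.get(item_id)
        left = self.balance.get(user, 0)
        if price is None or user not in self.balance or left < price:
            return {"status": "Reject", "itemID": item_id, "quantity": 0, "leftmoney": left}
        self.balance[user] -= price
        self.inventory[user][item_id] = self.inventory[user].get(item_id, 0) + 1
        self.pending.add((user, item_id))
        return {"status": "OK", "itemID": item_id,
                "quantity": self.inventory[user][item_id], "leftmoney": self.balance[user]}

    def double_check(self, user: str, item_id: str) -> dict:
        """OK only if the server itself recorded this purchase; each record confirms once."""
        if (user, item_id) in self.pending:
            self.pending.discard((user, item_id))
            return {"status": "OK"}
        return {"status": "Reject"}


class GameClient:
    """The app's model: mirrors the server but never trusts a single reply."""

    def __init__(self, server: GameServer, user: str):
        self.server, self.user = server, user
        self.items = {}

    def purchase(self, item_id: str, hook_success: bool = False) -> bool:
        reply = self.server.buy(self.user, item_id)
        if hook_success:                      # pinned return value: pretend the buy succeeded
            reply = dict(reply, status="OK")
        if reply["status"] != "OK":
            return False
        if self.server.double_check(self.user, item_id)["status"] != "OK":
            return False                      # the traitor is caught here
        self.items[item_id] = self.items.get(item_id, 0) + 1
        return True


if __name__ == "__main__":
    server = GameServer({"u1": 1000})
    client = GameClient(server, "u1")
    print(client.purchase("sword"), client.items)                    # True {'sword': 1}
    print(client.purchase("dragon", hook_success=True), client.items) # False {'sword': 1}
```

Even if the hook also pins the client's double_check handling, the server's inventory and balance are unchanged, which is why the slides say to think of the product as a service rather than an app.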

Use encryption, not hashing: sha1, md5, base64

Do you dare use these?

Experiments prove that a trained QA can reverse the md5 hashes of 1~100 by eye

Use encryption, not hashing: a hash needs at least a salt

md5($salt.$pass.$username)

md5($salt.md5($pass))

md5($salt.md5($pass).$salt)

sha1($salt.$pass)

sha1($salt.$username.$pass.$salt)

sha1($salt.md5($pass))

encrypt

DES: born in 1977, broken in 1999

AES-128 / AES-256: the trendiest choice today. passwd = AESEncrypt("string", "key")
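The "reverse md5 of 1~100 by eye" slide is a human version of a lookup table: when the value space is tiny, every digest can be precomputed, so an unsalted hash hides nothing. The following is an added example, not the talk's code: it builds that table, reverses a digest with it, shows that a salt takes the digest out of the table, and uses hashlib.pbkdf2_hmac as the salted, slow construction for the password case. The talk's AESEncrypt branch is not shown because Python's standard library has no AES; the salt and password values are constructed.

```python
"""Added example: lookup-table reversal of unsalted md5, and what a salt changes."""
import hashlib
import hmac
import os

ROUNDS = 100_000   # PBKDF2 iteration count; constructed for the demo


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_table(lo: int = 1, hi: int = 100) -> dict:
    """Precompute digest -> value for every number in the range.
    For a value space this small, this is all a rainbow table amounts to."""
    return {md5_hex(str(n)): n for n in range(lo, hi + 1)}


def reverse_md5(digest: str, table: dict):
    """Return the original value if the digest is in the table, else None."""
    return table.get(digest)


def salted_md5(value: str, salt: str) -> str:
    """The slides' md5($salt.$pass) shape: the digest now depends on the salt."""
    return md5_hex(salt + value)


def password_hash(password: str, salt: bytes = None) -> tuple:
    """Salted, deliberately slow hash for passwords; returns (salt, digest) to store both."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_table()
    print(reverse_md5(md5_hex("42"), table))                  # 42
    print(reverse_md5(salted_md5("42", "constructed-salt"), table))   # None
    salt, digest = password_hash("42")
    print(verify_password("42", salt, digest), verify_password("43", salt, digest))
```

A salt stops precomputation but not a targeted guess over the same tiny space, so for a value like a balance the server-side checks from the earlier slides still matter more than the hash choice; for passwords, the per-user salt plus a slow function is what makes guessing expensive.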

So....

Public data doesn't need to be encrypted, but private data must be

Check whether the user is cheating, but don't check the data too frequently

Any service that needs the server can always be blocked on the server side (music playback, remote control)

If you find a vulnerability in someone else's app, remember to report it to the developer

Think of it as a service, not an app. Thinking this way, you will find a lot of vulnerabilities

One more thing

video on niconico / youtube

available today

Thanks & Bye~~

Hokila

mail: hokila.jan@splashtop.com

blog: josihokila.blogspot.com

FB: fb.me/hokilaj