iOS app security

iOS app security: analyze and defense. Hokila, Cocoaheads Taipei, 2013.10


Transcript of iOS app security

Page 1: iOS app security

iOS app security: analyze and defense

Hokila

Cocoaheads Taipei 2013.10

Page 3

So today I am here to pay tribute (read: to slap some faces)

( ˘•ω•˘ )

Page 4

Not covering these:

How to crack Tower of Saviors (神魔之塔) / Million Arthur (百萬亞瑟王) / 全民打棒球

Using Splashtop / KKBOX / WhosCall for free

Page 7

Covering these:

● iOS app native leaks
● network monitoring
● IAP cracking
● analysis tools
● encode / decode
● good habits

Page 8

There is no way to cover all of it; I guess this could fill an hour.

Page 9

Luckily I have talked about part of this before:

2012.12 Cocoaheads Taipei: In-App Purchase attack and defense (In App Purchase 攻防戰)

youtu.be/g2tWRPdweeY

Page 10

1. Basics
   ○ iOS app data layout
   ○ API analysis

2. Beyond beginner
   ○ watching several views at the same time
   ○ common vulnerabilities and how to defend against them

3. Killer moves (the script kiddies' favourites)
   ○ IAP Free / LocalAppStore
   ○ iGameGuardian / 八門神器
   ○ Flex

Page 11

OWASP Mobile Top 10 Risks (2013)

M1. Insecure Data Storage
M2. Weak Server Side Controls
M3. Insufficient Transport Layer Protection
M4. Client Side Injection
M5. Poor Authorization and Authentication
M6. Improper Session Handling
M7. Security Decisions Via Untrusted Inputs
M8. Side Channel Data Leakage
M9. Broken Cryptography
M10. Sensitive Information Disclosure

Page 13

Ref: File System Programming Guide

App sandbox layout (the slide's diagram, flattened):

● <App>.app: the app bundle itself
● Documents: app/user data, automatically backed up by iCloud
● tmp (NSTemporaryDirectory): temporary files; the system may purge them when the app is not running
● Library/Caches: data that can be downloaded again or regenerated
● Library/Preferences: NSUserDefaults
● Library/Application Support: a good place for configuration/templates
● Library/Cookies: stores the cookies for the sandboxed web view

Page 14

info.plist

Page 16

● iPhone Configuration Utility
● iTool (2012)
● console log

Page 17

DEMO

Page 18

In the console log you will see:

● log statements the app did not guard properly
● logs that the frameworks emit on their own
● system notifications, memory warnings

Page 19

User Defaults, secure?
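NSUserDefaults is written to Library/Preferences/<bundle id>.plist inside the sandbox as an ordinary property list (binary by default), so anything pulled out of the container with iTool-style tools is readable as-is. The following is an added example, not code from the talk: it builds a constructed sample of what an app might store, serialises it as a binary plist the way iOS does, and audits it for keys whose values should never be there in the clear. The key names, values and the "sensitive" pattern are assumptions for illustration.

```python
"""Audit an NSUserDefaults plist pulled from an app container.

Added example (not from the talk). NSUserDefaults data is a plain plist,
binary or XML; neither format is encrypted, so a jailbreak is not needed
to read it, only access to the app container."""
import plistlib
import re

# Constructed sample of what a careless app might write with NSUserDefaults.
# Every key and value here is hypothetical.
SAMPLE_DEFAULTS = {
    "username": "alice",
    "password": "hunter2",
    "session_token": "tok-5d41402abc4b2a76",
    "money": 2000,
    "isVIP": True,
    "lastLaunch": "2013-10-12",
}

# Key names that should never appear with a clear-text value (assumed list).
SENSITIVE_KEY_PATTERN = re.compile(r"pass|token|secret|key|auth|session|money|vip", re.I)


def sample_plist_bytes():
    """Serialise the sample as a *binary* plist, the format iOS writes by default."""
    return plistlib.dumps(SAMPLE_DEFAULTS, fmt=plistlib.FMT_BINARY)


def audit_defaults(blob):
    """Return (key, value-as-text) pairs whose key looks sensitive.

    plistlib.loads autodetects XML vs binary, so the same function works on
    either form of <bundle id>.plist."""
    data = plistlib.loads(blob)
    findings = []
    for key, value in data.items():
        if SENSITIVE_KEY_PATTERN.search(key):
            findings.append((key, str(value)))
    return findings


if __name__ == "__main__":
    blob = sample_plist_bytes()
    print("plist magic:", blob[:8])          # b'bplist00': binary, still readable
    for key, value in audit_defaults(blob):
        print(f"[!] {key} stored in the clear: {value}")
```

Run it against a real container by replacing `sample_plist_bytes()` with the bytes of the preferences file; the point is that the "money" and "isVIP" style values a game trusts are just as editable as they are readable.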

Page 21

dump the keychain database (jailbreak necessary)

The keychain lives at /var/Keychains/keychain-2.db. Apple says "the keychain is a secure place to store keys and passwords"; on a jailbroken device the database can be dumped.

Page 22

API: Charles / Ministry of Culture (文化部) open data / iCulture

DEMO

Page 24

1. Charles (Mac, Windows) $
2. ZAP (Mac, Windows) Free
3. Fiddler (Windows) Free
4. Wireshark (Mac, Windows) Free

Page 25

At minimum, watch these at the same time:

● device screen
● console log
● plist, db
● API request/response

Page 26

Some findings

How other apps verify that their data is correct

Some games let you pick one card out of several, but the result was already decided the moment you entered the draw screen

There are actually apps that keep their db on Google Docs and Dropbox (and quite a few of them)

And the one I never expected...... (cannot be written here)

Page 27

class-dump-z

https://code.google.com/p/networkpx/

● dumps class info from an iOS app
● guess class utility

Page 28

DEMO

Page 29

Cracking tools

● IAP Free / LocalAppStore: trick the app into believing the purchase succeeded
● iGameGuardian / 八門神器: search memory for the location of a value and modify it
● Flex: pin a function's return value, e.g. -(BOOL)isTransactionSuccess always returns YES

Page 32

For the developer this means that inside the app.....

Page 33

there is a mole

Page 34

Even the most secure OS has insecure apps, aaaaah, what do we do?

Don't trust the data in the server/model too much; check on it from time to time: "excuse me, are you a mole?" If it is, kill it.

Taken together, this is....

King of Design Patterns: MVC. The model and the view do not have to hold the same thing.

Use encryption, not hashing; if you do hash, remember to add a salt.

Page 35

A plan within a plan within a plan within a plan (計中計中計中計)

Page 36

This is a very basic API:

GET http://xxx.yyy/getUserData.php

parameters:
  (string) userID

response:
  (string) name
  (array) xxlist
    (string) itemname
    (int) quantity
    (string) status

Page 37

POST http://xxx.yyy/getUserData.php (public)

parameters:
  (string) token
  (string) call_file_name
  (string) userID

response:
  (string) name
  (array) xxlist
    (string) itemname
    (int) quantity
    (string) status
  (int) status

Page 38

公子獻頭 (serving your own head up on a platter)

Page 39

SSL POST http://xxx.yyy/public

parameters:
  (string) token
  (string) call_file_name
  (string) userID

response:
  (string) name
  (array) xxlist
    (string) itemname
    (int) quantity
    (int) status
  (object) item

struct object (base64 encoded):
  (string) itemname
  (int) quantity
  (int) status

Let the other side see your next two moves, then screw them on the third.

Page 40

In-App Purchase Programming Guide

base64 (the App Store receipt is handed to the app base64-encoded)

Page 41

SSL POST http://xxx.yyy/public

parameters:
  (string) token
  (string) call_file_name
  (string) userID

response:
  (string) name
  (array) xxlist
  (object) item

What else can be changed?

Page 42

The request headers:

Accept = "*/*";
Accept-Language = zh-TW;
Connection = close;
User-Agent = "Something special~~";

A custom User-Agent or header is visible to anyone running Charles against the app, so treat it as a tripwire for lazy replays, not as authentication.

Page 43

Making sure the data is correct

● public entry point
● access token
● SSL
● status code
● an object, not a clear-text dictionary
● and...?
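Pages 36 to 43 walk the API from a plain GET to a POST over SSL with a token, a numeric status code, a base64-wrapped object and a custom User-Agent. The following is an added example (not the talk's code) of what that final shape looks like when the token actually binds the request: the client signs call_file_name, userID and a timestamp with a per-session secret, and the server verifies the signature, the freshness window and the header before answering. The HMAC construction, the `ts` field, the skew window and all function names are assumptions of this example; the slide only names the fields. base64 on the response object is kept because the slides use it, but it is an encoding, not protection; TLS is assumed and not shown.

```python
"""Request signing and verification for the hardened getUserData call.

Added example, not from the talk. Assumptions: a per-session secret shared
by client and server (issued at login), TLS on the wire, and a custom
User-Agent used only as a tripwire."""
import base64
import hashlib
import hmac
import json
import time

SESSION_SECRET = b"per-session-secret-issued-at-login"   # hypothetical value
EXPECTED_USER_AGENT = "Something special~~"               # header from slide 42
MAX_SKEW_SECONDS = 300                                    # assumed replay window


def sign(call_file_name, user_id, ts, secret=SESSION_SECRET):
    """token = HMAC-SHA256(secret, call_file_name|userID|ts): tamper-evident and keyed."""
    msg = f"{call_file_name}|{user_id}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(call_file_name, user_id, now=None):
    """Client side: the POST body with the slide's fields plus a timestamp."""
    ts = int(now if now is not None else time.time())
    return {
        "headers": {"User-Agent": EXPECTED_USER_AGENT, "Accept": "*/*"},
        "body": {"call_file_name": call_file_name, "userID": user_id,
                 "ts": ts, "token": sign(call_file_name, user_id, ts)},
    }


def verify_request(req, now=None):
    """Server side. Returns (status_code, reason); status 0 means accepted."""
    if req["headers"].get("User-Agent") != EXPECTED_USER_AGENT:
        return 2, "unexpected client"            # tripwire only, easy to forge
    body = req["body"]
    ts = int(body.get("ts", 0))
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return 3, "stale or replayed request"
    expected = sign(body["call_file_name"], body["userID"], ts)
    if not hmac.compare_digest(expected, str(body.get("token", ""))):
        return 1, "bad token"                    # any edited field breaks the MAC
    return 0, "ok"


def build_response(status, item=None):
    """Numeric status code plus the item object travelling base64-encoded (slide 39)."""
    payload = {"status": status}
    if item is not None:
        payload["item"] = base64.b64encode(json.dumps(item).encode()).decode()
    return payload


def decode_item(resp):
    """Client side: unwrap the base64 object. Obscurity, not secrecy."""
    return json.loads(base64.b64decode(resp["item"]))


if __name__ == "__main__":
    req = build_request("getUserData", "alice")
    print(verify_request(req))                               # (0, 'ok')
    req["body"]["userID"] = "bob"                            # Charles-style edit
    print(verify_request(req))                               # (1, 'bad token')
    print(decode_item(build_response(0, {"itemname": "sword", "quantity": 1, "status": 0})))
```

The property worth noticing is that editing userID in a proxy now produces a different failure (bad token) from replaying an old capture (stale), which is exactly the "status code" the slide asks for; the User-Agent check sits first only because it is cheap, not because it proves anything.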

Page 44

King of Design Patterns: MVC (the slide's diagram, flattened)

Model (API / plist / db): Money 2000
memory (NSString / NSNumber): 2000, or 08f90c1a417155361a5c4b8d297e0d78 once passed through encrypt()
View (UILabel): 2000

Page 45

need protection!!

Page 46

double_check

http://xxx.yyy/buy

parameters:
  (string) user
  (string) itemID

response:
  (string) status
  (string) itemID
  (int) quantity
  (int) leftmoney

Page 47

http://xxx.yyy/double_check

parameters:
  (string) user
  (string) itemID

response:
  (string) status (OK / Reject)
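Pages 44 to 47 make two points: the plain 2000 in memory is what iGameGuardian searches for, so the model should not hold the raw number; and the server should be asked to double_check the client's state. The following is an added example, not code from the talk, showing both in one place: a model value kept masked with a random per-instance key and a keyed MAC, so a memory edit is detected on the next read ("are you a mole?"), and a simulated /buy plus /double_check where the server's balance is authoritative. Class and function names, the masking scheme and the in-memory SERVER_BALANCE table are assumptions of this example; it raises the bar against memory editors and does nothing against a Flex hook on get() itself.

```python
"""Tamper-evident model value plus a server-side double_check.

Added example, not from the talk. The masking makes the memory search fail
(the number 2000 is never stored as itself) and the MAC makes a blind edit of
the masked bytes detectable; neither is a substitute for the server check."""
import hashlib
import hmac
import secrets


class TamperedValue(Exception):
    """Raised when the value in memory no longer matches its MAC."""


class ProtectedInt:
    def __init__(self, value):
        self._key = secrets.token_bytes(16)   # per instance: no global constant to find
        self._set(value)

    def _mac(self, value):
        return hmac.new(self._key, str(value).encode(), hashlib.sha256).digest()

    def _set(self, value):
        self._mask = secrets.randbits(32)
        self._masked = value ^ self._mask     # memory holds value XOR mask, not value
        self._tag = self._mac(value)

    def get(self):
        value = self._masked ^ self._mask
        if not hmac.compare_digest(self._tag, self._mac(value)):
            raise TamperedValue("model value was modified outside set()")
        return value

    def set(self, value):
        self._set(value)


def simulate_memory_edit(protected, flip_bits):
    """What a memory editor does: change the bytes it found, bypassing set()."""
    protected._masked ^= flip_bits


def read_or_flag(protected):
    """Return the value, or None if the mole check fails."""
    try:
        return protected.get()
    except TamperedValue:
        return None


# Server side, simulated: the authoritative balance per user (constructed data).
SERVER_BALANCE = {"alice": 2000}


def server_buy(user, item_id, price):
    """POST /buy: the server owns the balance and returns the slide's fields."""
    balance = SERVER_BALANCE.get(user, 0)
    if balance < price:
        return {"status": "Reject", "itemID": item_id, "quantity": 0, "leftmoney": balance}
    SERVER_BALANCE[user] = balance - price
    return {"status": "OK", "itemID": item_id, "quantity": 1, "leftmoney": balance - price}


def server_double_check(user, client_money):
    """POST /double_check: compare the client's idea of its money with the server's."""
    return "OK" if SERVER_BALANCE.get(user) == client_money else "Reject"


if __name__ == "__main__":
    money = ProtectedInt(2000)
    print(read_or_flag(money))                   # 2000
    simulate_memory_edit(money, 0xFFFF)          # cheat tool writes to the found address
    print(read_or_flag(money))                   # None: mole detected
    resp = server_buy("alice", "sword", 500)
    money.set(resp["leftmoney"])                 # trust the server, not the old model
    print(server_double_check("alice", money.get()))   # OK
```

The double_check is deliberately cheap so that it can run after a purchase rather than on every frame; slide 52's "don't check too frequently" is a bandwidth and battery concern, not a security one.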

Page 48

Use encryption, not hashing: sha1, md5, base64. Would you dare use these?

(base64 is an encoding, not a hash; it hides nothing.)

Experiment proved it: a trained QA can reverse the md5 hashes of 1~100 by eye.

Page 49

Use encryption, not hashing. If you do hash, at least add a salt:

md5($salt.$pass.$username)
md5($salt.md5($pass))
md5($salt.md5($pass).$salt)
sha1($salt.$pass)
sha1($salt.$username.$pass.$salt)
sha1($salt.md5($pass))

encrypt: DES, born 1977, broken in 1999

AES-128 / AES-256: the hot choice today. passwd = AESEncrypt("string", "key")

Two caveats for practice: a password the server only needs to verify belongs in a salted, slow hash (PBKDF2, bcrypt), not in reversible encryption; and a key string compiled into the app is recoverable with class-dump and a debugger, so AESEncrypt("string", "key") with a hardcoded key only stops casual plist readers.
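Pages 48 and 49 claim that md5 of 1~100 is reversible by eye and that a salt is the minimum. The following is an added example, not from the talk, that makes both points concrete with the standard library: a lookup table reverses any unsalted md5 of a small number instantly, a leaked salt with md5($salt.$pass) only turns the lookup into an equally fast loop, and a salted slow KDF (PBKDF2-HMAC-SHA256, assumed here as the "proper" form) is what stops that loop for real passwords. The AES half of the slide is not shown because the standard library has no AES; the iteration count and function names are assumptions of this example.

```python
"""Why unsalted md5 of small values is no protection, and what salted hashing
should mean. Added example, not from the talk; standard library only."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # assumed; tune to your server's budget


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# The 'trained QA' table: md5("1") .. md5("100"). A human memorises a few
# prefixes; a rainbow table memorises all of them.
MD5_TABLE = {md5_hex(str(i)): str(i) for i in range(1, 101)}


def crack_unsalted_md5(digest):
    """Reverse md5 of a small integer by lookup; None if outside the table."""
    return MD5_TABLE.get(digest.lower())


def brute_force_salted_md5(digest, salt, limit=100):
    """md5($salt.$pass) with a salt the attacker has (it sits next to the hash):
    still one fast md5 per guess, so small values fall in a loop."""
    for i in range(1, limit + 1):
        if md5_hex(salt + str(i)) == digest:
            return str(i)
    return None


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash for a value the server only needs to verify.
    Returns (salt, digest); store both, the salt is not secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(crack_unsalted_md5(md5_hex("42")))                 # '42'
    print(brute_force_salted_md5(md5_hex("s3cr3t7"), "s3cr3t"))   # '7'
    salt, digest = hash_password("hunter2")
    print(verify_password("hunter2", salt, digest))            # True
    print(verify_password("hunter3", salt, digest))            # False
```

The difference between the second and third functions is not the salt (both have one) but the cost per guess; that is why "hash with salt" on its own is necessary and not sufficient for passwords, while for a value the app must read back (money, item lists) the slide's encryption advice applies instead.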

Page 52

So....

public data can stay unencrypted, but private data must be encrypted

check whether the user is cheating, but don't check the data too frequently

any service that depends on a server can always be blocked (music playback, remote control)

if you find a vulnerability in someone else's app, remember to report it to the developer

think as a service, not as an app; thinking this way you will find a lot of vulnerabilities

Page 54

One more thing

Page 55

video on niconico / youtube

available today

Page 57

Thanks & Bye~~

Hokila

mail [email protected]
josihokila.blogspot.com
FB fb.me/hokilaj