Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2xQjjXl.
Ivan Rodriguez walks through some of the most common vulnerabilities in iOS apps and shows how to exploit them. All of these vulnerabilities were found in real production apps of companies that have (or don't have) a bug bounty program. This talk is useful for those involved in mobile app development and for those who use mobile apps to work with sensitive data. Filmed at qconsf.com.
Ivan Rodriguez is a Software Engineer at Google by day and a security researcher at night. He has found many vulnerabilities in different mobile applications and reported them through the popular bug bounty platforms HackerOne and Bugcrowd. He worked for many years as a mobile developer before changing his career to focus on application security.
Watch the video with slide synchronization on InfoQ.com: https://www.infoq.com/presentations/exploiting-ios-vulnerabilities/
Presented at QCon San Francisco, www.qconsf.com
5. DISCLAIMER
the views and opinions expressed in this talk are solely my own and do not reflect the views or opinions of my employer.
@ivRodriguezCA
6. ivan_rodriguez.me
• security researcher and software engineer
• focused on iOS reverse engineering and mobile bug bounty programs
• I blog at ivrodriguez.com
• find me on twitter: @ivRodriguezCA
• find me on github: /ivRodriguezCA
7. agenda
• reverse engineering an iOS app.
• tools and methods.
• common iOS vulnerabilities (all found on real world applications).
• how to fix and prevent these vulnerabilities.
• resources / conclusions.
• questions.
8. reverse engineering an iOS app
• iOS apps are encrypted with an algorithm called FairPlay.
• we need a jailbroken device.
• we don’t “decrypt” the apps, we just dump them from memory.
• transfer them to a desktop where we do the reverse engineering.
9. reverse engineering an iOS app
• how do we dump the app from memory?
> dump memory <filename> <start_address> <end_address>
• we can use tools to automate this.
11. reverse engineering an iOS app
• some of the tools we can use:
- dumpdecrypted: https://github.com/stefanesser/dumpdecrypted
- bfinject: https://github.com/BishopFox/bfinject
- frida-ios-dump: https://github.com/AloneMonkey/frida-ios-dump
45. how to fix vulnerability # 2
• URL Schemes + WebViews are dangerous and you should be careful when you pair them.
• don’t load HTML code from user-controlled content.
• if you need to dynamically react to URL Schemes, have a set of whitelisted actions.
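An added example of the allowlist approach from this slide, written as a category on the app delegate (it is not code from the talk). The scheme name `myapp`, the two actions and the two navigation methods are assumptions:

```objectivec
// Added example (not the talk's own code). Category on the app delegate;
// assumes the app registers the custom scheme "myapp" and that the two
// navigation methods declared below exist elsewhere (both hypothetical).
#import <UIKit/UIKit.h>
#import "AppDelegate.h"

@interface AppDelegate (URLSchemes)
- (void)showProfileForUserID:(NSInteger)userID;   // hypothetical
- (void)showBundledHelpPage;                        // hypothetical
@end

// The only actions an external URL may trigger. The URL selects one of
// these; it never supplies code, HTML or a file path of its own.
static NSSet<NSString *> *AllowedActions(void) {
    static NSSet<NSString *> *actions;
    static dispatch_once_t once;
    dispatch_once(&once, ^{ actions = [NSSet setWithObjects:@"profile", @"help", nil]; });
    return actions;
}

@implementation AppDelegate (URLSchemes)
// Example: myapp://profile?id=42  (host = action, query = parameters)
- (BOOL)application:(UIApplication *)app
            openURL:(NSURL *)url
            options:(NSDictionary<UIApplicationOpenURLOptionsKey, id> *)options {
    if (![url.scheme.lowercaseString isEqualToString:@"myapp"]) return NO;
    NSString *action = url.host.lowercaseString;
    if (action == nil || ![AllowedActions() containsObject:action]) {
        NSLog(@"Ignoring URL with unknown action: %@", url);   // log, don't guess
        return NO;
    }
    NSURLComponents *parts = [NSURLComponents componentsWithURL:url resolvingAgainstBaseURL:NO];
    NSMutableDictionary<NSString *, NSString *> *params = [NSMutableDictionary dictionary];
    for (NSURLQueryItem *item in parts.queryItems) params[item.name] = item.value ?: @"";

    if ([action isEqualToString:@"profile"]) {
        // Query values are parsed as typed data, never interpolated into HTML.
        NSInteger userID = [params[@"id"] integerValue];
        if (userID <= 0) return NO;
        [self showProfileForUserID:userID];
    } else {
        // "help" shows a page that ships in the bundle; nothing from the URL
        // reaches the web view, so a crafted link cannot inject script into it.
        [self showBundledHelpPage];
    }
    return YES;
}
@end
```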
64. how to fix vulnerability # 3
• vet and test your 3rd party frameworks, especially if they handle your network requests.
• be careful when implementing your own certificate validation logic.
• if you want to implement HPKP you can use TrustKit:
- https://github.com/datatheorem/TrustKit
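An added example, not code from the talk or from TrustKit, of what a hand-rolled check has to get right if you do write one: the system's chain validation runs first, and the pin is an extra condition on the leaf rather than a replacement. The pin value is a placeholder and the helper only handles RSA-2048 leaf keys:

```objectivec
// Added example (not the talk's or TrustKit's code): a hand-rolled pin check
// done in the right order. The pin is a placeholder and only RSA-2048 leaf
// keys are handled; a real deployment also pins a backup key.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>
// Base64(SHA-256(SubjectPublicKeyInfo)) of the expected leaf key. PLACEHOLDER.
static NSString *const kPinnedSPKIHash = @"REPLACE_WITH_BASE64_SHA256_OF_SPKI=";
// SecKey exports only the raw RSA key; prepending this DER header rebuilds the
// SubjectPublicKeyInfo, so the hash matches the value pinning tools compute.
static const uint8_t kRSA2048SPKIHeader[] = {
    0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
    0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00};

static NSString *SPKIHashForCertificate(SecCertificateRef cert) {
    SecKeyRef key = SecCertificateCopyKey(cert);                      // iOS 12+
    if (key == NULL) return nil;
    NSData *raw = CFBridgingRelease(SecKeyCopyExternalRepresentation(key, NULL));
    CFRelease(key);
    if (raw == nil) return nil;
    NSMutableData *spki = [NSMutableData dataWithBytes:kRSA2048SPKIHeader length:sizeof(kRSA2048SPKIHeader)];
    [spki appendData:raw];
    uint8_t digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(spki.bytes, (CC_LONG)spki.length, digest);
    return [[NSData dataWithBytes:digest length:sizeof(digest)] base64EncodedStringWithOptions:0];
}
@interface PinningSessionDelegate : NSObject <NSURLSessionDelegate>
@end
@implementation PinningSessionDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))handler {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;   // NULL unless a server-trust challenge
    if (trust == NULL) { handler(NSURLSessionAuthChallengePerformDefaultHandling, nil); return; }
    // Step 1: the system's chain validation (trusted root, expiry, hostname).
    // The classic bug in custom logic is skipping this and trusting any cert with the pinned key.
    if (!SecTrustEvaluateWithError(trust, NULL)) {                   // iOS 12+
        handler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // Step 2: the pin is an additional condition on the leaf, never a replacement for step 1.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSString *hash = leaf ? SPKIHashForCertificate(leaf) : nil;
    if (hash != nil && [hash isEqualToString:kPinnedSPKIHash]) {
        handler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    } else {
        handler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```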
65. how to fix vulnerability # 3
source: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
77. how to fix vulnerability # 4
• do not use UIWebView anymore, use WKWebView instead.
• if you absolutely have to use UIWebView:
- do not use - (void)loadRequest:(NSURLRequest *)request for local files.
- use - (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL with a URL object created with [NSURL URLWithString:@"about:blank"].
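An added example (not from the talk) of both options on this slide: the WKWebView path, with read access limited to the one bundled file, and the about:blank fallback for code still on UIWebView. The file name `terms.html` and the view controller are assumptions:

```objectivec
// Added example (not the talk's code) showing both options from the slide.
// Assumes a bundled "terms.html" and a view controller that owns the web view.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface TermsViewController : UIViewController
@property (nonatomic, strong) WKWebView *webView;
@end

@implementation TermsViewController
- (void)viewDidLoad {
    [super viewDidLoad];
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    // A static bundled page does not need JavaScript; keep it off.
    if (@available(iOS 14.0, *)) {
        config.defaultWebpagePreferences.allowsContentJavaScript = NO;
    } else {
        config.preferences.javaScriptEnabled = NO;
    }
    self.webView = [[WKWebView alloc] initWithFrame:self.view.bounds configuration:config];
    [self.view addSubview:self.webView];

    NSURL *page = [[NSBundle mainBundle] URLForResource:@"terms" withExtension:@"html"];
    if (page == nil) return;
    // Preferred path: WKWebView. The second argument limits what the loaded
    // page may read to this one file, instead of the app's local files that a
    // file:// origin can reach with UIWebView's loadRequest:.
    [self.webView loadFileURL:page allowingReadAccessToURL:page];
}

// Fallback only for code still stuck on the deprecated UIWebView: read the
// file yourself and give the content an about:blank base URL, so it does not
// run with a file:// origin at all.
- (void)loadTermsInLegacyWebView:(UIWebView *)legacyWebView {
    NSURL *page = [[NSBundle mainBundle] URLForResource:@"terms" withExtension:@"html"];
    NSString *html = [NSString stringWithContentsOfURL:page encoding:NSUTF8StringEncoding error:NULL];
    if (html == nil) return;
    [legacyWebView loadHTMLString:html baseURL:[NSURL URLWithString:@"about:blank"]];
}
@end
```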
78. conclusions
• add security assessments to your release cycles.
• keep your 3rd party libraries up to date.
• be careful copy-pasting code from online sources.
• have a public bounty program or at least public channels for responsible disclosures.
79. resources
• OWASP - Mobile Application Security Verification Standard
https://github.com/OWASP/owasp-masvs
• OWASP - The Mobile Security Testing Guide
https://github.com/OWASP/owasp-mstg
• Resources Page of my course
https://github.com/ivRodriguezCA/RE-iOS-Apps/blob/master/Resources.md
80. resources
• for a more detailed guide visit:
https://github.com/ivRodriguezCA/RE-iOS-Apps