This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "IOS Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
(add note about running otool against binary not ipa)
(Migration to GitHub of the project)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== DRAFT CHEAT SHEET - WORK IN PROGRESS ==
+
__NOTOC__
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
== Introduction ==
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
<p>This cheat sheet provides a checklist of tasks to be performed when testing an iOS application.</p>
+
After an exchange with the leaders of the [https://github.com/OWASP/owasp-mstg OWASP Mobile Security Testing Guide (MSTG)] project, it was decided to replace the content of this cheat sheet by a reference to the dedicated content on the MSTG project.
<p>When assessing a mobile application several areas should be taken into account: client software, the communication channel and the server side infrastructure.</p>
 
<p>Testing an iOS application usually requires a jailbroken device. (A device that not pose any restrictions on the software that can be installed on it.)</p>
 
  
[[File:2-18-2013 4-47-36 AM.png]]
+
The explanation is simple:  
 +
# It's an OWASP project too.
 +
# The MSTG project is active.
 +
# It focus on Android and iOS areas.
 +
# It provides good and up-to-date advices about how to handle mobile threats for the both platforms.
 +
# MSTG content came from various specialists in the mobile domain.
  
== Information gathering ==
+
Consult this [https://github.com/OWASP/owasp-mstg#ios-testing-guide section] for information about iOS platform.
<ul>
 
<li>Observe application behavior</li>
 
<li>Determine the application’s data states (at rest, in transit or on display) and sensitivity </li>
 
<li>Identify access methods</li>
 
<li>Identify what frameworks are in use</li>
 
<li>Identify server side APIs that are in use</li>
 
<li>Identify what protocols are in use</li>
 
<li>Identify other applications or services with which the application interacts</li>
 
<li>Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulous, AppCrack and Clutch. Also, you can use GDB. The “cryptid” field of the LC_ENCRYPTION_INFO identifies if the application is encrypted or not. Use otool –l <app name> | grep –A 4 LC_ENCRYPTION_INFO</li>
 
<li>Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>.</li>
 
<li>Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <app name></li>
 
<li>List the dynamic dependencies. Use otool –L <app name>
 
<li>Dump the load commands for the application. Use otool –l <app name></li>
 
<li>Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instance variables and properties. Use class-dump-z <app name>. That can be put that into a .h file which can be used later to create hooks for method swizzling or to simply make the methods of the app easier to read.</li>
 
<li>Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. </li>
 
</ul>
 
Determine the security features in place:
 
<ul>
 
<li>Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed address. Check this using the command: otool –hv <app name> (otool should be run against the app *binary* after unzipping the ipa, it should not be run directly against the ipa)</li>
 
<li>Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, saved instruction pointer and function arguments. It will be verified upon the function return to see if it has been overwritten. Check this using: otool –I –v <app name> | grep stack . If the application was compiled with the stack smashing protection two undefined symbols will be present: “___stack_chk_fail” and “___stack_chk_guard”.</li>
 
</ul>
 
 
 
== Application traffic analysis ==
 
<ul>
 
<li>Analyze error messages</li>
 
<li>Analyze cacheable information</li>
 
<li>Transport layer security (TLS version; NSURLRequest object )</li>
 
<li>Attack XML processors</li>
 
<li>SQL injection</li>
 
<li>Privacy issues (sensitive information disclosure)</li>
 
<li>Improper session handling</li>
 
<li>Decisions via untrusted inputs</li>
 
<li>Broken cryptography</li>
 
<li>Unmanaged code</li>
 
<li>URL Schemes</li>
 
<li>Push notifications</li>
 
<li>Authentication</li>
 
<li>Authorization</li>
 
<li>Session management</li>
 
<li>Data storage</li>
 
<li>Data validation (input, output)</li>
 
<li>Transport Layer protection – are the certificates validated, does the application implement Certificate Pinning</li>
 
<li>Denial of service</li>
 
<li>Business logic</li>
 
<li>UDID or MAC ID usage (privacy concerns)</li>
 
</ul>
 
 
 
== Runtime analysis ==
 
<ul>
 
<li>Disassemble the application (gdb)</li>
 
<li>Analyze file system interaction</li>
 
<li>Use the .h file generated with class-dump-z to create a method swizzling hook of some interesting methods to either examine the data as it flow through or create a "stealer" app.</li>
 
<li>Analyze the application with a debugger (gdb): inspecting objects in memory and calling functions and methods; replacing variables and methods at runtime.</li>
 
<li>Investigate CFStream and NSStream</li>
 
<li>Investigate protocol handlers (application: openURL - validates the source application that instantiated the URL request) for example: try to reconfigure the default landing page for the application using a malicious iframe.</li>
 
<li>Buffer overflows and memory corruption</li>
 
<li>Client side injection</li>
 
<li>Runtime injections</li>
 
<li>Having access to sources, test the memory by using Xcode Schemes</li>
 
</ul>
 
 
 
== Insecure data storage ==
 
<ul>
 
<li>Investigate log files(plugging the device in and pulling down logs with Xcode Organizer)</li>
 
<li>Insecure data storage in application folder (var/mobile/Applications), caches, in backups (iTunes)</li>
 
<li>Investigate custom created files</li>
 
<li>Analyze SQLlite database</li>
 
<li>Investigate property list files</li>
 
<li>Investigate file caching</li>
 
<li>Insecure data storage in keyboard cache</li>
 
<li>Investigate Cookies.binarycookies</li>
 
<li>Analyze iOS keychain (/private/var/Keychains/keychain-2.db) – when it is accessible and what information it contains; data stored in the keychain can only be accessible if the attacker has physical access to the device.</li>
 
<li>Check for sensitive information in snapshots</li>
 
<li>Audit data protection of files and keychain entries (To determine when a keychain item should be readable by an application check the data protection accessibility constants)</li>
 
</ul>
 
 
 
== Tools ==
 
<table border=1>
 
<tr>
 
<th>Tool</th>
 
<th>Link</th>
 
<th>Description</th>
 
</tr>
 
<tr>
 
<td>Mallory proxy</td>
 
<td>http://intrepidusgroup.com/insight/mallory/</td>
 
<td>Proxy for Binary protocols</td>
 
</tr>
 
<tr>
 
<td>Charles/Burp proxy</td>
 
<td>http://www.charlesproxy.com/  ;
 
http://www.portswigger.net/burp/
 
</td>
 
<td>Proxy for HTTP and HTTPS</td>
 
</tr>
 
<tr>
 
<td>OpenSSH</td>
 
<td>http://www.openssh.com/</td>
 
<td>Connect to the iPhone remotely over SSH</td>
 
</tr>
 
<tr>
 
<td>Sqlite3</td>
 
<td>http://www.sqlite.org/</td>
 
<td>Sqlite database client</td>
 
</tr>
 
<tr>
 
<td>GNU Debugger</td>
 
<td>http://www.gnu.org/software/gdb/</td>
 
<td>For run time analysis & reverse engineering</td>
 
</tr>
 
<tr>
 
<td>Syslogd</td>
 
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/syslogd.8.html</td>
 
<td>View iPhone logs</td>
 
</tr>
 
<tr>
 
<td>Tcpdump</td>
 
<td>http://www.tcpdump.org/</td>
 
<td>Capture network traffic on phone</td>
 
</tr>
 
<tr>
 
<td>Otool</td>
 
<td>http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html</td>
 
<td>Odcctools: otool – object file displaying tool</td>
 
</tr>
 
<tr>
 
<td>Cycript </td>
 
<td>http://www.cycript.org/</td>
 
<td>A language designed to interact with Objective-C classes</td>
 
</tr>
 
<tr>
 
<td>SSL Kill switch</td>
 
<td>https://github.com/iSECPartners/ios-ssl-kill-switch</td>
 
<td>Blackbox tool to disable SSL certificate validation - including certificate pinning in NSURL </td>
 
</tr>
 
<tr>
 
<td>Plutil</td>
 
<td>http://scw.us/iPhone/plutil/</td>
 
<td>To view Plist files</td>
 
</tr>
 
<tr>
 
<td>nm</td>
 
<td></td>
 
<td>Analysis tool to display the symbol table, which includes names of functions and methods, as well as their load addresses.</td>
 
</tr>
 
<tr>
 
<td>sysctl</td>
 
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference /ManPages/man8/sysctl.8.html</td>
 
<td>A utility to read and change kernel state variables</td>
 
</tr>
 
<tr>
 
<td>dump_keychain</td>
 
<td>https://github.com/emonti/iOS_app_re_tools </td>
 
<td>A utility to dump the keychain</td>
 
</tr>
 
<tr>
 
<td>Filemon</td>
 
<td>http://www.newosxbook.com/files/filemon.iOS</td>
 
<td>Monitor realtime iOS file system</td>
 
</tr>
 
<tr>
 
<td>FileDP</td>
 
<td>http://www.securitylearn.net/2012/10/18/extracting-data-protection-class-from-files-on-ios/</td>
 
<td>Audits data protection of files</td>
 
</tr>
 
<tr>
 
<td>BinaryCookieReader</td>
 
<td>http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py</td>
 
<td>Read cookies.binarycookies files  </td>
 
</tr>
 
<tr>
 
<td>lsof ARM Binary</td>
 
<td>https://github.com/u35tpus/iosrep/tree/master/lsof</td>
 
<td> list of all open files and the processes that opened them  </td>
 
</tr>
 
<tr>
 
<td>lsock ARM Binary</td>
 
<td>http://www.newosxbook.com/index.php?page=downloads</td>
 
<td> monitor socket connections </td>
 
</tr>
 
<tr>
 
<td>PonyDebugger Injected</td>
 
<td>https://github.com/dtrukr/PonyDebuggerInjected</td>
 
<td> Injected via Cycript to enable remote debugging </td>
 
</tr>
 
<tr>
 
<td>Weak Class Dump</td>
 
<td>https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy</td>
 
<td> Injected via Cycript to do class-dump (for when you cant un-encrypt the binary) </td>
 
</tr>
 
<tr>
 
<td>TrustME</td>
 
<td>https://github.com/intrepidusgroup/trustme</td>
 
<td> Lower level tool to disable SSL certificate validation - including certificate pinning (for everything else but NSURL)</td>
 
</tr>
 
<tr>
 
<td>Mac Robber</td>
 
<td>http://www.sleuthkit.org/mac-robber/download.php</td>
 
<td> C code, forensic tool for imaging filesystems and producing a timeline </td>
 
</tr>
 
<tr>
 
<td>USBMux Proxy</td>
 
<td>https://github.com/st3fan/usbmux-proxy</td>
 
<td> command line tool to connect local TCP port sto ports on an iPhone or iPod Touch device over USB. </td>
 
</tr>
 
<tr>
 
<td>iFunBox</td>
 
<td>http://www.i-funbox.com/</td>
 
<td>Filesystem access (no jailbreak needed), USBMux Tunneler, .ipa installer</td>
 
</tr>
 
<tr>
 
<td>iNalyzer</td>
 
<td>https://appsec-labs.com/iNalyzer/</td>
 
<td>iOS Penetration testing framework</td>
 
</tr>
 
<tr>
 
<td>removePIE</td>
 
<td>https://github.com/peterfillmore/removePIE</td>
 
<td>Disables ASLR of an application</td>
 
</tr>
 
<tr>
 
<td>snoop-it</td>
 
<td>https://code.google.com/p/snoop-it/</td>
 
<td>A tool to assist security assessments and dynamic analysis of iOS Apps, includes runtime views of obj-c classes and methods, and options to modify those values</td>
 
</tr>
 
<tr>
 
<td>idb</td>
 
<td>https://github.com/dmayer/idb</td>
 
<td>A GUI (and cmdline) tool to simplify some common tasks for iOS pentesting and research.</td>
 
</tr>
 
<tr>
 
<td>Damn Vulnerable iOS Application</td>
 
<td>http://damnvulnerableiosapp.com/</td>
 
<td>A purposefully vulnerable iOS application for learning iOS application assessment skills.</td>
 
</tr>
 
<tr>
 
<td>introspy</td>
 
<td>https://github.com/iSECPartners/Introspy-iOS</td>
 
<td>A security profiling tool revolved around hooking security based iOS APIs and logging their output for security analysis</td>
 
</tr>
 
<tr>
 
<td>MEMSCAN</td>
 
<td>https://github.com/hexploitable/memscan</td>
 
<td>A tool which allows you to easily dump iOS process memory to disk as well as searching memory for specified byte signatures</td>
 
</tr>
 
</table>
 
 
 
== Related Articles ==
 
<ul>
 
<li>http://www.slideshare.net/jasonhaddix/pentesting-ios-applications</li>
 
<li>https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing_Guide</li>
 
<li>http://pen-testing.sans.org/blog/pen-testing/2011/10/13/mobile-application-assessments-attack-vectors-and-arsenal-inventory#</li>
 
<li>http://www.securitylearn.net/2012/09/07/penetration-testing-of-iphone-applications-part-3/</li>
 
<li>Jonathan Zdziarski “Hacking and securing iOS applications” (ch. 6,7,8)</li>
 
<li>http://www.mdsec.co.uk/research/iOS_Application_Insecurity_wp_v1.0_final.pdf</li>
 
</ul>
 
 
 
= Authors and Primary Editors  =
 
Oana Cornea - oanacornea123[at]gmail.com
 
 
 
Jason Haddix - jason.haddix[at]hp.com
 
 
 
= Other Cheatsheets =
 
{{Cheatsheet_Navigation}}
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 09:41, 16 February 2019

Cheatsheets-header.jpg

Last revision (mm/dd/yy): 02/16/2019

After an exchange with the leaders of the OWASP Mobile Security Testing Guide (MSTG) project, it was decided to replace the content of this cheat sheet by a reference to the dedicated content on the MSTG project.

The explanation is simple:

  1. It's an OWASP project too.
  2. The MSTG project is active.
  3. It focus on Android and iOS areas.
  4. It provides good and up-to-date advices about how to handle mobile threats for the both platforms.
  5. MSTG content came from various specialists in the mobile domain.

Consult this section for information about iOS platform.