IOS Application Security Testing Cheat Sheet

IOS Application Security Testing Cheat Sheet

[hide]

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This cheat sheet provides a checklist of tasks to be performed when testing an iOS application.

When assessing a mobile application several areas should be taken into account: client software, the communication channel and the server side infrastructure.

Testing an iOS application usually requires a jailbroken device. (A device that not pose any restrictions on the software that can be installed on it.)

Information gathering

  • Observe application behavior
  • Determine the application’s data states (at rest, in transit or on display) and sensitivity
  • Identify access methods
  • Identify what frameworks are in use
  • Identify server side APIs that are in use
  • Identify what protocols are in use
  • Identify other applications or services with which the application interacts
  • Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulous, AppCrack and Clutch. Also, you can use GDB. The “cryptid” field of the LC_ENCRYPTION_INFO identifies if the application is encrypted or not. Use otool –l <app name> | grep –A 4 LC_ENCRYPTION_INFO
  • Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>.
  • Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <app name>
  • List the dynamic dependencies. Use otool –L <app name>
  • Dump the load commands for the application. Use otool –l <app name>
  • Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instance variables and properties. Use class-dump-z <app name>. That can be put that into a .h file which can be used later to create hooks for method swizzling or to simply make the methods of the app easier to read.
  • Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain.

Determine the security features in place:

  • Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed address. Check this using the command: otool –hv <app name>
  • Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, saved instruction pointer and function arguments. It will be verified upon the function return to see if it has been overwritten. Check this using: otool –I –v <app name> | grep stack . If the application was compiled with the stack smashing protection two undefined symbols will be present: “___stack_chk_fail” and “___stack_chk_guard”.

Application traffic analysis

  • Analyze error messages
  • Analyze cacheable information
  • Transport layer security (TLS version; NSURLRequest object )
  • Attack XML processors
  • SQL injection
  • Privacy issues (sensitive information disclosure)
  • Improper session handling
  • Decisions via untrusted inputs
  • Broken cryptography
  • Unmanaged code
  • URL Schemes
  • Push notifications
  • Authentication
  • Authorization
  • Session management
  • Data storage
  • Data validation (input, output)
  • Transport Layer protection – are the certificates validated, does the application implement Certificate Pinning
  • Denial of service
  • Business logic
  • UDID or MAC ID usage (privacy concerns)

Runtime analysis

  • Disassemble the application (gdb)
  • Analyze file system interaction
  • Use the .h file generated with class-dump-z to create a method swizzling hook of some interesting methods to either examine the data as it flow through or create a "stealer" app.
  • Analyze the application with a debugger (gdb): inspecting objects in memory and calling functions and methods; replacing variables and methods at runtime.
  • Investigate CFStream and NSStream
  • Investigate protocol handlers (application: openURL - validates the source application that instantiated the URL request) for example: try to reconfigure the default landing page for the application using a malicious iframe.
  • Buffer overflows and memory corruption
  • Client side injection
  • Runtime injections
  • Having access to sources, test the memory by using Xcode Schemes

Insecure data storage

  • Investigate log files(plugging the device in and pulling down logs with Xcode Organizer)
  • Insecure data storage in application folder (var/mobile/Applications), caches, in backups (iTunes)
  • Investigate custom created files
  • Analyze SQLlite database
  • Investigate property list files
  • Investigate file caching
  • Insecure data storage in keyboard cache
  • Investigate Cookies.binarycookies
  • Analyze iOS keychain (/private/var/Keychains/keychain-2.db) – when it is accessible and what information it contains; data stored in the keychain can only be accessible if the attacker has physical access to the device.
  • Check for sensitive information in snapshots
  • Audit data protection of files and keychain entries (To determine when a keychain item should be readable by an application check the data protection accessibility constants)

Tools

Tool Link Description
Mallory proxy http://intrepidusgroup.com/insight/mallory/ Proxy for Binary protocols
Charles/Burp proxy http://www.charlesproxy.com/  ;

http://www.portswigger.net/burp/

 Proxy for HTTP and HTTPS
OpenSSH http://www.openssh.com/ Connect to the iPhone remotely over SSH
Sqlite3 http://www.sqlite.org/ Sqlite database client
GNU Debugger http://www.gnu.org/software/gdb/ For run time analysis & reverse engineering
Syslogd https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/syslogd.8.html View iPhone logs
Tcpdump http://www.tcpdump.org/ Capture network traffic on phone
Otool http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html Odcctools: otool – object file displaying tool
Cycript  http://www.cycript.org/ A language designed to interact with Objective-C classes
SSL Kill switch https://github.com/iSECPartners/ios-ssl-kill-switch Blackbox tool to disable SSL certificate validation - including certificate pinning in NSURL 
Plutil http://scw.us/iPhone/plutil/ To view Plist files
nm   Analysis tool to display the symbol table, which includes names of functions and methods, as well as their load addresses.
sysctl https://developer.apple.com/library/mac/#documentation/Darwin/Reference /ManPages/man8/sysctl.8.html A utility to read and change kernel state variables
dump_keychain https://github.com/emonti/iOS_app_re_tools A utility to dump the keychain
Filemon http://www.newosxbook.com/files/filemon.iOS Monitor realtime iOS file system
FileDP http://www.securitylearn.net/2012/10/18/extracting-data-protection-class-from-files-on-ios/ Audits data protection of files
BinaryCookieReader http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py Read cookies.binarycookies files 
lsof ARM Binary https://github.com/u35tpus/iosrep/tree/master/lsof list of all open files and the processes that opened them 
lsock ARM Binary http://www.newosxbook.com/index.php?page=downloads monitor socket connections 
PonyDebugger Injected https://github.com/dtrukr/PonyDebuggerInjected Injected via Cycript to enable remote debugging 
Weak Class Dump https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy Injected via Cycript to do class-dump (for when you cant un-encrypt the binary) 
TrustME https://github.com/intrepidusgroup/trustme Lower level tool to disable SSL certificate validation - including certificate pinning (for everything else but NSURL)
Mac Robber http://www.sleuthkit.org/mac-robber/download.php C code, forensic tool for imaging filesystems and producing a timeline 
USBMux Proxy https://github.com/st3fan/usbmux-proxy command line tool to connect local TCP port sto ports on an iPhone or iPod Touch device over USB. 
iFunBox http://www.i-funbox.com/ Filesystem access (no jailbreak needed), USBMux Tunneler, .ipa installer
iNalyzer https://appsec-labs.com/iNalyzer/ iOS Penetration testing framework
removePIE https://github.com/peterfillmore/removePIE Disables ASLR of an application
snoop-it https://code.google.com/p/snoop-it/ A tool to assist security assessments and dynamic analysis of iOS Apps, includes runtime views of obj-c classes and methods, and options to modify those values
idb https://github.com/dmayer/idb A GUI (and cmdline) tool to simplify some common tasks for iOS pentesting and research.
Damn Vulnerable iOS Application http://damnvulnerableiosapp.com/ A purposefully vulnerable iOS application for learning iOS application assessment skills.
introspy https://github.com/iSECPartners/Introspy-iOS A security profiling tool revolved around hooking security based iOS APIs and logging their output for security analysis

转载自:

https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet

时间: 2024-12-18 05:08:03

IOS Application Security Testing Cheat Sheet的相关文章

XSS (Cross Site Scripting) Prevention Cheat Sheet(XSS防护检查单)

本文是 XSS防御检查单的翻译版本 https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 介绍 本文描述了一种恰当地使用输出转码或者转义(encoding or escaping)防御XSS攻击的简单积极模式. 尽管存在巨量XSS攻击方式,遵守一些简单的规则能够彻底防住这类严重的攻击. 本文不探讨XSS攻击的商业和技术影响. reflected and stored XSS 可以

The iOS Design Cheat Sheet 界面设计速参

http://ivomynttinen.com/blog/the-ios-7-design-cheat-sheet/ With the release of iOS 7, app designers and developers will need to adjust their visual language to match the new "flat" design of iOS. In addition to the grid system, the dimensions of

A Cheat Sheet for HTTP Libraries in C++

Unfortunately, standard C++ library provides no tools for working with HTTP protocol. Therefore, when we want to run some REST service, parse a webpage or write a simple bot or web crawler, we always wonder which library is better and faster in use.

[转]Swift Cheat Sheet

原文:http://kpbp.github.io/swiftcheatsheet/ A quick cheat sheet and reference guide for Apple's Swift language. This guide intends to cover all the key features of Swift, including Strings, Arrays, Dictionaries and Flow Control. Swift is a new programm

IOS Application生命周期

应用程序的状态 Not running(未运行):程序没启动 Inactive(未激活):程序在前台运行,不过没有接收到事件.在没有事件处理情况下程序通常停留在这个状态 Active(激活):程序在前台运行而且接收到了事件.这也是前台的一个正常的模式 Backgroud(后台):序在后台而且能执行代码,大多数程序进入这个后台后会在在这个状态上停留一会.时间到之后会进入挂起状态(Suspended).有的程序经过特殊的请求后可以长期处于Backgroud状态 Suspended(挂起):程序在后台

MySQL SQL Injection Cheat Sheet

MySQL SQL Injection Cheat Sheet Some useful syntax reminders for SQL Injection into MySQL databases- This post is part of a series of SQL Injection Cheat Sheets.  In this series, I've endevoured to tabulate the data to make it easier to read and to u

OWASP(Open Web Application Security Project) Top 10 for JavaScript

Injection Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing u

转:PostgreSQL Cheat Sheet

PostgreSQL Cheat Sheet CREATE DATABASE CREATE DATABASE dbName; CREATE TABLE (with auto numbering integer id) CREATE TABLE tableName ( id serial PRIMARY KEY, name varchar(50) UNIQUE NOT NULL, dateCreated timestamp DEFAULT current_timestamp ); Add a pr

A printf format reference page (cheat sheet)

Summary: This page is a printf formatting cheat sheet. I originally created this cheat sheet for my own purposes, and then thought I would share it here. A cool thing about the printf formatting syntax is that the specifiers you can use are very simi