Hey all, in this series we will discuss how to do penetration testing on the iPhone. It focuses specifically on the techniques and tools that will help security professionals understand penetration testing methods for iPhone applications.
Background
Since the introduction of the iPhone, Apple has sold more than 110 million iPhones. The smartphone platform has created a new business, and companies want to make their services available and popular on mobile devices in order to reach users quickly and easily. The iPhone has enough power and performance to do most of what you can do on a laptop or notebook, and its apps span a range of categories from education and productivity to games and entertainment. The iPhone provides developers with a platform to develop two types of applications:
1. Web-based applications, which use JavaScript, CSS and HTML5 technologies
2. Native iOS applications, which are developed using Objective-C and the Cocoa Touch API
We will mainly concentrate on the pentesting methodology for native iOS applications; along the way we will also discuss some techniques that apply to web-based iOS applications.
Application Distribution model
iOS developers use Apple's Xcode developer tools and test their applications within the iOS Simulator. A simulator simulates an environment, but it does not mimic many of the features and functionalities available on real devices. The iOS Simulator compiles iOS applications to local native code, unlike the Android emulator, which runs ARM instructions. Though simulators allow basic development and testing, they are not sufficient for applications that need the full hardware power, performance and features available only on real devices. To test such applications on real devices, developers have to subscribe to Apple's iOS Developer Program, because the iPhone is only allowed to run Apple-signed applications. The mandatory code signing mechanism implemented in iOS requires that all native code running on the device be signed by a known or trusted certificate. Upon subscription to the iOS Developer Program, Apple issues a signed provisioning profile that configures the iOS device to permit the execution of code signed by a developer certificate. Developers can apply for this program as an individual, company or university. On the basis of the provisioning profile, application distribution models are categorized into 5 types.
1. Single device distribution:
Development provisioning profiles issued by Apple are tied to a device identifier called the UDID (Unique Device ID). Such a provisioning profile allows a developer's application to run on that device. As it is tied to a particular device, the provisioning profile does not work on other devices. It is used for single-device testing.
2. Ad Hoc distribution:
Ad Hoc provisioning profiles issued by Apple are tied to the UDIDs of up to 100 devices, including iPad, iPhone or iPod touch. The developer has to supply the UDIDs of these (up to 100) devices during the subscription process. This model allows developers to test their application on a wide range of devices.
3. In-house distribution:
Enterprise provisioning profiles issued by Apple permit the installation of applications on devices without configuring their UDIDs. This distribution is generally used by enterprises to distribute applications internally to their employees.
4. Over the air (OTA) distribution:
This model is designed to allow enterprise developers to send applications to individual users in their organization through e-mail or by hosting the application on a web server. The main problem with this kind of distribution is that if someone outside the organization gets access to the link, they too can install the application.
5. App Store distribution:
This is a centralized mechanism for distributing Apple-signed applications. Upon submission, Apple verifies the application against the App Store review guidelines and approves it if it follows all of them. After approval, Apple re-signs the application with an Apple signing certificate and makes it available for download in the App Store.
Penetration Testing using iPhone
Now we are going to discuss iOS applications rather than the iPhone operating system itself. Still, understanding the iOS platform and its security technology will help penetration testers properly assess the security of iPhone applications. The main areas to cover while assessing the security of iPhone applications are:
- Application traffic analysis
- Privacy Issues
- Local Data Storage
- Caching
- Reverse Engineering
- Unmanaged code
- URL Schemes
- Push Notifications
To set up an environment and do penetration testing we need to install some tools. These tools are not approved by Apple, and the code signing restrictions in iOS do not allow us to install them on the device. To bypass the code signing restrictions and run our tools we have to jailbreak the iPhone.
Jailbreaking: It gives us full access to the device and allows us to run code which is not signed by Apple. Tools like Pwnage, redsn0w and greenpois0n can be used to jailbreak the iPhone.
After jailbreaking, unsigned applications can be downloaded from Cydia.
Cydia: It is a parallel App Store for unsigned applications. Jailbreaking puts your phone at greater risk from security vulnerabilities because the device will run any application, even one not approved by Apple. Though we can assess the security of an application on a non-jailbroken iPhone, it is not possible to give complete coverage. Jailbreaking makes the pen tester's work easier and helps to provide full coverage of an application.
Tools Required for pentesting
- OpenSSH: Allows us to connect to the iPhone remotely over SSH
- Adv-cmds: Comes with a set of process commands like ps, kill, finger...
- Sqlite3: SQLite database client
- GNU Debugger: For run-time analysis and reverse engineering
- Syslogd: To view iPhone logs
- Veency: Allows us to view the phone on the workstation with the help of a VNC client
- Tcpdump: To capture network traffic on the phone
- com.ericasadun.utilities: plutil, to view property list files
- Grep: For searching
- Odcctools: otool, object file displaying tool
- Crackulous: Decrypt iPhone apps
- Hackulous: To install decrypted apps
The iPhone does not give us a terminal to look inside its directories. Upon installing OpenSSH on the device, we can connect to the SSH server on the phone from any SSH client (e.g. PuTTY, Cyberduck, WinSCP). This gives us the flexibility to browse through folders and execute commands on the iPhone. An iPhone has two users by default: one is mobile and the other is root. All the applications installed on the phone run with mobile user privileges, but using SSH we can log into the iPhone as the root user, which gives us full access to the device. The default password for both user accounts (root, mobile) is alpine.
Note: It is advisable to change the default SSH passwords on your device.
If your phone and the workstation are connected to Wi-Fi, you can SSH directly to the iPhone by entering its IP address and the username/password. If your phone and the workstation are not on Wi-Fi, you can still SSH over the USB cable with the help of an iPhone tunnel.
Once we have an SSH connection, we can run commands directly on the iPhone. As iOS is a trimmed-down version of Mac OS, many Mac OS commands will work on the iPhone.
Application traffic analysis
Pen testing iPhone applications isn't all that different from pen testing other client-server applications, because client-side applications still interact with server-side components over a network using some protocol. So it also involves network pentesting and web application pentesting. The primary goal in traffic analysis is to capture and analyze the network traffic to find vulnerabilities.
iPhone applications may transmit data to the server using any of these communication mechanisms:
- Clear text transmission, such as http
- Encrypted channel, such as https
- Custom protocols or low level streams
Many applications still use clear text transmission protocols like http. Mobile applications are more prone to MITM attacks because most people access them over Wi-Fi. An attacker who has access to the same Wi-Fi can run tools like FireSheep and hijack user sessions. As plain text transport protocols are vulnerable to MITM attacks, applications which transmit sensitive data must use encrypted communication protocols like https.
So during pen testing, observe whether the application transmits sensitive data over an encrypted channel or not. Application traffic can be captured by configuring the proxy settings available on the iPhone. Once a proxy is set up, the iPhone routes its traffic through the configured proxy.
Configuring proxy
1. Turn on your iPhone.
2. Tap on the Settings app. When the Settings app loads, you will be at the General Settings category.
3. Tap on the Wi-Fi settings category, then tap on the icon next to the connected network to access its specific settings.
4. You will now be at the Wi-Fi network settings screen for the connected network.
5. Tap on the Manual button and fill in the fields under HTTP Proxy.
Note: Make sure you slide Authentication to ON and input your login credentials. You can find your credentials and the server's IP address in the Client area under My Details.
Default port: 9339
6. When you are done setting up your proxy server, tap on the Wi-Fi Networks button and then go back to your Home screen to start using the iPhone with these new settings.
Note: To capture the SSL traffic of these applications during pen testing, we first have to add the proxy's CA certificate to the iPhone's trusted certificate list. Later, when the application receives a certificate issued by the proxy, it will not display a certificate error because we told the iPhone to trust that CA. This allows us to capture the https traffic. The same technique is applicable to other protocols which rely on certificates.
Apart from the http and https protocols, iPhone applications may also use custom protocols or low level socket communication APIs (NSStream, CFStream). The MITM techniques explained above will not capture the network traffic of these applications. To capture their low level traffic, download and install tcpdump from Cydia on the iPhone. Upon installing tcpdump, connect to the iPhone over SSH and run the commands below to capture traffic and write it into a .pcap file.
Connect to the phone using a GUI SSH client like Cyberduck, browse to the folder and copy the newly created .pcap file to your workstation. Next, open the .pcap file using a traffic analysis tool like Wireshark, and use your protocol analysis skills to identify the custom protocol. The same technique can be used for applications which do not respect the iPhone proxy settings. In these cases, DNS spoofing techniques can be used to perform MITM and capture traffic.
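The two checks described in this section, whether an app sends sensitive data outside an encrypted channel and what a .pcap copied off the phone actually contains, can be automated before you open Wireshark. The script below is an added example written for this tutorial, not code from the original post: it builds a small constructed pcap in memory (a clear-text HTTP POST to port 80, a TLS record to port 443 and a harmless GET), walks the Ethernet/IPv4/TCP headers with the standard library only, and reports which sensitive-looking field names travelled in the clear, without printing their values. The hostnames, addresses, ports and the list of field names are assumptions; a real capture written by tcpdump on the phone's Wi-Fi interface (Ethernet link type, little-endian header) can be passed to find_cleartext_secrets the same way.

```python
"""Find sensitive fields sent over clear-text HTTP in a pcap capture.

Added example for this tutorial (not from the original post). Standard
library only, so it runs offline; the sample capture below is constructed.
"""
import re
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
# Field names that should never travel in the clear (assumed list, extend per app).
SENSITIVE_FIELDS = re.compile(
    rb"(password|passwd|pwd|token|session|authorization)\s*[=:]", re.IGNORECASE)
HTTP_METHODS = re.compile(rb"^(GET|POST|PUT|PATCH|DELETE) ")


def build_pcap(segments: List[Tuple[int, int, bytes]]) -> bytes:
    """Wrap each (src_port, dst_port, payload) in Ethernet/IPv4/TCP and return a pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    src_ip, dst_ip = bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7])  # constructed addresses
    for sport, dport, payload in segments:
        # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (src_port, dst_port, payload) for every TCP segment in an Ethernet pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian pcap (magic a1b2c3d4) is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                     # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:
            continue                                     # not TCP
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[data_off:]


def find_cleartext_secrets(pcap: bytes) -> List[Dict[str, object]]:
    """Report HTTP requests carrying sensitive-looking fields outside TLS (names only, values redacted)."""
    findings = []
    for sport, dport, payload in iter_tcp_payloads(pcap):
        if dport == 443 or payload[:1] == b"\x16":
            continue                                     # TLS record: encrypted, nothing to inspect
        if not HTTP_METHODS.match(payload):
            continue                                     # not an HTTP request (custom protocol: use Wireshark)
        fields = sorted({m.group(1).lower().decode() for m in SENSITIVE_FIELDS.finditer(payload)})
        if fields:
            request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
            findings.append({"dst_port": dport, "request": request_line, "fields": fields})
    return findings


# Constructed sample capture: one leaky login POST, one TLS ClientHello, one harmless GET.
SAMPLE_PCAP = build_pcap([
    (51000, 80, b"POST /login HTTP/1.1\r\nHost: api.example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"user=alice&password=hunter2"),
    (51001, 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
    (51002, 80, b"GET /status HTTP/1.1\r\nHost: api.example.test\r\n\r\n"),
])

if __name__ == "__main__":
    for f in find_cleartext_secrets(SAMPLE_PCAP):
        print(f"clear-text {f['request']} -> port {f['dst_port']} carries {', '.join(f['fields'])}")
```

Segments that are neither TLS nor HTTP are skipped on purpose: that is exactly the custom-protocol traffic the paragraph above sends you to Wireshark for, and a session token or password spotted there by eye is the same finding as the one this script reports for http.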
Once you have captured the traffic, typical web application pen testing attacks are performed against the application server. Now you can look for SQL injection, authentication, authorization, session management and cryptography weaknesses, and many more web-related vulnerabilities.
That's enough for part 1; in part 2 we will discuss privacy issues and local data storage.
Hope you all enjoyed this tutorial. If you have any problem or question, you may ask in the comments.
Nice <3