Jonathan Zdziarski

Hacking and Securing iOS Applications

Author: Jonathan Zdziarski

    Preface
    1. Everything You Know Is Wrong
    The Myth of a Monoculture
    The iOS Security Model
    Components of the iOS Security Model
    Storing the Key with the Lock
    Passcodes Equate to Weak Security
    Forensic Data Trumps Encryption
    External Data Is at Risk, Too
    Hijacking Traffic
    Data Can Be Stolen...Quickly
    Trust No One, Not Even Your Application
    Physical Access Is Optional
    Summary
    Part I. Hacking
    2. The Basics of Compromising iOS
    Why It’s Important to Learn How to Break Into a Device
    Jailbreaking Explained
    Developer Tools
    End User Jailbreaks
    Jailbreaking an iPhone
    DFU Mode
    Tethered Versus Untethered
    Compromising Devices and Injecting Code
    Building Custom Code
    Analyzing Your Binary
    Testing Your Binary
    Daemonizing Code
    Deploying Malicious Code with a Tar Archive
    Deploying Malicious Code with a RAM Disk
    Exercises
    Summary
    3. Stealing the Filesystem
    Full Disk Encryption
    Solid State NAND
    Disk Encryption
    Where iOS Disk Encryption Has Failed You
    Copying the Live Filesystem
    The DataTheft Payload
    Customizing launchd
    Preparing the RAM disk
    Imaging the Filesystem
    Copying the Raw Filesystem
    The RawTheft Payload
    Customizing launchd
    Preparing the RAM disk
    Imaging the Filesystem
    Exercises
    The Role of Social Engineering
    Disabled Device Decoy
    Deactivated Device Decoy
    Malware Enabled Decoy
    Password Engineering Application
    Summary
    4. Forensic Trace and Data Leakage
    Extracting Image Geotags
    Consolidated GPS Cache
    SQLite Databases
    Connecting to a Database
    SQLite Built-in Commands
    Issuing SQL Queries
    Important Database Files
    Address Book Contacts
    Address Book Images
    Google Maps Data
    Calendar Events
    Call History
    Email Database
    Notes
    Photo Metadata
    SMS Messages
    Safari Bookmarks
    SMS Spotlight Cache
    Safari Web Caches
    Web Application Cache
    WebKit Storage
    Voicemail
    Reverse Engineering Remnant Database Fields
    SMS Drafts
    Property Lists
    Important Property List Files
    Other Important Files
    Summary
    5. Defeating Encryption
    Sogeti’s Data Protection Tools
    Installing Data Protection Tools
    Building the Brute Forcer
    Building Needed Python Libraries
    Extracting Encryption Keys
    The KeyTheft Payload
    Customizing Launchd
    Preparing the RAM disk
    Preparing the Kernel
    Executing the Brute Force
    Decrypting the Keychain
    Decrypting Raw Disk
    Decrypting iTunes Backups
    Defeating Encryption Through Spyware
    The SpyTheft Payload
    Daemonizing spyd
    Customizing Launchd
    Preparing the RAM disk
    Executing the Payload
    Exercises
    Summary
    6. Unobliterating Files
    Scraping the HFS Journal
    Carving Empty Space
    Commonly Recovered Data
    Application Screenshots
    Deleted Property Lists
    Deleted Voicemail and Voice Recordings
    Deleted Keyboard Cache
    Photos and Other Personal Information
    Summary
    7. Manipulating the Runtime
    Analyzing Binaries
    The Mach-O Format
    Introduction to class-dump-z
    Symbol Tables
    Encrypted Binaries
    Calculating Offsets
    Dumping Memory
    Copy Decrypted Code Back to the File
    Resetting the cryptid
    Abusing the Runtime with Cycript
    Installing Cycript
    Using Cycript
    Breaking Simple Locks
    Replacing Methods
    Trawling for Data
    Logging Data
    More Serious Implications
    Exercises
    SpringBoard Animations
    Call Tapping...Kind Of
    Making Screen Shots
    Summary
    8. Abusing the Runtime Library
    Breaking Objective-C Down
    Instance Variables
    Methods
    Method Cache
    Disassembling and Debugging
    Eavesdropping
    The Underlying Objective-C Framework
    Interfacing with Objective-C
    Malicious Code Injection
    The CodeTheft Payload
    Injection Using a Debugger
    Injection Using Dynamic Linker Attack
    Full Device Infection
    Summary
    9. Hijacking Traffic
    APN Hijacking
    Payload Delivery
    Removal
    Simple Proxy Setup
    Attacking SSL
    SSLStrip
    Paros Proxy
    Browser Warnings
    Attacking Application-Level SSL Validation
    The SSLTheft Payload
    Hijacking Foundation HTTP Classes
    The POSTTheft Payload
    Analyzing Data
    Driftnet
    Building
    Running
    Exercises
    Summary
    Part II. Securing
    10. Implementing Encryption
    Password Strength
    Beware Random Password Generators
    Introduction to Common Crypto
    Stateless Operations
    Stateful Encryption
    Master Key Encryption
    Geo-Encryption
    Geo-Encryption with Passphrase
    Split Server-Side Keys
    Securing Memory
    Wiping Memory
    Public Key Cryptography
    Exercises
    11. Counter Forensics
    Secure File Wiping
    DOD 5220.22-M Wiping
    Objective-C
    Wiping SQLite Records
    Keyboard Cache
    Randomizing PIN Digits
    Application Screenshots
    12. Securing the Runtime
    Tamper Response
    Wipe User Data
    Disable Network Access
    Report Home
    Enable Logging
    False Contacts and Kill Switches
    Process Trace Checking
    Blocking Debuggers
    Runtime Class Integrity Checks
    Validating Address Space
    Inline Functions
    Complicating Disassembly
    Optimization Flags
    Stripping
    They’re Fun! They Roll! -funroll-loops
    Exercises
    13. Jailbreak Detection
    Sandbox Integrity Check
    Filesystem Tests
    Existence of Jailbreak Files
    Size of /etc/fstab
    Evidence of Symbolic Linking
    Page Execution Check
    14. Next Steps
    Thinking Like an Attacker
    Other Reverse Engineering Tools
    Security Versus Code Management
    A Flexible Approach to Security
    Other Great Books

1395/01/27 27401 1016
Password: tahlildadeh.com or www.tahlildadeh.com