Tuesday, February 12, 2013

Security Testing iOS Apps Part 1


While for the last decade or so our day-to-day security work has been mostly about web applications, we are now seeing a gradual shift in demand to mobile apps. This is a nice thing because honestly, after testing over 9,000 web applications it does get a little monotonous.

By now we have acquired a good level of experience with mobile app testing and thought it would be a good idea to share some of it with others who might want to get into the field. This is the first part of a multi-part blog series on security testing of mobile apps. Because my personal focus is on iOS, I will cover the iOS part and leave Android to one of my colleagues (yes, other mobile OSes exist, but we have never been asked to test apps on any of them).

In our first article we will focus on specialized know-how and skills required to get started. Later articles will discuss common test setups and security issues found in iOS apps.

How to prepare yourself


Mobile apps are almost always a client or front-end to something. So usually you will be testing a complete client/server architecture, with the mobile app as the client connecting to some kind of JSON / XML / web service. iOS apps are real compiled binaries. As a consequence, for a security test like this you need good know-how about the pitfalls of typical (web-)server applications as well as about the low-level issues that may occur in the app itself (memory management problems, heap overflows, use-after-free vulnerabilities, and so on). Since all iOS devices run on ARM processors, being able to read ARM assembler is also required. If you come from an application security background, you have likely dealt with most of these things before.

However, there are also some iOS specific topics you should learn about:

1. Objective-C


If you haven't developed for an Apple OS, chances are you've never heard of Objective-C before. It is the main programming language used for writing software on OS X and iOS, and that is basically the only place where it is used.

Objective-C is a superset of C but adds some concepts of its own that have to be learned. Instead of normal method calls there is message passing, with a bracket syntax that takes some getting used to; every message send compiles down to a call to the runtime function objc_msgSend, which is why that function dominates any disassembly of an iOS binary. There are other concepts, such as delegation, that you should also read up on, because otherwise understanding Objective-C code or disassemblies of iOS binaries will be difficult.

Also, if you are going to test iOS apps, you should at least have written and deployed a Hello World app for iOS yourself. Download Xcode and the iOS SDK (you will need them anyway) and follow Apple's tutorial.
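As an added example (written for this editing pass, not code from the original post), here is a small command-line Objective-C program that shows the three things a tester keeps running into: message passing, a delegate protocol, and the objc_msgSend call that every bracketed message compiles to. The LoginClient, LoginClientDelegate and ViewModel names, and the password-length check standing in for a network round trip, are made up for illustration.

```objc
// Added example, not from the original post. Build on OS X with:
//   clang -fobjc-arc -framework Foundation messaging.m -o messaging
#import <Foundation/Foundation.h>
#import <objc/message.h>

// A delegate protocol: the worker object calls back into whatever object was
// registered as its delegate instead of hard-coding the callback target.
@protocol LoginClientDelegate <NSObject>
- (void)loginClient:(id)client didReceiveToken:(NSString *)token;
@optional
- (void)loginClient:(id)client didFailWithError:(NSError *)error;
@end

@interface LoginClient : NSObject
@property (nonatomic, weak) id<LoginClientDelegate> delegate;
- (void)loginWithUser:(NSString *)user password:(NSString *)password;
@end

@implementation LoginClient
- (void)loginWithUser:(NSString *)user password:(NSString *)password {
    // Hypothetical check standing in for a request to the backend.
    if ([password length] >= 8) {
        NSString *token = [NSString stringWithFormat:@"token-for-%@", user];
        // Message send: in a disassembly this is an objc_msgSend call whose
        // selector argument is "loginClient:didReceiveToken:".
        [self.delegate loginClient:self didReceiveToken:token];
    } else if ([self.delegate respondsToSelector:@selector(loginClient:didFailWithError:)]) {
        // Optional protocol methods must be checked before they are messaged.
        NSError *err = [NSError errorWithDomain:@"LoginClient" code:1 userInfo:nil];
        [self.delegate loginClient:self didFailWithError:err];
    }
}
@end

@interface ViewModel : NSObject <LoginClientDelegate>
@property (nonatomic, copy) NSString *lastToken;
@end

@implementation ViewModel
- (void)loginClient:(id)client didReceiveToken:(NSString *)token {
    self.lastToken = token;
    NSLog(@"delegate received token %@", token);
}
- (void)loginClient:(id)client didFailWithError:(NSError *)error {
    NSLog(@"delegate received error %@", error);
}
@end

int main(int argc, char *argv[]) {
    @autoreleasepool {
        ViewModel *vm = [[ViewModel alloc] init];
        LoginClient *client = [[LoginClient alloc] init];
        client.delegate = vm;

        // 1. Normal bracket syntax: [receiver selector:argument ...]
        [client loginWithUser:@"alice" password:@"correct horse battery"];

        // 2. The same call written the way the compiler emits it. Every
        //    [obj msg:arg] becomes objc_msgSend(obj, @selector(msg:), arg),
        //    so reading a disassembly means recovering the selector argument
        //    of each objc_msgSend call.
        ((void (*)(id, SEL, NSString *, NSString *))objc_msgSend)(
            client, @selector(loginWithUser:password:), @"bob", @"short");

        // 3. Dispatch by name: the selector can be built from a string at
        //    run time, so method names may only show up as string constants.
        SEL sel = NSSelectorFromString(@"loginWithUser:password:");
        if ([client respondsToSelector:sel]) {
            [client performSelector:sel withObject:@"carol" withObject:@"another long one"];
        }
        NSLog(@"last token: %@", vm.lastToken);
    }
    return 0;
}
```

The third variant is worth remembering when you hunt for a method in a disassembly and find no direct call: if the selector is assembled from a string, the string table is where it turns up.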

2. iOS security


This is important for several reasons. First, Apple does everything to maintain complete control of its devices, and this includes locking down iOS to prevent you, the tester, from doing your work. In some cases, the first thing you have to worry about is to BREAK Apple's security mechanisms so you can get an inside look at the app you are testing and its interaction with the OS. Doing low-level stuff such as debugging a heap overflow exploit simply isn't possible without jailbreaking the device first. Fortunately, you usually won't have to develop your own jailbreak, because the jailbreak community provides this service for free.

On the other hand, iOS offers many security features and APIs to developers that you should understand. Most importantly, because secure data storage is such an important issue with mobile apps, you should read up on file data protection and the iOS keychain.

Encryption and code signing play an important role in iOS. Every iOS device is outfitted with a hardware AES-256 crypto engine that is used extensively by the OS. The device's unique key (UID) is fused into the application processor and cannot be read by software, so certain cryptographic operations can only be performed on the device itself. This is relevant if you want to decrypt app binaries copied from a device (more on that later). Also, every file on the data partition is encrypted by default with its own per-file key; that key is in turn wrapped with the key of the "protection class" the file belongs to, and the class keys are derived from the device key and, for the stronger classes, the user's passcode. It is important to understand the different ways encryption is used in iOS if you want to assess the way an app handles sensitive data.
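To make the two storage mechanisms from the previous paragraphs concrete, here is an added example (not code from the original post or from Apple) of app code writing the same secret under a weak and under a strong protection class, once on the file system and once in the keychain. It is meant to be compiled into an app running on a passcode-protected device; the file names, service and account strings, and the storeSessionSecret function are made up for illustration.

```objc
// Added example, not from the original post. Link against Foundation and
// Security; call storeSessionSecret() from app code on a device with a passcode.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// NSFileProtectionNone: the per-file key is wrapped with a class key that is
// protected by the device UID key alone, so the file is readable whenever the
// device is booted (including by file system tools on a jailbroken device).
// NSFileProtectionComplete: the class key is derived from the UID key and the
// user's passcode and is discarded shortly after the device locks.
static BOOL writeSecret(NSData *secret, NSString *path, NSString *protection) {
    NSDictionary *attrs = @{ NSFileProtectionKey : protection };
    return [[NSFileManager defaultManager] createFileAtPath:path
                                                   contents:secret
                                                 attributes:attrs];
}

// What a tester checks on a jailbroken device: the class actually applied.
static NSString *protectionClassOf(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:NULL];
    return attrs[NSFileProtectionKey];
}

// kSecAttrAccessibleAlways: the item is decryptable whenever the device is
// booted and can be restored from a backup onto another device.
// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: decryptable only while the
// device is unlocked, and wrapped with a device-specific key so that it
// cannot be restored onto a different device.
static OSStatus storeToken(NSString *service, NSString *account,
                           NSData *token, CFTypeRef accessible) {
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : service,
        (__bridge id)kSecAttrAccount : account,
    };
    // SecItemAdd fails with errSecDuplicateItem, so drop any previous copy.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData]      = token;
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)accessible;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

static NSData *loadToken(NSString *service, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : service,
        (__bridge id)kSecAttrAccount : account,
        (__bridge id)kSecReturnData  : @YES,
        (__bridge id)kSecMatchLimit  : (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    return (__bridge_transfer NSData *)result;
}

// Hypothetical call site inside the app.
void storeSessionSecret(void) {
    NSData *secret = [@"session-secret" dataUsingEncoding:NSUTF8StringEncoding];
    NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                          NSUserDomainMask, YES) lastObject];
    NSString *weakPath   = [docs stringByAppendingPathComponent:@"secret-weak.bin"];
    NSString *strongPath = [docs stringByAppendingPathComponent:@"secret.bin"];

    writeSecret(secret, weakPath,   NSFileProtectionNone);      // weak setting
    writeSecret(secret, strongPath, NSFileProtectionComplete);  // corrected
    NSLog(@"%@: %@", weakPath,   protectionClassOf(weakPath));
    NSLog(@"%@: %@", strongPath, protectionClassOf(strongPath));

    storeToken(@"com.example.app", @"session", secret,
               kSecAttrAccessibleAlways);                        // weak setting
    storeToken(@"com.example.app", @"session", secret,
               kSecAttrAccessibleWhenUnlockedThisDeviceOnly);    // corrected
    NSLog(@"keychain item: %@", loadToken(@"com.example.app", @"session"));
}
```

When you assess an app, the NSFileProtectionKey attribute and the kSecAttrAccessible value are exactly what you look for: a credentials file that still reports NSFileProtectionNone, or a keychain item stored as kSecAttrAccessibleAlways, is readable on a jailbroken device regardless of the lock state and is a finding.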

Apple has released a quite comprehensive paper covering most of these topics, and you might also consider reading the iOS hacker's handbook (see below). Make sure you are comfortable with the basics before you consider testing iOS apps.

3. iOS OS architecture


iOS is derived from OS X and runs the same Darwin core OS. It's basically Unix with some Apple-proprietary layers on top of it. Standard tools, such as a shell and an SSH server, are missing from the default firmware but are easily added to a jailbroken device. For a start, get a jailbroken device, install OpenSSH via Cydia and explore the OS for a while to get a feel for the file system, the way applications and data are stored, and other OS internals.

Here are some more pointers to get you started:

  • iOS hacker's handbook. This comprehensive book by hacking-superstar Charlie Miller et al. explains the basics as well as things like low-level debugging, fuzzing, and exploitation on the OS level. I can highly recommend this.

In the next article, I will discuss the tools and basic setup required for testing an app.