Assessing iOS Applications – setting up a test environment and grabbing low hanging fruit

This guide should serve as an introduction for those wishing to get into iOS application security testing. It demonstrates grabbing low hanging fruit. This guide will not cover all aspects of iOS application security and therefore should not be used as a fully fledged methodology. The line between web application assessments and mobile assessments is blurred as both consist of client/server models and most apps (if not all) speak HTTP (and hopefully some HTTPS). Many of the vulnerabilities you find will therefore require an intelligent web application security specialist's brain behind that Burp proxy. Incidentally, we have tons of them here at SpiderLabs! :)

Alas, let's get on with the show.

Ingredients

1x Jailbroken iPhone/iPad (Cydia)

1x Macbook Pro (to create a wireless network) OR a wirelessnetwork

1x Burp
 Proxy (or similar)

1x Self-signed Certificate (to MiTM HTTPS traffic)

Prepare iPhone/iPad

Cydia should already be installed if the device is jailbroken. OpenCydia, select Sources and add a new source; "http://cydia.hackulo.us".

Install OpenSSH, Installous 4 and Clutch.

Installing the app

If the app is on iTunes then this is easy - find it on the AppStore, download, sync device. If the app isn't on iTunes then the likelihood is that your client will send you a .IPA file. You can double click this file and it will load in iTunes - sync device as before.

WARNING: iTunes may force you to wipe the device if it is synced with another computer. If so, there is a way around this that doesn't involve syncing. Don't click on the .IPA and don't open iTunes. Instead, scp the .IPA file over to /User/Documents/Installous/Downloads/ on the device and install that way using Installous.

If your client sends you a .XCArchive package, don't worry, not all is lost. Assuming you're on OS X, sort out your X code path else you'll get this error.

Error: No developer directory foundat /Developer. Run /usr/bin/xcode-select to update the developer directorypath.

To fix, do the following:

sudo xcode-select -switch/Applications/Xcode.app/Contents/Developer

Now go to your .XCArchive file, right click and "Show Package Contents" and navigate to where the iOS .app file is - jot this down, you'll need it for the next bit.

Now armed with the .app file location you can bust out xcrun (our magic wand in this case) and create the .IPA file/package.Replace the path to your .app (what you jotted down before) in the command below. Note to specify "-sdk iphoneos" even if it is for the iPad.

/usr/bin/xcrun -sdk iphoneos PackageApplication"/absolute/path/to/MyApp.xcarchive/Products/Applications/MyApp.app"-o "/absolute/path/to/MyApp.ipa"

You can now scp the .IPA to your iPad and use Installous (within Cydia) to install as usual.

Finding the app

SSH to the device, the app will be installed in /var/mobile/Applications/<ID>/.

HINT: Look for the date when trying to locate the app, or justdo a find.

Connect to the wireless network

Connect the device to the wireless network - be it the Macbook Pro's "Internet Sharing" wireless network or an actual wireless network. Ensure that the Macbook Pro which will intercept requests/responses(via Burp) is on the same network.

Install the self-signed certificate

On the intercepting Macbook Pro we will export Burp's certificate via Firefox. Set Burp up as a proxy on TCP port 8080 (listening on ALL interfaces). Open Firefox, visit any HTTPS site, view the exception message, view certificate, highlight "PortSwigger CA" in the certificate hierarchy and not the site. Export as .CER. Mail it to yourself, open the e-mail on the device, click on the attachment and install it.

Important: Make sure you export the "PortSwigger CA" line item and not the random website below (twitter.com in this case).

Setting up the proxy

Ensure that Burp is listening on ALL interfaces, or at least one that the device could see over the network. On the device, go to Network, Wi-Fi, click on the blue arrow to the right of the connected wireless network, scroll down to "HTTP Proxy" and select Manual. Insert the details of the Macbook Pro with Burp running, IP and TCP port 8080.

Testing the proxy works

Open Safari on the device and test that Burp captures the HTTP traffic correctly. If it works then load up the iOS application and you will be able to see traffic.

Decrypting apps from iTunes

If you downloaded your client's app from iTunes then you will need to remove the encryption before you analyse it with strings, etc. Tore move iTunes encryption you can use gdb, or you can use an app called Clutch(which you installed earlier in Cydia). Clutch puts cracked apps in /var/root/Documents/Cracked/.Scp the .IPA file off the device to the Macbook Pro to analyse.

Looking for strings in the binary

Unzip the .IPA file (it's a package really) that you received from the previous step. Go to the extracted folder, e.g./BAH.app/<BAH> and use "strings" on the binary: stringsBAH > stringsdump.txt. Review stringsdump.txt for any useful stuff.HINT: grep "password", "secret", "http://","encrypt", etc, etc.

Looking at classes, objects, libraries

Use class-dump against the binary and discover information: ./class-dumpbinary or otool: ./otool -ov binary. Things here will become useful during runtime manipulation - variables, view classes, etc.

App files

Apps are installed in /var/mobile/Applications/<ID>/.Inside <APP>.app are application resource files including the binary. Have a look for cached data, databases, etc. A typical app file structure looks like:

/var/mobile/Applications/<ID>/App.app/


/var/mobile/Applications/<ID>/Library/Caches/


/var/mobile/Applications/<ID>/Library/Cookies/


/var/mobile/Applications/<ID>/Library/Preferences/


/var/mobile/Applications/<ID>/tmp/


/var/mobile/Applications/<ID>/Documents/


various .plist files


various .sqlite files

Keychain

Apple's Keychain also worth a look for sensitive data relating to the app: /var/Keychains/keychain-2.db. Use the KeychainDumper tool at https://github.com/ptoomey3/Keychain-Dumper/blob/master/keychain_dumper to dump allKeychain items (using a wildcard entitlements.xml). If you don't trust the binary you can also download the source and build it yourself.

Finito.

What I covered is finding low hanging fruit. Testing past this point will depend on what the app does, its complexity, etc. A lot of testing can be done via Burp as it will interface with web services in many cases, speak HTTP(S) (JSON goodness) and the OWASP Top 10 will apply. Other things to look for; how the app is sent to the background (snapshots), file protection, how it uses the pasteboard, how input/output is handled (UI Web View), etc. There is also a whole world related to runtime manipulation... another blog post!