checkerios6.1.3越狱
ios6.1.3越狱 时间:2021-05-24 阅读:()
Copyright2015KRvWAssociates,LLCKenvanWyk,ken@krvw.
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55
com,@KRvWPenTestingiOSAppsFIRST2015KenvanWyk,@KRvWBerlin,Germany14-19June2015Copyright2015KRvWAssociates,LLCTopicswe'llcoverWe'llfocusonhowtobreaktypicaliOSapps–iOStopics–ApplicationtopicsSimpleanalysis–Surfaceofapp–Staticanalysis–DynamicanalysisDeeperanalysis–Exploreappbinary–Run-timeexplorationandexploitation3Copyright2015KRvWAssociates,LLCToolsMosttoolswe'lluseareeitheropensourceorinexpensive–iExplorerforexploringfilesystemonaniOSdevice–iOSdeviceandaUSBcablePreferablyjailbrokenCydiaCycript4Copyright2015KRvWAssociates,LLCClearupsomemisconceptionsApple'siOShasbeenahugesuccessforApple–TogetherwithAndroid,theyhavere-definedmobiletelephonyApplehasmadegreatadvancesinsecurity–Theyarestillfarfromreallygood–Notevensureifthey'reprettygoodSoftwaredevelopersstillmakesillymistakes5Copyright2015KRvWAssociates,LLCSystemHardeningFeaturesAttacksurfacereductionStrippeddownOS–No/bin/shPrivilegeseparationCodesigningDataexecutionprevention(DEP)–Vitalforreturnorientedprogramming–NoarchitecturalseparationofdataandcodesegmentsAddressspacelayoutrandomization(ASLR)6Copyright2015KRvWAssociates,LLCApplicationsandboxingBypolicy,appsareonlypermittedtoaccessresourcesintheirsandbox–Inter-appcommsarebyestablishedAPIsonlyURLs,keychains(limited)–Filei/oin~/DocumentsonlyTheserulesdon'talwaysapplytoApple'sownapps7Copyright2015KRvWAssociates,LLCHardwareencryptionEachiOSdevice(asof3GS)hashardwarecryptomodule–UniqueAES-256keyforeveryiOSdevice–SensitivedatahardwareencryptedSoundsbrilliant,right–Well.
.
.
8Copyright2015KRvWAssociates,LLCiOScryptokeysGIDkey-GroupIDkeyUIDkey-UniqueperdevDkey-DefaultfilekeyEMF!
-EncryptsentirefilesystemandHFSjournalClasskeys-Oneperprotectionclass–SomederivedfromUID+Passcode9Copyright2015KRvWAssociates,LLCiOSNAND(SSD)mappingBlock0-LowlevelbootloaderBlock1-Effaceablestorage–Lockerforcryptokeys,includingDkeyandEMF!
Blocks2-7-NVRAMparametersBlocks8-15-FirmwareBlocks8-(N-15)-FilesystemBlocks(N-15)-N-Last15blocksreservedbyApple10Copyright2015KRvWAssociates,LLCBuilt-infileprotectionclassesiOS(since4)supportsfileprotectionclasses–NSFileProtectionComplete–NSFileProtectionCompleteUnlessOpen–NSFileProtectionCompleteUntilFirstUserAuthentication–NSFileProtectionNoneAllbutNonearederived11Copyright2015KRvWAssociates,LLCBuilt-infileprotectionlimitationsPros–Easytouse,withkeymanagementdonebyiOS–Powerfulfunctionality–Alwaysavailable–ZeroperformancehitCons–ForComplete,cryptokeyingincludesUDID+Passcode4digitPINproblem12Copyright2015KRvWAssociates,LLCKeychainsKeychainAPIprovidedforstorageofsmallamountsofsensitivedata–Logincredentials,passwords,etc.
–CreditcarddataoftenfoundhereStoredinaSQLitedatabase–EncryptedusinghardwareAESwithderivedkey13Copyright2015KRvWAssociates,LLCJailbreaksApple'sprotectionarchitectureisbasedonamassivedigitalsignaturehierarchy–Startingfrombootloader–ThroughapploaderJailbreaksoftwarebreaksthathierarchy–Currentbreaksupto8.
1.
2DFUmodeallowsUSBvectorforbootloader–OlderiPhonesmostly,but…14Copyright2015KRvWAssociates,LLCKeyboarddataAll"keystrokes"arestored–Usedforauto-correctfeature–NicespellcheckerKeydatacanbeharvestedusingforensicsprocedures–Passwords,creditcards.
.
.
–Needleinhaystack15Copyright2015KRvWAssociates,LLCScreensnapshotsDevicesroutinelygrabscreensnapshotsandstoreinJPG–Usedforminimizingappanimation–ItlooksprettyWHAT!
–It'saproblem–Requireslocalaccesstodevice,butstill.
.
.
16Copyright2015KRvWAssociates,LLCLet'sconsiderthebasicsWe'llcoverthese(fromthemobiletop10)–ProtectingsecretsAtrestIntransit–Input/outputvalidation–Authentication–Sessionmanagement–Accesscontrol–Privacyconcerns17Copyright2015KRvWAssociates,LLCExamplesAirlineapp–StoresfrequentflyerdatainplaintextXMLfileHealthcareapp–StorespatientdatainplistfileButit'sbase64encodedforyourprotection…Bankingapp–FrameworkcacherevealedsensitiveaccountdataConsumerticketapp–AcceptedSSLfromselfsignedkey–Exposedcreditcarddata18Copyright2015KRvWAssociates,LLCSQLliteexampleLet'slookatadatabaseappthatstoressensitivedataintoaSQLitedb–We'llrecoverittriviallybylookingattheunencrypteddatabasefile19Copyright2015KRvWAssociates,LLCProtectingsecretsatrestEncryptionistheanswer,butit'snotquitesosimple–Wheredidyouputthatkey–Surelyyoudidn'thardcodeitintoyourapp–Surelyyou'renotcountingontheusertogenerateandrememberastrongkeyKeymanagementisanon-triviallysolvedproblem20Copyright2015KRvWAssociates,LLCStaticanalysisofanappExplorefolders–.
/Documents–.
/Library/Caches/*–.
/Library/Cookies–.
/Library/PreferencesAppbundle–Hexdumpofbinary–plistfilesWhatelse21Copyright2015KRvWAssociates,LLCToolstouseMactools–Finder–iExplorer–hexdump–strings–otool–otx(otx.
osxninja.
com)–class-dump(iphone.
freecoder.
org/classdump_en.
html)–Emacs(editor)Xcodeadditionaltools–Clang(buildandanalyze)Findsmemoryleaksandothers22Copyright2015KRvWAssociates,LLCExercise-coffeeshopattackThisoneistrivial,butlet'stakealookInthisiGoatexercise,theuser'scredentialsaresentplaintext–SimplewebserverrunningonMacresponds–IfthiswereonapublicWiFi,anetworksnifferwouldbepainlesstolaunch23Copyright2015KRvWAssociates,LLCMostcommonSSLmistakeWe'veallheardofCAsbeingattacked–That'sallimportant,but.
.
.
–(Certificatepinningcanhelp.
)FailingtoproperlyverifyCAsignaturechain–BiggestSSLproblembyfar–Studyshowed1/3ofAndroidappsfelltothis24Copyright2015KRvWAssociates,LLCTestingforSSLproblemsGoalistoensureclientperformsstrongcertificateverificationMITMonthenetsetup–Appproxyonlaptop(e.
g.
,Burpsuite)–GenerateSSLcertsignedbyyourownCA–PutyourCAcertontestiOSdeviceRemembertoremovefakeCAbeforeleavinglabenvironment!
25Copyright2015KRvWAssociates,LLCButthat'snotenough26Copyright2015KRvWAssociates,LLCObjCRun-timeisflawedUnlikeinC,"functions"arenotcalled–Messagesarepassed–ObjectsdynamicallyallocatedWithinprocessspace,dynamictamperingalsopossible–Messagetraffic–Objects27Copyright2015KRvWAssociates,LLCReverseengineeringAttackerwantstolearnhowyourappworks–DeepinternaldetailsAttackerwantstoattempttotrickyourappintomisbehaving–TamperwithruntimeHowJailbrokendeviceandsomefreetools–Andalotoftime28Copyright2015KRvWAssociates,LLCPrerequisitetoolsandenvMacwithOSXandXcodeJailbrokendevice–evasi0nworksgreatCydiaandfriends–Cydiainstalledwithevasi0n–ShellaccessOpenSSH-installwithCydia–Debuggergdb-installwithCydiaBareminimumessentials29Copyright2015KRvWAssociates,LLCAnalysistechniquesStaticanalysis–Observeattributesoftheexecutable,appfiles–Yes,encrypted(appstore)appstooDynamicanalysis–RuntheappandlearnhowitworksTampering–Tricktherun-timeenv30Copyright2015KRvWAssociates,LLCStaticanalysisAnybinarycanbeexamined–Usuallyrevealamaptoclasses,objects,text,symbols,etc.
Commontools–otool–class-dump-z–nmExamples–Linkedlibs,methodsotool-Lappnameotool-lappname–Listofclassesclass-dump-zappname–Symboltablenmappname31Copyright2015KRvWAssociates,LLCIt'sCunderneaththehoodBeneaththatniceOOPObjClayerliesaCfoundation–PrettymucheverythinginObjCcanbedoneinCPrimitivesfordoingalltheOOstuffobjc_msgSend(),objc_getClass()areprimeexamplesThismatterstouswhenanalyzingstaticallyordynamically32Copyright2015KRvWAssociates,LLCEncryptedbinariestooBasicprocess–Useapploadertodecrypt–Calculatememoryoffsets–StoreprocesstodiskddisyourfriendWillalsoneedplutilandgdbHOWTOavailable–http://www.
mandalorian.
com/2013/05/decrypting-ios-binaries/33Copyright2015KRvWAssociates,LLCLet'stakealook34Copyright2015KRvWAssociates,LLCDynamicanalysisWhatcanwelearnfromobservingitrunning–Alot–Allthosemessages–Memorycontents–CPUregistersYoudon'thaveanythingtohide,right35Copyright2015KRvWAssociates,LLCAttackingarunningappManintheapp(MITA)–Themostdangerousformofon-hostdynamicattack–InternalaccesstoeverythingThatObjCrun-timemessagingarchitectureisgoingtohauntus36Copyright2015KRvWAssociates,LLCAfewmoretoolsForthese,you'llwant–gdb–Cycript(seeslide)–Networkproxy(e.
g.
,Burpsuite)–SSLstrip(optional)37Copyright2015KRvWAssociates,LLCMessageeavesdroppingUsegdbtobuildasimplebuteffectivemessageeavesdropper–Examplegdb-q-pPIDbreakobj_msgSendcommandsx/a$r0x/s$r1c38Copyright2015KRvWAssociates,LLCCycript"CycriptallowsdeveloperstoexploreandmodifyrunningapplicationsoneitheriOSorMacOSXusingahybridofObjective-C++andJavaScriptsyntaxthroughaninteractiveconsolethatfeaturessyntaxhighlightingandtabcompletion"—Fromhttp://www.
cycript.
orgItisanamazingutilityfordynamicallyprobingarunningapp39Copyright2015KRvWAssociates,LLCFunwithCycriptBasics#cycriptcy#varmyString=[[NSStringalloc]cy>initWithString:@"Helloworld"];"Helloworld"cy#[myStringlength];11CombinationofJavaScriptandObjCsyntaxgivesamazingcapabilities40Copyright2015KRvWAssociates,LLCCycript(2)Safariexample#cycript-pPIDcy#varapp=[UIApplicationsharedApplication];""cy#[appopenURL:[NSURLURLWithString:cy>@"http://www.
first.
org"]];1cy#app.
networkActivityIndicatorVisible=YES41Copyright2015KRvWAssociates,LLCCycriptingforfunandprofitBreakclient-sidelogic–AlterPINs,booleans,semaphores–ReplacemethodsProberunningappdata–Canbeverbose,butyougeteverythinginanobjectcy#functionappls(a){varx={};for(iin*a){try{x[i]=(*a)[i];}catch(e){}}returnx;}cy#appls(object);42Copyright2015KRvWAssociates,LLCClient-sidelogicYoudidn'tthinkyoucouldtrustclient-sidelogic,didyou43Copyright2015KRvWAssociates,LLCTamperingNowlet'sgobeyondmereobservationReplaceexistingmethods–Changeaddressingdb–DynamiclinkerattackPutyourlibraryinDYLD_INSERT_LIBRARIESAutomatedynamiclinking–MobileSubstrate44Copyright2015KRvWAssociates,LLCNothingiswhatitappearsNowwecanchangetheentireuniverseyourapprunsin(Ifthisdoesn'tseembad,gowatchTheMatrix)45Copyright2015KRvWAssociates,LLCCopyright2013KRvWAssociates,LLCResourcesHackingandSecuringiOSApplications,JonathanZdziarski,O'Reilly,2012Evasi0n,popularjailbreakingtool,http://www.
evad3rs.
com/46Copyright2015KRvWAssociates,LLCHardeningUseractionsandclientconfigurationsArchitecturalconsiderationsHardeningtipsButremember,nothingisperfect.
47Copyright2015KRvWAssociates,LLCUseractionsandconfigurationsStrongpasscodeshelpMDMscanmanageconfigurationsofentirefleets48Copyright2015KRvWAssociates,LLCArchitecturalconsiderationsDesignchoicesmakeahugedifference–ClientcannotbetrustedSensitivedataSensitivefunctionsSecuritycontrols–ClientshouldprovidepresentationlayerMinimalfunctionalityProcessingshouldbeserver49Copyright2015KRvWAssociates,LLCHardeningtipsNon-obviousnames–ObfuscatefunctionalpurposeDisabledebugging#defineDENY_DEBUG31ptrace(DENY_DEBUG,0,0,0);Complicatedisassembly–Compileroptimizer–Stripsymbols50Copyright2015KRvWAssociates,LLCHardeningtips(2)Sensitivecode–Onserver,but…–WriteinCorASM–Compile+linkin-line–ExpandloopsmanuallyForceyourattackertosinglestepthroughDon'tgiveawayanything51Copyright2015KRvWAssociates,LLCHardening(3)Datastorage–EncryptDataProtectionAPIforconsumergradeKeysonserver–CommonCryptoLibSecurefilewipingSQLitedatawiping–Updatebeforedelete52Copyright2015KRvWAssociates,LLCTamperdetectionHowdoweknow–Run-timeintegritychecksMemoryoffsetsofsensitiveobjects–SandboxintegrityAttempttoforkSizeandchecksumof/etc/fstabSymboliclinksin/ApplicationsCommonjailbreakfilesandapps–/Applications/Cydia.
app–HoneypotsinappThereain'tahorsethatcan'tberodeoramanthatcan'tbethrowed.
53Copyright2015KRvWAssociates,LLCTamperresponseWhattodo–Remotewipe–Phonehome–Logeverything–Wipeuserdata,keys–Disablenetworkaccess–Etcetera54Copyright2015KRvWAssociates,LLCCopyright2014KRvWAssociates,LLCCopyright2015KRvWAssociates,LLCKennethR.
vanWykKRvWAssociates,LLCKen@KRvW.
comhttp://www.
KRvW.
com@KRvW55
- checkerios6.1.3越狱相关文档
- slowios6.1.3越狱
- x001a54e8ios6.1.3越狱
- 支持ios6.1.3越狱
- 支持ios6.1.3越狱
- 连接ios6.1.3越狱
- 编码ios6.1.3越狱
无法忍受旧版不兼容PHP7+主题 更换新主题
今天父亲节我们有没有陪伴家人一起吃个饭,还是打个电话问候一下。前一段时间同学将网站账户给我说可以有空更新点信息确保他在没有时间的时候还能保持网站有一定的更新内容。不过,他这个网站之前采用的主题也不知道来源哪里,总之各种不合适,文件中很多都是他多年来手工修改的主题拼接的,并非完全适应WordPress已有的函数,有些函数还不兼容最新的PHP版本,于是每次出现问题都要去排查。于是和他商量后,就抽时间把...
LOCVPS-2021年6月香港便宜vps宽带升级,充值就送代金券,其它八折优惠!
LOCVPS怎么样?LOCVPS是一家成立于2011年的稳定老牌国人商家,目前提供中国香港、韩国、美国、日本、新加坡、德国、荷兰等区域VPS服务器,所有机房Ping延迟低,国内速度优秀,非常适合建站和远程办公,所有机房Ping延迟低,国内速度优秀,非常适合做站。XEN架构产品的特点是小带宽无限流量、不超售!KVM架构是目前比较流行的虚拟化技术,大带宽,生态发展比较全面!所有大家可以根据自己业务需求...
AlphaVPS(€3.99/月)VPS年付15欧,AMD EYPC+NVMe系列起
AlphaVPS是一家保加利亚本土主机商(DA International Group Ltd),提供VPS主机及独立服务器租用等,数据中心包括美国(洛杉矶/纽约)、德国、英国和保加利亚等,公司办公地点跟他们提供的保加利亚数据中心在一栋楼内,自有硬件,提供IPv4+IPv6,支持PayPal或者信用卡等方式付款。商家提供的大硬盘VPS主机,提供128GB-2TB磁盘,最低年付15欧元起,也可以选择...
ios6.1.3越狱为你推荐
-
徐州微信5lowercasecssitunes备份如何用iTunes备份iPhonecsshack怎样找css hack 的最新使用方法firefoxflash插件Firefox浏览器怎么激活adobe flash插件google分析如何添加google analysiswin7还原系统电脑怎么恢复出厂设置win7旗舰版电信版iphone4s4和苹果iPhone 4S 电信版有什么区别google统计怎样将Google分析转换成中文显示Google中文专题交流苹果5.1.1越狱你好,iphone5.1.1完美越狱,电脑上为什么连不上呢?只能显示充电,谢谢