iOS Pentesting
iOS Basics
Testing Environment
On this page you can find information about the iOS simulator, emulators and jailbreaking:
Initial Analysis
Basic iOS Testing Operations
During testing several operations will be suggested (connecting to the device, reading/writing/uploading/downloading files, using some tools...). Therefore, if you don't know how to perform any of these actions, please start by reading the page:
Tip
For the following steps the app should be installed on the device and you should already have obtained the IPA file of the application.
Read the Basic iOS Testing Operations page to learn how to do this.
Basic Static Analysis
Some interesting decompilers for iOS IPA files:
It is recommended to use the tool MobSF to perform automatic static analysis of the IPA file.
Identifying the protections present in the binary:
- PIE (Position Independent Executable): When enabled, the application loads at a random memory address each time it is launched, making it harder to predict its initial memory address.
otool -hv <app-binary> | grep PIE # It should include the PIE flag
- Stack Canaries: To verify the integrity of the stack, a 'canary' value is placed on the stack before calling a function and is validated again once the function ends.
otool -I -v <app-binary> | grep stack_chk # It should include the symbols: stack_chk_guard and stack_chk_fail
- ARC (Automatic Reference Counting): To prevent common memory corruption flaws.
otool -I -v <app-binary> | grep objc_release # It should include the _objc_release symbol
- Encrypted Binary: The binary should be encrypted.
otool -arch all -Vl <app-binary> | grep -A5 LC_ENCRYPT # The cryptid should be 1
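The header flag and load command those otool one-liners grep for can also be read directly with a small parser. The following Python is an added example (not HackTricks' or Apple's code): it reports the MH_PIE flag and the LC_ENCRYPTION_INFO(_64) cryptid for a thin arm64 image or for each 64-bit slice of a fat binary, and the Mach-O bytes it builds for the demo are constructed, not a real app.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF       # thin 64-bit Mach-O (arm64 is little-endian)
FAT_MAGIC = 0xCAFEBABE         # universal ("fat") wrapper, big-endian fields
MH_PIE = 0x00200000            # header flag that otool -hv prints as "PIE"
LC_ENCRYPTION_INFO = 0x21      # 32-bit encryption-info load command
LC_ENCRYPTION_INFO_64 = 0x2C   # 64-bit variant; cryptid == 1 means FairPlay-encrypted
CPU_TYPE_ARM64 = 0x0100000C


def parse_thin(blob: bytes) -> dict:
    """Parse one thin 64-bit image and report the PIE flag and the cryptid."""
    fields = struct.unpack_from("<IiiIIIII", blob, 0)
    magic, _cputype, _cpusub, _filetype, ncmds, _sizeofcmds, flags, _reserved = fields
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (magic=%#x)" % magic)
    info = {"pie": bool(flags & MH_PIE), "cryptid": None, "ncmds": ncmds}
    off = 32                                   # load commands start right after the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (+ pad in the _64 form)
            info["cryptid"] = struct.unpack_from("<I", blob, off + 16)[0]
        off += cmdsize
    return info


def inspect_macho(blob: bytes) -> list:
    """Return one result per architecture slice; accepts thin or fat input."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        return [parse_thin(blob)]
    nfat = struct.unpack_from(">I", blob, 4)[0]
    results = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _ct, _cst, offset, size, _align = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
        results.append(parse_thin(blob[offset:offset + size]))
    return results


def verdicts(blob: bytes) -> list:
    """One line per slice, phrased like the checks in the list above."""
    out = []
    for r in inspect_macho(blob):
        pie = "yes" if r["pie"] else "NO (MH_PIE flag missing)"
        enc = "yes (cryptid=1)" if r["cryptid"] == 1 else "NO (cryptid=%r)" % r["cryptid"]
        out.append("PIE: %s; encrypted: %s" % (pie, enc))
    return out


def build_sample(pie: bool, cryptid: int) -> bytes:
    """Constructed minimal arm64 image: header + a single LC_ENCRYPTION_INFO_64."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    flags = MH_PIE if pie else 0
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), flags, 0)
    return hdr + lc


def wrap_fat(slices: list) -> bytes:
    """Constructed universal wrapper around thin images (exercises the fat path)."""
    off = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        archs += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off, len(s), 0)
        body += s
        off += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    import sys
    # Pass a real app binary as argv[1]; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True, 1)
    for line in verdicts(data):
        print(line)
```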
Identifying Sensitive/Insecure Functions
- Weak Hashing Algorithms
# On the iOS device
otool -Iv <app> | grep -w "_CC_MD5"
otool -Iv <app> | grep -w "_CC_SHA1"
# On linux
grep -iER "_CC_MD5"
grep -iER "_CC_SHA1"
- Insecure Random Functions
# On the iOS device
otool -Iv <app> | grep -w "_random"
otool -Iv <app> | grep -w "_srand"
otool -Iv <app> | grep -w "_rand"
# On linux
grep -iER "_random"
grep -iER "_srand"
grep -iER "_rand"
- Insecure ‘Malloc’ Function
# On the iOS device
otool -Iv <app> | grep -w "_malloc"
# On linux
grep -iER "_malloc"
- Insecure and Vulnerable Functions
# On the iOS device
otool -Iv <app> | grep -w "_gets"
otool -Iv <app> | grep -w "_memcpy"
otool -Iv <app> | grep -w "_strncpy"
otool -Iv <app> | grep -w "_strlen"
otool -Iv <app> | grep -w "_vsnprintf"
otool -Iv <app> | grep -w "_sscanf"
otool -Iv <app> | grep -w "_strtok"
otool -Iv <app> | grep -w "_alloca"
otool -Iv <app> | grep -w "_sprintf"
otool -Iv <app> | grep -w "_printf"
otool -Iv <app> | grep -w "_vsprintf"
# On linux
grep -R "_gets"
grep -iER "_memcpy"
grep -iER "_strncpy"
grep -iER "_strlen"
grep -iER "_vsnprintf"
grep -iER "_sscanf"
grep -iER "_strtok"
grep -iER "_alloca"
grep -iER "_sprintf"
grep -iER "_printf"
grep -iER "_vsprintf"
Common jailbreak detection techniques
- File System Checks: Look for the presence of typical jailbreak files and directories, such as /Applications/Cydia.app or /Library/MobileSubstrate/MobileSubstrate.dylib.
- Sandbox Violations: Try to access forbidden areas of the filesystem, which should be blocked on non-jailbroken devices.
- API Checks: Check whether restricted calls can be used, such as fork() to create a child process or system() to see whether /bin/sh exists.
- Process Checks: Monitor for known jailbreak-related processes, such as Cydia, Substrate, or ssh.
- Kernel Exploits: Check for kernel exploits commonly used in jailbreaks.
- Environment Variables: Inspect environment variables for signs of a jailbreak, such as DYLD_INSERT_LIBRARIES.
- Libraries Check: Check the libraries loaded into the app's process.
- Check schemes: e.g. canOpenURL(URL(string: "cydia://")).
Common Anti-Debugging detection techniques
- Check for Debugger Presence: Use sysctl or other methods to check whether a debugger is attached.
- Anti-Debugging APIs: Look for calls to anti-debugging APIs such as ptrace or SIGSTOP, e.g. ptrace(PT_DENY_ATTACH, 0, 0, 0).
- Timing Checks: Measure the time taken for certain operations and look for discrepancies that may indicate debugging.
- Memory Checks: Inspect memory for known debugger artifacts or modifications.
- Environment Variables: Check environment variables that may indicate a debugging session.
- Mach Ports: Detect whether mach exception ports are being used by debuggers.
Anti-Debugging & Anti-Tamper Techniques (Layered Checks)
Real-world apps often layer pre-exec, on-attach, and continuous checks. Common patterns to look for (and how to neutralise them during testing):
- Private API side-channel fingerprinting: private launch APIs (e.g. SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions) are abused to probe for installed bundle IDs (com.opa334.TrollStore, org.coolstar.SileoStore, com.tigisoftware.Filza, etc.) based on return codes/logging. Hook the call and sanitize arguments/return values to simulate a clean device.
- Self-attestation via code-signing state: csops() with CS_OPS_ENTITLEMENTS_BLOB fetches the entitlements; unexpected changes trigger an exit. Combined with integrity checks (CRC32/MD5 of resources, certificate validation, Mach-O metadata like LC_ENCRYPTION_INFO_64) this detects re-signing or patching. Instrument these routines and make the results "expected" during analysis.
- Kill-on-attach: ptrace(PT_DENY_ATTACH) combined with abort()/exit() on attach. Bypass by neutralising the termination path or by hooking ptrace so it succeeds without denying.
- Crash forensics sabotage: CPU registers are overwritten before crashing to destroy backtraces. Use breakpoints/hooks early in the detection path instead of relying on crash logs.
- Jetsam-based termination: deliberate memory pressure triggers jetsam, which produces no conventional crash log. Watch for large allocations near the detection logic and reduce/interrupt them to preserve logs.
- Continuous checks with delayed enforcement: heartbeat timers re-run detection and enforce later. Track timers/dispatch sources and keep the process alive by bypassing the delayed kill path.
Basic Dynamic Analysis
Check out the dynamic analysis that MobSF performs. You will need to navigate through the different views and interact with them, but it will be hooking several classes while doing other things and will prepare a report once you are done.
List of installed Apps
Use the command frida-ps -Uai to determine the bundle identifier of the installed apps:
$ frida-ps -Uai
PID Name Identifier
---- ------------------- -----------------------------------------
6847 Calendar com.apple.mobilecal
6815 Mail com.apple.mobilemail
- App Store com.apple.AppStore
- Apple Store com.apple.store.Jolly
- Calculator com.apple.calculator
- Camera com.apple.camera
- iGoat-Swift OWASP.iGoat-Swift
Basic Enumeration & Hooking
Learn how to enumerate the components of the application and how to easily hook methods and classes with objection:
IPA Structure
An IPA file is essentially a zipped package. By changing its extension to .zip, it can be decompressed to reveal its contents. Within this structure, a Bundle represents a fully packaged application ready for installation. Inside it, you will find a directory named <NAME>.app, which contains the application's resources.
- Info.plist: This file holds the application's specific configuration details.
- _CodeSignature/: This directory includes a plist file containing a signature, ensuring the integrity of all files in the bundle.
- Assets.car: A compressed archive storing asset files such as icons.
- Frameworks/: This folder houses the application's native libraries, which may be in the form of .dylib or .framework files.
- PlugIns/: This may include extensions to the application, known as .appex files, although they are not always present.
- Core Data: Used to save your application's permanent data for offline use, to cache temporary data, and to add undo functionality to your app on a single device. To sync data across multiple devices in a single iCloud account, Core Data automatically mirrors your schema to a CloudKit container.
- PkgInfo: The PkgInfo file is an alternative way to specify the type and creator codes of your application or bundle.
- en.lproj, fr.proj, Base.lproj: These are the language packs that contain resources for those specific languages, plus a default resource in case a language isn't supported.
- Security: The _CodeSignature/ directory plays a critical role in the app's security by verifying the integrity of all bundled files through digital signatures.
- Asset Management: The Assets.car file uses compression to manage graphical assets efficiently, which is crucial for optimising application performance and reducing its overall size.
- Frameworks and PlugIns: These directories reflect the modular design of iOS apps, allowing developers to include reusable code libraries (Frameworks/) and extend app functionality (PlugIns/).
- Localization: The structure supports multiple languages, facilitating global reach by including resources for specific language packs.
Info.plist
The Info.plist serves as a cornerstone for iOS applications, encapsulating key configuration data in the form of key-value pairs. This file is required not only for applications but also for app extensions and frameworks bundled within. It is structured in XML or binary format and holds critical information ranging from app permissions to security configurations. For a detailed exploration of the available keys, refer to the Apple Developer Documentation.
For those looking to work with this file in a more accessible format, the XML conversion can be done easily with plutil on macOS (available natively on versions 10.2 and later) or plistutil on Linux. The conversion commands are as follows:
- For macOS:
$ plutil -convert xml1 Info.plist
- For Linux:
$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist
Among the wealth of information the Info.plist file can reveal, notable entries include app permission strings (UsageDescription), custom URL schemes (CFBundleURLTypes), and App Transport Security configurations (NSAppTransportSecurity). These entries, along with others like exported/imported custom document types (UTExportedTypeDeclarations / UTImportedTypeDeclarations), can be easily located by inspecting the file or using a simple grep command:
$ grep -i <keyword> Info.plist
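Rather than converting with plutil/plistutil and grepping by hand, the UsageDescription, CFBundleURLTypes, NSAppTransportSecurity and UT*TypeDeclarations keys can be pulled out programmatically; Python's plistlib reads XML and binary plists alike, which also covers the plist conversion step described in the Data Storage section further down. This is an added example, not code from HackTricks or Apple, and the Info.plist content it ships with is a constructed sample.

```python
import plistlib

# Constructed sample Info.plist content (not taken from a real app).
SAMPLE_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.sampleapp",
    "NSCameraUsageDescription": "Used to scan QR codes",
    "NSLocationWhenInUseUsageDescription": "Shows nearby stores",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "com.example.sampleapp",
         "CFBundleURLSchemes": ["sampleapp", "sampleapp-auth"]},
    ],
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True},
        },
    },
    "UTExportedTypeDeclarations": [{"UTTypeIdentifier": "com.example.sampleapp.note"}],
}


def sample_blob(binary: bool = False) -> bytes:
    """Serialise the sample as XML (what plutil -convert xml1 emits) or as a bplist."""
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(SAMPLE_INFO_PLIST, fmt=fmt)


def load_plist(blob: bytes) -> dict:
    """plistlib sniffs the 'bplist' header itself, so no conversion step is needed."""
    return plistlib.loads(blob)


def triage_info_plist(info: dict) -> dict:
    """Extract the keys this section points at and turn them into review findings."""
    usage = {k: v for k, v in info.items() if k.endswith("UsageDescription")}
    schemes = []
    for entry in info.get("CFBundleURLTypes", []):
        schemes.extend(entry.get("CFBundleURLSchemes", []))
    ats = info.get("NSAppTransportSecurity", {})
    doc_types = (info.get("UTExportedTypeDeclarations", [])
                 + info.get("UTImportedTypeDeclarations", []))
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads=true): cleartext HTTP allowed")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("ATS exception allows insecure HTTP to %s" % domain)
    if schemes:
        findings.append("custom URL schemes %s: review their handlers for unvalidated input"
                        % ", ".join(schemes))
    if doc_types:
        findings.append("%d custom document type(s) declared: review the file import path"
                        % len(doc_types))
    return {"usage_descriptions": usage, "url_schemes": schemes, "ats": ats,
            "findings": findings}


def triage_blob(blob: bytes) -> dict:
    """Raw plist bytes (XML or bplist) in, triage report out."""
    return triage_info_plist(load_plist(blob))


if __name__ == "__main__":
    import sys
    # Pass a real Info.plist as argv[1]; without it the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_blob(binary=True)
    report = triage_blob(blob)
    for key, text in report["usage_descriptions"].items():
        print("permission: %s -> %s" % (key, text))
    for finding in report["findings"]:
        print("finding: " + finding)
```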
Data Paths
In the iOS environment, directories are designated specifically for system applications and user-installed applications. System applications reside in the /Applications directory, while user-installed apps are placed under /var/mobile/containers/Data/Application/. These applications are assigned a unique identifier known as a 128-bit UUID, which makes manually locating an app's folder challenging because the directory names are random.
Warning
As applications in iOS must be sandboxed, each app will also have a folder inside $HOME/Library/Containers with the app's CFBundleIdentifier as the folder name.
However, both folders (data & container folders) contain the file .com.apple.mobile_container_manager.metadata.plist, which links the two folders through the key MCMetadataIdentifier.
To facilitate the discovery of a user-installed app's installation directory, the objection tool provides a useful command, env. This command reveals detailed directory information for the app in question. Below is an example of how to use this command:
OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # env
Name Path
----------------- -------------------------------------------------------------------------------------------
BundlePath /var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app
CachesDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library
Alternatively, the app name can be searched within /private/var/containers using the find command:
find /private/var/containers -name "Progname*"
Commands such as ps and lsof can also be used to identify the app's process and list the files it has opened, respectively, giving insight into the application's active directory paths:
ps -ef | grep -i <app-name>
lsof -p <pid> | grep -i "/containers" | head -n 1
Bundle directory:
- AppName.app
- This is the Application Bundle as seen before in the IPA; it contains essential application data, static content as well as the application's compiled binary.
- This directory is visible to users, but users can't write to it.
- Content in this directory is not backed up.
- The contents of this folder are used to validate the code signature.
Data directory:
- Documents/
- Contains all the user-generated data. The application end user initiates the creation of this data.
- Visible to users and users can write to it.
- Content in this directory is backed up.
- The app can disable paths by setting NSURLIsExcludedFromBackupKey.
- Library/
- Contains all files that aren't user-specific, such as caches, preferences, cookies, and property list (plist) configuration files.
- iOS apps usually use the Application Support and Caches subdirectories, but the app can create custom subdirectories.
- Library/Caches/
- Contains semi-persistent cached files.
- Invisible to users and users can't write to it.
- Content in this directory is not backed up.
- The OS may delete this directory's files automatically when the app is not running and storage space is running low.
- Library/Application Support/
- Contains persistent files necessary for running the app.
- Invisible to users and users can't write to it.
- Content in this directory is backed up.
- The app can disable paths by setting NSURLIsExcludedFromBackupKey.
- Library/Preferences/
- Used for storing properties that can persist even after an application is restarted.
- Information is saved, unencrypted, inside the application sandbox in a plist file called [BUNDLE_ID].plist.
- All the key/value pairs stored using NSUserDefaults can be found in this file.
- tmp/
- Use this directory to write temporary files that do not need to persist between app launches.
- Contains non-persistent cached files.
- Invisible to users.
- Content in this directory is not backed up.
- The OS may delete this directory's files automatically when the app is not running and storage space is running low.
Let's take a closer look at iGoat-Swift's Application Bundle (.app) directory inside the Bundle directory (/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app):
OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # ls
NSFileType Perms NSFileProtection ... Name
------------ ------- ------------------ ... --------------------------------------
Regular 420 None ... rutger.html
Regular 420 None ... mansi.html
Regular 420 None ... splash.html
Regular 420 None ... about.html
Regular 420 None ... LICENSE.txt
Regular 420 None ... Sentinel.txt
Regular 420 None ... README.txt
Binary Reversing
Inside the <application-name>.app folder you will find a binary file called <application-name>. This is the file that will be executed. You can perform a basic inspection of the binary with the tool otool:
otool -Vh DVIA-v2 #Check some compilation attributes
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 65 7112 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
otool -L DVIA-v2 #Get third party libraries
DVIA-v2:
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
@rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0)
[...]
Check if the app is encrypted
See if there is any output for:
otool -l <app-binary> | grep -A 4 LC_ENCRYPTION_INFO
Disassembling the binary
Disassemble the text section:
otool -tV DVIA-v2
DVIA-v2:
(__TEXT,__text) section
+[DDLog initialize]:
0000000100004ab8 sub sp, sp, #0x60
0000000100004abc stp x29, x30, [sp, #0x50] ; Latency: 6
0000000100004ac0 add x29, sp, #0x50
0000000100004ac4 sub x8, x29, #0x10
0000000100004ac8 mov x9, #0x0
0000000100004acc adrp x10, 1098 ; 0x10044e000
0000000100004ad0 add x10, x10, #0x268
To print the Objective-C segment of the sample application you can use:
otool -oV DVIA-v2
DVIA-v2:
Contents of (__DATA,__objc_classlist) section
00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog
isa 0x1004423a8 _OBJC_METACLASS_$_DDLog
superclass 0x0 _OBJC_CLASS_$_NSObject
cache 0x0 __objc_empty_cache
vtable 0x0
data 0x1003de748
flags 0x80
instanceStart 8
To get a stripped-down view of the Objective-C code you can use class-dump:
class-dump some-app
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#pragma mark Named Structures
struct CGPoint {
double _field1;
double _field2;
};
struct CGRect {
struct CGPoint _field1;
struct CGSize _field2;
};
struct CGSize {
double _field1;
double _field2;
};
However, the best options to disassemble the binary are: Hopper and IDA.
Data Storage
To learn about how iOS stores data on the device read this page:
Warning
The following places to store information should be checked right after installing the application, after checking all the functionalities of the application and even after logging out from one user and logging in to a different one.
The goal is to find unprotected sensitive information of the application (passwords, tokens), of the current user and of previously logged-in users.
Plist
plist files are structured XML files that contain key-value pairs. They are a way to store persistent data, so sometimes you may find sensitive information in these files. It's recommended to check these files after installing the app and after using it intensively to see if new data is written.
The most common way to persist data in plist files is through the usage of NSUserDefaults. This plist file is saved inside the app sandbox in Library/Preferences/<appBundleID>.plist
The NSUserDefaults class provides a programmatic interface for interacting with the default system. The default system allows an application to customize its behaviour according to user preferences. Data saved by NSUserDefaults can be viewed in the application bundle. This class stores data in a plist file, but it's meant to be used with small amounts of data.
This data cannot be accessed directly via a trusted computer anymore, but can be accessed by performing a backup.
You can dump the information saved using NSUserDefaults using objection's ios nsuserdefaults get
To find all the plist files used by the application you can access /private/var/mobile/Containers/Data/Application/{APPID} and run:
find ./ -name "*.plist"
To convert files from XML or binary (bplist) format to XML, various methods depending on your operating system are available:
For macOS users: Use the plutil command. It's a built-in tool in macOS (10.2+), designed for this purpose:
$ plutil -convert xml1 Info.plist
For Linux users: Install libplist-utils first, then use plistutil to convert your file:
$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist
Within an Objection Session: For analysing mobile applications, a specific command enables the conversion of plist files directly:
ios plist cat /private/var/mobile/Containers/Data/Application/<Application-UUID>/Library/Preferences/com.some.package.app.plist
Core Data
Core Data is a framework for managing the model layer of objects in your application. Core Data can use SQLite as its persistent store, but the framework itself is not a database.
CoreData does not encrypt its data by default. However, an additional encryption layer can be added to CoreData. See the GitHub Repo for more details.
You can find the SQLite Core Data information of an application in the path /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support
If you can open the SQLite database and access sensitive information, then you have found a misconfiguration.
// Insecure-storage example (iGoat style): credentials written to Core Data end up
// unencrypted in the SQLite store under Library/Application Support
-(void)storeDetails {
    AppDelegate *appDelegate = (AppDelegate *)(UIApplication.sharedApplication.delegate);
    NSManagedObjectContext *context = [appDelegate managedObjectContext];
    User *user = [self fetchUser];
    if (user) {
        return;
    }
    user = [NSEntityDescription insertNewObjectForEntityForName:@"User"
                                         inManagedObjectContext:context];
    user.email = CoreDataEmail;
    user.password = CoreDataPassword; // plaintext password persisted to disk
    NSError *error;
    if (![context save:&error]) {
        NSLog(@"Error in saving data: %@", [error localizedDescription]);
    } else {
        NSLog(@"data stored in core data");
    }
}
YapDatabase
YapDatabase is a key/value store built on top of SQLite.
As the Yap databases are sqlite databases you can find them using the command proposed in the previous section.
Other SQLite Databases
It's common for applications to create their own sqlite database. They may be storing sensitive data in them and leaving it unencrypted. Therefore, it's always interesting to check every database inside the application's directory. So go to the application directory where the data is saved (/private/var/mobile/Containers/Data/Application/{APPID})
find ./ -name "*.sqlite" -or -name "*.db"
Firebase Real-Time Databases
Developers can store and sync data within a NoSQL cloud-hosted database through Firebase Real-Time Databases. Stored in JSON format, the data is synchronised to all connected clients in real time.
You can find how to check for misconfigured Firebase databases here:
Realm databases
Realm Objective-C and Realm Swift offer a powerful alternative for data storage, not provided by Apple. By default, they store data unencrypted, with encryption available through specific configuration.
The databases are located at: /private/var/mobile/Containers/Data/Application/{APPID}. To explore these files, one can use commands like:
iPhone:/private/var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents root# ls
default.realm default.realm.lock default.realm.management/ default.realm.note
$ find ./ -name "*.realm*"
To view these database files, the Realm Studio tool is recommended.
To implement encryption within a Realm database, the following code snippet can be used:
// Open the encrypted Realm file where getKey() is a method to obtain a key from the Keychain or a server
let config = Realm.Configuration(encryptionKey: getKey())
do {
    let realm = try Realm(configuration: config)
    // Use the Realm as normal
} catch let error as NSError {
    // If the encryption key is wrong, `error` will say that it's an invalid database
    fatalError("Error opening realm: \(error)")
}
Couchbase Lite Databases
Couchbase Lite is described as a lightweight and embedded database engine that follows the document-oriented (NoSQL) approach. Designed to be native to iOS and macOS, it offers the ability to sync data seamlessly.
To identify potential Couchbase databases on a device, the following directory should be inspected:
ls /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support/
Cookies
iOS stores the cookies of the apps in Library/Cookies/cookies.binarycookies inside each app's folder. However, developers sometimes decide to save them in the keychain as the cookie file can be accessed in backups.
To inspect the cookie file you can use this python script or use objection's ios cookies get.
You can also use objection to convert these files to a JSON format and inspect the data.
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json
[
{
"domain": "highaltitudehacks.com",
"expiresDate": "2051-09-15 07:46:43 +0000",
"isHTTPOnly": "false",
"isSecure": "false",
"name": "username",
"path": "/",
"value": "admin123",
"version": "0"
}
]
Cache
By default NSURLSession stores data, such as HTTP requests and responses, in the Cache.db database. This database can contain sensitive data if tokens, usernames or any other sensitive information has been cached. To find the cached information open the data directory of the app (/var/mobile/Containers/Data/Application/<UUID>) and go to /Library/Caches/<Bundle Identifier>. The WebKit cache is also stored in the Cache.db file. Objection can open and interact with the database with the command sqlite connect Cache.db, as it is a normal SQLite database.
It is recommended to disable caching this data, as it may contain sensitive information in the request or response. The following list shows different ways of achieving this:
- It is recommended to remove cached responses after logout. This can be done with the method provided by Apple called removeAllCachedResponses. You can call this method as follows:
URLCache.shared.removeAllCachedResponses()
This method will remove all cached requests and responses from the Cache.db file.
- If you don't need to use the advantage of cookies it would be recommended to just use the .ephemeral configuration property of URLSession, which will disable saving cookies and caches.
An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn't store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.
- Cache can also be disabled by setting the Cache Policy to .notAllowed. It will disable storing the cache in any way, either in memory or on disk.
Snapshots
Whenever you press the home button, iOS takes a snapshot of the current screen to be able to do the transition to the application in a much smoother way. However, if sensitive data is present on the current screen, it will be saved in the image (which persists across reboots). These are the snapshots that you can also access by double-tapping the home screen to switch between apps.
Unless the iPhone is jailbroken, the attacker needs to have access to the device unlocked to see these screenshots. By default the last snapshot is stored in the application's sandbox in the Library/Caches/Snapshots/ or Library/SplashBoard/Snapshots folder (the trusted computers can't access the filesystem from iOS 7.0).
One way to prevent this bad behaviour is to put a blank screen or remove the sensitive data before taking the snapshot using the ApplicationDidEnterBackground() function.
The following is a sample remediation method that will set a default screenshot.
Swift:
private var backgroundImage: UIImageView?

func applicationDidEnterBackground(_ application: UIApplication) {
    let myBanner = UIImageView(image: #imageLiteral(resourceName: "overlayImage"))
    myBanner.frame = UIScreen.main.bounds
    backgroundImage = myBanner
    window?.addSubview(myBanner)
}

func applicationWillEnterForeground(_ application: UIApplication) {
    backgroundImage?.removeFromSuperview()
}
Objective-C:
@property (nonatomic, strong) UIImageView *backgroundImage;

- (void)applicationDidEnterBackground:(UIApplication *)application {
    // Cover the whole window with the overlay so the snapshot contains no app content
    UIImageView *myBanner = [[UIImageView alloc] initWithImage:[UIImage imageNamed:@"overlayImage.png"]];
    myBanner.frame = UIScreen.mainScreen.bounds;
    self.backgroundImage = myBanner;
    [self.window addSubview:myBanner];
}

- (void)applicationWillEnterForeground:(UIApplication *)application {
    [self.backgroundImage removeFromSuperview];
}
This sets the background image to overlayImage.png whenever the application is backgrounded. It prevents sensitive data leaks because overlayImage.png will always cover the current view.
Keychain
For accessing and managing the iOS keychain, tools like Keychain-Dumper are available, suitable for jailbroken devices. Additionally, Objection provides the command ios keychain dump for similar purposes.
Storing Credentials
The NSURLCredential class is ideal for saving sensitive information directly in the keychain, bypassing the need for NSUserDefaults or other wrappers. To store credentials after login, the following Objective-C code is used:
NSURLCredential *credential;
credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent];
[[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential forProtectionSpace:self.loginProtectionSpace];
To extract these stored credentials, Objection's command ios nsurlcredentialstorage dump is used.
Third-party keyboards and Keyboard Cache
Since iOS 8.0, users can install third-party keyboard extensions, which are manageable under Settings > General > Keyboard > Keyboards. While these keyboards offer extended functionality, they pose a risk of keystroke logging and transmitting data to external servers, though users are notified about keyboards requiring network access. Apps can, and should, restrict the use of custom keyboards for entering sensitive information.
Security Recommendations:
- It's advised to disable third-party keyboards for enhanced security.
- Be aware of the autocorrect and auto-suggestions features of the default iOS keyboard, which could store sensitive information in cache files located in Library/Keyboard/{locale}-dynamic-text.dat or /private/var/mobile/Library/Keyboard/dynamic-text.dat. These cache files should be regularly checked for sensitive data. Resetting the keyboard dictionary via Settings > General > Reset > Reset Keyboard Dictionary is recommended for clearing cached data.
- Intercepting network traffic can reveal whether a custom keyboard is transmitting keystrokes remotely.
Preventing Text Field Caching
The UITextInputTraits protocol offers properties for managing autocorrection and secure text entry, essential for preventing sensitive information caching. For instance, disabling autocorrection and enabling secure text entry can be achieved with:
textObject.autocorrectionType = UITextAutocorrectionTypeNo;
textObject.secureTextEntry = YES;
Additionally, developers should ensure that text fields, especially those for entering sensitive information like passwords and PINs, disable caching by setting autocorrectionType to UITextAutocorrectionTypeNo and secureTextEntry to YES.
UITextField *textField = [[UITextField alloc] initWithFrame:frame];
textField.autocorrectionType = UITextAutocorrectionTypeNo;
textField.secureTextEntry = YES;
Logs
Debugging code often involves logging. The risk is that logs may contain sensitive information. Previously, on iOS 6 and earlier, logs were accessible to all apps, creating a risk of sensitive data leakage. Now, applications are restricted to accessing only their own logs.
Despite these restrictions, an attacker with physical access to an unlocked device can still take advantage of this by connecting the device to a computer and reading the logs. Note that logs remain on disk even after the app is uninstalled.
To mitigate the risk, it is advisable to interact thoroughly with the app, exercising all of its features and inputs to make sure no sensitive information is logged unintentionally.
When reviewing the app's source code for potential leaks, look for both predefined and custom logging statements using keywords such as NSLog, NSAssert, NSCAssert, fprintf for the built-in functions, and any references to Logging or Logfile for custom implementations.
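The keyword search described above can be automated for a code review. The following is an added example (not HackTricks' or any project's code): it scans Objective-C/Swift source text for the logging calls named in this section and flags those whose arguments reference a sensitive-looking identifier. The keyword lists, the extra candidate call names (print, os_log) and the sample source are constructed for the demonstration.

```python
"""Audit helper: find logging statements in iOS source that may leak secrets.

Added example, not HackTricks' or any project's code. The regexes, the
sensitive-name list and SAMPLE_SOURCE are constructed for this demonstration.
"""
import re
from typing import List, Tuple

# Logging calls named on this page (NSLog, NSAssert, NSCAssert, fprintf,
# custom Logging/Logfile) plus print/os_log, which are assumed extra candidates.
LOG_CALL_RE = re.compile(
    r"\b(NSLog|NSAssert|NSCAssert|fprintf|print|os_log|Logging|Logfile)\s*\("
)
# Identifiers (or string literals) that usually carry data that must not be logged.
SENSITIVE_RE = re.compile(
    r"\b\w*(password|passwd|pin|token|secret|session|auth|ssn|card)\w*\b",
    re.IGNORECASE,
)


def find_log_leaks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, call_name, sensitive_word) for every logging statement
    whose argument list mentions a sensitive-looking identifier."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        call = LOG_CALL_RE.search(line)
        if not call:
            continue
        args = line[call.end():]          # only inspect what is being logged
        hit = SENSITIVE_RE.search(args)
        if hit:
            findings.append((lineno, call.group(1), hit.group(0)))
    return findings


# Constructed Objective-C snippet standing in for a real source file.
SAMPLE_SOURCE = """\
- (void)login:(NSString *)user password:(NSString *)password {
    NSLog(@"Logging in user %@", user);
    NSLog(@"Using password %@", password);
    NSAssert(sessionToken != nil, @"token missing: %@", sessionToken);
    fprintf(stderr, "entered %s", [pinCode UTF8String]);
    Logging("checkout complete for %s", cardNumber);
    NSLog(@"View did appear");
}
"""

if __name__ == "__main__":
    for lineno, call, word in find_log_leaks(SAMPLE_SOURCE):
        print(f"line {lineno}: {call}() logs '{word}'")
```

In practice you feed each .m/.swift file's contents to find_log_leaks and then confirm every hit at runtime by watching the device syslog while exercising that code path, since the regex is only a heuristic.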
Monitoring System Logs
Apps log a variety of information, some of which may be sensitive. To monitor these logs, tools and commands such as:
idevice_id --list # To find the device ID
idevicesyslog -u <id> (| grep <app>) # To capture the device logs
are useful. Additionally, Xcode provides a way to collect console logs:
- Open Xcode.
- Connect the iOS device.
- Navigate to Window -> Devices and Simulators.
- Select your device.
- Reproduce the problem you are investigating.
- Use the Open Console button to view the logs in a new window.
For more advanced logging, connecting to the device shell and using socat provides real-time log monitoring:
iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock
These are the commands for observing log activity, which can be very valuable for diagnosing problems or identifying potential data leakage in the logs.
Backups
Auto-backup features are built into iOS, allowing copies of the device data to be created via iTunes (up to macOS Catalina), Finder (from macOS Catalina onward), or iCloud. These backups cover almost all device data, except for highly sensitive elements such as Apple Pay details and Touch ID settings.
Security Risks
The inclusion of installed apps and their data in backups raises the issue of potential data leakage and the risk that backup modifications could alter app functionality. It is advised not to store sensitive information in plaintext within any app directory or its subdirectories in order to mitigate these risks.
Excluding Files from Backups
Files in Documents/ and Library/Application Support/ are backed up by default. Developers can exclude specific files or directories from backups using NSURL setResourceValue:forKey:error: with NSURLIsExcludedFromBackupKey. This practice is essential for keeping sensitive data out of backups.
Testing for Vulnerabilities
To assess an app's backup security, start by creating a backup using Finder, then locate it by following Apple's official documentation. Analyze the backup for sensitive data or settings that could be altered to affect the app's behavior.
Sensitive information can be searched for using command-line tools or applications such as iMazing. For encrypted backups, the presence of encryption can be confirmed by checking the "IsEncrypted" key in the "Manifest.plist" file at the root of the backup.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
...
<key>Date</key>
<date>2021-03-12T17:43:33Z</date>
<key>IsEncrypted</key>
<true/>
...
</plist>
For dealing with encrypted backups, the Python scripts available in DinoSec's GitHub repo, such as backup_tool.py and backup_passwd.py, can be useful, although they may need adjustments to work with the latest iTunes/Finder versions. The iOSbackup tool is another option for accessing files inside password-protected backups.
Altering App Behavior
An example of altering app behavior through backup modifications is demonstrated in the Bither bitcoin wallet app, where the UI lock PIN is stored inside net.bither.plist under the pin_code key. Removing this key from the plist and restoring the backup removes the PIN requirement, granting unrestricted access.
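The two checks above (is the backup encrypted, and which of the app's files ended up in it) can be scripted. The following is an added example, not HackTricks' or any of the named tools' code. It parses a Manifest.plist like the fragment shown and queries the backup's Manifest.db for everything under the app's AppDomain. The Manifest.plist bytes and the database rows are constructed; the Files table layout, the AppDomain-<bundle id> naming, the SHA-1("<domain>-<relativePath>") file ID and the <fileID[:2]>/<fileID> on-disk layout are those of iOS 10+ backups as the author of this example knows them (verify against your own backup before relying on them).

```python
"""Audit an iOS backup: encrypted or not, and which app files it captured.

Added example, not HackTricks' code. SAMPLE_MANIFEST_PLIST and the rows in
build_sample_manifest_db() are constructed. Manifest.db layout assumed as in
iOS 10+ backups: Files(fileID, domain, relativePath, flags, file).
"""
import hashlib
import plistlib
import sqlite3
from typing import List

# Constructed Manifest.plist, mirroring the fragment shown on this page.
SAMPLE_MANIFEST_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Date</key>
  <date>2021-03-12T17:43:33Z</date>
  <key>IsEncrypted</key>
  <true/>
</dict>
</plist>
"""


def backup_is_encrypted(manifest_plist: bytes) -> bool:
    """Read the IsEncrypted flag from Manifest.plist (missing key -> False)."""
    return bool(plistlib.loads(manifest_plist).get("IsEncrypted", False))


def file_id_for(domain: str, relative_path: str) -> str:
    """Each backed-up file is stored under SHA-1("<domain>-<relativePath>")."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def on_disk_path(domain: str, relative_path: str) -> str:
    """Location of the file's contents inside the backup folder."""
    fid = file_id_for(domain, relative_path)
    return f"{fid[:2]}/{fid}"


def build_sample_manifest_db() -> sqlite3.Connection:
    """Constructed in-memory Manifest.db with two app domains."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    rows = [
        ("AppDomain-com.example.app", "Documents/session.plist"),
        ("AppDomain-com.example.app", "Library/Application Support/cache.db"),
        ("AppDomain-com.example.app", "Library/Preferences/com.example.app.plist"),
        ("AppDomain-com.other.app", "Documents/notes.txt"),
    ]
    for domain, rel in rows:
        conn.execute(
            "INSERT INTO Files VALUES (?, ?, ?, ?, ?)",
            (file_id_for(domain, rel), domain, rel, 1, None),
        )
    conn.commit()
    return conn


def files_backed_up_for(conn: sqlite3.Connection, bundle_id: str) -> List[str]:
    """Relative paths of the app's files that made it into the backup.
    Anything listed here was NOT protected by NSURLIsExcludedFromBackupKey."""
    cur = conn.execute(
        "SELECT relativePath FROM Files WHERE domain = ? ORDER BY relativePath",
        (f"AppDomain-{bundle_id}",),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print("encrypted:", backup_is_encrypted(SAMPLE_MANIFEST_PLIST))
    db = build_sample_manifest_db()
    for rel in files_backed_up_for(db, "com.example.app"):
        print(rel, "->", on_disk_path("AppDomain-com.example.app", rel))
```

Against a real (unencrypted) backup, open <backup>/Manifest.db with sqlite3.connect instead of the constructed database; every path returned for the app's domain is a candidate for the sensitive-data review described above.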
Muhtasari wa Upimaji wa Memory kwa Data Nyeti
When dealing with sensitive information stored in an app's memory, it is crucial to limit how long this data is exposed. There are two main approaches to investigating memory contents: creating a memory dump and analyzing memory in real time. Both methods have their challenges, including the possibility of missing critical data during the dump or analysis process.
Retrieving and Analyzing a Memory Dump
For both jailbroken and non-jailbroken devices, tools such as objection and Fridump allow dumping an app's process memory. Once dumped, analyzing this data requires various tools, depending on the nature of the information you are looking for.
To extract strings from a memory dump, commands such as strings or rabin2 -zz can be used:
# Extracting strings using strings command
$ strings memory > strings.txt
# Extracting strings using rabin2
$ rabin2 -zz memory > strings.txt
For more detailed analysis, including searching for specific data types or patterns, radare2 offers extensive search capabilities:
$ r2 <name_of_your_dump_file>
[0x00000000]> /?
...
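What strings and rabin2 do on a dump can be reproduced in a few lines, which also shows why a plain ASCII search misses NSString contents: Foundation frequently keeps text as UTF-16LE, where each character is followed by a NUL byte. The following is an added example (not HackTricks' or radare2's code) that extracts both ASCII and UTF-16LE runs from a dump and locates a value you typed into the app (the usual test: enter a known password, dump, search). The same routine works on the keyboard cache dynamic-text.dat mentioned earlier. The dump bytes are constructed.

```python
"""Extract printable strings from a memory dump and find a known value in it.

Added example, not HackTricks' or radare2's code. SAMPLE_DUMP is constructed.
"""
import re
from typing import List, Tuple

MIN_LEN = 4  # like `strings -n 4`


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # char, NUL, char, NUL...
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_value(data: bytes, needle: str) -> List[Tuple[int, str]]:
    """Offsets/encodings where `needle` (e.g. the test password you typed)
    occurs in the dump, checking both encodings."""
    hits = []
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        pattern = needle.encode(codec)
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


# Constructed "dump": noise, an ASCII header, a UTF-16LE password, a too-short run.
SAMPLE_DUMP = (
    b"\x00\x01\x02\xff"
    + b"Authorization: Bearer tok_constructed_123" + b"\x00\x00"
    + b"\x7f\x80" + "Sup3rS3cret!".encode("utf-16-le") + b"\x00\x00"
    + b"\x01abc\x02"
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"{offset:#010x} {enc:8} {text}")
    print(find_value(SAMPLE_DUMP, "Sup3rS3cret!"))
```

Read a real dump with open(path, "rb").read() and pass it to find_value; a hit long after the screen that used the value has been dismissed is the finding to report.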
Runtime Memory Analysis
r2frida offers a powerful alternative for inspecting an app's memory in real time, without requiring a memory dump. This tool allows search commands to be run directly on the memory of the running application:
$ r2 frida://usb//<name_of_your_app>
[0x00000000]> /\ <search_command>
Broken Cryptography
Poor Key Management Processes
Some developers store sensitive data in local storage and encrypt it with a key that is hardcoded/predictable in the code. This should not be done, as reversing the app may allow attackers to extract the confidential information.
Use of Insecure and/or Deprecated Algorithms
Developers should not use deprecated algorithms to perform authorisation checks, or to store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords, for example, they should be brute-force resistant and combined with a salt.
Check
The main checks to perform are whether you can find hardcoded passwords/secrets in the code, whether those are predictable, and whether the code uses some kind of weak cryptography algorithm.
It is worth knowing that you can monitor some crypto libraries automatically using objection with:
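The password-hashing requirement above (brute-force resistant, salted) is easiest to see with the weak and the acceptable scheme side by side. The following is an added example, not HackTricks' code: an unsalted MD5 digest, as often found in apps, next to salted PBKDF2-HMAC-SHA256 with constant-time verification. The passwords and the iteration count are constructed/assumed values.

```python
"""Weak vs. acceptable password storage, as an added example (not
HackTricks' code). Sample passwords are constructed; PBKDF2_ITERATIONS is an
assumed value to be tuned per device."""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def weak_hash(password: str) -> str:
    """Deprecated digest, no salt: equal passwords produce equal hashes, and a
    precomputed table recovers all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune to ~100 ms on the target


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) with a fresh 16-byte random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def same_password_detectable(pw_a: str, pw_b: str) -> Tuple[bool, bool]:
    """(weak scheme reveals equality, salted scheme reveals equality)."""
    weak_equal = weak_hash(pw_a) == weak_hash(pw_b)
    _, d_a = hash_password(pw_a)
    _, d_b = hash_password(pw_b)
    return weak_equal, d_a == d_b


if __name__ == "__main__":
    print(same_password_detectable("correct horse", "correct horse"))
```

The second tuple element in same_password_detectable is what a reviewer wants to be False: with per-user salts, two users with the same password are indistinguishable in the stored data, and no precomputed table applies.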
ios monitor crypt
For more information about iOS cryptographic APIs and libraries, visit https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography
Local Authentication
Local authentication plays a crucial role, especially when it comes to safeguarding access to a remote endpoint through cryptographic methods. The essence here is that without proper implementation, local authentication mechanisms can be bypassed.
Apple's Local Authentication framework and the keychain provide robust APIs for developers to present user authentication dialogs and to securely handle secret data, respectively. The Secure Enclave protects the fingerprint ID for Touch ID, while Face ID relies on facial recognition without compromising biometric data.
To integrate Touch ID/Face ID, developers have two API choices:
- LocalAuthentication.framework for high-level user authentication without access to the biometric data.
- Security.framework for lower-level keychain services access, protecting secret data with biometric authentication. Various open-source wrappers make keychain access simpler.
Caution
However, both LocalAuthentication.framework and Security.framework present a weakness, as they primarily return boolean values without transmitting data for the authentication process, which leaves them susceptible to bypassing (refer to Don't touch me that way, by David Lindner et al).
Implementing Local Authentication
To prompt users for authentication, developers should use the evaluatePolicy method of the LAContext class, choosing between:
- deviceOwnerAuthentication: Prompts for Touch ID or the device passcode; fails if neither is enabled.
- deviceOwnerAuthenticationWithBiometrics: Prompts exclusively for Touch ID.
Successful authentication is indicated by a boolean return value from evaluatePolicy, which points to a potential security flaw.
Local Authentication using Keychain
Implementing local authentication in iOS apps involves using the keychain APIs to securely store secret data such as authentication tokens. This process ensures the data can only be accessed by the user, using the device passcode or biometric authentication such as Touch ID.
The keychain offers the ability to store items with the SecAccessControl attribute, which restricts access to the item until the user successfully authenticates via Touch ID or the device passcode. This feature is crucial for strengthening security.
Below are code examples in Swift and Objective-C demonstrating how to save and retrieve a string to/from the keychain, leveraging these security features. The examples specifically show how to set up access control to require Touch ID authentication and to ensure the data is accessible only on the device it was set up on, provided a device passcode is configured.
// From https://github.com/mufambisi/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
// 1. create AccessControl object that will represent authentication settings
var error: Unmanaged<CFError>?
guard let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
SecAccessControlCreateFlags.biometryCurrentSet,
&error) else {
// failed to create AccessControl object
return
}
// 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute
var query: [String: Any] = [:]
query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecAttrAccount as String] = "OWASP Account" as CFString
query[kSecValueData as String] = "test_strong_password".data(using: .utf8)! as CFData
query[kSecAttrAccessControl as String] = accessControl
// 3. save item
let status = SecItemAdd(query as CFDictionary, nil)
if status == noErr {
// successfully saved
} else {
// error while saving
}
We can now request the saved item from the keychain. Keychain services will present the authentication dialog to the user and return the data or nil depending on whether a suitable fingerprint was provided.
// 1. define query
var query = [String: Any]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecReturnData as String] = kCFBooleanTrue
query[kSecAttrAccount as String] = "OWASP Account" as CFString // must match the account the item was saved under
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecUseOperationPrompt as String] = "Please, pass authorisation to enter this area" as CFString
// 2. get item
var queryResult: AnyObject?
let status = withUnsafeMutablePointer(to: &queryResult) {
SecItemCopyMatching(query as CFDictionary, UnsafeMutablePointer($0))
}
if status == noErr {
let password = String(data: queryResult as! Data, encoding: .utf8)!
// successfully received password
} else {
// authorization not passed
}
Detection
The use of these frameworks in an app can also be detected by analyzing the list of shared dynamic libraries in the app binary. This can be done using otool:
$ otool -L <AppName>.app/<AppName>
If LocalAuthentication.framework is used in the app, the output will contain both of the following lines (remember that LocalAuthentication.framework uses Security.framework internally):
/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication
/System/Library/Frameworks/Security.framework/Security
If only Security.framework is used, only the second line will be shown.
Local Authentication Framework Bypass
Objection
Through the Objection Biometrics Bypass, available on this GitHub page, there is a technique for bypassing the LocalAuthentication mechanism. The core of this approach is to use Frida to manipulate the evaluatePolicy function, ensuring it always yields a True result regardless of whether authentication actually succeeded. This is particularly useful for circumventing flawed biometric authentication processes.
To activate this bypass, the following command is used:
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass
(agent) Registering job 3mhtws9x47q. Type: ios-biometrics-disable
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # (agent) [3mhtws9x47q] Localized Reason for auth requirement: Please authenticate yourself
(agent) [3mhtws9x47q] OS authentication response: false
(agent) [3mhtws9x47q] Marking OS response as True instead
(agent) [3mhtws9x47q] Biometrics bypass hook complete
This command starts a process in which Objection registers a job that effectively alters the outcome of the evaluatePolicy check to True.
Frida
An example of evaluatePolicy usage from the DVIA-v2 application:
+(void)authenticateWithTouchID {
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = @"Please authenticate yourself";
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"];
});
} else {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Authentication Failed !" withTitle:@"Error"];
});
}
}];
} else {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"];
});
}
}
To achieve the Local Authentication bypass, a Frida script is written. The script targets the evaluatePolicy check, intercepting its callback to ensure it returns success=1. By altering the callback's behavior, the authentication check is effectively bypassed.
The following script is injected to modify the result of the evaluatePolicy method. It changes the callback's result so that it always indicates success.
// from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/
if(ObjC.available) {
console.log("Injecting...");
var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
Interceptor.attach(hook.implementation, {
onEnter: function(args) {
var block = new ObjC.Block(args[4]);
const callback = block.implementation;
block.implementation = function (error, value) {
console.log("Changing the result value to true")
const result = callback(1, null);
return result;
};
},
});
} else {
console.log("Objective-C Runtime is not available!");
}
To inject the Frida script and bypass biometric authentication, the following command is used:
frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-ios.js
Sensitive Functionality Exposure Through IPC
Custom URI Handlers / Deeplinks / Custom Schemes
iOS Custom URI Handlers / Deeplinks / Custom Schemes
Universal Links
UIActivity Sharing
UIPasteboard
App Extensions
WebViews
Serialisation and Encoding
iOS Serialisation and Encoding
Network Communication
It is important to check that no communication happens without encryption and also that the application correctly validates the server's TLS certificate.
To check these kinds of issues you can use a proxy such as Burp:
Hostname check
A common problem when validating the TLS certificate is checking that the certificate was signed by a trusted CA, but not checking whether the hostname in the certificate is the hostname being accessed.
To check this issue with Burp, after trusting the Burp CA on the iPhone, you can create a new certificate with Burp for a different hostname and use it. If the application still works, then it is vulnerable.
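The missing step in the flawed check above is binding the certificate's names to the hostname the client connected to. The following is an added example, not HackTricks' code, showing that binding in isolation: RFC 6125 style matching of a hostname against a certificate's DNS names, with the wildcard rules that usually go wrong, and the flawed "trusted chain only" check next to the strict one. The certificate names are constructed.

```python
"""Hostname verification for a server certificate (added example, not
HackTricks' code). Certificate names below are constructed."""
from typing import Dict, Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a wildcard is only accepted as the entire
    leftmost label, matches exactly one label, and never matches a bare
    registrable domain (*.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # reject partial (f*.example.com) and multiple wildcards
    if len(p_labels) < 3:
        return False  # "*.com" would match every host under .com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_matches_host(san_dns_names: Iterable[str], hostname: str) -> bool:
    """The certificate is valid for the host if any subjectAltName DNS entry matches."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def validate_server(chain_trusted: bool, san_dns_names: Iterable[str], hostname: str) -> Dict[str, bool]:
    """Side by side: the flawed check stops after chain validation; the strict
    check additionally requires the hostname binding."""
    names = list(san_dns_names)
    return {
        "flawed_check_passes": chain_trusted,
        "strict_check_passes": chain_trusted and certificate_matches_host(names, hostname),
    }


if __name__ == "__main__":
    # Scenario from the Burp test above: CA trusted on the device, certificate
    # issued for a different (constructed) hostname than the one the app uses.
    print(validate_server(True, ["different-host.test"], "api.example.com"))
```

On iOS the equivalent binding is done by evaluating the server trust against a policy created with SecPolicyCreateSSL(true, hostname); an app that overrides the URLSession challenge handler and evaluates without such a policy, or ignores the result, is the case this test catches.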
Certificate Pinning
If the application properly uses SSL Pinning, it will only work if the certificate is the expected one. When testing an application this can be a problem, as Burp will serve its own certificate.
To bypass this protection on a jailbroken device, you can install the SSL Kill Switch app or install Burp Mobile Assistant.
You can also use objection's ios sslpinning disable
Misc
- In /System/Library you can find the frameworks installed on the phone that are used by system applications
- Applications installed by the user from the App Store are located inside /User/Applications
- And /User/Library contains the data saved by user-level applications
- You can access /User/Library/Notes/notes.sqlite to read the notes saved inside the application.
- Inside the folder of an installed application (/User/Applications/<APP ID>/) you can find several interesting files:
  - iTunesArtwork: the icon used by the app
  - iTunesMetadata.plist: info about the app used in the App Store
  - /Library/*: contains the preferences and cache. In /Library/Cache/Snapshots/* you can find the snapshot taken of the application before it was sent to the background.
Hot Patching/Enforced Updating
Developers can remotely patch all installations of their app at once without having to resubmit the application to the App Store and wait for approval.
JSPatch is commonly used for this purpose. But there are other options too, such as Siren and react-native-appstore-version-checker.
This is a dangerous mechanism that could be abused by malicious third-party SDKs; therefore it is recommended to check which method is used for automatic updating (if any) and to test it. You could try to download a previous version of the app for this purpose.
Third Parties
A significant challenge with 3rd-party SDKs is the lack of granular control over their functionality. Developers face a choice: either integrate the SDK and accept all of its features, including potential security vulnerabilities and privacy concerns, or forgo its benefits entirely. Often, developers are unable to patch vulnerabilities within these SDKs themselves. Furthermore, as SDKs gain trust within the community, some may start to contain malware.
Services provided by third-party SDKs may include user behavior tracking, displaying advertisements, or improving the user experience. However, this introduces a risk, as developers may not be fully aware of the code executed by these libraries, leading to potential privacy and security risks. It is crucial to limit the information shared with third-party services to what is necessary and to ensure that no sensitive data is exposed.
Implementation of third-party services usually comes in two forms: a standalone library or a full SDK. To protect user privacy, any data shared with these services should be anonymized to prevent the disclosure of Personally Identifiable Information (PII).
To identify the libraries an application uses, the otool command can be used. This tool should be run against the application and every shared library it uses in order to discover additional libraries.
otool -L <application_path>
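Both uses of otool -L on this page (checking whether LocalAuthentication.framework/Security.framework are linked, in the Detection section above, and enumerating third-party libraries here) come down to parsing the same output. The following is an added example, not HackTricks' or otool's code: it parses otool -L output, reports the two framework checks, and lists every non-system library, which is exactly the set that should itself be run through otool -L next. The output is constructed for a hypothetical ExampleApp, and the system prefix list is an assumption that fits typical iOS binaries.

```python
"""Parse `otool -L` output: framework checks and third-party library listing.

Added example, not HackTricks' or otool's code. SAMPLE_OTOOL_OUTPUT is
constructed for a hypothetical ExampleApp; SYSTEM_PREFIXES is an assumption.
"""
from typing import Dict, List

SAMPLE_OTOOL_OUTPUT = """\
ExampleApp.app/ExampleApp:
\t/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication (compatibility version 1.0.0, current version 1.0.0)
\t/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 0.0.0)
\t@rpath/Analytics.framework/Analytics (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 300.0.0)
\t/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
"""

SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")
LOCAL_AUTH = "/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication"
SECURITY = "/System/Library/Frameworks/Security.framework/Security"


def parse_otool_l(output: str) -> List[str]:
    """Install paths of the linked libraries. otool indents each library with a
    tab; the un-indented first line names the binary itself and is skipped."""
    libs = []
    for line in output.splitlines():
        if not line.startswith(("\t", " ")):
            continue
        libs.append(line.strip().split(" (", 1)[0])  # drop the version suffix
    return libs


def audit_linked_libraries(output: str) -> Dict[str, object]:
    """Framework presence plus the list of libraries that are not Apple's,
    i.e. embedded/third-party code that deserves its own otool -L pass."""
    libs = parse_otool_l(output)
    return {
        "local_authentication": LOCAL_AUTH in libs,
        "security": SECURITY in libs,
        "third_party": [lib for lib in libs if not lib.startswith(SYSTEM_PREFIXES)],
    }


if __name__ == "__main__":
    # Replace the constructed sample with subprocess output of
    # `otool -L <AppName>.app/<AppName>` on a real binary.
    for key, value in audit_linked_libraries(SAMPLE_OTOOL_OUTPUT).items():
        print(f"{key}: {value}")
```

Entries starting with @rpath or @executable_path resolve inside the .app bundle (typically Frameworks/), so each of them is a candidate SDK to inspect for what it links and what it does.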
Interesting Vulnerabilities and Case Studies
Air Keyboard Remote Input Injection
Itunesstored Bookassetd Sandbox Escape
Zero Click Messaging Image Parser Chains
References and Further Resources
- https://blog.calif.io/p/taking-apart-ios-apps-anti-debugging
- https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering
- iOS & Mobile App Pentesting - INE
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0057/
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0058/
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0059/
- https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage
- https://coderwall.com/p/kjb3lw/storing-password-in-keychain-the-smart-way
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0055/
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0053
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0060/
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0058
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0060
- https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/
- https://mas.owasp.org/MASTG/tests/ios/MASVS-AUTH/MASTG-TEST-0064
- https://medium.com/securing/bypassing-your-apps-biometric-checks-on-ios-c2555c81a2dc
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0054
- https://github.com/ivRodriguezCA/RE-iOS-Apps/ free iOS course (https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/)
- https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577
- https://www.slideshare.net/RyanISI/ios-appsecurityminicourse
- https://github.com/prateek147/DVIA
- https://github.com/prateek147/DVIA-v2
- https://github.com/OWASP/MSTG-Hacking-Playground
- OWASP iGoat https://github.com/OWASP/igoat <<< Objective-C version https://github.com/OWASP/iGoat-Swift <<< Swift version
- https://github.com/authenticationfailure/WheresMyBrowser.iOS
- https://github.com/nabla-c0d3/ssl-kill-switch2