iOS Pentesting

iOS Basics

iOS Basics

Testing Environment

On this page you can find information about the iOS simulator, emulators and jailbreaking:

iOS Testing Environment

Initial Analysis

Basic iOS Testing Operations

During the testing several operations are going to be needed (connecting to the device, reading/writing/uploading/downloading files, using some tools...). Therefore, if you don't know how to perform any of these actions, please start by reading the page:

iOS Basic Testing Operations

Tip

For the following steps the app should be installed on the device and you should already have obtained the IPA file of the application.
Read the Basic iOS Testing Operations page to learn how to do this.

Basic Static Analysis

Some interesting decompilers for iOS IPA files:

It is recommended to use the tool MobSF to perform an automatic Static Analysis of the IPA file.

Identification of protections present in the binary:

  • PIE (Position Independent Executable): When enabled, the application loads at a random memory address each time it's launched, making it harder to predict its initial memory address.
otool -hv <app-binary> | grep PIE   # It should include the PIE flag
  • Stack Canaries: To validate the integrity of the stack, a 'canary' value is placed on the stack before calling a function and is validated again once the function returns.
otool -I -v <app-binary> | grep stack_chk   # It should include the symbols: stack_chk_guard and stack_chk_fail
  • ARC (Automatic Reference Counting): To prevent common memory corruption flaws
otool -I -v <app-binary> | grep objc_release   # It should include the _objc_release symbol
  • Encrypted Binary: The binary should be encrypted
otool -arch all -Vl <app-binary> | grep -A5 LC_ENCRYPT   # The cryptid should be 1
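As an added example (not part of the original page), the following Python script reads the same Mach-O fields that the otool checks above rely on, directly from the file: the MH_PIE header flag, the cryptid of the LC_ENCRYPTION_INFO(_64) load command and the linked dylibs (what otool -L prints). It handles thin little-endian 64-bit binaries only (a fat binary must first be split with lipo); all function names are mine and the Mach-O it builds for the demonstration is constructed, not a real app.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O magic
MH_EXECUTE = 0x2                  # filetype of a main executable
MH_PIE = 0x200000                 # header flag set when the binary is PIE
CPU_TYPE_ARM64 = 0x0100000C
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO = 0x21         # 32-bit variant (cmdsize 20)
LC_ENCRYPTION_INFO_64 = 0x2C      # 64-bit variant (cmdsize 24)
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)


def inspect_macho(data: bytes) -> dict:
    """Return PIE flag, cryptid and linked dylibs of a thin 64-bit Mach-O."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short for a Mach-O header")
    magic, _cpu, _sub, filetype, ncmds, sizeofcmds, flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit files not handled here)")
    info = {"executable": filetype == MH_EXECUTE, "pie": bool(flags & MH_PIE),
            "cryptid": None, "dylibs": []}
    off = HEADER_SIZE
    end = min(HEADER_SIZE + sizeofcmds, len(data))
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # fields after cmd/cmdsize: cryptoff, cryptsize, cryptid (the _64 variant adds padding)
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info["cryptid"] = cryptid
        elif cmd == LC_LOAD_DYLIB:
            # struct dylib_command: the library name is a C string at a command-relative offset
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            info["dylibs"].append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return info


def findings(info: dict) -> list:
    """Turn the parsed header into the findings a tester would report."""
    out = []
    if info["executable"] and not info["pie"]:
        out.append("PIE disabled: main executable is loaded at a fixed address")
    if info["cryptid"] is None:
        out.append("no LC_ENCRYPTION_INFO load command present")
    elif info["cryptid"] == 0:
        out.append("cryptid is 0: the binary is not encrypted")
    return out


def inspect_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return inspect_macho(fh.read())


def build_sample(pie: bool, cryptid: int, dylibs) -> bytes:
    """Construct a minimal Mach-O carrying only the load commands relevant to the checks."""
    cmds = b""
    for name in dylibs:
        s = name.encode() + b"\0"
        s += b"\0" * (-len(s) % 8)                     # pad the name to 8 bytes like the linker does
        # cmd, cmdsize, name offset (24), timestamp, current_version, compatibility_version
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(s), 24, 2, 0x10000, 0x10000) + s
    cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                      len(dylibs) + 1, len(cmds), MH_PIE if pie else 0, 0)
    return hdr + cmds


if __name__ == "__main__":
    sample = build_sample(pie=False, cryptid=0, dylibs=["/usr/lib/libsqlite3.dylib"])
    info = inspect_macho(sample)
    print(info)
    for line in findings(info):
        print("[!]", line)
```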

Identification of Sensitive/Insecure Functions

  • Weak Hashing Algorithms
# On the iOS device
otool -Iv <app> | grep -w "_CC_MD5"
otool -Iv <app> | grep -w "_CC_SHA1"

# On linux
grep -iER "_CC_MD5"
grep -iER "_CC_SHA1"
  • Insecure Random Functions
# On the iOS device
otool -Iv <app> | grep -w "_random"
otool -Iv <app> | grep -w "_srand"
otool -Iv <app> | grep -w "_rand"

# On linux
grep -iER "_random"
grep -iER "_srand"
grep -iER "_rand"
  • Insecure ‘Malloc’ Function
# On the iOS device
otool -Iv <app> | grep -w "_malloc"

# On linux
grep -iER "_malloc"
  • Insecure and Vulnerable Functions
# On the iOS device
otool -Iv <app> | grep -w "_gets"
otool -Iv <app> | grep -w "_memcpy"
otool -Iv <app> | grep -w "_strncpy"
otool -Iv <app> | grep -w "_strlen"
otool -Iv <app> | grep -w "_vsnprintf"
otool -Iv <app> | grep -w "_sscanf"
otool -Iv <app> | grep -w "_strtok"
otool -Iv <app> | grep -w "_alloca"
otool -Iv <app> | grep -w "_sprintf"
otool -Iv <app> | grep -w "_printf"
otool -Iv <app> | grep -w "_vsprintf"

# On linux
grep -R "_gets"
grep -iER "_memcpy"
grep -iER "_strncpy"
grep -iER "_strlen"
grep -iER "_vsnprintf"
grep -iER "_sscanf"
grep -iER "_strtok"
grep -iER "_alloca"
grep -iER "_sprintf"
grep -iER "_printf"
grep -iER "_vsprintf"

Common Jailbreak Detection Techniques

  • File System Checks: Check for the presence of known jailbreak files and directories, such as /Applications/Cydia.app or /Library/MobileSubstrate/MobileSubstrate.dylib.
  • Sandbox Violations: Try to access restricted areas of the file system, which should be blocked on non-jailbroken devices.
  • API Checks: Check whether it is possible to use APIs like fork() to create a child process, or system() to see whether /bin/sh exists.
  • Process Checks: Check for the presence of jailbreak-related processes, such as Cydia, Substrate, or ssh.
  • Kernel Exploits: Check for kernel exploits commonly used in jailbreaks.
  • Environment Variables: Look at environment variables for signs of a jailbreak, such as DYLD_INSERT_LIBRARIES.
  • Libraries Check: Check the libraries loaded into the app's process.
  • Check schemes: Such as canOpenURL(URL(string: "cydia://")).

Common Anti-Debugging Techniques

  • Check for Debugger Presence: Use sysctl or other methods to check whether a debugger is attached.
  • Anti-Debugging APIs: Look for calls to anti-debugging APIs like ptrace or SIGSTOP, such as ptrace(PT_DENY_ATTACH, 0, 0, 0).
  • Timing Checks: Measure the execution time of certain operations and look for discrepancies that could indicate debugging.
  • Memory Checks: Check memory for known debugger artefacts or modifications.
  • Environment Variables: Check environment variables that might indicate a debugging session.
  • Mach Ports: Detect whether mach exception ports are being used by debuggers.

Basic Dynamic Analysis

Check out the dynamic analysis that MobSF performs. You will need to navigate through the different views and interact with them; it will hook several classes and other things and will prepare a report once you are done.

Listing Installed Apps

Use the command frida-ps -Uai to determine the bundle identifier of the installed apps:

$ frida-ps -Uai
PID  Name                 Identifier
----  -------------------  -----------------------------------------
6847  Calendar             com.apple.mobilecal
6815  Mail                 com.apple.mobilemail
-  App Store            com.apple.AppStore
-  Apple Store          com.apple.store.Jolly
-  Calculator           com.apple.calculator
-  Camera               com.apple.camera
-  iGoat-Swift          OWASP.iGoat-Swift

Basic Enumeration & Hooking

Learn how to enumerate the components of the application and how to easily hook methods and classes with objection:

iOS Hooking With Objection

IPA Structure

The structure of an IPA file is essentially that of a zipped package. By renaming its extension to .zip, it can be decompressed to reveal its contents. Within this structure, a Bundle represents a fully packaged application ready for installation. Inside, you will find a directory named <NAME>.app, which contains the application's resources.

  • Info.plist: This file holds specific configuration details of the application.
  • _CodeSignature/: This directory includes a plist file that contains a signature, ensuring the integrity of all files in the bundle.
  • Assets.car: A compressed archive that stores asset files like icons.
  • Frameworks/: This folder houses the application's native libraries, which may be in the form of .dylib or .framework files.
  • PlugIns/: This may include extensions to the application, known as .appex files, although they are not always present.
  • Core Data: Used to save your application's persistent data for offline use, to cache temporary data, and to add undo functionality to your app on a single device. To sync data across multiple devices in a single iCloud account, Core Data automatically mirrors your schema to a CloudKit container.
  • PkgInfo: The PkgInfo file is an alternative way to specify the type and creator codes of your application or bundle.
  • en.lproj, fr.lproj, Base.lproj: The language packs that contain resources for those specific languages, plus a default resource in case a language isn't supported.
  • Security: The _CodeSignature/ directory plays a critical role in the app's security by verifying the integrity of all bundled files through digital signatures.
  • Asset Management: The Assets.car file uses compression to efficiently manage graphical assets, which is crucial for optimising application performance and reducing its overall size.
  • Frameworks and PlugIns: These directories underscore the modularity of iOS applications, allowing developers to include reusable code libraries (Frameworks/) and extend app functionality (PlugIns/).
  • Localization: The structure supports multiple languages, facilitating global application reach by including resources for specific language packs.

Info.plist

The Info.plist serves as a cornerstone for iOS applications, holding key configuration data in the form of key-value pairs. This file is required not only for applications but also for app extensions and frameworks bundled within. It is structured in either XML or a binary format and holds critical information ranging from app permissions to security configurations. For a detailed exploration of the available keys, refer to the Apple Developer Documentation.

For those looking to work with this file in a more accessible format, the conversion to XML can be done easily with plutil on macOS (available natively on versions 10.2 and later) or plistutil on Linux. The commands for the conversion are as follows:

  • For macOS:
$ plutil -convert xml1 Info.plist
  • For Linux:
$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist

Among the wealth of information the Info.plist file can divulge, noteworthy entries include app permission strings (UsageDescription), custom URL schemes (CFBundleURLTypes), and the App Transport Security configuration (NSAppTransportSecurity). These entries, along with others such as exported/imported custom document types (UTExportedTypeDeclarations / UTImportedTypeDeclarations), can easily be located by inspecting the file or with a simple grep command:

$ grep -i <keyword> Info.plist
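As an added example (not part of the original page), the following Python script audits the Info.plist entries just listed: it reads the file in either XML or binary form (plistlib detects both, so no plutil/plistutil step is needed), extracts the UsageDescription strings, URL schemes and document types, and flags the App Transport Security keys that weaken TLS. The Info.plist content it uses is a constructed sample and the function names are mine; the ATS key names themselves are Apple's.

```python
import plistlib

# Constructed Info.plist content for illustration (not taken from a real app)
SAMPLE_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.sampleapp",
    "CFBundleShortVersionString": "1.0",
    "NSCameraUsageDescription": "Used to scan QR codes",
    "NSLocationWhenInUseUsageDescription": "",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "com.example.sampleapp",
         "CFBundleURLSchemes": ["sampleapp", "sampleapp-auth"]},
    ],
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            }
        },
    },
    "UTExportedTypeDeclarations": [
        {"UTTypeIdentifier": "com.example.sampleapp.note",
         "UTTypeTagSpecification": {"public.filename-extension": ["snote"]}},
    ],
}


def load_plist(data: bytes) -> dict:
    """plistlib autodetects XML and binary (bplist00) input."""
    return plistlib.loads(data)


def sample_binary_plist() -> bytes:
    """The constructed sample serialised as a binary plist, as it would be found on a device."""
    return plistlib.dumps(SAMPLE_INFO_PLIST, fmt=plistlib.FMT_BINARY)


def to_xml(data: bytes) -> str:
    """Equivalent of `plutil -convert xml1` / `plistutil`: rewrite any plist as XML text."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_XML).decode()


def audit_info_plist(info: dict) -> dict:
    """Collect the entries of interest and flag weak App Transport Security settings."""
    report = {"bundle_id": info.get("CFBundleIdentifier"), "usage_descriptions": {},
              "url_schemes": [], "document_types": [], "findings": []}
    for key, value in info.items():
        if key.endswith("UsageDescription"):          # permission prompts shown to the user
            report["usage_descriptions"][key] = value
    for url_type in info.get("CFBundleURLTypes", []):  # custom schemes other apps can open
        report["url_schemes"].extend(url_type.get("CFBundleURLSchemes", []))
    for decl_key in ("UTExportedTypeDeclarations", "UTImportedTypeDeclarations"):
        for decl in info.get(decl_key, []):
            report["document_types"].append(decl.get("UTTypeIdentifier"))
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        report["findings"].append("NSAllowsArbitraryLoads=true: ATS disabled for every connection")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        report["findings"].append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web views")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            report["findings"].append(f"{domain}: plaintext HTTP allowed")
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            report["findings"].append(f"{domain}: minimum TLS version lowered to {tls}")
    return report


def audit_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return audit_info_plist(load_plist(fh.read()))


if __name__ == "__main__":
    blob = sample_binary_plist()
    print(to_xml(blob))
    report = audit_info_plist(load_plist(blob))
    print("URL schemes:", report["url_schemes"])
    for line in report["findings"]:
        print("[!]", line)
```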

Data Paths

In the iOS environment, directories are designated specifically for system applications and user-installed applications. System applications reside in the /Applications directory, while user-installed apps are placed under /var/mobile/containers/Data/Application/. These applications are assigned a unique identifier known as a 128-bit UUID, which makes manually locating an app's folder challenging because the directory names are random.

Warning

As applications in iOS must be sandboxed, each app will also have a folder inside $HOME/Library/Containers whose name is the app's CFBundleIdentifier.

However, both folders (the data and container folders) contain the file .com.apple.mobile_container_manager.metadata.plist, which links the two through the key MCMetadataIdentifier.

To facilitate the discovery of a user-installed app's installation directory, the objection tool provides a useful command, env. This command reveals detailed directory information for the app in question. Below is an example of how to use it:

OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # env

Name               Path
-----------------  -------------------------------------------------------------------------------------------
BundlePath         /var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library

Alternatively, the app name can be searched within /private/var/containers using the find command:

find /private/var/containers -name "Progname*"

Commands such as ps and lsof can also be used to identify the app's process and list its open files, respectively, shedding light on the application's active directory paths:

ps -ef | grep -i <app-name>
lsof -p <pid> | grep -i "/containers" | head -n 1

Bundle directory:

  • AppName.app
    • This is the Application Bundle as seen before in the IPA; it contains essential application data, static content and the application's compiled binary.
    • This directory is visible to users, but users can't write to it.
    • The contents of this directory are not backed up.
    • The contents of this folder are used to validate the code signature.

Data directory:

  • Documents/
    • Contains all the user-generated data. The application's end user initiates the creation of this data.
    • Visible to users and users can write to it.
    • The contents of this directory are backed up.
    • The app can exclude paths by setting NSURLIsExcludedFromBackupKey.
  • Library/
    • Contains all files that aren't user-specific, such as caches, preferences, cookies, and property list (plist) configuration files.
    • iOS apps usually use the Application Support and Caches subdirectories, but the app can create custom subdirectories.
    • Library/Caches/
      • Contains semi-persistent cached files.
      • Invisible to users and users can't write to it.
      • The contents of this directory are not backed up.
      • The OS may delete this directory's files automatically when the app is not running and storage space is running low.
    • Library/Application Support/
      • Contains persistent files necessary for running the app.
      • Invisible to users and users can't write to it.
      • The contents of this directory are backed up.
      • The app can exclude paths by setting NSURLIsExcludedFromBackupKey.
    • Library/Preferences/
      • Used for storing properties that can persist even after an application is restarted.
      • Information is saved, unencrypted, inside the application sandbox in a plist file called [BUNDLE_ID].plist.
      • All the key/value pairs stored using NSUserDefaults can be found in this file.
  • tmp/
    • Use this directory to write temporary files that do not need to persist between app launches.
    • Contains non-persistent cached files.
    • Invisible to users.
    • The contents of this directory are not backed up.
    • The OS may delete this directory's files automatically when the app is not running and storage space is running low.

Let's take a closer look at the Application Bundle (.app) directory of iGoat-Swift inside the Bundle directory (/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app):

OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # ls
NSFileType      Perms  NSFileProtection    ...  Name
------------  -------  ------------------  ...  --------------------------------------
Regular           420  None                ...  rutger.html
Regular           420  None                ...  mansi.html
Regular           420  None                ...  splash.html
Regular           420  None                ...  about.html

Regular           420  None                ...  LICENSE.txt
Regular           420  None                ...  Sentinel.txt
Regular           420  None                ...  README.txt

Binary Reversing

Inside the <application-name>.app folder you will find a binary file called <application-name>. This is the file that will be executed. You can perform a basic inspection of the binary with the tool otool:

otool -Vh DVIA-v2 #Check some compilation attributes
magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64    ARM64        ALL  0x00     EXECUTE    65       7112   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

otool -L DVIA-v2 #Get third party libraries
DVIA-v2:
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
@rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0)
[...]

Check if the app is encrypted

See if there is any output for:

otool -l <app-binary> | grep -A 4 LC_ENCRYPTION_INFO

Disassembling the binary

Disassemble the text section:

otool -tV DVIA-v2
DVIA-v2:
(__TEXT,__text) section
+[DDLog initialize]:
0000000100004ab8    sub    sp, sp, #0x60
0000000100004abc    stp    x29, x30, [sp, #0x50]   ; Latency: 6
0000000100004ac0    add    x29, sp, #0x50
0000000100004ac4    sub    x8, x29, #0x10
0000000100004ac8    mov    x9, #0x0
0000000100004acc    adrp    x10, 1098 ; 0x10044e000
0000000100004ad0    add    x10, x10, #0x268

To print the Objective-C segment of the sample application you can use:

otool -oV DVIA-v2
DVIA-v2:
Contents of (__DATA,__objc_classlist) section
00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog
isa        0x1004423a8 _OBJC_METACLASS_$_DDLog
superclass 0x0 _OBJC_CLASS_$_NSObject
cache      0x0 __objc_empty_cache
vtable     0x0
data       0x1003de748
flags          0x80
instanceStart  8

To obtain a more compact view of the Objective-C code you can use class-dump:

class-dump some-app
//
//     Generated by class-dump 3.5 (64 bit).
//
//     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#pragma mark Named Structures

struct CGPoint {
double _field1;
double _field2;
};

struct CGRect {
struct CGPoint _field1;
struct CGSize _field2;
};

struct CGSize {
double _field1;
double _field2;
};

However, the best options to disassemble the binary are: Hopper and IDA.

Data Storage

To learn how iOS stores data on the device, read this page:

iOS Basics

Warning

The following storage locations should be checked right after installing the application, after exercising all of the application's functionality, and even after logging out as one user and logging in as another.
The goal is to find unprotected sensitive information of the application (passwords, tokens), belonging to the current user and to previously logged-in users.

Plist

plist files are structured XML files that contain key-value pairs. They are a way to store persistent data, so sometimes you may find sensitive information in these files. It's recommended to check these files after installing the app and after using it intensively to see whether new data has been written.

The most common way to persist data in plist files is through NSUserDefaults. This plist file is saved inside the app sandbox in Library/Preferences/<appBundleID>.plist

The NSUserDefaults class provides a programmatic interface for interacting with the default system. The default system allows an application to customize its behaviour according to user preferences. Data saved by NSUserDefaults can be viewed in the application bundle. This class stores data in a plist file, but it’s meant to be used with small amounts of data.

This data cannot be accessed directly via a trusted computer, but it can be accessed by performing a backup.

You can dump the information saved using NSUserDefaults with objection's ios nsuserdefaults get

To find all the plists used by the application you can access /private/var/mobile/Containers/Data/Application/{APPID} and run:

find ./ -name "*.plist"

To convert files from XML or binary (bplist) format to XML, various methods are available depending on your operating system:

For macOS users: Use the plutil command. It's a built-in tool in macOS (10.2+), designed for this purpose:

$ plutil -convert xml1 Info.plist

For Linux users: Install libplist-utils first, then use plistutil to convert your file:

$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist

Within an Objection session: For analysing mobile applications, a specific command allows converting plist files directly:

ios plist cat /private/var/mobile/Containers/Data/Application/<Application-UUID>/Library/Preferences/com.some.package.app.plist

Core Data

Core Data is a framework for managing the model layer of objects in your application. Core Data can use SQLite as its persistent store, but the framework itself is not a database.
CoreData does not encrypt its data by default. However, an additional encryption layer can be added to CoreData. See the GitHub Repo for more details.

You can find the SQLite Core Data information of an application in the path /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support

If you can open the SQLite database and access sensitive information, then you have found a misconfiguration.

-(void)storeDetails {
    AppDelegate *appDelegate = (AppDelegate *)(UIApplication.sharedApplication.delegate);

    NSManagedObjectContext *context = [appDelegate managedObjectContext];

    User *user = [self fetchUser];
    if (user) {
        return;
    }
    user = [NSEntityDescription insertNewObjectForEntityForName:@"User"
                                         inManagedObjectContext:context];
    // The credentials are written to the Core Data store as-is, i.e. unencrypted on disk
    user.email = CoreDataEmail;
    user.password = CoreDataPassword;
    NSError *error;
    if (![context save:&error]) {
        NSLog(@"Error in saving data: %@", [error localizedDescription]);
    } else {
        NSLog(@"data stored in core data");
    }
}

YapDatabase

YapDatabase is a key/value store built on top of SQLite.
As Yap databases are sqlite databases, you can find them using the command proposed in the previous section.

Other SQLite Databases

It's common for applications to create their own sqlite databases. They may be storing sensitive data in them and leaving it unencrypted. Therefore, it's always interesting to check every database inside the application's directory. Go to the application directory where the data is saved (/private/var/mobile/Containers/Data/Application/{APPID})

find ./ -name "*.sqlite" -or -name "*.db"
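As an added example (not part of the original page) covering the Plist, Core Data and SQLite sections above, the following Python script sweeps an app data container the way a tester would after exercising the app: every .plist (XML or binary) is walked for keys that look like credentials, and every file with the SQLite header (Core Data stores, Yap and custom databases alike) is checked for suspiciously named columns and how many rows populate them. The container it builds is constructed in a temporary directory to mirror the Library/Preferences and Library/Application Support layout described above; all names and values are invented.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that typically hold credentials or session material
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential|session|auth", re.I)
SQLITE_MAGIC = b"SQLite format 3\0"


def _walk_plist(node, path=""):
    """Yield (keypath, value) for every scalar inside a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_plist(value, f"{path}/{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_plist(value, f"{path}[{i}]")
    else:
        yield path, node


def scan_plist(path):
    """Return (keypath, value) pairs whose key looks like a credential; handles XML and bplist."""
    with open(path, "rb") as fh:
        try:
            data = plistlib.load(fh)
        except Exception:                       # not a parseable plist
            return []
    return [(kp, v) for kp, v in _walk_plist(data)
            if SENSITIVE_NAME.search(kp.rsplit("/", 1)[-1]) and v not in (None, "", b"")]


def scan_sqlite(path):
    """Return (table.column, populated_rows) for suspicious columns in any SQLite file."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:         # identify by header, not by extension
            return []
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in con.execute(f'PRAGMA table_info("{table}")'):
                name = col[1]
                if SENSITIVE_NAME.search(name):
                    query = f'SELECT COUNT(*) FROM "{table}" WHERE "{name}" IS NOT NULL AND "{name}" != \'\''
                    (count,) = con.execute(query).fetchone()
                    hits.append((f"{table}.{name}", count))
    finally:
        con.close()
    return hits


def sweep_container(root):
    """Walk an app data container; findings are keyed by path relative to the container."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            hits = scan_plist(full) if fn.endswith(".plist") else scan_sqlite(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_container():
    """Constructed container with the layout the page describes (demonstration only)."""
    root = tempfile.mkdtemp(prefix="ios-container-")
    prefs = os.path.join(root, "Library", "Preferences")
    support = os.path.join(root, "Library", "Application Support")
    for d in (prefs, support, os.path.join(root, "Documents")):
        os.makedirs(d)
    # NSUserDefaults-style binary plist holding a session token next to harmless settings
    with open(os.path.join(prefs, "com.example.sampleapp.plist"), "wb") as fh:
        plistlib.dump({"theme": "dark", "username": "alice", "authToken": "tok-CONSTRUCTED-123"},
                      fh, fmt=plistlib.FMT_BINARY)
    # Core Data style store: entity tables and attribute columns carry the Z prefix
    con = sqlite3.connect(os.path.join(support, "Model.sqlite"))
    con.execute("CREATE TABLE ZUSER (Z_PK INTEGER PRIMARY KEY, ZEMAIL TEXT, ZPASSWORD TEXT)")
    con.execute("INSERT INTO ZUSER VALUES (1, 'alice@example.com', 'hunter2')")
    con.execute("INSERT INTO ZUSER VALUES (2, 'bob@example.com', NULL)")
    con.commit()
    con.close()
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as fh:
        fh.write("nothing sensitive here\n")
    return root


if __name__ == "__main__":
    for rel, hits in sweep_container(build_sample_container()).items():
        print(rel, "->", hits)
```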

Firebase Real-Time Databases

Developers can store and sync data within a NoSQL cloud-hosted database through Firebase Real-Time Databases. Stored in JSON format, the data is synchronised to all connected clients in real time.

You can find how to check for misconfigured Firebase databases here:

Firebase Database

Realm databases

Realm Objective-C and Realm Swift offer a powerful alternative for data storage, not provided by Apple. By default, they store data unencrypted, with encryption available through specific configuration.

The databases are located at: /private/var/mobile/Containers/Data/Application/{APPID}. To explore these files, one can use commands such as:

iPhone:/private/var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents root# ls
default.realm  default.realm.lock  default.realm.management/  default.realm.note

$ find ./ -name "*.realm*"

For viewing these database files, the Realm Studio tool is recommended.

To implement encryption within a Realm database, the following code snippet can be used:

// Open the encrypted Realm file where getKey() is a method to obtain a key from the Keychain or a server
let config = Realm.Configuration(encryptionKey: getKey())
do {
    let realm = try Realm(configuration: config)
    // Use the Realm as normal
} catch let error as NSError {
    // If the encryption key is wrong, `error` will say that it's an invalid database
    fatalError("Error opening realm: \(error)")
}

Couchbase Lite Databases

Couchbase Lite is described as a lightweight and embedded database engine that follows the document-oriented (NoSQL) approach. Designed to be native to iOS and macOS, it offers the capability to sync data seamlessly.

To identify potential Couchbase databases on a device, the following directory should be inspected:

ls /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support/

Cookies

iOS stores the cookies of apps in Library/Cookies/cookies.binarycookies inside each app's folder. However, developers sometimes decide to save them in the keychain instead, because the cookie file mentioned can be accessed in backups.

To inspect the cookies file you can use this python script or use objection's ios cookies get.
You can also use objection to convert these files to JSON format and inspect the data.

...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json
[
    {
        "domain": "highaltitudehacks.com",
        "expiresDate": "2051-09-15 07:46:43 +0000",
        "isHTTPOnly": "false",
        "isSecure": "false",
        "name": "username",
        "path": "/",
        "value": "admin123",
        "version": "0"
    }
]
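As an added example (not part of the original page), the following Python script parses the binarycookies container described above without objection or a device: a big-endian file header listing page sizes, little-endian pages listing cookie record offsets, and per-record flags (1 = Secure, 4 = HttpOnly), record-relative string offsets and expiry/creation timestamps stored as doubles counted from the 2001 Cocoa epoch. That layout is the one implemented by the public BinaryCookieReader script the page links to; the trailing checksum and metadata of real files are skipped. The sample file is constructed with the builder below and all names and values are invented.

```python
import struct
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200      # seconds from 1970-01-01 to 2001-01-01 (Cocoa reference date)
FLAG_SECURE = 0x1
FLAG_HTTPONLY = 0x4
COOKIE_HEADER_LEN = 56            # fixed fields before the string area of each cookie record


def _cstring(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\0", off)].decode("utf-8", "replace")


def _cocoa_to_iso(seconds: float) -> str:
    return datetime.fromtimestamp(seconds + MAC_EPOCH_OFFSET, tz=timezone.utc).isoformat(sep=" ")


def parse_binarycookies(data: bytes) -> list:
    """Parse a cookies.binarycookies blob into a list of cookie dicts."""
    if data[:4] != b"cook":
        raise ValueError("missing 'cook' magic")
    (num_pages,) = struct.unpack_from(">I", data, 4)                  # file header is big-endian
    page_sizes = struct.unpack_from(f">{num_pages}I", data, 8)
    pos = 8 + 4 * num_pages
    cookies = []
    for size in page_sizes:
        page = data[pos:pos + size]
        pos += size
        (num_cookies,) = struct.unpack_from("<I", page, 4)            # page fields are little-endian
        offsets = struct.unpack_from(f"<{num_cookies}I", page, 8)
        for off in offsets:
            rec_len, _u1, flags, _u2, url_o, name_o, path_o, value_o = struct.unpack_from("<8I", page, off)
            expires, created = struct.unpack_from("<2d", page, off + 40)
            rec = page[off:off + rec_len]                               # string offsets are record-relative
            cookies.append({
                "domain": _cstring(rec, url_o), "name": _cstring(rec, name_o),
                "path": _cstring(rec, path_o), "value": _cstring(rec, value_o),
                "isSecure": bool(flags & FLAG_SECURE), "isHTTPOnly": bool(flags & FLAG_HTTPONLY),
                "expiresDate": _cocoa_to_iso(expires), "createdDate": _cocoa_to_iso(created),
            })
    return cookies


def parse_file(path: str) -> list:
    with open(path, "rb") as fh:
        return parse_binarycookies(fh.read())


def insecure_cookies(cookies: list) -> list:
    """Names of cookies persisted without both the Secure and HttpOnly flags."""
    return [c["name"] for c in cookies if not (c["isSecure"] and c["isHTTPOnly"])]


def build_binarycookies(cookies: list) -> bytes:
    """Serialise cookie dicts into the same layout (used here only to construct a sample file)."""
    records, offsets, body = [], [], b""
    for c in cookies:
        strings, pos_of = b"", {}
        for field in ("domain", "name", "path", "value"):
            pos_of[field] = COOKIE_HEADER_LEN + len(strings)
            strings += c[field].encode() + b"\0"
        flags = (FLAG_SECURE if c.get("isSecure") else 0) | (FLAG_HTTPONLY if c.get("isHTTPOnly") else 0)
        rec = struct.pack("<8I", COOKIE_HEADER_LEN + len(strings), 0, flags, 0,
                          pos_of["domain"], pos_of["name"], pos_of["path"], pos_of["value"])
        rec += b"\0" * 8                                                # end-of-header marker
        rec += struct.pack("<2d", c["expires"] - MAC_EPOCH_OFFSET, c["created"] - MAC_EPOCH_OFFSET)
        records.append(rec + strings)
    header_len = 12 + 4 * len(records)                                 # tag + count + offsets + footer
    for rec in records:
        offsets.append(header_len + len(body))
        body += rec
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(records))
            + struct.pack(f"<{len(records)}I", *offsets) + b"\0\0\0\0" + body)
    # a single page, followed by a checksum field that the parser does not need
    return b"cook" + struct.pack(">I", 1) + struct.pack(">I", len(page)) + page + b"\0" * 4


# Constructed sample cookies (values invented for this example)
SAMPLE_COOKIES = [
    {"domain": "app.example.com", "name": "session", "path": "/", "value": "s3ss10n-CONSTRUCTED",
     "isSecure": True, "isHTTPOnly": True,
     "expires": datetime(2051, 9, 15, 7, 46, 43, tzinfo=timezone.utc).timestamp(),
     "created": datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()},
    {"domain": "app.example.com", "name": "username", "path": "/", "value": "admin123",
     "isSecure": False, "isHTTPOnly": False,
     "expires": datetime(2051, 9, 15, 7, 46, 43, tzinfo=timezone.utc).timestamp(),
     "created": datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()},
]


if __name__ == "__main__":
    parsed = parse_binarycookies(build_binarycookies(SAMPLE_COOKIES))
    for cookie in parsed:
        print(cookie)
    print("cookies missing Secure/HttpOnly:", insecure_cookies(parsed))
```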

Cache

By default NSURLSession stores data, such as HTTP requests and responses, in the Cache.db database. This database can contain sensitive data if tokens, usernames or any other sensitive information has been cached. To find the cached information, open the data directory of the app (/var/mobile/Containers/Data/Application/<UUID>) and go to /Library/Caches/<Bundle Identifier>. The WebKit cache is also stored in the Cache.db file. Objection can open and interact with the database with the command sqlite connect Cache.db, as it is a normal SQLite database.

It is recommended to disable caching this data, as it may contain sensitive information in the request or response. The following list shows different ways of achieving this:

  1. It is recommended to remove cached responses after logout. This can be done with the method provided by Apple called removeAllCachedResponses. You can call this method as follows:

URLCache.shared.removeAllCachedResponses()

This method will remove all cached requests and responses from the Cache.db file.

  2. If you don't need to take advantage of cookies, it is recommended to just use the .ephemeral configuration property of URLSession, which will disable saving cookies and caches.

Apple documentation:

An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn’t store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.

  3. The cache can also be disabled by setting the Cache Policy to .notAllowed. This will disable storing the cache in any fashion, either in memory or on disk.

Snapshots

Whenever you press the home button, iOS takes a snapshot of the current screen to be able to transition to the application much more smoothly. However, if sensitive data is present on the current screen, it will be saved in the image (which persists across reboots). These are the snapshots that you can also access by double-tapping the home button to switch between apps.

Unless the iPhone is jailbroken, the attacker needs access to the unlocked device to see these screenshots. By default the last snapshot is stored in the application's sandbox in the Library/Caches/Snapshots/ or Library/SplashBoard/Snapshots folder (trusted computers can't access the filesystem since iOS 7.0).

One way to prevent this bad behaviour is to put up a blank screen or remove the sensitive data before the snapshot is taken, using the ApplicationDidEnterBackground() function.

The following is a sample remediation method that sets a default screenshot.

Swift:

private var backgroundImage: UIImageView?

func applicationDidEnterBackground(_ application: UIApplication) {
    let myBanner = UIImageView(image: #imageLiteral(resourceName: "overlayImage"))
    myBanner.frame = UIScreen.main.bounds
    backgroundImage = myBanner
    window?.addSubview(myBanner)
}

func applicationWillEnterForeground(_ application: UIApplication) {
    backgroundImage?.removeFromSuperview()
}

Objective-C:

@property (nonatomic, strong) UIImageView *backgroundImage;

- (void)applicationDidEnterBackground:(UIApplication *)application {
    // initWithImage: expects a UIImage, not a file name string
    UIImageView *myBanner = [[UIImageView alloc] initWithImage:[UIImage imageNamed:@"overlayImage.png"]];
    self.backgroundImage = myBanner;
    self.backgroundImage.frame = UIScreen.mainScreen.bounds;
    [self.window addSubview:myBanner];
}

- (void)applicationWillEnterForeground:(UIApplication *)application {
    [self.backgroundImage removeFromSuperview];
}

This sets the background image to overlayImage.png whenever the application is backgrounded. It prevents sensitive data leaks because overlayImage.png will always cover the current view.

Keychain

For accessing and managing the iOS keychain, tools like Keychain-Dumper are available, suitable for jailbroken devices. Additionally, Objection provides the command ios keychain dump for similar purposes.

Storing Credentials

The NSURLCredential class is ideal for saving sensitive information directly in the keychain, bypassing the need for NSUserDefaults or other wrappers. To store credentials after login, the following code (Objective-C) is used:

NSURLCredential *credential;
credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent];
[[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential forProtectionSpace:self.loginProtectionSpace];

To extract these stored credentials, Objection's command ios nsurlcredentialstorage dump is used.

Custom Keyboards and Keyboard Cache

From iOS 8.0 onwards, users can install custom keyboard extensions, which are managed under Settings > General > Keyboard > Keyboards. While these keyboards offer extended functionality, they pose a risk of keystroke logging and of transmitting data to external servers, although users are notified about keyboards that require network access. Apps can, and should, restrict the use of custom keyboards for entering sensitive information.

Security Recommendations:

  • It is advised to disable third-party keyboards for enhanced security.
  • Be aware of the autocorrect and auto-suggestion features of the default iOS keyboard, which could store sensitive information in cache files located in Library/Keyboard/{locale}-dynamic-text.dat or /private/var/mobile/Library/Keyboard/dynamic-text.dat. These cache files should be checked regularly for sensitive data. Resetting the keyboard dictionary via Settings > General > Reset > Reset Keyboard Dictionary is recommended to clear the cached data.
  • Intercepting network traffic can reveal whether a custom keyboard is transmitting keystrokes remotely.

Preventing Text Field Caching

The UITextInputTraits protocol offers properties to manage autocorrection and secure text entry, essential for preventing sensitive information caching. For example, disabling autocorrection and enabling secure text entry can be achieved with:

textObject.autocorrectionType = UITextAutocorrectionTypeNo;
textObject.secureTextEntry = YES;

Additionally, developers should ensure that text fields, especially those for entering sensitive information like passwords and PINs, disable caching by setting autocorrectionType to UITextAutocorrectionTypeNo and secureTextEntry to YES.

UITextField *textField = [[UITextField alloc] initWithFrame:frame];
textField.autocorrectionType = UITextAutocorrectionTypeNo;

Logs

Debugging code often involves the use of logging. There's a risk involved, as logs may contain sensitive information. Previously, in iOS 6 and earlier versions, logs were accessible to all apps, posing a risk of sensitive data leakage. Now, applications are restricted to accessing only their own logs.

Despite these restrictions, an attacker with physical access to an unlocked device can still exploit this by connecting the device to a computer and reading the logs. It's important to note that logs remain on the disk even after the app is uninstalled.

To mitigate the risk, it's advised to thoroughly interact with the app, exploring all its functionalities and inputs, to ensure no sensitive information is being logged inadvertently.

When reviewing the app's source code for potential leaks, look for both predefined and custom logging statements using keywords like NSLog, NSAssert, NSCAssert, fprintf for built-in functions, and any mention of Logging or Logfile for custom implementations.

Monitoring System Logs

Apps log various pieces of information which can be sensitive. To monitor these logs, tools and commands like:

idevice_id --list   # To find the device ID
idevicesyslog -u <id> (| grep <app>)   # To capture the device logs

are helpful. Additionally, Xcode provides a way to collect console logs:

  1. Open Xcode.
  2. Connect the iOS device.
  3. Navigate to Window -> Devices and Simulators.
  4. Select your device.
  5. Reproduce the issue you are investigating.
  6. Use the Open Console button to view the logs in a new window.

For more advanced log monitoring, connecting to the device shell and using socat provides real-time log monitoring:

iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock

Followed by commands to observe log activity, which can be invaluable for diagnosing issues or identifying potential data leakage in the logs.
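As an added example (not from the original page), the detection logic one would run over a captured idevicesyslog stream: it parses each line, keeps only the entries of the app under test, and flags messages that look like credentials, bearer tokens, e-mail addresses or card numbers. The line layout in LINE_RE, the process name MyApp and the sample lines are assumptions constructed for this example.

```python
"""Scan captured iOS syslog lines (idevicesyslog output) for sensitive data.

Added example; the line layout below is an assumption about idevicesyslog's format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed shape: "<Mon DD HH:MM:SS> <host> <process>[(subsystem)][<pid>] <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\s\[(]+)(?:\([^)]*\))?\[(?P<pid>\d+)\] "
    r"<(?P<level>\w+)>: "
    r"(?P<msg>.*)$"
)

# Heuristics for things that should never appear in an app log (extend for the app under test).
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|pwd|pin|secret)\b\s*[:=]", re.I),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


@dataclass
class Finding:
    line_no: int
    process: str
    category: str
    message: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its fields, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_syslog(lines: List[str], process_name: str) -> List[Finding]:
    """Return the entries of `process_name` whose message matches a sensitive-data heuristic."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["proc"] != process_name:
            continue  # other processes' lines (or unparseable lines) are out of scope
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(rec["msg"]):
                findings.append(Finding(line_no, process_name, category, rec["msg"]))
    return findings


# Constructed sample capture; MyApp is an invented process name.
SAMPLE_LOG = [
    "Mar 12 17:43:33 iPhone MyApp[1234] <Notice>: Login request for user alice@example.com",
    "Mar 12 17:43:34 iPhone MyApp[1234] <Notice>: password=hunter2 sent to /auth",
    "Mar 12 17:43:35 iPhone MyApp[1234] <Notice>: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "Mar 12 17:43:36 iPhone OtherApp[99] <Notice>: password=ignored",
    "Mar 12 17:43:37 iPhone MyApp[1234] <Notice>: View did appear",
    "Mar 12 17:43:38 iPhone MyApp(Foundation)[1234] <Error>: card 4111 1111 1111 1111 declined",
]

if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_LOG, "MyApp"):
        print(f"line {f.line_no}: [{f.category}] {f.message}")
```

Feed it the output of `idevicesyslog -u <id>` line by line to get the same report for a real capture.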

Backups

Auto-backup features are integrated into iOS, facilitating the creation of copies of the device data through iTunes (up to macOS Catalina), Finder (from macOS Catalina onwards), or iCloud. These backups encompass nearly all device data, excluding highly sensitive elements such as Apple Pay details and Touch ID configurations.

Security Risks

The inclusion of installed apps and their data in backups raises the issue of potential data leakage and the risk that backup modifications could alter app functionality. It is advised not to store sensitive information in plaintext within any app's directory or its subdirectories to mitigate these risks.

Excluding Files from Backups

Files in Documents/ and Library/Application Support/ are backed up by default. Developers can exclude specific files or directories from backups using NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey. This practice is crucial for keeping sensitive data out of backups.

Testing for Vulnerabilities

To assess an app's backup security, start by creating a backup using Finder, then locate it following the guidance in Apple's official documentation. Analyze the backup for sensitive data or configurations that could be altered to affect the app's behavior.

Sensitive information can be searched for using command-line tools or applications like iMazing. For encrypted backups, the presence of encryption can be confirmed by checking the "IsEncrypted" key in the "Manifest.plist" file at the backup's root.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
...
<key>Date</key>
<date>2021-03-12T17:43:33Z</date>
<key>IsEncrypted</key>
<true/>
...
</plist>

To work with encrypted backups, the Python scripts available in DinoSec's GitHub repo, such as backup_tool.py and backup_passwd.py, may be useful, though they might require adjustments for compatibility with the latest iTunes/Finder versions. The iOSbackup tool is another option for accessing files within password-protected backups.

Modifying App Behavior

An example of altering app behavior through backup modifications is demonstrated in the Bither bitcoin wallet app, where the UI lock PIN is stored within net.bither.plist under the pin_code key. Removing this key from the plist and restoring the backup removes the PIN requirement, providing unrestricted access.
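The two backup checks just described, the IsEncrypted flag in Manifest.plist and plaintext secrets such as a pin_code key sitting in an app's plist, as an added Python example that is not part of the original page: it parses a constructed Manifest.plist and recursively walks decoded app plists for suspicious key names, so a reviewer can tell whether an app is leaving secrets in backup-visible preference files. The file names, the key-name heuristic and the sample plists are assumptions made for this example.

```python
"""Audit an iOS backup: IsEncrypted in Manifest.plist and plaintext secrets in app plists.

Added example; key-name heuristics and sample plists are constructed, not taken from a real backup.
"""
import plistlib
import re
from typing import Any, Dict, List, Tuple

# Key names that should not hold plaintext values in a backed-up plist (assumed list; extend it).
SENSITIVE_KEY_RE = re.compile(r"(pin|password|passwd|secret|token|api[_-]?key)", re.I)


def backup_is_encrypted(manifest_bytes: bytes) -> bool:
    """Return the IsEncrypted value from Manifest.plist (False when the key is absent)."""
    manifest = plistlib.loads(manifest_bytes)
    return bool(manifest.get("IsEncrypted", False))


def find_sensitive_keys(obj: Any, path: str = "") -> List[Tuple[str, Any]]:
    """Walk a decoded plist (dicts/lists) and return (key_path, value) for suspicious key names."""
    hits: List[Tuple[str, Any]] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            key_path = f"{path}/{key}"
            if SENSITIVE_KEY_RE.search(str(key)):
                hits.append((key_path, value))
            hits.extend(find_sensitive_keys(value, key_path))  # nested dicts are common in prefs
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return hits


def audit_backup(manifest_bytes: bytes, app_plists: Dict[str, bytes]) -> Dict[str, Any]:
    """app_plists maps a plist file name to its raw bytes; returns encryption state plus findings."""
    report: Dict[str, Any] = {"encrypted": backup_is_encrypted(manifest_bytes), "findings": {}}
    for name, raw in app_plists.items():
        hits = find_sensitive_keys(plistlib.loads(raw))
        if hits:
            report["findings"][name] = hits
    return report


# Constructed Manifest.plist mirroring the fragment shown above (unencrypted backup).
MANIFEST_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Date</key><date>2021-03-12T17:43:33Z</date>
  <key>IsEncrypted</key><false/>
</dict>
</plist>"""

# Constructed app preference plist modelled on the Bither case (pin_code stored in plaintext).
APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>pin_code</key><string>1234</string>
  <key>theme</key><string>dark</string>
  <key>wallet</key><dict><key>api_key</key><string>abc</string></dict>
</dict>
</plist>"""

if __name__ == "__main__":
    print(audit_backup(MANIFEST_PLIST, {"net.bither.plist": APP_PLIST}))
```

On a real backup, read Manifest.plist from the backup root and feed every *.plist found under the app's container to audit_backup; binary plists decode with the same plistlib.loads call.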

Summary on Memory Testing for Sensitive Data

When dealing with sensitive information stored in an application's memory, it is crucial to limit the time this data is exposed. There are two primary approaches to investigating memory contents: creating a memory dump and analyzing the memory in real time. Both methods have their challenges, including the possibility of missing critical data during the dump process or the analysis.

Retrieving and Analyzing a Memory Dump

For both jailbroken and non-jailbroken devices, tools like objection and Fridump allow dumping an app's process memory. Once dumped, analyzing this data requires a variety of tools, depending on the nature of the information you are looking for.

To extract strings from the memory dump, commands like strings or rabin2 -zz can be used:

# Extracting strings using the strings command
$ strings memory > strings.txt

# Extracting strings using rabin2 (-zz scans the whole file, not only data sections)
$ rabin2 -zz memory > strings.txt

For a more detailed analysis, including searching for specific data types or patterns, radare2 offers extensive search capabilities:

$ r2 <name_of_your_dump_file>
[0x00000000]> /?
...
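An added example (not from the original page) of what the strings step and the radare2 search do over a dump, written in Python: it extracts printable runs together with their offsets, as strings does, and then screens them for patterns an analyst would search for. The dump bytes and the secret patterns are constructed for this example.

```python
"""Extract printable strings from a memory dump and flag likely secrets (added example)."""
import re
from typing import Iterator, List, Tuple

MIN_LEN = 4  # same default as `strings`: runs shorter than this are skipped


def extract_strings(dump: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of >= min_len printable ASCII bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(dump):
        yield m.start(), m.group().decode("ascii")


# Patterns an analyst typically hunts for in a dump (assumed; extend for the app under test).
SECRET_PATTERNS = {
    "password_kv": re.compile(r"(?i)\b(password|passwd|pin)\s*[=:]\s*\S+"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}"),
    "session_cookie": re.compile(r"(?i)\bsession(id)?=\S+"),
}


def find_secrets(dump: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, pattern_name, matched_text) for every extracted string that hits a pattern."""
    results = []
    for offset, text in extract_strings(dump, min_len):
        for name, pat in SECRET_PATTERNS.items():
            m = pat.search(text)
            if m:
                results.append((offset, name, m.group()))
    return results


# Constructed dump: non-printable filler interleaved with strings an app might leave in memory.
SAMPLE_DUMP = (
    b"\x00\x01\x02\xff\xfe" + b"MyApp.Login" + b"\x00" * 8
    + b"password=hunter2" + b"\x00\x00\x90\x12"
    + b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abcDEF_ghi"
    + b"\x00" + b"ab" + b"\x00" + b"sessionid=deadbeef01" + b"\x7f\x80"
)

if __name__ == "__main__":
    for offset, name, text in find_secrets(SAMPLE_DUMP):
        print(f"0x{offset:08x} {name}: {text}")
```

The offsets it reports are the ones to seek to in r2 when you open the same dump file for closer inspection.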

Runtime Memory Analysis

r2frida offers a powerful alternative for inspecting an app's memory in real time, without needing a memory dump. This tool enables executing search commands directly on the running application's memory:

$ r2 frida://usb//<name_of_your_app>
[0x00000000]> /\ <search_command>

Broken Cryptography

Poor Key Management Processes

Some developers store sensitive data in local storage and encrypt it with a key hardcoded in, or predictable from, the code. This should not be done, as reversing the app can allow attackers to extract the confidential information.

Use of Insecure and/or Deprecated Algorithms

Developers should not use deprecated algorithms to perform authorization checks, or to store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords, for example, brute-force-resistant hashes should be used together with a salt.

Check

The main checks to perform are whether you can find hardcoded passwords/secrets in the code, whether those are predictable, and whether the code uses any kind of weak cryptographic algorithm.

It is worth knowing that you can monitor some crypto libraries automatically using objection with:

ios monitor crypt

For more information about iOS cryptographic APIs and libraries access https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography

Local Authentication

Local authentication plays a crucial role, especially when it comes to safeguarding access to a remote endpoint through cryptographic methods. The essence here is that without proper implementation, local authentication mechanisms can be bypassed.

Apple's Local Authentication framework and the keychain provide robust APIs for developers to facilitate user authentication dialogs and securely handle secret data, respectively. The Secure Enclave secures the fingerprint ID for Touch ID, while Face ID relies on facial recognition without compromising biometric data.

To integrate Touch ID/Face ID, developers have two API choices:

  • LocalAuthentication.framework for high-level user authentication without access to biometric data.
  • Security.framework for lower-level keychain services access, securing secret data with biometric authentication. Various open-source wrappers make keychain access simpler.

Caution

However, both LocalAuthentication.framework and Security.framework present vulnerabilities, as they primarily return boolean values without transmitting data for the authentication processes, making them susceptible to bypassing (refer to Don't touch me that way, by David Lindner et al).

Implementing Local Authentication

To prompt users for authentication, developers should utilize the evaluatePolicy method within the LAContext class, choosing between:

  • deviceOwnerAuthentication: Prompts for Touch ID or the device passcode, failing if neither is enabled.
  • deviceOwnerAuthenticationWithBiometrics: Exclusively prompts for Touch ID/Face ID.

A successful authentication is indicated by a boolean return value from evaluatePolicy, which highlights a potential security flaw.

Local Authentication using Keychain

Implementing local authentication in iOS apps involves the use of keychain APIs to securely store secret data such as authentication tokens. This process ensures that the data can only be accessed by the user, using their device passcode or biometric authentication like Touch ID.

The keychain offers the ability to set items with the SecAccessControl attribute, which restricts access to the item until the user successfully authenticates via Touch ID or the device passcode. This feature is crucial for enhancing security.

Below are code examples in Swift and Objective-C demonstrating how to save and retrieve a string to/from the keychain, leveraging these security features. The examples specifically show how to set up access control to require Touch ID authentication and ensure the data is accessible only on the device it was set up on, provided a device passcode is configured.

// From https://github.com/mufambisi/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md

// 1. create AccessControl object that will represent authentication settings

var error: Unmanaged<CFError>?

guard let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                          kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                          SecAccessControlCreateFlags.biometryCurrentSet,
                                                          &error) else {
    // failed to create AccessControl object
    return
}

// 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute

var query: [String: Any] = [:]

query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecAttrAccount as String] = "OWASP Account" as CFString
query[kSecValueData as String] = "test_strong_password".data(using: .utf8)! as CFData
query[kSecAttrAccessControl as String] = accessControl

// 3. save item

let status = SecItemAdd(query as CFDictionary, nil)

if status == noErr {
    // successfully saved
} else {
    // error while saving
}

We can now request the saved item from the keychain. Keychain services will present the authentication dialog to the user and return the data or nil depending on whether a suitable fingerprint was provided or not.

// 1. define query
var query = [String: Any]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecReturnData as String] = kCFBooleanTrue
query[kSecAttrAccount as String] = "OWASP Account" as CFString   // must match the account used when saving
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecUseOperationPrompt as String] = "Please, pass authorisation to enter this area" as CFString

// 2. get item
var queryResult: AnyObject?
let status = withUnsafeMutablePointer(to: &queryResult) {
    SecItemCopyMatching(query as CFDictionary, UnsafeMutablePointer($0))
}

if status == noErr {
    let password = String(data: queryResult as! Data, encoding: .utf8)!
    // successfully received password
} else {
    // authorization not passed
}

Detection

The use of these frameworks in an app can also be detected by analyzing the app binary's list of shared dynamic libraries. This can be done using otool:

$ otool -L <AppName>.app/<AppName>

If LocalAuthentication.framework is used in an app, the output will contain both of the following lines (remember that LocalAuthentication.framework uses Security.framework under the hood):

/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication
/System/Library/Frameworks/Security.framework/Security

If Security.framework is used, only the second one will be shown.

Local Authentication Framework Bypass

Objection

Through the Objection Biometrics Bypass, available on this GitHub page, a technique is provided to overcome the LocalAuthentication mechanism. The core of this approach involves using Frida to manipulate the evaluatePolicy function, ensuring it consistently returns True, regardless of the actual authentication outcome. This is particularly useful for demonstrating flawed biometric authentication processes.

To activate this bypass, the following command is used:

...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass
(agent) Registering job 3mhtws9x47q. Type: ios-biometrics-disable
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # (agent) [3mhtws9x47q] Localized Reason for auth requirement: Please authenticate yourself
(agent) [3mhtws9x47q] OS authentication response: false
(agent) [3mhtws9x47q] Marking OS response as True instead
(agent) [3mhtws9x47q] Biometrics bypass hook complete

This command initiates a sequence where Objection registers a job that effectively changes the outcome of the evaluatePolicy check to True.

Frida

An example of evaluatePolicy usage from the DVIA-v2 application:

+(void)authenticateWithTouchID {
    LAContext *myContext = [[LAContext alloc] init];
    NSError *authError = nil;
    NSString *myLocalizedReasonString = @"Please authenticate yourself";

    if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
        [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                  localizedReason:myLocalizedReasonString
                            reply:^(BOOL success, NSError *error) {
            if (success) {
                dispatch_async(dispatch_get_main_queue(), ^{
                    [TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"];
                });
            } else {
                dispatch_async(dispatch_get_main_queue(), ^{
                    [TouchIDAuthentication showAlert:@"Authentication Failed !" withTitle:@"Error"];
                });
            }
        }];
    } else {
        dispatch_async(dispatch_get_main_queue(), ^{
            [TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"];
        });
    }
}

To bypass Local Authentication, a Frida script is written. This script targets the evaluatePolicy check, intercepting its callback to ensure it returns success=1. By altering the callback's behavior, the authentication check is effectively bypassed.

The script below is injected to modify the result of the evaluatePolicy method. It changes the callback's result so that it always indicates success.

// from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/
if (ObjC.available) {
    console.log("Injecting...");
    var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
    Interceptor.attach(hook.implementation, {
        onEnter: function(args) {
            var block = new ObjC.Block(args[4]);
            const callback = block.implementation;
            block.implementation = function (error, value) {
                console.log("Changing the result value to true");
                const result = callback(1, null);
                return result;
            };
        },
    });
} else {
    console.log("Objective-C Runtime is not available!");
}

To inject the Frida script and bypass biometric authentication, the following command is used:

frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-ios.js

Sensitive Functionality Exposure Through IPC

iOS Custom URI Handlers / Deeplinks / Custom Schemes

iOS Universal Links

UIActivity Sharing

iOS UIActivity Sharing

UIPasteboard

iOS UIPasteboard

App Extensions

iOS App Extensions

WebViews

iOS WebViews

Serialisation and Encoding

iOS Serialisation and Encoding

Network Communication

It is important to check that no communication happens without encryption and also that the application correctly validates the server's TLS certificate.
To check these kinds of issues you can use a proxy like Burp:

iOS Burp Suite Configuration

Hostname check

A common issue when validating a TLS certificate is checking that the certificate was signed by a trusted CA, but not checking whether the certificate's hostname matches the hostname being accessed.
To check for this issue using Burp, after trusting the Burp CA on the iPhone, you can create a new certificate with Burp for a different hostname and use it. If the application still works, then it is vulnerable.

Certificate Pinning

If the application correctly uses SSL Pinning, it will only work if the certificate is the expected one. When testing an application this can be a problem, as Burp will serve its own certificate.
To bypass this protection on a jailbroken device, you can install the SSL Kill Switch app or install Burp Mobile Assistant.

You can also use objection's ios sslpinning disable

Others

  • In /System/Library you can find the frameworks installed on the phone that are used by system applications
  • Applications installed by the user from the App Store are located in /User/Applications
  • And /User/Library contains the data saved by user-level applications
  • You can access /User/Library/Notes/notes.sqlite to read the notes saved in the application.
  • Inside the folder of an installed application (/User/Applications/<APP ID>/) you can find some interesting files:
      • iTunesArtwork: The icon used by the app
      • iTunesMetadata.plist: Information about the app used in the App Store
      • /Library/*: Contains the preferences and cache. In /Library/Cache/Snapshots/* you can find the snapshot taken of the application before it was sent to the background.

Hot Patching/Enforced Updating

Developers can remotely patch all installations of their app instantly without having to resubmit the application to the App Store and wait for approval.
For this purpose JSPatch is usually used. But there are other options too, such as Siren and react-native-appstore-version-checker.
This is a dangerous mechanism that could be abused by malicious third-party SDKs, so it is recommended to check which method is used for automatic updating (if any) and test it. You could try to download a previous version of the app for this purpose.

Third Parties

A significant challenge with 3rd-party SDKs is the lack of granular control over their functionality. Developers are faced with a choice: either integrate the SDK and accept all of its features, including potential security vulnerabilities and privacy concerns, or forgo its benefits entirely. Often, developers are unable to patch vulnerabilities within these SDKs themselves. Furthermore, as SDKs gain trust within the community, some may start to contain malware.

The services provided by third-party SDKs may include user behavior tracking, displaying advertisements, or enhancing the user experience. However, this introduces a risk, as developers may not be fully aware of the code executed by these libraries, leading to potential privacy and security risks. It is crucial to limit the information shared with third-party services to what is necessary and to ensure that no sensitive data is exposed.

The implementation of third-party services usually comes in two forms: a standalone library or a full SDK. To protect user privacy, any data shared with these services should be anonymized to prevent the disclosure of Personally Identifiable Information (PII).

To identify the libraries an application uses, you can use the otool command. This tool should be run against the application and each shared library it uses to discover additional libraries.

otool -L <application_path>

Interesting Vulnerabilities & Case Studies

Air Keyboard Remote Input Injection

Itunesstored Bookassetd Sandbox Escape

Zero Click Messaging Image Parser Chains

References & More Resources
