iOS Pentesting

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!

Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.

Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Mazingira ya Upimaji

Katika ukurasa huu unaweza kupata taarifa kuhusu iOS simulator, emulators na jailbreaking:

iOS Testing Environment

Wakati wa upimaji operesheni kadhaa zitatangazwa (kuunganisha kwenye kifaa, kusoma/kuandika/kuupload/ku-download mafaili, kutumia zana fulani…). Kwa hiyo, ikiwa hupati jinsi ya kufanya moja ya vitendo hivi tafadhali, anza kusoma ukurasa:

iOS Basic Testing Operations

Tip

Kwa hatua zinazofuata app inapaswa kuwa imewekwa kwenye kifaa na inapaswa tayari kuwa imepata IPA file ya programu.
Soma ukurasa wa Operesheni za Msingi za Upimaji wa iOS ili kujifunza jinsi ya kufanya hivyo.

Uchambuzi wa Msingi wa Static

Baadhi ya decompilers za iOS - IPA files zinazoonekana kuvutia:

Inashauriwa kutumia chombo MobSF kufanya Static Analysis ya kiotomatiki kwenye IPA file.

Utambuzi wa ulinzi uliopo kwenye binary:

PIE (Position Independent Executable): Wakati imewezeshwa, app inawekwa katika anwani ya kumbukumbu isiyotarajiwa kila inapowashwa, na hivyo kufanya iwe vigumu kutabiri anwani yake ya awali ya kumbukumbu.

otool -hv <app-binary> | grep PIE   # It should include the PIE flag

Stack Canaries: Ili kuthibitisha uadilifu wa stack, thamani ya ‘canary’ inawekwa kwenye stack kabla ya kuuita function na inathibitishwa tena mara function inapomalizika.

otool -I -v <app-binary> | grep stack_chk   # It should include the symbols: stack_chk_guard and stack_chk_fail

ARC (Automatic Reference Counting): Ili kuzuia makosa ya kawaida ya uharibifu wa kumbukumbu

otool -I -v <app-binary> | grep objc_release   # It should include the _objc_release symbol

Encrypted Binary: Binary inapaswa kuwa imesimbwa

otool -arch all -Vl <app-binary> | grep -A5 LC_ENCRYPT   # The cryptid should be 1

Utambuzi wa Functions Nyeti/Isizo Salama

Weak Hashing Algorithms

# On the iOS device
otool -Iv <app> | grep -w "_CC_MD5"
otool -Iv <app> | grep -w "_CC_SHA1"

# On linux
grep -iER "_CC_MD5"
grep -iER "_CC_SHA1"

Insecure Random Functions

# On the iOS device
otool -Iv <app> | grep -w "_random"
otool -Iv <app> | grep -w "_srand"
otool -Iv <app> | grep -w "_rand"

# On linux
grep -iER "_random"
grep -iER "_srand"
grep -iER "_rand"

Insecure ‘Malloc’ Function

# On the iOS device
otool -Iv <app> | grep -w "_malloc"

# On linux
grep -iER "_malloc"

Insecure and Vulnerable Functions

# On the iOS device
otool -Iv <app> | grep -w "_gets"
otool -Iv <app> | grep -w "_memcpy"
otool -Iv <app> | grep -w "_strncpy"
otool -Iv <app> | grep -w "_strlen"
otool -Iv <app> | grep -w "_vsnprintf"
otool -Iv <app> | grep -w "_sscanf"
otool -Iv <app> | grep -w "_strtok"
otool -Iv <app> | grep -w "_alloca"
otool -Iv <app> | grep -w "_sprintf"
otool -Iv <app> | grep -w "_printf"
otool -Iv <app> | grep -w "_vsprintf"

# On linux
grep -R "_gets"
grep -iER "_memcpy"
grep -iER "_strncpy"
grep -iER "_strlen"
grep -iER "_vsnprintf"
grep -iER "_sscanf"
grep -iER "_strtok"
grep -iER "_alloca"
grep -iER "_sprintf"
grep -iER "_printf"
grep -iER "_vsprintf"

Mbinu za Kawaida za Kugundua Jailbreak

File System Checks: Tafuta uwepo wa mafaili na saraka za kawaida za jailbreak, kama /Applications/Cydia.app au /Library/MobileSubstrate/MobileSubstrate.dylib.
Sandbox Violations: Jaribu kufikia maeneo yaliyopigwa marufuku ya file system, ambayo yanapaswa kuzuiliwa kwenye vifaa visivyo-jailbroken.
API Checks: Kagua kama inawezekana kutumia miito iliyoruhusiwa kama fork() kuunda mchakato mchanga au system() kuona kama /bin/sh ipo.
Process Checks: Angalia uwepo wa mchakato unaojulikana unaohusiana na jailbreak, kama Cydia, Substrate, au ssh.
Kernel Exploits: Angalia uwepo wa kernel exploits zinazotumika mara nyingi katika jailbreaks.
Environment Variables: Chunguza environment variables kwa dalili za jailbreak, kama DYLD_INSERT_LIBRARIES.
Libraries Check: Angalia libraries ambazo zamekwa ndani ya mchakato wa app.
Check schemes: Kama canOpenURL(URL(string: "cydia://")).

Mbinu za Kawaida za Kugundua Anti-Debugging

Check for Debugger Presence: Tumia sysctl au mbinu nyingine kukagua kama debugger imeambatishwa.
Anti-Debugging APIs: Tafuta miito kwa API za anti-debugging kama ptrace au SIGSTOP mfano ptrace(PT_DENY_ATTACH, 0, 0, 0).
Timing Checks: Pima muda unaochukua kwa operesheni fulani na angalia tofauti ambazo zinaweza kuashiria debugging.
Memory Checks: Kagua kumbukumbu kwa artifacts za debugger au mabadiliko yanayojulikana.
Environment Variables: Angalia environment variables ambazo zinaweza kuashiria kikao cha debugging.
Mach Ports: Gundua ikiwa mach exception ports zinatumika na debuggers.

Uchambuzi wa Msingi wa Dynamic

Angalia uchambuzi wa dynamic ambao MobSF hufanya. Utahitaji kuvinjari kupitia mawonekano tofauti na kuingiliana nayo; ita-hook classes kadhaa na kufanya mambo mengine na itatayarisha ripoti mara utakapomaliza.

Orodha ya Apps Zilizowekwa

Tumia amri frida-ps -Uai kubaini bundle identifier ya apps zilizowekwa:

$ frida-ps -Uai
PID  Name                 Identifier
----  -------------------  -----------------------------------------
6847  Calendar             com.apple.mobilecal
6815  Mail                 com.apple.mobilemail
-  App Store            com.apple.AppStore
-  Apple Store          com.apple.store.Jolly
-  Calculator           com.apple.calculator
-  Camera               com.apple.camera
-  iGoat-Swift          OWASP.iGoat-Swift

Msingi Enumeration & Hooking

Jifunze jinsi ya kuorodhesha vipengele vya application na jinsi ya kwa urahisi hook methods and classes kwa objection:

iOS Hooking With Objection

IPA Structure

Muundo wa IPA file kwa msingi ni ule wa zipped package. Kwa kubadilisha jina la extension kuwa .zip, inaweza kufunguliwa ili kuonyesha yaliyomo. Ndani ya muundo huu, Bundle inawakilisha programu iliyokamilishwa tayari kwa usakinishaji. Ndani yake, utapata directory inayoitwa <NAME>.app, ambayo inajumuisha rasilimali za application.

Info.plist: Faili hili lina maelezo maalum ya usanidi ya application.
_CodeSignature/: Directory hii ina faili ya plist ambayo ina saini, ikihakikisha uadilifu wa faili zote ndani ya bundle.
Assets.car: Archive iliyoshinikizwa inayohifadhi faili za asset kama icons.
Frameworks/: Folda hii ina maktaba za native za application, ambazo zinaweza kuwa kwa namna ya .dylib au .framework files.
PlugIns/: Hii inaweza kujumuisha extensions kwa application, zinazojulikana kama .appex files, ingawa si za lazima kuwepo. * Core Data: Inatumiwa kuhifadhi data za kudumu za application kwa matumizi offline, kuhifadhi cache ya data za muda, na kuongeza utendakazi wa undo kwenye app yako kwenye kifaa kimoja. Ili kusanifisha data kati ya vifaa vingi kwenye akaunti moja ya iCloud, Core Data inaakisi kimaelezo (schema) yako moja kwa moja kwa CloudKit container.
PkgInfo: Faili la PkgInfo ni njia mbadala ya kubainisha type na creator codes za application yako au bundle.
en.lproj, fr.proj, Base.lproj: Ni vifurushi vya lugha vinavyochukua rasilimali kwa lugha hizo maalum, na rasilimali ya default wakati lugha haitekegemwi.
Security: Directory ya _CodeSignature/ ina jukumu muhimu katika usalama wa app kwa kuthibitisha uadilifu wa faili zote zilizomo kupitia saini za digital.
Asset Management: Faili ya Assets.car inatumia compression kusimamia assets za picha kwa ufanisi, muhimu kwa kuboresha utendaji wa application na kupunguza ukubwa wake.
Frameworks and PlugIns: Directory hizi zinaonyesha modularity ya applications za iOS, zikiruhusu developers kujumuisha maktaba za code zinazoweza kutumika tena (Frameworks/) na kuongeza uwezo wa app (PlugIns/).
Localization: Muundo huu unaunga mkono lugha nyingi, ukirahisisha kufikia soko la kimataifa kwa kujumuisha rasilimali za vifurushi maalum vya lugha.

Info.plist

Info.plist ni msingi wa applications za iOS, ikijumuisha data muhimu za usanidi katika muundo wa key-value pairs. Faili hili ni lazima sio tu kwa applications bali pia kwa app extensions na frameworks zilizo ndani ya bundle. Limepangwa kwa fomati ya XML au binary na lina taarifa muhimu kuanzia ruhusa za app hadi usanidi wa usalama. Kwa uchunguzi wa kina wa keys zinazopatikana, unaweza kurejea kwenye Apple Developer Documentation.

Kwa wale wanaotaka kufanya kazi na faili hili kwa fomati rahisi zaidi, uongofu wa XML unaweza kufanywa kwa urahisi kwa kutumia plutil kwenye macOS (inapatikana kiasili kwenye toleo 10.2 na za baadaye) au plistutil kwenye Linux. Amri za uongofu ni kama ifuatavyo:

Kwa macOS:

$ plutil -convert xml1 Info.plist

Kwa Linux:

$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist

Miongoni mwa habari nyingi ambazo faili ya Info.plist inaweza kufichua, vipengele muhimu ni pamoja na mistari ya ruhusa za app (UsageDescription), mipangilio ya URL maalum (CFBundleURLTypes), na usanidi wa App Transport Security (NSAppTransportSecurity). Vipengele hivi, pamoja na vingine kama aina za nyaraka maalum zilizo exported/imported (UTExportedTypeDeclarations / UTImportedTypeDeclarations), zinaweza kupatikana kwa urahisi kwa kuchunguza faili au kutumia amri rahisi ya grep:

$ grep -i <keyword> Info.plist

Njia za Data

Katika mazingira ya iOS, saraka zimeundwa mahsusi kwa programu za mfumo na programu zilizowekwa na mtumiaji. Programu za mfumo ziko katika /Applications directory, wakati programu zilizowekwa na mtumiaji zipo chini ya /var/mobile/containers/Data/Application/. Programu hizi zinapewa kitambulisho cha kipekee kinachojulikana kama 128-bit UUID, jambo ambalo linafanya kazi ya kutafuta kwa mkono saraka ya app kuwa changamoto kutokana na nasibu ya majina ya saraka.

Warning

Kwa kuwa applications katika iOS lazima ziwe sandboxed, kila app pia itakuwa na folda ndani ya $HOME/Library/Containers yenye app’s CFBundleIdentifier kama jina la folda.

Hata hivyo, saraka zote mbili (data & container folders) zina faili .com.apple.mobile_container_manager.metadata.plist ambayo inaunganisha faili zote mbili kupitia key MCMetadataIdentifier).

Ili kuwezesha kugundua saraka ya usakinishaji ya app iliyowekwa na mtumiaji, the objection tool inatoa amri yenye msaada, env. Amri hii inaonyesha taarifa za kina za saraka kwa app husika. Hapo chini kuna mfano wa jinsi ya kutumia amri hii:

OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # env

Name               Path
-----------------  -------------------------------------------------------------------------------------------
BundlePath         /var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library

Vinginevyo, jina la app linaweza kutafutwa ndani ya /private/var/containers kwa kutumia amri ya find:

find /private/var/containers -name "Progname*"

Amri kama ps na lsof pia zinaweza kutumika kubaini mchakato wa app na kuorodhesha mafaili yaliyofunguliwa mtawalia, zikitoa mwanga kuhusu njia za saraka zinazotumika na app:

ps -ef | grep -i <app-name>
lsof -p <pid> | grep -i "/containers" | head -n 1

Bundle directory:

AppName.app
Hii ni Application Bundle kama ilivyotajwa hapo awali katika IPA, ina data muhimu za programu, yaliyomo statiki pamoja na binary iliyokusanywa ya programu.
Kabrasha hili inaonekana kwa watumiaji, lakini watumiaji hawawezi kuandika ndani yake.
Yaliyomo katika kabrasha hili hayahifadhiwi kwenye chelezo.
Yaliyomo ya folda hii yanatumiwa ili kuhakiki code signature.

Data directory:

Documents/
Inajumuisha data yote iliyoundwa na mtumiaji. Mtumiaji wa mwisho wa programu ndiye anayeanzisha uundaji wa data hii.
Inaonekana kwa watumiaji na watumiaji wanaweza kuandika ndani yake.
Yaliyomo katika kabrasha hili yanahifadhiwa kwenye chelezo.
Programu inaweza kuzima paths kwa kuweka NSURLIsExcludedFromBackupKey.
Library/
Inajumuisha faili ambazo sio maalum kwa mtumiaji, kama vile caches, preferences, cookies, na faili za usanidi wa property list (plist).
iOS apps kawaida hutumia subdirectories za Application Support na Caches, lakini app inaweza kuunda subdirectories za kawaida.
Library/Caches/
Inajumuisha faili za cache za muda mfupi.
Haionekani kwa watumiaji na watumiaji hawawezi kuandika ndani yake.
Yaliyomo katika kabrasha hili hayahifadhiwi kwenye chelezo.
OS inaweza kufuta faili za kabrasha hili kiotomatiki wakati app haifanyi kazi na nafasi ya kuhifadhi inapokuwa ndogo.
Library/Application Support/
Inajumuisha faili endelevu zinazohitajika kwa kuendesha app.
Haionekani kwa watumiaji na watumiaji hawawezi kuandika ndani yake.
Yaliyomo katika kabrasha hili yanahifadhiwa kwenye chelezo.
Programu inaweza kuzima paths kwa kuweka NSURLIsExcludedFromBackupKey.
Library/Preferences/
Inatumika kuhifadhi properties ambazo zinaweza kudumu hata baada ya programu kuanzishwa upya.
Taarifa zinahifadhiwa, bila encryption, ndani ya sandbox ya application katika faili ya plist iitwayo [BUNDLE_ID].plist.
Kila jozi ya key/value zilizohifadhiwa kwa kutumia NSUserDefaults zinaweza kupatikana katika faili hii.
tmp/
Tumia kabrasha hili kuandika faili za muda ambazo hazihitajiki kudumu kati ya uzinduzi za app.
Inajumuisha faili za cache zisizoendelevu.
Haionekani kwa watumiaji.
Yaliyomo katika kabrasha hili hayahifadhiwi kwenye chelezo.
OS inaweza kufuta faili za kabrasha hili kiotomatiki wakati app haifanyi kazi na nafasi ya kuhifadhi inapokuwa ndogo.

Let’s take a closer look at iGoat-Swift’s Application Bundle (.app) directory inside the Bundle directory (/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app):

OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # ls
NSFileType      Perms  NSFileProtection    ...  Name
------------  -------  ------------------  ...  --------------------------------------
Regular           420  None                ...  rutger.html
Regular           420  None                ...  mansi.html
Regular           420  None                ...  splash.html
Regular           420  None                ...  about.html

Regular           420  None                ...  LICENSE.txt
Regular           420  None                ...  Sentinel.txt
Regular           420  None                ...  README.txt

Binary Reversing

Ndani ya folda <application-name>.app utapata faili ya binary iitwayo <application-name>. Hili ndilo faili ambalo litatumika kutekelezwa. Unaweza kufanya ukaguzi wa msingi wa faili ya binary kwa kutumia zana otool:

otool -Vh DVIA-v2 #Check some compilation attributes
magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64    ARM64        ALL  0x00     EXECUTE    65       7112   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

otool -L DVIA-v2 #Get third party libraries
DVIA-v2:
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
@rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0)
[...]

Angalia ikiwa app imehifadhiwa kwa encryption

Tazama kama kuna output yoyote kwa:

otool -l <app-binary> | grep -A 4 LC_ENCRYPTION_INFO

Kuvunja binary

Vunjua sehemu ya text:

otool -tV DVIA-v2
DVIA-v2:
(__TEXT,__text) section
+[DDLog initialize]:
0000000100004ab8    sub    sp, sp, #0x60
0000000100004abc    stp    x29, x30, [sp, #0x50]   ; Latency: 6
0000000100004ac0    add    x29, sp, #0x50
0000000100004ac4    sub    x8, x29, #0x10
0000000100004ac8    mov    x9, #0x0
0000000100004acc    adrp    x10, 1098 ; 0x10044e000
0000000100004ad0    add    x10, x10, #0x268

Ili kuchapisha Objective-C segment ya programu ya mfano, unaweza kutumia:

otool -oV DVIA-v2
DVIA-v2:
Contents of (__DATA,__objc_classlist) section
00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog
isa        0x1004423a8 _OBJC_METACLASS_$_DDLog
superclass 0x0 _OBJC_CLASS_$_NSObject
cache      0x0 __objc_empty_cache
vtable     0x0
data       0x1003de748
flags          0x80
instanceStart  8

Ili kupata msimbo wa Objective-C wenye muundo mfupi zaidi unaweza kutumia class-dump:

class-dump some-app
//
//     Generated by class-dump 3.5 (64 bit).
//
//     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#pragma mark Named Structures

struct CGPoint {
double _field1;
double _field2;
};

struct CGRect {
struct CGPoint _field1;
struct CGSize _field2;
};

struct CGSize {
double _field1;
double _field2;
};

However, the best options to disassemble the binary are: Hopper and IDA.

Uhifadhi wa Data

To learn about how iOS stores data in the device read this page:

iOS Basics

Warning

Maeneo yafuatayo ya kuhifadhi taarifa yanapaswa kukaguliwa mara tu baada ya kusakinisha application, baada ya kukagua functionalities zote za application na hata baada ya kutoka (logout) kutoka kwa mtumiaji mmoja na kuingia (login) kwa mwingine.
Lengo ni kupata taarifa nyeti zisizo na ulinzi za application (passwords, tokens), za mtumiaji wa sasa na za watumiaji waliokuwa wameingia awali.

Plist

plist files are structured XML files that contains key-value pairs. It’s a way to store persistent data, so sometimes you may find sensitive information in these files. It’s recommended to check these files after installing the app and after using intensively it to see if new data is written.

The most common way to persist data in plist files is through the usage of NSUserDefaults. This plist file is saved inside the app sandbox in Library/Preferences/<appBundleID>.plist

The NSUserDefaults class provides a programmatic interface for interacting with the default system. The default system allows an application to customize its behaviour according to user preferences. Data saved by NSUserDefaults can be viewed in the application bundle. This class stores data in a plist file, but it’s meant to be used with small amounts of data.

This data cannot be longer accessed directly via a trusted computer, but can be accessed performing a backup.

You can dump the information saved using NSUserDefaults using objection’s ios nsuserdefaults get

To find all the plist of used by the application you can access to /private/var/mobile/Containers/Data/Application/{APPID} and run:

find ./ -name "*.plist"

Ili kubadilisha faili kutoka kwenye muundo wa XML or binary (bplist) kwenda XML, kuna njia mbalimbali kulingana na mfumo wako wa uendeshaji:

Kwa watumiaji wa macOS: Tumia amri ya plutil. Ni zana iliyojengwa ndani ya macOS (10.2+), iliyoundwa kwa ajili ya kusudi hili:

$ plutil -convert xml1 Info.plist

Kwa watumiaji wa Linux: Sakinisha libplist-utils kwanza, kisha tumia plistutil kubadilisha faili yako:

$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist

Ndani ya Objection Session: Kwa kuchambua programu za rununu, amri maalum inakuwezesha kubadilisha faili za plist moja kwa moja:

ios plist cat /private/var/mobile/Containers/Data/Application/<Application-UUID>/Library/Preferences/com.some.package.app.plist

Core Data

Core Data ni framework kwa kusimamia tabaka la modeli la vitu katika application yako. Core Data can use SQLite as its persistent store, lakini framework yenyewe si database.
CoreData haifanyi encrypt data zake kwa default. Hata hivyo, layer ya encryption ya ziada inaweza kuongezwa kwenye CoreData. Angalia the GitHub Repo kwa maelezo zaidi.

Unaweza kupata taarifa za SQLite Core Data za application katika path /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support

Kama unaweza kufungua SQLite na kupata taarifa nyeti, basi umebaini mipangilio potofu (misconfiguration).

-(void)storeDetails {
AppDelegate * appDelegate = (AppDelegate *)(UIApplication.sharedApplication.delegate);

NSManagedObjectContext *context =[appDelegate managedObjectContext];

User *user = [self fetchUser];
if (user) {
return;
}
user = [NSEntityDescription insertNewObjectForEntityForName:@"User"
inManagedObjectContext:context];
user.email = CoreDataEmail;
user.password = CoreDataPassword;
NSError *error;
if (![context save:&error]) {
NSLog(@"Error in saving data: %@", [error localizedDescription]);

}else{
NSLog(@"data stored in core data");
}
}

YapDatabase

YapDatabase ni key/value store iliyojengwa juu ya SQLite.
Kwa kuwa Yap databases ni sqlite databases, unaweza kuzipata ukitumia amri iliyotajwa katika sehemu iliyopita.

Databases Nyingine za SQLite

Ni kawaida kwa applications kuunda database zao za sqlite. Zinaweza kuhifadhi data nyeti ndani yao na kuiacha isiyofichwa. Kwa hivyo, ni muhimu kila mara kuangalia kila database ndani ya directory ya application. Kwa hivyo nenda kwenye directory ya application ambapo data imehifadhiwa (/private/var/mobile/Containers/Data/Application/{APPID})

find ./ -name "*.sqlite" -or -name "*.db"

Firebase Real-Time Databases

Waendelezaji wanaweza kuhifadhi na kusawazisha data ndani ya NoSQL cloud-hosted database kupitia Firebase Real-Time Databases. Data, zilizohifadhiwa kwa muundo wa JSON, zinasawazishwa kwa wateja wote waliounganishwa katika wakati halisi.

Unaweza kupata jinsi ya kuangalia Firebase databases zenye mipangilio isiyo sahihi hapa:

Firebase Database

Realm databases

Realm Objective-C na Realm Swift zinatoa mbadala wenye nguvu kwa uhifadhi wa data, ambao haujatolewa na Apple. Kwa default, zinahifadhi data bila kusimbwa, na encryption inapatikana kupitia configuration maalum.

Databases ziko katika: /private/var/mobile/Containers/Data/Application/{APPID}. Kuchunguza mafaili haya, mtu anaweza kutumia amri kama:

iPhone:/private/var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents root# ls
default.realm  default.realm.lock  default.realm.management/  default.realm.note|

$ find ./ -name "*.realm*"

Kwa kuangalia faili hizi za database, chombo cha Realm Studio kinapendekezwa.

Ili kutekeleza encryption ndani ya database ya Realm, kipande cha msimbo kifuatacho kinaweza kutumika:

// Open the encrypted Realm file where getKey() is a method to obtain a key from the Keychain or a server
let config = Realm.Configuration(encryptionKey: getKey())
do {
let realm = try Realm(configuration: config)
// Use the Realm as normal
} catch let error as NSError {
// If the encryption key is wrong, `error` will say that it's an invalid database
fatalError("Error opening realm: \(error)")
}

Hifadhidata za Couchbase Lite

Couchbase Lite inafafanuliwa kama nyepesi na iliyojumuishwa injini ya hifadhidata inayotumia njia ya inayolenga nyaraka (NoSQL). Imeundwa kuwa asilia kwa iOS na macOS, na inatoa uwezo wa kusawazisha data bila mshono.

Ili kutambua hifadhidata za Couchbase zinazoweza kuwepo kwenye kifaa, saraka ifuatayo inapaswa kuchunguzwa:

ls /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support/

Cookies

iOS huhifadhi cookies za apps katika Library/Cookies/cookies.binarycookies ndani ya kila folda ya app. Hata hivyo, waendelezaji wakati mwingine huamua kuzihifadhi katika keychain kwa sababu faili ya cookie iliyotajwa inaweza kupatikana kwenye backups.

Ili kuchunguza faili ya cookies unaweza kutumia this python script au tumia objection kwa ios cookies get.
Unaweza pia kutumia objection ili kubadilisha mafaili haya kuwa muundo wa JSON na kuchunguza data.

...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json
[
{
"domain": "highaltitudehacks.com",
"expiresDate": "2051-09-15 07:46:43 +0000",
"isHTTPOnly": "false",
"isSecure": "false",
"name": "username",
"path": "/",
"value": "admin123",
"version": "0"
}
]

Cache

Kwa default NSURLSession huhifadhi data, kama vile HTTP requests and responses in the Cache.db database. Hii database inaweza kuwa na sensitive data, ikiwa tokens, usernames au taarifa nyingine nyeti zime-cache-uliwa. Ili kupata taarifa zilizokaa kwenye cache fungua data directory ya app (/var/mobile/Containers/Data/Application/<UUID>) kisha nenda /Library/Caches/<Bundle Identifier>. The WebKit cache is also being stored in the Cache.db file. Objection inaweza kufungua na kuingiliana na database kwa amri sqlite connect Cache.db, kwani ni normal SQLite database.

Inashauriwa recommended to disable Caching this data, kwani inaweza kuwa na taarifa nyeti katika request au response. Orodha ifuatayo inaonyesha njia tofauti za kufanikisha hili:

Inashauriwa kuondoa Cached responses baada ya logout. Hii inaweza kufanywa kwa kutumia method iliyotolewa na Apple iitwayo removeAllCachedResponses Unaweza kuita method hii kama ifuatavyo:

URLCache.shared.removeAllCachedResponses()

Hii method itaondoa all cached requests and responses kutoka katika Cache.db file.

Ikiwa huna haja ya kutumia faida ya cookies inashauriwa kutumia tu property ya configuration .ephemeral ya URLSession, ambayo ita-disable saving cookies na Caches.

Apple documentation:

An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn’t store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.

Cache pia inaweza kuzimwa kwa kuweka Cache Policy kuwa .notAllowed. Hii ita-disable storing Cache kwa njia yoyote, iwe katika memory au kwenye disk.

Snapshots

Kila unapobofya kitufe cha nyumbani, iOS takes a snapshot of the current screen ili kufanya transition kwenda application iwe laini zaidi. Hata hivyo, ikiwa sensitive data ipo kwenye skrini ya sasa, itahifadhiwa kwa saved kwenye image (ambayo persists across reboots). Hizi ndizo snapshots ambazo pia unaweza kuziona ukibofya mara mbili kitufe cha nyumbani kubadili kati ya apps.

Isipokuwa iPhone imejailbreak, attacker anahitaji kuwa na access kwa device ili kuona screenshots hizi. Kwa default snapshot ya mwisho huhifadhiwa kwenye sandbox ya application katika Library/Caches/Snapshots/ au Library/SplashBoard/Snapshots folda (trusted computers hawawezi kufikia filesystem tangu iOX 7.0).

Njia moja ya kuzuia mwenendo huu mbaya ni kuweka skrini tupu au kuondoa data nyeti kabla ya kuchukua snapshot kwa kutumia function ApplicationDidEnterBackground().

Hapa kuna mfano wa method ya kuremediation ambayo itaweka default screenshot.

Swift:

private var backgroundImage: UIImageView?

func applicationDidEnterBackground(_ application: UIApplication) {
let myBanner = UIImageView(image: #imageLiteral(resourceName: "overlayImage"))
myBanner.frame = UIScreen.main.bounds
backgroundImage = myBanner
window?.addSubview(myBanner)
}

func applicationWillEnterForeground(_ application: UIApplication) {
backgroundImage?.removeFromSuperview()
}

Objective-C:

@property (UIImageView *)backgroundImage;

- (void)applicationDidEnterBackground:(UIApplication *)application {
UIImageView *myBanner = [[UIImageView alloc] initWithImage:@"overlayImage.png"];
self.backgroundImage = myBanner;
self.backgroundImage.bounds = UIScreen.mainScreen.bounds;
[self.window addSubview:myBanner];
}

- (void)applicationWillEnterForeground:(UIApplication *)application {
[self.backgroundImage removeFromSuperview];
}

Hii inaweka picha ya background kuwa overlayImage.png kila programu inapokuwa backgrounded. Inazuia sensitive data leaks kwa sababu overlayImage.png kila wakati itaandika juu ya muonekano wa sasa.

Keychain

Kwa kufikia na kusimamia iOS keychain, zana kama Keychain-Dumper zinapatikana, zinazofaa kwa vifaa vya jailbroken. Zaidi ya hayo, Objection inatoa amri ios keychain dump kwa madhumuni sawa.

Kuhifadhi Kredensiali

Class ya NSURLCredential ni bora kwa kuhifadhi taarifa nyeti moja kwa moja kwenye keychain, ikiepuka haja ya NSUserDefaults au wrappers nyingine. Ili kuhifadhi kredensiali baada ya kuingia, kodhi ifuatayo ya Swift inatumiwa:

NSURLCredential *credential;
credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent];
[[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential forProtectionSpace:self.loginProtectionSpace];

Ili kutoa cheti hizi zilizo hifadhiwa, amri ya Objection ios nsurlcredentialstorage dump inatumiwa.

Kibodi za Custom na Cache ya Kibodi

Kuanzia iOS 8.0, watumiaji wanaweza kusanisha extensions za kibodi za custom, ambazo zinaweza kusimamiwa chini ya Settings > General > Keyboard > Keyboards. Ingawa kibodi hizi zinatoa utendakazi ulioboreshwa, zinaweza kusababisha hatari ya keystroke logging na uhamishaji wa data kwenda kwa seva za nje, ingawa watumiaji wanaarifiwa kuhusu kibodi zinazohitaji ufikiaji wa network. Apps zinaweza, na zinapaswa, kuweka vikwazo kwa matumizi ya kibodi za custom wakati wa kuingiza taarifa nyeti.

Mapendekezo ya Usalama:

Inashauriwa kuzima kibodi za wahusika wa tatu ili kuongeza usalama.
Kuwa makini na vipengele vya autocorrect na auto-suggestions vya kibodi ya chaguo-msingi ya iOS, ambavyo vinaweza kuhifadhi taarifa nyeti katika faili za cache zilizopo Library/Keyboard/{locale}-dynamic-text.dat au /private/var/mobile/Library/Keyboard/dynamic-text.dat. Faili hizi za cache zinapaswa kukaguliwa mara kwa mara kwa ajili ya data nyeti. Inapendekezwa kurudisha kamusi ya kibodi kupitia Settings > General > Reset > Reset Keyboard Dictionary ili kufuta data zilizohifadhiwa kwenye cache.
Kukamata trafiki ya network kunaweza kufichua kama kibodi ya custom inatuma keystrokes kwa njia ya mbali.

Kuzuia Caching ya Sehemu za Maandishi

The UITextInputTraits protocol offers properties to manage autocorrection and secure text entry, essential for preventing sensitive information caching. For example, disabling autocorrection and enabling secure text entry can be achieved with:

textObject.autocorrectionType = UITextAutocorrectionTypeNo;
textObject.secureTextEntry = YES;

Zaidi ya hayo, waendelezaji wanapaswa kuhakikisha kuwa mashamba ya maandishi, hasa yale ya kuingiza taarifa nyeti kama passwords na PINs, yanazuia kuhifadhi kwenye cache kwa kuweka autocorrectionType kuwa UITextAutocorrectionTypeNo na secureTextEntry kuwa YES.

UITextField *textField = [[UITextField alloc] initWithFrame:frame];
textField.autocorrectionType = UITextAutocorrectionTypeNo;

Logs

Kudebugi code mara nyingi kunahusisha matumizi ya logging. Kuna hatari kwani logs zinaweza kuwa na habari nyeti. Hapo awali, katika iOS 6 na matoleo ya awali, logs zilikuwa zinapatikana kwa apps zote, ikisababisha hatari ya sensitive data leakage. Sasa, applications zimewekwa kikomo kufikia logs zao pekee.

Licha ya vikwazo hivi, mshambuliaji mwenye ufikiaji wa kimwili kwa kifaa kilichofunguliwa anaweza bado kutumia hili kwa kuunganisha kifaa kwa kompyuta na kusoma logs. Ni muhimu kutambua kwamba logs hubaki kwenye disk hata baada ya app kuondolewa.

Ili kupunguza hatari, inapendekezwa kuingiliana kwa kina na app, ukichunguza functionalities zote na inputs ili kuhakikisha hakuna taarifa nyeti zinazoandikwa bila kukusudi.

Unapokagua source code ya app kwa potential leaks, tafuta taarifa za predefined na custom logging statements ukitumia maneno muhimu kama NSLog, NSAssert, NSCAssert, fprintf kwa built-in functions, na marejeo yoyote ya Logging au Logfile kwa custom implementations.

Monitoring System Logs

Apps log various pieces of information which can be sensitive. To monitor these logs, tools and commands like:

idevice_id --list   # To find the device ID
idevicesyslog -u <id> (| grep <app>)   # To capture the device logs

zinasaidia. Zaidi ya hayo, Xcode hutoa njia ya kukusanya console logs:

Fungua Xcode.
Unganisha kifaa cha iOS.
Nenda kwenye Window -> Devices and Simulators.
Chagua kifaa chako.
Sababisha tatizo unalolichunguza.
Tumia kitufe cha Open Console ili kuona logs katika dirisha jipya.

Kwa ufuatiliaji wa logi wa kisasa zaidi, kuunganishwa kwenye shell ya kifaa na kutumia socat kunaweza kutoa ufuatiliaji wa logi kwa wakati-halisi:

iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock

Ikifuatiwa na amri za kuangalia shughuli za log, ambazo zinaweza kuwa muhimu sana kwa kugundua matatizo au kubaini uwezekano wa data leakage katika logi.

Chelezo

Vipengele vya auto-backup vimejumuishwa ndani ya iOS, vikirahisisha uundaji wa nakala za data za kifaa kupitia iTunes (hadi macOS Catalina), Finder (kuanzia macOS Catalina), au iCloud. Chelezo hizi zinajumuisha karibu data zote za kifaa, isipokuwa vipengele vya kiwango cha juu vya usiri kama maelezo ya Apple Pay na usanidi wa Touch ID.

Hatari za Usalama

Ujumuishaji wa installed apps and their data katika chelezo unasababisha suala la uwezekano wa data leakage na hatari kwamba backup modifications could alter app functionality. Inashauriwa kutohifadhi taarifa nyeti kwa fomu isiyosimbwa (plaintext) ndani ya saraka yoyote ya app au saraka zake ndogo ili kupunguza hatari hizi.

Kuondoa Faili kutoka kwa Chelezo

Faili katika Documents/ na Library/Application Support/ huchelezwa kwa chaguo-msingi. Waendelezaji wanaweza kuondoa faili maalum au saraka kutoka kwenye chelezo kwa kutumia NSURL setResourceValue:forKey:error: pamoja na NSURLIsExcludedFromBackupKey. Mazoezi haya ni muhimu kwa kulinda data nyeti isijajumuishwa katika chelezo.

Kupima Udhaifu

Ili kutathmini usalama wa chelezo la app, anza kwa kuunda chelezo kutumia Finder, kisha ukipate kwa kufuata mwongozo kutoka kwa nyaraka rasmi za Apple. Changanua chelezo kwa ajili ya data nyeti au usanidi ambao unaweza kubadilishwa ili kuathiri tabia ya app.

Taarifa nyeti zinaweza kutafutwa kwa kutumia zana za command-line au programu kama iMazing. Kwa chelezo zilizofichwa, uwepo wa encryption unaweza kuthibitishwa kwa kukagua ufunguo “IsEncrypted” katika faili “Manifest.plist” kwenye mzizi wa chelezo.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
...
<key>Date</key>
<date>2021-03-12T17:43:33Z</date>
<key>IsEncrypted</key>
<true/>
...
</plist>

For dealing with encrypted backups, Python scripts available in DinoSec’s GitHub repo, like backup_tool.py and backup_passwd.py, may be useful, albeit potentially requiring adjustments for compatibility with the latest iTunes/Finder versions. The iOSbackup tool is another option for accessing files within password-protected backups.

Kubadilisha Tabia za App

Mfano wa kubadilisha tabia ya app kupitia marekebisho ya backup unaonyeshwa katika the Bither bitcoin wallet app, ambapo UI lock PIN imehifadhiwa ndani ya net.bither.plist chini ya ufunguo pin_code. Kuondoa ufunguo huu kutoka kwa plist na kurejesha backup kunafuta hitaji la PIN, na kutoa upatikanaji bila vikwazo.

Muhtasari kuhusu Upimaji wa Kumbukumbu kwa Data Nyeti

Unaposhughulikia taarifa nyeti zilizohifadhiwa katika memory ya programu, ni muhimu kupunguza muda wa ufichuzi wa data hii. Kuna mbinu kuu mbili za kuchunguza maudhui ya memory: creating a memory dump na analyzing the memory in real time. Mbinu zote mbili zina changamoto zao, ikiwa ni pamoja na uwezekano wa kukosa data muhimu wakati wa mchakato wa dump au uchambuzi.

Retrieving and Analyzing a Memory Dump

For both jailbroken and non-jailbroken devices, tools like objection and Fridump allow for the dumping of an app’s process memory. Once dumped, analyzing this data requires various tools, depending on the nature of the information you’re searching for.

Ili kuchota strings kutoka kwa memory dump, amri kama strings au rabin2 -zz zinaweza kutumika:

# Extracting strings using strings command
$ strings memory > strings.txt

# Extracting strings using rabin2
$ rabin2 -ZZ memory > strings.txt

Kwa uchambuzi wa kina zaidi, ikiwa ni pamoja na kutafuta aina maalum za data au mifumo, radare2 hutoa uwezo mpana wa utafutaji:

$ r2 <name_of_your_dump_file>
[0x00000000]> /?
...

Uchambuzi wa Kumbukumbu Wakati wa Uendeshaji

r2frida inatoa mbadala wenye nguvu kwa kuchunguza kumbukumbu ya app kwa wakati halisi, bila kuhitaji memory dump. Chombo hiki kinawawezesha kutekeleza amri za utafutaji moja kwa moja kwenye kumbukumbu ya app inayokimbia:

$ r2 frida://usb//<name_of_your_app>
[0x00000000]> /\ <search_command>

Kriptografia Imevunjika

Michakato Duni ya Usimamizi wa Funguo

Baadhi ya waendelezaji huhifadhi data nyeti kwenye local storage na kui-encrypt kwa key iliyowekwa moja kwa moja/predictable ndani ya code. Hii haipaswi kufanywa kwani reversing inaweza kumruhusu attackers kutoa taarifa za siri.

Use of Insecure and/or Deprecated Algorithms

Waendelezaji hawapaswi kutumia deprecated algorithms kutekeleza ukaguzi wa authorisation (checks), store au send data. Baadhi ya algorithms hizi ni: RC4, MD4, MD5, SHA1… Ikiwa hashes zinatumiwa kuhifadhi nywila kwa mfano, lazima zitumie hash ambazo ni brute-force resistant pamoja na salt.

Check

Maangizo ya msingi ya kufanya ni kutafuta ikiwa kuna nywila/siri zilizo hardcoded ndani ya code, au ikiwa hizi ni predictable, na ikiwa code inatumia aina za weak cryptography algorithms.

Inavutia kujua kuwa unaweza monitor baadhi ya crypto libraries kwa njia ya moja kwa moja kwa kutumia objection pamoja na:

ios monitor crypt

For more information about iOS cryptographic APIs and libraries access https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography

Uthibitishaji wa Ndani

Uthibitishaji wa ndani una jukumu muhimu, hasa linapohusu kulinda ufikiaji kwenye endpoint ya mbali kupitia mbinu za kriptografia. Kiini hapa ni kwamba bila utekelezaji sahihi, mifumo ya uthibitishaji wa ndani inaweza kupitishwa kwa urahisi.

Apple’s Local Authentication framework na keychain zinatoa API imara kwa developers ili kuwasilisha dialog za uthibitishaji wa mtumiaji na kushughulikia kwa usalama data nyeti, mtawaliwa. Secure Enclave inalinda fingerprint ID kwa Touch ID, wakati Face ID inategemea utambuzi wa uso bila kuathiri data za biometric.

Ili kuingiza Touch ID/Face ID, developers wana chaguzi mbili za API:

LocalAuthentication.framework kwa uthibitishaji wa juu-wa-ngazi wa mtumiaji bila ufikiaji wa data za biometric.
Security.framework kwa ufikiaji wa huduma za keychain za ngazi ya chini, ikilinda data nyeti kwa uthibitishaji wa biometric. Various open-source wrappers zinafanya ufikiaji wa keychain kuwa rahisi zaidi.

Caution

Hata hivyo, both LocalAuthentication.framework na Security.framework zinaonyesha udhaifu, kwani kwa kawaida hurudisha boolean values bila kupeleka data kwa ajili ya mchakato wa uthibitishaji, jambo ambalo linaweza kufanya ziwe rahisi kupitishwa (angalau rejea Don’t touch me that way, by David Lindner et al).

Kutekeleza Uthibitishaji wa Ndani

Ili kuomba mtumiaji afanye uthibitishaji, developers wanapaswa kutumia method ya evaluatePolicy ndani ya class ya LAContext, wakichagua kati ya:

deviceOwnerAuthentication: Inaonyesha ombi la Touch ID au device passcode, ikishindwa ikiwa hakuna kati ya hizo imewezeshwa.
deviceOwnerAuthenticationWithBiometrics: Inaonyesha ombi la Touch ID pekee.

Uthibitishaji uliofanikiwa unaonyeshwa kwa thamani ya boolean inayorudishwa na evaluatePolicy, jambo linalobainisha hitilafu inayowezekana ya usalama.

Uthibitishaji wa Ndani ukitumia Keychain

Kutekeleza uthibitishaji wa ndani katika apps za iOS kunahusisha matumizi ya API za keychain kuhifadhi kwa usalama data nyeti kama tokens za uthibitishaji. Mchakato huu unahakikisha kwamba data inaweza kufikiwa tu na mtumiaji, kwa kutumia device passcode yao au uthibitishaji wa biometric kama Touch ID.

Keychain inatoa uwezo wa kuweka items kwa sifa ya SecAccessControl, ambayo inazuia ufikiaji wa item hadi mtumiaji athibitishe kwa mafanikio kupitia Touch ID au device passcode. Kipengele hiki ni muhimu kwa kuboresha usalama.

Hapa chini kuna mifano ya code kwa Swift na Objective-C inayoonyesha jinsi ya kuhifadhi na kupata string kwa/from keychain, ikitumia vipengele hivi vya usalama. Mifano inaonyesha hasa jinsi ya kusanidi access control ili kuhitaji uthibitishaji wa Touch ID na kuhakikisha data inapatikana tu kwenye kifaa ambacho ilianzishwa, chini ya sharti kwamba device passcode imewekwa.

// From https://github.com/mufambisi/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md

// 1. create AccessControl object that will represent authentication settings

var error: Unmanaged<CFError>?

guard let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
SecAccessControlCreateFlags.biometryCurrentSet,
&error) else {
// failed to create AccessControl object

return
}

// 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute

var query: [String: Any] = [:]

query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecAttrAccount as String] = "OWASP Account" as CFString
query[kSecValueData as String] = "test_strong_password".data(using: .utf8)! as CFData
query[kSecAttrAccessControl as String] = accessControl

// 3. save item

let status = SecItemAdd(query as CFDictionary, nil)

if status == noErr {
// successfully saved
} else {
// error while saving
}

// 1. create AccessControl object that will represent authentication settings
CFErrorRef *err = nil;

SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
kSecAccessControlUserPresence,
err);

// 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute
NSDictionary* query = @{
(_ _bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecAttrLabel: @"com.me.myapp.password",
(__bridge id)kSecAttrAccount: @"OWASP Account",
(__bridge id)kSecValueData: [@"test_strong_password" dataUsingEncoding:NSUTF8StringEncoding],
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacRef
};

// 3. save item
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, nil);

if (status == noErr) {
// successfully saved
} else {
// error while saving
}

Sasa tunaweza kuomba kipengee kilichohifadhiwa kutoka kwa keychain. Keychain services zitamwonyesha mtumiaji dirisha la uthibitishaji na kurudisha data au nil, kulingana na ikiwa alama ya vidole inayofaa ilitolewa au la.

// 1. define query
var query = [String: Any]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecReturnData as String] = kCFBooleanTrue
query[kSecAttrAccount as String] = "My Name" as CFString
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecUseOperationPrompt as String] = "Please, pass authorisation to enter this area" as CFString

// 2. get item
var queryResult: AnyObject?
let status = withUnsafeMutablePointer(to: &queryResult) {
SecItemCopyMatching(query as CFDictionary, UnsafeMutablePointer($0))
}

if status == noErr {
let password = String(data: queryResult as! Data, encoding: .utf8)!
// successfully received password
} else {
// authorization not passed
}

// 1. define query
NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecReturnData: @YES,
(__bridge id)kSecAttrAccount: @"My Name1",
(__bridge id)kSecAttrLabel: @"com.me.myapp.password",
(__bridge id)kSecUseOperationPrompt: @"Please, pass authorisation to enter this area" };

// 2. get item
CFTypeRef queryResult = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &queryResult);

if (status == noErr){
NSData* resultData = ( __bridge_transfer NSData* )queryResult;
NSString* password = [[NSString alloc] initWithData:resultData encoding:NSUTF8StringEncoding];
NSLog(@"%@", password);
} else {
NSLog(@"Something went wrong");
}

Utambuzi

Matumizi ya frameworks katika app pia yanaweza kutambuliwa kwa kuchanganua orodha ya shared dynamic libraries ya binary ya app. Hii inaweza kufanywa kwa kutumia otool:

$ otool -L <AppName>.app/<AppName>

Ikiwa LocalAuthentication.framework imetumika katika app, output itajumuisha mistari yote miwili ifuatayo (kumbuka kwamba LocalAuthentication.framework inategemea Security.framework):

/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication
/System/Library/Frameworks/Security.framework/Security

If Security.framework is used, only the second one will be shown.

Local Authentication Framework Bypass

Objection

Kupitia Objection Biometrics Bypass, located at this GitHub page, kuna mbinu ya kushinda mfumo wa LocalAuthentication. Msingi wa mbinu hii ni kutumia Frida kubadilisha kazi ya evaluatePolicy, kuhakikisha kila mara inarudisha True, bila kuzingatia matokeo halisi ya uthibitisho. Hii ni hasa muhimu kuepuka taratibu za uthibitishaji za biometric ambazo zina kasoro.

Ili kuwezesha bypass hii, amri ifuatayo inatumiwa:

...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass
(agent) Registering job 3mhtws9x47q. Type: ios-biometrics-disable
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # (agent) [3mhtws9x47q] Localized Reason for auth requirement: Please authenticate yourself
(agent) [3mhtws9x47q] OS authentication response: false
(agent) [3mhtws9x47q] Marking OS response as True instead
(agent) [3mhtws9x47q] Biometrics bypass hook complete

Amri hii inaanzisha mfululizo ambapo Objection anasajili task ambayo kwa ufanisi inabadilisha matokeo ya ukaguzi wa evaluatePolicy kuwa True.

Frida

Mfano wa matumizi ya evaluatePolicy kutoka DVIA-v2 application:

+(void)authenticateWithTouchID {
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = @"Please authenticate yourself";

if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"];
});
} else {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Authentication Failed !" withTitle:@"Error"];
});
}
}];
} else {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"];
});
}
}

Ili kufanikisha bypass ya Local Authentication, Frida script imeandikwa. Script hii inalenga ukaguzi wa evaluatePolicy, ikikamata callback yake ili kuhakikisha inarudisha success=1. Kwa kubadilisha tabia ya callback, ukaguzi wa authentication unavukwa kwa ufanisi.

Script hapa chini ime injected ili kubadilisha matokeo ya evaluatePolicy method. Inabadilisha matokeo ya callback ili kila wakati yaonyeshe success.

// from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/
if(ObjC.available) {
console.log("Injecting...");
var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
Interceptor.attach(hook.implementation, {
onEnter: function(args) {
var block = new ObjC.Block(args[4]);
const callback = block.implementation;
block.implementation = function (error, value)  {

console.log("Changing the result value to true")
const result = callback(1, null);
return result;
};
},
});
} else {
console.log("Objective-C Runtime is not available!");
}

Ili kuingiza script ya Frida na kupitisha uthibitishaji wa biometriki, amri ifuatayo inatumiwa:

frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-ios.js

Ufichuzi wa Utendaji Nyeti Kupitia IPC

Mawasiliano ya Mtandao

Ni muhimu kukagua kwamba hakuna mawasiliano yanayotokea bila encryption na pia kwamba programu inathibitisha kwa usahihi TLS certificate ya server.
Ili kukagua aina hizi za matatizo unaweza kutumia proxy kama Burp:

iOS Burp Suite Configuration

Ukaguzi wa Hostname

Tatizo moja linalotokea mara kwa mara wakati wa kuthibitisha TLS certificate ni kuthibitisha kwamba certificate ilisainiwa na CA aminika, lakini kutoangalia kama hostname ya certificate ndiyo hostname inayofikiwa.
Ili kukagua tatizo hili ukitumia Burp, baada ya kuamini Burp CA kwenye iPhone, unaweza kuunda certificate mpya na Burp kwa hostname tofauti na kuitumia. Ikiwa programu bado inafanya kazi, basi kuna udhaifu.

Certificate Pinning

Ikiwa programu inatumia vizuri SSL Pinning, basi programu itafanya kazi tu ikiwa certificate ni ile inayotarajiwa. Wakati wa kujaribu programu hii inaweza kuwa tatizo kwa sababu Burp itawasilisha certificate yake mwenyewe.
Ili kuzunguka ulinzi huu ndani ya kifaa kilicho-jailbroken, unaweza kusakinisha programu SSL Kill Switch au kusakinisha Burp Mobile Assistant

Unaweza pia kutumia objection ios sslpinning disable

Mengine

Katika /System/Library unaweza kupata frameworks zilizowekwa kwenye simu zinazotumika na programu za mfumo
Programu zilizowekwa na mtumiaji kutoka kwenye App Store ziko ndani ya /User/Applications
Na /User/Library ina data iliyohifadhiwa na programu za ngazi ya mtumiaji
Unaweza kufikia /User/Library/Notes/notes.sqlite kusoma noti zilizohifadhiwa ndani ya programu.
Ndani ya folda ya programu iliyosakinishwa (/User/Applications/<APP ID>/) unaweza kupata faili za kuvutia:
- iTunesArtwork: Ikoni inayotumika na app
- iTunesMetadata.plist: Taarifa za app zinazotumiwa kwenye App Store
- /Library/*: Inajumuisha preferences na cache. Katika /Library/Cache/Snapshots/* unaweza kupata snapshot iliyofanywa kwa programu kabla ya kuisukuma kwenda background.

Hot Patching/Enforced Updateing

Waendelezaji wanaweza kutengeneza patch kwa mbali kwa kila usakinishaji wa app zao papo hapo bila kuwasilisha tena programu kwenye App Store na kusubiri idhini.
Kwa kusudi hili kawaida hutumiwa JSPatch. Lakini kuna chaguzi nyingine pia kama Siren na react-native-appstore-version-checker.
Hii ni mekanisimu hatari ambayo inaweza kutumiwa vibaya na SDKs za pihakati zenye nia mbaya; kwa hivyo inashauriwa kukagua ni njia gani inatumika kwa updates za moja kwa moja (ikiwa ipo) na kuijaribu. Unaweza kujaribu kupakua toleo la zamani la app kwa kusudi hili.

Third Parties

Changamoto kubwa na 3rd party SDKs ni kukosa udhibiti wa kina juu ya uwezo wao. Waendelezaji wanapaswa kuchagua: kuingiza SDK na kukubali sifa zake zote, ikiwa ni pamoja na udhaifu wa usalama na masuala ya faragha, au kukosa faida zake kabisa. Mara nyingi, waendelezaji hawawezi kutengeneza patch kwa udhaifu ndani ya SDK hizi wenyewe. Zaidi ya hayo, kadri SDK zinavyozidi kuaminiwa na jumuiya, baadhi zinaweza kuanza kujumuisha malware.

Huduma zinazotolewa na third-party SDKs zinaweza kujumuisha ufuatiliaji wa tabia za watumiaji, onyesho la matangazo, au maboresho ya uzoefu wa mtumiaji. Hata hivyo, hii inaleta hatari kwa kuwa waendelezaji hawana ufahamu kamili wa code inayotekelezwa na maktaba hizi, jambo linaloweza kusababisha hatari za faragha na usalama. Ni muhimu kupunguza taarifa zinazoshirikiwa na huduma za pihakati kwa kile tu kinachohitajika na kuhakikisha kwamba hakuna data nyeti inayofichuliwa.

Utekelezaji wa huduma za pihakati kawaida huja kwa aina mbili: maktaba huru au SDK kamili. Ili kulinda faragha ya mtumiaji, data yoyote inayoshirikiwa na huduma hizi inapaswa kuwekwa bila utambulisho (anonymized) ili kuzuia ufichuzi wa Personal Identifiable Information (PII).

Ili kubaini maktaba programu inazitumia, amri ya otool inaweza kutumika. Chombo hiki kinapaswa kukimbizwa dhidi ya programu na kila shared library inayotumiwa ili kugundua maktaba za ziada.

otool -L <application_path>

Udhaifu Zinazivutia & Masomo ya Kesi

Air Keyboard Remote Input Injection

Itunesstored Bookassetd Sandbox Escape

Marejeo & Rasilimali Zaidi

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!

Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.

Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.