iOS Hacking: Advanced Pentest & Forensic Techniques

Editor's Notes

• #6: • Encryption and data protection: The architecture and design that protects user data if the device is lost or stolen, or if an unauthorized person attempts to use or modify it. • App security: The systems that enable apps to run securely and without compromising platform integrity. • Network security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission. Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. On a device with an A7 or later A-series processor, the Secure Enclave is a coprocessor also utilizes System Software Authorization to ensure the integrity of its software and prevent downgrade installations. (Secure enclave) IT provides all the cryptographic operations for data protection key The Secure Enclave uses encrypted memory and includes a hardware random number generator Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers. The keys for both file and keychain Data Protection classes are collected and managed in keybags System keybag is where the wrapped class keys used in normal operation of the device are stored. Backup keybag is created when an encrypted backup is made by iTunes and stored on the computer to which the device is backed up
• #7: The MAC Framework defines four interfaces: the KSI (Kernel service entry point) from kernel services to the framework, the API from policy-agnostic user commands to the framework, the KPI between the framework and access control policy modules, and an additional debugging and tracing. KPI between the framework and access control policy modules, and an additional debugging and tracing interface via DTrace probes not shown in this illustration. Kernel programming interface (KPI) is called by kernel services, such as the Virtual File System (VFS) and Inter-Process Communication (IPC), to notify the MAC Frame-work of object events such as allocation and destruction, and to perform access control check KPI between the framework and access control policy modules, and an additional debugging and tracing interface via DTrace probes not shown in this illustration
• #8: Sandboxing an application begins with a call to the system function Sandbox_init . This function uses the libsandbox.dylib library to turn a human readable policy definition Mac syscall system call handledby the TrustedBSD subsystem TrustedBSD will pass the sandbox initialization request o the Sandbox.kext kernel extension for processing. The kernel extension will install the sandbox profile rules for the current process. Upon completion, a success return value will be passed back out of the kernel Once the sandbox is initialized, function calls hooked by the TrustedBSD layer will pass Through Sandbox.kext for policy enforcement
• #9: Thee sandbox is implemented via a policy module for the TrustedBSD MAC framework user space configurable per process profile even though all 3rd party apps run as the user “mobile” they all have different sandboxes (but they also run with the same sandbox profile) components user space library functions for configuring and starting the sandbox a kernel extension to enforce individual policies a kernel support extension (with regular expression support) to evaluate policy restrictions a Mach server for handling logging (also holds prebuilt configurations
• #10: kSBXProfileNoInternet->TCP/IP networking is prohibited. kSBXProfileNoNetwork->All sockets-based networking is prohibited. kSBXProfileNoWrite -> File system writes are prohibited. kSBXProfileNoWriteExceptTemporary->File system writes are restricted to the temporary folder /var/tmp and the folder specified by the confstr(3) configuration variable _CS_DARWIN_USER_TEMP_DIR. kSBXProfilePureComputation-> All operating system services are prohibited. Undocumented: MobileMail UNIX sockets cannot be used. /var/mobile/Applications/* , /var/mobile/Media/* (except DCIM/, com.apple.itdbprep.postprocess.lock and com.apple.itunes.lock_sync) , /var/mobile/Library/Caches/com.apple.mobile.installation.plist , /usr/sbin/fairplayd -> Thesefiles and directories cannot be read apsd, mDNSResponder -> The filesystem cannot be accessed at all.
• #11: The per-file key is unwrapped with the class key, then supplied to the hardware AES engine, which decrypts the file as it is read from flash memory. Every time a file on the data partition is created, Data Protection creates a new 256-bit key (the “per-file” key) and gives it to the hardware AES engine, which uses the key to encrypt the file as it is written to flash memory using AES CBC mode. The initialization vector (IV) is calculated with the block offset into the file, encrypted with the SHA-1 hash of the per-file key.
• #12: Complete Protection (NSFileProtectionComplete): The class key is protected with a key derived from the user passcode and the device UID. Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again. SData constants begin with NSDataWritingFileProtection…. …None — The file is not protected and can be read or written at any time. This is the default value. …Complete — Any file with this setting is protected ten seconds after the device is locked. This is the highest level of protection. Files with this setting may not be available when your program is running in the background. When the device is unlocked, these files are unprotected. …CompleteUnlessOpen — Files with this setting are protected ten seconds after the device is locked unless they’re currently open. This allows your program to continue accessing the file while running in the background. When the file is closed, it will be protected if the device is locked. …CompleteUntilFirstUserAuthentication — Files with this setting are protected only between the time the device boots and the first time the user unlocks the device. The files are unprotected from that point until the device is rebooted. This allows your application to open existing files while running in the background. NSData and its mutable subclass NSMutableData provide data objects, object-oriented wrappers for byte buffers. Why use an NSFileManager rather than just using NSData's writeToFile:atomically: method when creating a new file? The advantage of the NSFileManager method is the attributes field: A dictionary containing the attributes to associate with the new file. You can use these attributes to set the owner and group numbers, file permissions, and modification date. For a list of keys, see “File Attribute Keys.” If you specify nil for attributes, the file is created with a set of default attributes.
• #14: Internal version of mmap. Currently used by mmap, exec, and sys5 * shared memory. Handle is either a vnode pointer or NULL for MAP_ANON. Virtual memory protection definitions. -> read, write and execute
• #18: Entitlements confer specific capabilities or security permissions to your app. These file(s) define properties that provide your application access to iOS features (such as push notifications) and secure data (such as the user’s keychain).
• #31: Don’t be intidimitaded by the assembly instructions STP -> The aarch64 architecture doesn't have instructions for multiple store and load, i.e. there are no equivalents of stm and ldm from armv7 arch. Instead you must use the stp and ldp instructions for store and loading pairs of registers.
• #34: Mark should speak from this slide on
• #36: You would wanna do Real time traffic analysis of ios application on a jailbroken device Pipe in tcpdump running on the jailbroken iOS to my pentest machine
• #46: It's run when a shared library is loaded, typically during program startup. he way the constructors and destructors work is that the shared object file contains special sections (.ctors and .dtors on ELF) which contain references to the functions marked with the constructor and destructor attributes, respectively.
• #50: BurpExtenderCallBacks – getScannerChecks, getIntruderPayloadProcessors, load/unload extension
• #51: Action Message Format (AMF) is a binary format used to serialize object graphs such as ActionScript objects and XML, or send messages between an Adobe Flash client and a remote service, usually a Flash Media Server or third party alternatives Masher - can be used to guess passwords given a word list and a known password specification.
• #53: It simply replaces the session identifiers and compares the results whether it yielded any different.
• #54: It comes in handy especially bruteforcing weblogins etc.