[00:00:06] When it comes to investigating iOS applications, there are four primary areas of focus: data storage, network communications, platform communications, and then finally reverse engineering, trying to get to the operation of that code.

[00:00:22] Starting with data storage, files on disk. So iOS applications execute and are installed in a sandbox. These applications cannot interact with other applications. Whenever you create your native application and you create some data and you say, "I wanna save it," there is something called a secure storage API. It is available for developers to use if they choose. And that's a key point there. What would be faster, taking a blob of binary data and simply writing it to disk, or dealing with encryption, et cetera, and having to set the protection class on the data? The first option is quite a bit easier. The second option takes some work. However, if it is used, it is very secure. If it's not used, then maybe you can get access to that data.

[00:01:13] So the secure storage API, it is hardware-based encryption. So there's a chip inside the iOS that accelerates the encryption of data. Data flows through it, comes out encrypted on the other side. The key for this data is derived from that device UID. That's a unique identifier that I talked about in the previous lesson, as well as the user-specific passcode. So if you type in, you know, 085632, that's not my passcode, by the way, but that's your passcode. That plus the device UID becomes, or are used as input to derive a key for the encryption of this data. There are four different protection classes available for use. Protection Complete, what this does is when you lock the device, the data is no longer accessible. Once the user unlocks the device, then they can open the application, get access to the data. And then we have further protection classes that become less secure, all the way down to NSFileProtectionNone, so that there is no protection here.

[00:02:17] You can also, or developers can, store data in the keychain. However, it's only for small data. You can see here, we have a four kilobyte soft limit. Also the keychain that's built into iOS is mostly open source, published by Apple. You can go take a look at it, try to find a vulnerability. If you do find a vulnerability in Apple's published keychain, good for you. You might want to get in touch with Apple and let them know. So there was a question. Someone was trying to store megabytes of data in the keychain. And I found a forum post where I got this particular information from, and someone dug into the source code and this particular definition right here. Reasonable secret data size of four kilobytes, written by Apple many years ago, they found that there's your limit. If you go over 16, it's gonna kill it. But the definition in the code is four kilobytes.

[00:03:12] For databases on disk, so databases are not necessarily only used in web applications to store data. We can also have databases in our device, in our iOS iPhone. The SQLite databases are what is available for iOS. There is a library written in C++, it's a wrapper to SQLite 3, and allows you to store data in a database in a file inside that sandbox. Also Firebase databases are available. Actually, let me go back a second. So these SQLite databases, they are an actual file. That's one of the cool features of SQLite, is that the entire contents of the database is stored within a single file. So SQLite's available to you. If you can get access to the disk, that sandbox where the application is stored, and you can get access to that file, extract that file, then you can actually read that database.

[00:04:07] Next up is Firebase. So Firebase is a service from Google, it's available for iOS and Android. It provides frameworks or libraries to integrate with your applications to give you a local database that is synchronized with the cloud. So whatever changes happen in the local database, they're reflected in the cloud and vice versa, stays synchronized whenever internet access is available. Now, back in 2018, this person right here, Shiv Sahni, discovered a misconfiguration vulnerability in the Firebase service. It's called the hospital gown vulnerability. And at the time, this was 2018, one in 11 applications was vulnerable to this. This particular Python script here, Firebase scanner, scans for that vulnerability against Firebase instances.

[00:04:58] For the network, we talked a lot about sniffing earlier on in this course. Same concepts apply here. These iOS applications are most likely going to need to talk to the internet, either to a backend cloud service or simply to a public service, in order to grab data to display to the user. What information can we get from those network communications? There's a couple of applications listed here, Burp Suite, ZAP, as well as Bettercap, in order to capture network traffic as it is flowing across the local network. So if you have an iPhone, you install an application on it and then you want to analyze that application and its network traffic. You join it to a Wi-Fi network that you control, or maybe, using the tools that we talked about in the previous lessons, you stand up a soft access point on your laptop. You join the iPhone to that soft access point and start sending the data through your laptop. From that point, you can get access to all the data that's flowing through there. Burp Suite as well as Zed Attack Proxy will allow you to see that data as it's flowing in real time. Now I mentioned Bettercap here. So Bettercap is an improved version of Ettercap, which we talked about in the previous lesson, had machine in the middle for ARP-type stuff. Bettercap is a, it's an application. You install it on your computer. You surf to localhost and interact with the Bettercap application. It's very pretty, does the same job as Ettercap and more. So take a look at Bettercap.

[00:06:34] For platform communications, remember that our applications are sandboxed. And in order to get out of that sandbox, the application needs to declare that it wants to do things, like this application wants to interact with the camera. The application needs to specifically tell the iOS operating system that this application needs to interact with the camera. Those are declared in an entitlements file. Whenever an application wants to use these actual entitlements, the user is going to be presented with a permit or deny question. Do you want to allow this application to access the camera, for example, and the user would have to say yes before the operating system grants the camera to the application.

[00:07:18] For reverse engineering iOS applications, these iOS apps are compiled. So that means you need to decompile and disassemble them in order to see what they're doing. And that's a pretty complicated process. However, it is possible, but you need to understand where you're going to get the actual binary from. IPA is iOS App Store Package. That's what IPA stands for. Not exactly sure why the P and A are swapped, but regardless, it's a zip file that contains all the information needed for the App Store to publish that application. If you have that, that IPA file, unzip it and you have the binary, it's right there for you. If you don't have the IPA, you need to extract the binary, and that's complicated. See here, jailbreak, install the app, extract the app binary, and then rebuild the IPA. So apps are encrypted on disk. So you can't just copy the application binary off disk. These two programs here, Clutch and Frida iOS Dump, will actually extract the running application from memory. So you launch the application and then you execute these applications, and they will go and interrogate the, I'm talking about random access memory, RAM here, to extract the running application and then bring it back together for you. It is somewhat intense to get to this point.

[00:08:44] Once we have the information that's contained within that IPA, by using something like Clutch or Frida to extract that information, what files are included in that IPA distribution by default? Before the user opens the application and maybe logs in or configures the application. And then once they open the application, how have those files changed? What frameworks are in use by the application and what vulnerabilities might exist in those frameworks? Take a look at that. The platform capabilities declared. We touched on the entitlements that can be declared as part of an application. The user has to say yes or no, I permit that. What sort of information might change on disk that is derived from one of those entitlements? Any additional permissions requested to the user.

[00:09:30] For network communications encrypted, on this previous slide here, I didn't touch on this point and I just realized it as I was talking about it. So we're gonna come back and talk about this real quick. App Transport Security, or ATS. This is a feature built into iOS that enforces secure communication across the internet. By default, it will not allow insecure HTTP. The developer must manually declare their intent to speak insecure HTTP. It enforces it on these three calls here, CFURL, NSURL and NSURL connection, excuse me, session and connection. So a developer must comply with secure HTTP unless they specify manually an exemption to this policy within their application. So those network communications, are they encrypted? If not, sniff it, grab the data, decode it, figure out what it's doing.

[00:10:30] And then finally, does the app store data on the device? So I touched on that in the first bullet point here. After the user has launched the application, what changed on disk? We need to take a look at that, 'cause that can reveal some really good information.

[00:10:45] For disassembling applications, IDA Pro is kind of the gold standard for disassembling the actual executable binary of the application. Cisco Talos has released a plugin for IDA Pro called GhIDA, or G-H-I-D-A, that integrates the Ghidra decompiler. And then finally, I mentioned Frida when we were talking about Clutch a little bit ago, a dynamic code instrumentation toolkit, available here at this URL at the bottom of your screen.