.. | ||
basic-ios-testing-operations.md | ||
burp-configuration-for-ios.md | ||
extracting-entitlements-from-compiled-application.md | ||
frida-configuration-in-ios.md | ||
ios-app-extensions.md | ||
ios-basics.md | ||
ios-custom-uri-handlers-deeplinks-custom-schemes.md | ||
ios-hooking-with-objection.md | ||
ios-protocol-handlers.md | ||
ios-serialisation-and-encoding.md | ||
ios-testing-environment.md | ||
ios-uiactivity-sharing.md | ||
ios-uipasteboard.md | ||
ios-universal-links.md | ||
ios-webviews.md | ||
README.md |
iOS Pentesting
Tumia Trickest kujenga na kujiendesha kwa urahisi kazi zinazotolewa na zana za jamii za kisasa zaidi duniani.
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
iOS Msingi
{% content-ref url="ios-basics.md" %} ios-basics.md {% endcontent-ref %}
Mazingira ya Upimaji
Katika ukurasa huu unaweza kupata taarifa kuhusu simulator ya iOS, emulators na jailbreaking:
{% content-ref url="ios-testing-environment.md" %} ios-testing-environment.md {% endcontent-ref %}
Uchambuzi wa Awali
Operesheni za Msingi za Upimaji wa iOS
Wakati wa upimaji operesheni kadhaa zitapendekezwa (unganisho na kifaa, kusoma/kandika/kuweka/upakuaji wa faili, kutumia zana kadhaa...). Hivyo, ikiwa hujui jinsi ya kufanya mojawapo ya hatua hizi tafadhali, anza kusoma ukurasa:
{% content-ref url="basic-ios-testing-operations.md" %} basic-ios-testing-operations.md {% endcontent-ref %}
{% hint style="info" %}
Kwa hatua zinazofuata programu inapaswa kuwa imewekwa kwenye kifaa na inapaswa kuwa tayari imepata faili ya IPA ya programu.
Soma ukurasa wa Basic iOS Testing Operations kujifunza jinsi ya kufanya hivyo.
{% endhint %}
Uchambuzi wa Msingi wa Kijamii
Inapendekezwa kutumia zana MobSF kufanya Uchambuzi wa Kijamii wa moja kwa moja kwa faili ya IPA.
Utambuzi wa ulinzi ulio katika binary:
- PIE (Position Independent Executable): Wakati umewezeshwa, programu inaload kwenye anwani ya kumbukumbu ya nasibu kila wakati inapoanzishwa, na kufanya iwe vigumu kutabiri anwani yake ya awali ya kumbukumbu.
otool -hv <app-binary> | grep PIE # Inapaswa kujumuisha bendera ya PIE
- Stack Canaries: Ili kuthibitisha uadilifu wa stack, thamani ya ‘canary’ inawekwa kwenye stack kabla ya kuita kazi na inathibitishwa tena mara kazi inapoisha.
otool -I -v <app-binary> | grep stack_chk # Inapaswa kujumuisha alama: stack_chk_guard na stack_chk_fail
- ARC (Automatic Reference Counting): Ili kuzuia kasoro za kawaida za uharibifu wa kumbukumbu
otool -I -v <app-binary> | grep objc_release # Inapaswa kujumuisha alama ya _objc_release
- Binary Iliyoandikwa: Binary inapaswa kuwa imeandikwa
otool -arch all -Vl <app-binary> | grep -A5 LC_ENCRYPT # Cryptid inapaswa kuwa 1
Utambuzi wa Kazi Nyeti/Zisizo Salama
- Algorithimu za Hash Zenye Ukatili
# Kwenye kifaa cha iOS
otool -Iv <app> | grep -w "_CC_MD5"
otool -Iv <app> | grep -w "_CC_SHA1"
# Kwenye linux
grep -iER "_CC_MD5"
grep -iER "_CC_SHA1"
- Kazi za Nasibu Zisizo Salama
# Kwenye kifaa cha iOS
otool -Iv <app> | grep -w "_random"
otool -Iv <app> | grep -w "_srand"
otool -Iv <app> | grep -w "_rand"
# Kwenye linux
grep -iER "_random"
grep -iER "_srand"
grep -iER "_rand"
- Kazi ya ‘Malloc’ Isiyo Salama
# Kwenye kifaa cha iOS
otool -Iv <app> | grep -w "_malloc"
# Kwenye linux
grep -iER "_malloc"
- Kazi Zisizo Salama na Zenye Uthibitisho
# Kwenye kifaa cha iOS
otool -Iv <app> | grep -w "_gets"
otool -Iv <app> | grep -w "_memcpy"
otool -Iv <app> | grep -w "_strncpy"
otool -Iv <app> | grep -w "_strlen"
otool -Iv <app> | grep -w "_vsnprintf"
otool -Iv <app> | grep -w "_sscanf"
otool -Iv <app> | grep -w "_strtok"
otool -Iv <app> | grep -w "_alloca"
otool -Iv <app> | grep -w "_sprintf"
otool -Iv <app> | grep -w "_printf"
otool -Iv <app> | grep -w "_vsprintf"
# Kwenye linux
grep -R "_gets"
grep -iER "_memcpy"
grep -iER "_strncpy"
grep -iER "_strlen"
grep -iER "_vsnprintf"
grep -iER "_sscanf"
grep -iER "_strtok"
grep -iER "_alloca"
grep -iER "_sprintf"
grep -iER "_printf"
grep -iER "_vsprintf"
Uchambuzi wa Msingi wa Kijamii
Angalia uchambuzi wa kijamii ambao MobSF unafanya. Utahitaji kuzunguka kupitia maoni tofauti na kuingiliana nayo lakini itakuwa ikichora madarasa kadhaa wakati wa kufanya mambo mengine na itatayarisha ripoti mara utakapokamilisha.
Orodha ya Programu Zilizowekwa
Tumia amri frida-ps -Uai
kubaini kitambulisho cha bundle cha programu zilizowekwa:
$ frida-ps -Uai
PID Name Identifier
---- ------------------- -----------------------------------------
6847 Calendar com.apple.mobilecal
6815 Mail com.apple.mobilemail
- App Store com.apple.AppStore
- Apple Store com.apple.store.Jolly
- Calculator com.apple.calculator
- Camera com.apple.camera
- iGoat-Swift OWASP.iGoat-Swift
Basic Enumeration & Hooking
Jifunze jinsi ya kuhesabu vipengele vya programu na jinsi ya kuunganisha mbinu na madarasa kwa kutumia objection:
{% content-ref url="ios-hooking-with-objection.md" %} ios-hooking-with-objection.md {% endcontent-ref %}
IPA Structure
Muundo wa faili ya IPA kimsingi ni sawa na kifurushi kilichozungushwa. Kwa kubadilisha kiendelezi chake kuwa .zip
, inaweza kufunguliwa ili kuonyesha yaliyomo. Ndani ya muundo huu, Bundle inawakilisha programu iliyopakiwa kikamilifu tayari kwa usakinishaji. Ndani, utaona directory inayoitwa <NAME>.app
, ambayo inajumuisha rasilimali za programu.
Info.plist
: Faili hii ina maelezo maalum ya usanidi wa programu._CodeSignature/
: Hii ni directory inayojumuisha faili ya plist ambayo ina saini, kuhakikisha uadilifu wa faili zote ndani ya bundle.Assets.car
: Archive iliyoshinikizwa inayohifadhi faili za mali kama ikoni.Frameworks/
: Folda hii ina maktaba asilia za programu, ambazo zinaweza kuwa katika mfumo wa faili za.dylib
au.framework
.PlugIns/
: Hii inaweza kujumuisha nyongeza kwa programu, inayojulikana kama faili za.appex
, ingawa hazipo kila wakati. *Core Data
: Inatumika kuhifadhi data ya kudumu ya programu yako kwa matumizi ya mtandaoni, kuhifadhi data ya muda, na kuongeza uwezo wa kufuta kwenye programu yako kwenye kifaa kimoja. Ili kusawazisha data kati ya vifaa vingi katika akaunti moja ya iCloud, Core Data inakidhi moja kwa moja muundo wako kwenye kontena la CloudKit.PkgInfo
: Faili yaPkgInfo
ni njia mbadala ya kubainisha aina na nambari za muundaji wa programu yako au bundle.- en.lproj, fr.proj, Base.lproj: Ni pakiti za lugha ambazo zina rasilimali za lugha hizo maalum, na rasilimali ya chaguo-msingi ikiwa lugha haipatikani.
- Security: Directory ya
_CodeSignature/
ina jukumu muhimu katika usalama wa programu kwa kuthibitisha uadilifu wa faili zote zilizopakiwa kupitia saini za kidijitali. - Asset Management: Faili ya
Assets.car
inatumia shinikizo kusimamia kwa ufanisi mali za picha, muhimu kwa kuboresha utendaji wa programu na kupunguza ukubwa wake kwa ujumla. - Frameworks and PlugIns: Hizi directory zinasisitiza uundaji wa programu za iOS, zikiwaruhusu waendelezaji kujumuisha maktaba za msimbo zinazoweza kutumika tena (
Frameworks/
) na kupanua kazi za programu (PlugIns/
). - Localization: Muundo huu unasaidia lugha nyingi, ukirahisisha kufikia kimataifa kwa programu kwa kujumuisha rasilimali za pakiti za lugha maalum.
Info.plist
Info.plist inatumika kama msingi wa programu za iOS, ikijumuisha data muhimu za usanidi katika mfumo wa funguo-thamani. Faili hii ni lazima si tu kwa programu bali pia kwa nyongeza za programu na maktaba zilizopakiwa ndani. Imeundwa kwa muundo wa XML au wa binary na ina taarifa muhimu kuanzia ruhusa za programu hadi usanidi wa usalama. Kwa uchambuzi wa kina wa funguo zinazopatikana, mtu anaweza kurejelea Apple Developer Documentation.
Kwa wale wanaotaka kufanya kazi na faili hii katika muundo rahisi zaidi, ubadilishaji wa XML unaweza kufanywa kwa urahisi kupitia matumizi ya plutil
kwenye macOS (inapatikana kiasili kwenye toleo 10.2 na baadaye) au plistutil
kwenye Linux. Amri za ubadilishaji ni kama ifuatavyo:
- Kwa macOS:
$ plutil -convert xml1 Info.plist
- Kwa Linux:
$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist
Kati ya maelezo mengi ambayo faili ya Info.plist inaweza kufichua, entries muhimu ni pamoja na nyuzi za ruhusa za programu (UsageDescription
), mipango ya URL ya kawaida (CFBundleURLTypes
), na mipangilio ya Usalama wa Usafiri wa Programu (NSAppTransportSecurity
). Entries hizi, pamoja na nyingine kama aina za hati zilizotolewa/zilizopokelewa za kawaida (UTExportedTypeDeclarations
/ UTImportedTypeDeclarations
), zinaweza kupatikana kwa urahisi kwa kukagua faili au kutumia amri rahisi ya grep
:
$ grep -i <keyword> Info.plist
Data Paths
Katika mazingira ya iOS, directories zimewekwa maalum kwa ajili ya system applications na user-installed applications. System applications zinapatikana katika directory ya /Applications
, wakati apps zilizowekwa na mtumiaji zinawekwa chini ya /var/mobile/containers/Data/Application/
. Programu hizi zinapewa kitambulisho cha kipekee kinachojulikana kama 128-bit UUID, na kufanya kazi ya kutafuta folda ya programu kwa mikono kuwa ngumu kutokana na uhodari wa majina ya directories.
{% hint style="warning" %}
Kwa kuwa programu katika iOS lazima ziwe sandboxed, kila app pia itakuwa na folda ndani ya $HOME/Library/Containers
yenye CFBundleIdentifier
ya app kama jina la folda.
Hata hivyo, folda zote mbili (folda za data & folda za container) zina faili .com.apple.mobile_container_manager.metadata.plist
inayounganisha faili hizo mbili katika ufunguo MCMetadataIdentifier
).
{% endhint %}
Ili kuwezesha kugundua directory ya usakinishaji ya app iliyowekwa na mtumiaji, objection tool inatoa amri muhimu, env
. Amri hii inaonyesha taarifa za kina za directory kwa app husika. Hapa kuna mfano wa jinsi ya kutumia amri hii:
OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # env
Name Path
----------------- -------------------------------------------------------------------------------------------
BundlePath /var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app
CachesDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library
Kwa upande mwingine, jina la programu linaweza kutafutwa ndani ya /private/var/containers
kwa kutumia amri ya find
:
find /private/var/containers -name "Progname*"
Amri kama ps
na lsof
zinaweza pia kutumika kubaini mchakato wa programu na orodha ya faili zilizo wazi, mtawalia, zikitoa maarifa kuhusu njia za saraka za programu zinazofanya kazi:
ps -ef | grep -i <app-name>
lsof -p <pid> | grep -i "/containers" | head -n 1
Bundle directory:
- AppName.app
- Hii ni Application Bundle kama ilivyoonekana hapo awali katika IPA, ina data muhimu ya programu, maudhui ya kudumu pamoja na binary iliyokusanywa ya programu.
- Hii directory inaonekana kwa watumiaji, lakini watumiaji hawawezi kuandika ndani yake.
- Maudhui katika hii directory hayahifadhiwi.
- Maudhui ya folda hii yanatumika ku thibitisha saini ya msimbo.
Data directory:
- Documents/
- Inashikilia data yote iliyoundwa na mtumiaji. Mtumiaji wa mwisho wa programu anaanzisha uundaji wa data hii.
- Inaonekana kwa watumiaji na watumiaji wanaweza kuandika ndani yake.
- Maudhui katika hii directory yanahifadhiwa.
- Programu inaweza kuzima njia kwa kuweka
NSURLIsExcludedFromBackupKey
. - Library/
- Inashikilia faili ambazo si maalum kwa mtumiaji, kama caches, preferences, cookies, na faili za usanidi wa orodha ya mali (plist).
- Programu za iOS kwa kawaida hutumia
Application Support
naCaches
subdirectories, lakini programu inaweza kuunda subdirectories za kawaida. - Library/Caches/
- Inashikilia faili za cache zisizodumu.
- Haionekani kwa watumiaji na watumiaji hawawezi kuandika ndani yake.
- Maudhui katika hii directory hayahifadhiwi.
- OS inaweza kufuta faili za directory hii kiotomatiki wakati programu haiko inafanya kazi na nafasi ya kuhifadhi inakosekana.
- Library/Application Support/
- Inashikilia faili za kudumu zinazohitajika kwa ajili ya kuendesha programu.
- Haionekani kwa watumiaji na watumiaji hawawezi kuandika ndani yake.
- Maudhui katika hii directory yanahifadhiwa.
- Programu inaweza kuzima njia kwa kuweka
NSURLIsExcludedFromBackupKey
. - Library/Preferences/
- Inatumika kuhifadhi mali ambazo zinaweza kudumu hata baada ya programu kuanzishwa upya.
- Taarifa huhifadhiwa, bila usimbaji, ndani ya sandbox ya programu katika faili ya plist inayoitwa [BUNDLE_ID].plist.
- Mifano yote ya funguo/thamani iliyohifadhiwa kwa kutumia
NSUserDefaults
inaweza kupatikana katika faili hii. - tmp/
- Tumia hii directory kuandika faili za muda ambazo hazihitaji kudumu kati ya uzinduzi wa programu.
- Inashikilia faili za cache zisizodumu.
- Haionekani kwa watumiaji.
- Maudhui katika hii directory hayahifadhiwi.
- OS inaweza kufuta faili za directory hii kiotomatiki wakati programu haiko inafanya kazi na nafasi ya kuhifadhi inakosekana.
Tuchunguze kwa karibu Application Bundle ya iGoat-Swift (.app) ndani ya directory ya Bundle (/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app
):
OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # ls
NSFileType Perms NSFileProtection ... Name
------------ ------- ------------------ ... --------------------------------------
Regular 420 None ... rutger.html
Regular 420 None ... mansi.html
Regular 420 None ... splash.html
Regular 420 None ... about.html
Regular 420 None ... LICENSE.txt
Regular 420 None ... Sentinel.txt
Regular 420 None ... README.txt
Binary Reversing
Ndani ya folda ya <application-name>.app
utaona faili la binary linaloitwa <application-name>
. Huu ndio faili utakaokuwa ukitekelezwa. Unaweza kufanya ukaguzi wa msingi wa binary kwa kutumia chombo otool
:
otool -Vh DVIA-v2 #Check some compilation attributes
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 65 7112 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
otool -L DVIA-v2 #Get third party libraries
DVIA-v2:
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
@rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0)
[...]
Angalia kama programu imefungwa
Tazama kama kuna matokeo yoyote kwa:
otool -l <app-binary> | grep -A 4 LC_ENCRYPTION_INFO
Kufanya disassembly ya binary
Fanya disassembly ya sehemu ya maandiko:
otool -tV DVIA-v2
DVIA-v2:
(__TEXT,__text) section
+[DDLog initialize]:
0000000100004ab8 sub sp, sp, #0x60
0000000100004abc stp x29, x30, [sp, #0x50] ; Latency: 6
0000000100004ac0 add x29, sp, #0x50
0000000100004ac4 sub x8, x29, #0x10
0000000100004ac8 mov x9, #0x0
0000000100004acc adrp x10, 1098 ; 0x10044e000
0000000100004ad0 add x10, x10, #0x268
Ili kuchapisha sehemu ya Objective-C ya programu ya mfano, mtu anaweza kutumia:
otool -oV DVIA-v2
DVIA-v2:
Contents of (__DATA,__objc_classlist) section
00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog
isa 0x1004423a8 _OBJC_METACLASS_$_DDLog
superclass 0x0 _OBJC_CLASS_$_NSObject
cache 0x0 __objc_empty_cache
vtable 0x0
data 0x1003de748
flags 0x80
instanceStart 8
Ili kupata msimbo wa Objective-C wenye ukubwa mdogo zaidi unaweza kutumia class-dump:
class-dump some-app
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#pragma mark Named Structures
struct CGPoint {
double _field1;
double _field2;
};
struct CGRect {
struct CGPoint _field1;
struct CGSize _field2;
};
struct CGSize {
double _field1;
double _field2;
};
However, the best options to disassemble the binary are: Hopper and IDA.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %}
Hifadhi ya Data
To learn about how iOS stores data in the device read this page:
{% content-ref url="ios-basics.md" %} ios-basics.md {% endcontent-ref %}
{% hint style="warning" %}
The following places to store information should be checked right after installing the application, after checking all the functionalities of the application and even after login out from one user and login into a different one.
The goal is to find unprotected sensitive information of the application (passwords, tokens), of the current user and of previously logged users.
{% endhint %}
Plist
plist files are structured XML files that contains key-value pairs. It's a way to store persistent data, so sometimes you may find sensitive information in these files. It's recommended to check these files after installing the app and after using intensively it to see if new data is written.
The most common way to persist data in plist files is through the usage of NSUserDefaults. This plist file is saved inside the app sandbox in Library/Preferences/<appBundleID>.plist
The NSUserDefaults
class provides a programmatic interface for interacting with the default system. The default system allows an application to customize its behaviour according to user preferences. Data saved by NSUserDefaults
can be viewed in the application bundle. This class stores data in a plist file, but it's meant to be used with small amounts of data.
This data cannot be longer accessed directly via a trusted computer, but can be accessed performing a backup.
You can dump the information saved using NSUserDefaults
using objection's ios nsuserdefaults get
To find all the plist of used by the application you can access to /private/var/mobile/Containers/Data/Application/{APPID}
and run:
find ./ -name "*.plist"
Ili kubadilisha faili kutoka XML au muundo wa binary (bplist) kuwa XML, njia mbalimbali kulingana na mfumo wako wa uendeshaji zinapatikana:
Kwa Watumiaji wa macOS: Tumia amri ya plutil
. Ni chombo kilichojengwa ndani katika macOS (10.2+), kilichoundwa kwa ajili ya kusudi hili:
$ plutil -convert xml1 Info.plist
Kwa Watumiaji wa Linux: Sakinisha libplist-utils
kwanza, kisha tumia plistutil
kubadilisha faili yako:
$ apt install libplist-utils
$ plistutil -i Info.plist -o Info_xml.plist
Ndani ya Kikao cha Objection: Kwa kuchambua programu za simu, amri maalum inaruhusu kubadilisha faili za plist moja kwa moja:
ios plist cat /private/var/mobile/Containers/Data/Application/<Application-UUID>/Library/Preferences/com.some.package.app.plist
Core Data
Core Data
ni mfumo wa kusimamia tabaka la mfano wa vitu katika programu yako. Core Data inaweza kutumia SQLite kama duka lake la kudumu, lakini mfumo wenyewe si database.
CoreData haiwezi kupeleka data zake kwa usimbuaji kwa chaguo-msingi. Hata hivyo, safu ya ziada ya usimbuaji inaweza kuongezwa kwa CoreData. Tazama GitHub Repo kwa maelezo zaidi.
Unaweza kupata taarifa za SQLite Core Data za programu katika njia /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support
Ikiwa unaweza kufungua SQLite na kufikia taarifa nyeti, basi umepata usakinishaji usio sahihi.
{% code title="Code from iGoat" %}
-(void)storeDetails {
AppDelegate * appDelegate = (AppDelegate *)(UIApplication.sharedApplication.delegate);
NSManagedObjectContext *context =[appDelegate managedObjectContext];
User *user = [self fetchUser];
if (user) {
return;
}
user = [NSEntityDescription insertNewObjectForEntityForName:@"User"
inManagedObjectContext:context];
user.email = CoreDataEmail;
user.password = CoreDataPassword;
NSError *error;
if (![context save:&error]) {
NSLog(@"Error in saving data: %@", [error localizedDescription]);
}else{
NSLog(@"data stored in core data");
}
}
{% endcode %}
YapDatabase
YapDatabase ni duka la funguo/thamani lililojengwa juu ya SQLite.
Kwa kuwa hifadhidata za Yap ni hifadhidata za sqlite unaweza kuziona kwa kutumia amri iliyopendekezwa katika sehemu iliyopita.
Hifadhidata Nyingine za SQLite
Ni kawaida kwa programu kuunda hifadhidata zao za sqlite. Wanaweza kuwa wanahifadhi data nyeti ndani yao na kuziacha bila usimbaji. Kwa hivyo, kila wakati ni muhimu kuangalia kila hifadhidata ndani ya saraka ya programu. Kwa hivyo nenda kwenye saraka ya programu ambapo data imehifadhiwa (/private/var/mobile/Containers/Data/Application/{APPID}
)
find ./ -name "*.sqlite" -or -name "*.db"
Firebase Real-Time Databases
Wakuu wa programu wana uwezo wa kuhifadhi na kusawazisha data ndani ya hifadhi ya data ya NoSQL iliyo kwenye wingu kupitia Firebase Real-Time Databases. Iliyohifadhiwa katika muundo wa JSON, data inasawazishwa kwa wateja wote waliounganishwa kwa wakati halisi.
Unaweza kupata jinsi ya kuangalia hifadhi za Firebase zilizopangwa vibaya hapa:
{% content-ref url="../../network-services-pentesting/pentesting-web/buckets/firebase-database.md" %} firebase-database.md {% endcontent-ref %}
Realm databases
Realm Objective-C na Realm Swift hutoa mbadala mzuri wa kuhifadhi data, ambao haupatikani kutoka Apple. Kwa kawaida, wana hifadhi data bila usimbaji, huku usimbaji ukiwa unapatikana kupitia usanidi maalum.
Hifadhi za data ziko katika: /private/var/mobile/Containers/Data/Application/{APPID}
. Ili kuchunguza faili hizi, mtu anaweza kutumia amri kama:
iPhone:/private/var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents root# ls
default.realm default.realm.lock default.realm.management/ default.realm.note|
$ find ./ -name "*.realm*"
Ili kuona faili hizi za database, chombo cha Realm Studio kinapendekezwa.
Ili kutekeleza usimbaji ndani ya database ya Realm, kipande kifuatacho cha msimbo kinaweza kutumika:
// Open the encrypted Realm file where getKey() is a method to obtain a key from the Keychain or a server
let config = Realm.Configuration(encryptionKey: getKey())
do {
let realm = try Realm(configuration: config)
// Use the Realm as normal
} catch let error as NSError {
// If the encryption key is wrong, `error` will say that it's an invalid database
fatalError("Error opening realm: \(error)")
}
Couchbase Lite Databases
Couchbase Lite inafafanuliwa kama nyepesi na imejumuishwa injini ya hifadhidata inayofuata mbinu ya mwelekeo wa hati (NoSQL). Imeundwa kuwa asili kwa iOS na macOS, inatoa uwezo wa kusawazisha data bila mshono.
Ili kubaini hifadhidata za Couchbase zinazoweza kuwa kwenye kifaa, directory ifuatayo inapaswa kukaguliwa:
ls /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support/
Cookies
iOS huhifadhi vidakuzi vya programu katika Library/Cookies/cookies.binarycookies
ndani ya folda ya kila programu. Hata hivyo, waendelezaji wakati mwingine huamua kuviweka katika keychain kwani faili ya cookie inaweza kufikiwa katika nakala za akiba.
Ili kukagua faili ya vidakuzi unaweza kutumia hii python script au tumia ios cookies get
ya objection.
Unaweza pia kutumia objection kubadilisha faili hizi kuwa muundo wa JSON na kukagua data.
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json
[
{
"domain": "highaltitudehacks.com",
"expiresDate": "2051-09-15 07:46:43 +0000",
"isHTTPOnly": "false",
"isSecure": "false",
"name": "username",
"path": "/",
"value": "admin123",
"version": "0"
}
]
Cache
Kwa kawaida NSURLSession huhifadhi data, kama vile maombi na majibu ya HTTP katika Cache.db database. Hii database inaweza kuwa na data nyeti, ikiwa tokeni, majina ya watumiaji au taarifa nyingine yoyote nyeti imehifadhiwa. Ili kupata taarifa zilizohifadhiwa fungua directory ya data ya programu (/var/mobile/Containers/Data/Application/<UUID>
) na nenda kwenye /Library/Caches/<Bundle Identifier>
. WebKit cache pia huhifadhiwa katika faili ya Cache.db. Objection inaweza kufungua na kuingiliana na database kwa amri sqlite connect Cache.db
, kwani ni normal SQLite database.
Inapendekezwa kuondoa uhifadhi wa data hii, kwani inaweza kuwa na taarifa nyeti katika ombi au jibu. Orodha ifuatayo inaonyesha njia tofauti za kufanikisha hili:
- Inapendekezwa kuondoa majibu yaliyohifadhiwa baada ya kutoka. Hii inaweza kufanywa kwa njia iliyotolewa na Apple inayoitwa
removeAllCachedResponses
Unaweza kuita njia hii kama ifuatavyo:
URLCache.shared.removeAllCachedResponses()
Njia hii itafuta maombi na majibu yote yaliyohifadhiwa kutoka faili la Cache.db. 2. Ikiwa huhitaji kutumia faida ya vidakuzi, itakuwa bora kutumia mali ya usanidi ya .ephemeral ya URLSession, ambayo itazima uhifadhi wa vidakuzi na Caches.
An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn’t store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.
3. Cache inaweza pia kuzuiwa kwa kuweka Sera ya Cache kuwa .notAllowed. Itazima kuhifadhi Cache kwa njia yoyote, ama katika kumbukumbu au kwenye diski.
Snapshots
Kila wakati unapobonyeza kitufe cha nyumbani, iOS huchukua picha ya skrini ya sasa ili iweze kufanya mpito kwenda kwenye programu kwa njia laini zaidi. Hata hivyo, ikiwa data nyeti ipo kwenye skrini ya sasa, itahifadhiwa katika picha (ambayo inasalia katika reboots). Hizi ni picha ambazo unaweza pia kufikia kwa kubonyeza mara mbili skrini ya nyumbani ili kubadilisha kati ya programu.
Ipasavyo, ikiwa iPhone haijavunjwa, mshambuliaji anahitaji kuwa na ufikiaji wa kifaa kilichofunguliwa ili kuona picha hizi. Kwa kawaida picha ya mwisho huhifadhiwa katika sandbox ya programu katika folda Library/Caches/Snapshots/
au Library/SplashBoard/Snapshots
(kompyuta zinazotegemewa haziwezi kufikia mfumo wa faili kutoka iOX 7.0).
Njia moja ya kuzuia tabia hii mbaya ni kuweka skrini tupu au kuondoa data nyeti kabla ya kuchukua picha kwa kutumia kazi ya ApplicationDidEnterBackground()
.
Ifuatayo ni mfano wa njia ya kurekebisha ambayo itapanga picha ya skrini ya kawaida.
Swift:
private var backgroundImage: UIImageView?
func applicationDidEnterBackground(_ application: UIApplication) {
let myBanner = UIImageView(image: #imageLiteral(resourceName: "overlayImage"))
myBanner.frame = UIScreen.main.bounds
backgroundImage = myBanner
window?.addSubview(myBanner)
}
func applicationWillEnterForeground(_ application: UIApplication) {
backgroundImage?.removeFromSuperview()
}
Lengo la Objective-C:
@property (UIImageView *)backgroundImage;
- (void)applicationDidEnterBackground:(UIApplication *)application {
UIImageView *myBanner = [[UIImageView alloc] initWithImage:@"overlayImage.png"];
self.backgroundImage = myBanner;
self.backgroundImage.bounds = UIScreen.mainScreen.bounds;
[self.window addSubview:myBanner];
}
- (void)applicationWillEnterForeground:(UIApplication *)application {
[self.backgroundImage removeFromSuperview];
}
Hii inafanya picha ya nyuma kuwa overlayImage.png
kila wakati programu inapokuwa kwenye background. Inazuia uvujaji wa data nyeti kwa sababu overlayImage.png
daima itachukua nafasi ya mtazamo wa sasa.
Keychain
Kwa kupata na kusimamia iOS keychain, zana kama Keychain-Dumper zinapatikana, zinazofaa kwa vifaa vilivyovunjwa. Zaidi ya hayo, Objection inatoa amri ios keychain dump
kwa madhumuni sawa.
Hifadhi Akikumbuka
Darasa la NSURLCredential ni bora kwa kuhifadhi taarifa nyeti moja kwa moja kwenye keychain, ikiepuka hitaji la NSUserDefaults au vifungashio vingine. Ili kuhifadhi akumbuka baada ya kuingia, msimbo ufuatao wa Swift unatumika:
NSURLCredential *credential;
credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent];
[[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential forProtectionSpace:self.loginProtectionSpace];
To extract these stored credentials, Objection's command ios nsurlcredentialstorage dump
is utilized.
Custom Keyboards and Keyboard Cache
With iOS 8.0 onwards, users can install custom keyboard extensions, which are manageable under Settings > General > Keyboard > Keyboards. While these keyboards offer extended functionality, they pose a risk of keystroke logging and transmitting data to external servers, though users are notified about keyboards requiring network access. Apps can, and should, restrict the use of custom keyboards for sensitive information entry.
Security Recommendations:
- It's advised to disable third-party keyboards for enhanced security.
- Be aware of the autocorrect and auto-suggestions features of the default iOS keyboard, which could store sensitive information in cache files located in
Library/Keyboard/{locale}-dynamic-text.dat
or/private/var/mobile/Library/Keyboard/dynamic-text.dat
. These cache files should be regularly checked for sensitive data. Resetting the keyboard dictionary via Settings > General > Reset > Reset Keyboard Dictionary is recommended for clearing cached data. - Intercepting network traffic can reveal whether a custom keyboard is transmitting keystrokes remotely.
Preventing Text Field Caching
The UITextInputTraits protocol offers properties to manage autocorrection and secure text entry, essential for preventing sensitive information caching. For example, disabling autocorrection and enabling secure text entry can be achieved with:
textObject.autocorrectionType = UITextAutocorrectionTypeNo;
textObject.secureTextEntry = YES;
Additionally, developers should ensure that text fields, especially those for entering sensitive information like passwords and PINs, disable caching by setting autocorrectionType
to UITextAutocorrectionTypeNo
and secureTextEntry
to YES
.
UITextField *textField = [[UITextField alloc] initWithFrame:frame];
textField.autocorrectionType = UITextAutocorrectionTypeNo;
Logs
Kusafisha makosa ya msimbo mara nyingi kunahusisha matumizi ya logging. Kuna hatari inayohusiana kwani logs zinaweza kuwa na taarifa nyeti. Awali, katika iOS 6 na toleo la awali, logs zilikuwa zinapatikana kwa programu zote, na kuleta hatari ya kuvuja kwa data nyeti. Sasa, programu zimepunguzia upatikanaji wa logs zao pekee.
Licha ya vizuizi hivi, mshambuliaji mwenye ufikiaji wa kimwili kwa kifaa kisichofungwa bado anaweza kutumia hii kwa kuunganisha kifaa na kompyuta na kusoma logs. Ni muhimu kutambua kwamba logs zinabaki kwenye diski hata baada ya kufutwa kwa programu.
Ili kupunguza hatari, inashauriwa kuingiliana kwa kina na programu, kuchunguza kazi zake zote na ingizo ili kuhakikisha hakuna taarifa nyeti inayorekodiwa bila kukusudia.
Wakati wa kukagua msimbo wa chanzo wa programu kwa uvujaji wa uwezekano, angalia maelekezo ya logging yaliyowekwa na ya kawaida kwa kutumia maneno muhimu kama NSLog
, NSAssert
, NSCAssert
, fprintf
kwa kazi zilizojengwa, na yoyote inayohusisha Logging
au Logfile
kwa utekelezaji wa kawaida.
Monitoring System Logs
Programu zinaandika vipande mbalimbali vya taarifa ambavyo vinaweza kuwa nyeti. Ili kufuatilia logs hizi, zana na amri kama:
idevice_id --list # To find the device ID
idevicesyslog -u <id> (| grep <app>) # To capture the device logs
ni muhimu. Zaidi ya hayo, Xcode inatoa njia ya kukusanya kumbukumbu za console:
- Fungua Xcode.
- Unganisha kifaa cha iOS.
- Tembelea Window -> Devices and Simulators.
- Chagua kifaa chako.
- Chochea tatizo unalochunguza.
- Tumia kitufe cha Open Console kuona kumbukumbu katika dirisha jipya.
Kwa kumbukumbu za hali ya juu, kuungana na shell ya kifaa na kutumia socat kunaweza kutoa ufuatiliaji wa kumbukumbu kwa wakati halisi:
iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock
Followed by commands to observe log activities, which can be invaluable for diagnosing issues or identifying potential data leakage in logs.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %}
Backups
Vipengele vya auto-backup vimejumuishwa katika iOS, vinavyorahisisha uundaji wa nakala za data za kifaa kupitia iTunes (hadi macOS Catalina), Finder (kuanzia macOS Catalina kuendelea), au iCloud. Nakala hizi zinajumuisha karibu data zote za kifaa, isipokuwa vipengele vya siri sana kama maelezo ya Apple Pay na mipangilio ya Touch ID.
Security Risks
Kuongezwa kwa apps zilizowekwa na data zao katika nakala za backup kunaleta suala la data leakage na hatari kwamba mabadiliko ya backup yanaweza kubadilisha utendaji wa app. Inashauriwa kutohifadhi taarifa nyeti katika maandiko ya wazi ndani ya directory ya app yoyote au subdirectories zake ili kupunguza hatari hizi.
Excluding Files from Backups
Faili katika Documents/
na Library/Application Support/
zinahifadhiwa kwa default. Wataalamu wa programu wanaweza kuondoa faili au directories maalum kutoka kwa nakala za backup kwa kutumia NSURL setResourceValue:forKey:error:
na NSURLIsExcludedFromBackupKey
. Praktiki hii ni muhimu kwa kulinda data nyeti isijumuishwe katika nakala za backup.
Testing for Vulnerabilities
Ili kutathmini usalama wa backup wa app, anza kwa kuunda backup kwa kutumia Finder, kisha ipate kwa kufuata mwongozo kutoka nyaraka rasmi za Apple. Changanua backup kwa data nyeti au mipangilio ambayo inaweza kubadilishwa ili kuathiri tabia ya app.
Taarifa nyeti zinaweza kutafutwa kwa kutumia zana za command-line au programu kama iMazing. Kwa nakala za backup zilizofichwa, uwepo wa usimbaji unaweza kuthibitishwa kwa kuangalia ufunguo wa "IsEncrypted" katika faili ya "Manifest.plist" kwenye mzizi wa backup.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
...
<key>Date</key>
<date>2021-03-12T17:43:33Z</date>
<key>IsEncrypted</key>
<true/>
...
</plist>
Kwa kushughulikia nakala zilizofichwa, skripti za Python zinazopatikana katika repo ya GitHub ya DinoSec, kama backup_tool.py na backup_passwd.py, zinaweza kuwa na manufaa, ingawa huenda zikahitaji marekebisho ili kuendana na toleo jipya la iTunes/Finder. Zana ya iOSbackup ni chaguo jingine la kupata faili ndani ya nakala zilizolindwa kwa nenosiri.
Kubadilisha Tabia ya Programu
Mfano wa kubadilisha tabia ya programu kupitia marekebisho ya nakala umeonyeshwa katika programu ya pochi ya bitcoin ya Bither, ambapo PIN ya kufunga UI inahifadhiwa ndani ya net.bither.plist
chini ya ufunguo wa pin_code. Kuondoa ufunguo huu kutoka kwa plist na kurejesha nakala kunafuta hitaji la PIN, na kutoa ufikiaji usio na kikomo.
Muhtasari juu ya Upimaji wa Kumbukumbu kwa Taarifa Nyeti
Wakati wa kushughulikia taarifa nyeti zilizohifadhiwa katika kumbukumbu ya programu, ni muhimu kupunguza muda wa kufichuliwa kwa data hii. Kuna mbinu mbili kuu za kuchunguza maudhui ya kumbukumbu: kuunda dump ya kumbukumbu na kuchambua kumbukumbu kwa wakati halisi. Mbinu zote zina changamoto zao, ikiwa ni pamoja na uwezekano wa kukosa data muhimu wakati wa mchakato wa dump au uchambuzi.
Kurejesha na Kuchambua Dump ya Kumbukumbu
Kwa vifaa vyote vilivyovunjwa na visivyovunjwa, zana kama objection na Fridump zinaruhusu dumping ya kumbukumbu ya mchakato wa programu. Mara baada ya dumping, kuchambua data hii kunahitaji zana mbalimbali, kulingana na asili ya taarifa unayotafuta.
Ili kutoa nyuzi kutoka kwa dump ya kumbukumbu, amri kama strings
au rabin2 -zz
zinaweza kutumika:
# Extracting strings using strings command
$ strings memory > strings.txt
# Extracting strings using rabin2
$ rabin2 -ZZ memory > strings.txt
Kwa uchambuzi wa kina zaidi, ikiwa ni pamoja na kutafuta aina maalum za data au mifumo, radare2 inatoa uwezo mpana wa kutafuta:
$ r2 <name_of_your_dump_file>
[0x00000000]> /?
...
Uchambuzi wa Kumbukumbu ya Wakati Halisi
r2frida inatoa mbadala wenye nguvu wa kukagua kumbukumbu ya programu kwa wakati halisi, bila kuhitaji dump ya kumbukumbu. Chombo hiki kinaruhusu utekelezaji wa amri za utafutaji moja kwa moja kwenye kumbukumbu ya programu inayotembea:
$ r2 frida://usb//<name_of_your_app>
[0x00000000]> /\ <search_command>
Broken Cryptography
Poor Key Management Processes
Wakati mwingine waendelezaji huhifadhi data nyeti katika hifadhi ya ndani na kuificha kwa kutumia funguo zilizowekwa kwa nguvu/kutabirika katika msimbo. Hii haipaswi kufanywa kwani baadhi ya kurudi nyuma kunaweza kuruhusu washambuliaji kutoa taarifa za siri.
Use of Insecure and/or Deprecated Algorithms
Waendelezaji hawapaswi kutumia algorithms deprecated kufanya checks za idhini, hifadhi au tuma data. Baadhi ya hizi ni: RC4, MD4, MD5, SHA1... Ikiwa hashes zinatumika kuhifadhi nywila kwa mfano, hashes zinazostahimili brute-force zinapaswa kutumika na chumvi.
Check
Majaribio makuu ya kufanya ni kutafuta ikiwa unaweza kupata hardcoded nywila/siri katika msimbo, au ikiwa hizo ni predictable, na ikiwa msimbo unatumia aina fulani ya weak cryptography algorithms.
Ni ya kuvutia kujua kwamba unaweza monitor baadhi ya crypto libraries kiotomatiki ukitumia objection na:
ios monitor crypt
Kwa maelezo zaidi kuhusu iOS cryptographic APIs na maktaba, tembelea https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography
Uthibitishaji wa Mitaa
Uthibitishaji wa mitaa una jukumu muhimu, hasa linapokuja suala la kulinda ufikiaji katika eneo la mbali kupitia mbinu za kijasusi. Kiini hapa ni kwamba bila utekelezaji sahihi, mitambo ya uthibitishaji wa mitaa inaweza kupuuziliwa mbali.
Msingi wa Uthibitishaji wa Mitaa wa Apple na keychain zinatoa APIs thabiti kwa waendelezaji kuwezesha mazungumzo ya uthibitishaji wa mtumiaji na kushughulikia data ya siri kwa usalama, mtawalia. Secure Enclave inalinda fingerprint ID kwa Touch ID, wakati Face ID inategemea utambuzi wa uso bila kuathiri data za kibaiolojia.
Ili kuunganisha Touch ID/Face ID, waendelezaji wana chaguo mbili za API:
LocalAuthentication.framework
kwa uthibitishaji wa mtumiaji wa kiwango cha juu bila ufikiaji wa data za kibaiolojia.Security.framework
kwa ufikiaji wa huduma za keychain za kiwango cha chini, ikilinda data za siri kwa uthibitishaji wa kibaiolojia. Wrappers mbalimbali za wazi zinafanya ufikiaji wa keychain kuwa rahisi.
{% hint style="danger" %}
Hata hivyo, LocalAuthentication.framework
na Security.framework
zinaonyesha udhaifu, kwani kimsingi hurudisha thamani za boolean bila kuhamasisha data kwa michakato ya uthibitishaji, na kuifanya kuwa rahisi kupuuzilia mbali (tazama Usiguse hivyo, na David Lindner et al).
{% endhint %}
Kutekeleza Uthibitishaji wa Mitaa
Ili kuwahamasisha watumiaji kwa uthibitishaji, waendelezaji wanapaswa kutumia evaluatePolicy
njia ndani ya LAContext
darasa, wakichagua kati ya:
deviceOwnerAuthentication
: Inahamasisha kwa Touch ID au nambari ya kifaa, ikishindwa ikiwa zote mbili hazijawashwa.deviceOwnerAuthenticationWithBiometrics
: Inahamasisha pekee kwa Touch ID.
Uthibitishaji uliofanikiwa unadhihirishwa na thamani ya kurudi ya boolean kutoka evaluatePolicy
, ikionyesha kasoro ya usalama inayoweza kutokea.
Uthibitishaji wa Mitaa kwa kutumia Keychain
Kutekeleza uthibitishaji wa mitaa katika programu za iOS kunahusisha matumizi ya keychain APIs kuhifadhi data za siri kama vile token za uthibitishaji kwa usalama. Mchakato huu unahakikisha kuwa data inaweza kufikiwa tu na mtumiaji, akitumia nambari ya kifaa chake au uthibitishaji wa kibaiolojia kama Touch ID.
Keychain inatoa uwezo wa kuweka vitu na sifa ya SecAccessControl
, ambayo inazuia ufikiaji wa kipengee hadi mtumiaji athibitishwe kwa mafanikio kupitia Touch ID au nambari ya kifaa. Kipengele hiki ni muhimu kwa kuboresha usalama.
Hapa chini kuna mifano ya msimbo katika Swift na Objective-C inayoonyesha jinsi ya kuhifadhi na kupata string kutoka/kwenda keychain, ikitumia vipengele hivi vya usalama. Mifano inaonyesha hasa jinsi ya kuanzisha udhibiti wa ufikiaji ili kuhitaji uthibitishaji wa Touch ID na kuhakikisha kuwa data inapatikana tu kwenye kifaa ambacho ilianzishwa, chini ya hali kwamba nambari ya kifaa imewekwa.
{% tabs %} {% tab title="Swift" %}
// From https://github.com/mufambisi/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
// 1. create AccessControl object that will represent authentication settings
var error: Unmanaged<CFError>?
guard let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
SecAccessControlCreateFlags.biometryCurrentSet,
&error) else {
// failed to create AccessControl object
return
}
// 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute
var query: [String: Any] = [:]
query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecAttrAccount as String] = "OWASP Account" as CFString
query[kSecValueData as String] = "test_strong_password".data(using: .utf8)! as CFData
query[kSecAttrAccessControl as String] = accessControl
// 3. save item
let status = SecItemAdd(query as CFDictionary, nil)
if status == noErr {
// successfully saved
} else {
// error while saving
}
{% endtab %}
{% tab title="Objective-C" %}
// 1. create AccessControl object that will represent authentication settings
CFErrorRef *err = nil;
SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
kSecAccessControlUserPresence,
err);
// 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute
NSDictionary* query = @{
(_ _bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecAttrLabel: @"com.me.myapp.password",
(__bridge id)kSecAttrAccount: @"OWASP Account",
(__bridge id)kSecValueData: [@"test_strong_password" dataUsingEncoding:NSUTF8StringEncoding],
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacRef
};
// 3. save item
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, nil);
if (status == noErr) {
// successfully saved
} else {
// error while saving
}
{% endtab %} {% endtabs %}
Sasa tunaweza kuomba kipengee kilichohifadhiwa kutoka kwa keychain. Huduma za keychain zitaonyesha kidirisha cha uthibitishaji kwa mtumiaji na kurudisha data au nil kulingana na ikiwa alitoa alama sahihi ya vidole au la.
{% tabs %} {% tab title="Swift" %}
// 1. define query
var query = [String: Any]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecReturnData as String] = kCFBooleanTrue
query[kSecAttrAccount as String] = "My Name" as CFString
query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString
query[kSecUseOperationPrompt as String] = "Please, pass authorisation to enter this area" as CFString
// 2. get item
var queryResult: AnyObject?
let status = withUnsafeMutablePointer(to: &queryResult) {
SecItemCopyMatching(query as CFDictionary, UnsafeMutablePointer($0))
}
if status == noErr {
let password = String(data: queryResult as! Data, encoding: .utf8)!
// successfully received password
} else {
// authorization not passed
}
{% endtab %}
{% tab title="Objective-C" %}
// 1. define query
NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecReturnData: @YES,
(__bridge id)kSecAttrAccount: @"My Name1",
(__bridge id)kSecAttrLabel: @"com.me.myapp.password",
(__bridge id)kSecUseOperationPrompt: @"Please, pass authorisation to enter this area" };
// 2. get item
CFTypeRef queryResult = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &queryResult);
if (status == noErr){
NSData* resultData = ( __bridge_transfer NSData* )queryResult;
NSString* password = [[NSString alloc] initWithData:resultData encoding:NSUTF8StringEncoding];
NSLog(@"%@", password);
} else {
NSLog(@"Something went wrong");
}
{% endtab %} {% endtabs %}
Kugundua
Matumizi ya mifumo katika programu yanaweza pia kugunduliwa kwa kuchambua orodha ya maktaba za pamoja za dinamik katika binary ya programu. Hii inaweza kufanywa kwa kutumia otool
:
$ otool -L <AppName>.app/<AppName>
Ikiwa LocalAuthentication.framework
inatumika katika programu, matokeo yatakuwa na mistari ifuatayo (kumbuka kwamba LocalAuthentication.framework
inatumia Security.framework
chini ya uso):
/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication
/System/Library/Frameworks/Security.framework/Security
If Security.framework
inatumika, ni wa pili tu atakayeonyeshwa.
Local Authentication Framework Bypass
Objection
Kupitia Objection Biometrics Bypass, iliyoko hapa kwenye ukurasa wa GitHub, mbinu inapatikana ya kushinda mekanizma ya LocalAuthentication. Msingi wa njia hii unahusisha kutumia Frida kubadilisha kazi ya evaluatePolicy
, kuhakikisha inatoa matokeo ya True
kila wakati, bila kujali mafanikio halisi ya uthibitishaji. Hii ni muhimu sana kwa kukwepa michakato ya uthibitishaji wa biometriki yenye kasoro.
Ili kuanzisha hii bypass, amri ifuatayo inatumika:
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass
(agent) Registering job 3mhtws9x47q. Type: ios-biometrics-disable
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # (agent) [3mhtws9x47q] Localized Reason for auth requirement: Please authenticate yourself
(agent) [3mhtws9x47q] OS authentication response: false
(agent) [3mhtws9x47q] Marking OS response as True instead
(agent) [3mhtws9x47q] Biometrics bypass hook complete
Hii amri inaanzisha mfululizo ambapo Objection inarekodi kazi ambayo kwa ufanisi inabadilisha matokeo ya ukaguzi wa evaluatePolicy
kuwa True
.
Frida
Mfano wa matumizi ya evaluatePolicy
kutoka DVIA-v2 application:
+(void)authenticateWithTouchID {
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = @"Please authenticate yourself";
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"];
});
} else {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Authentication Failed !" withTitle:@"Error"];
});
}
}];
} else {
dispatch_async(dispatch_get_main_queue(), ^{
[TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"];
});
}
}
Ili kufanikisha bypass ya Uthibitishaji wa Mitaa, skripti ya Frida imeandikwa. Skripti hii inalenga ukaguzi wa evaluatePolicy, ikikamata callback yake ili kuhakikisha inarudisha success=1. Kwa kubadilisha tabia ya callback, ukaguzi wa uthibitishaji unakwepa kwa ufanisi.
Skripti iliyo hapa chini inachomwa ili kubadilisha matokeo ya njia ya evaluatePolicy. Inabadilisha matokeo ya callback kuonyesha kila wakati mafanikio.
// from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/
if(ObjC.available) {
console.log("Injecting...");
var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
Interceptor.attach(hook.implementation, {
onEnter: function(args) {
var block = new ObjC.Block(args[4]);
const callback = block.implementation;
block.implementation = function (error, value) {
console.log("Changing the result value to true")
const result = callback(1, null);
return result;
};
},
});
} else {
console.log("Objective-C Runtime is not available!");
}
Ili kuingiza script ya Frida na kupita uthibitisho wa kibayometriki, amri ifuatayo inatumika:
frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-ios.js
Sensitive Functionality Exposure Through IPC
Custom URI Handlers / Deeplinks / Custom Schemes
{% content-ref url="ios-custom-uri-handlers-deeplinks-custom-schemes.md" %} ios-custom-uri-handlers-deeplinks-custom-schemes.md {% endcontent-ref %}
Universal Links
{% content-ref url="ios-universal-links.md" %} ios-universal-links.md {% endcontent-ref %}
UIActivity Sharing
{% content-ref url="ios-uiactivity-sharing.md" %} ios-uiactivity-sharing.md {% endcontent-ref %}
UIPasteboard
{% content-ref url="ios-uipasteboard.md" %} ios-uipasteboard.md {% endcontent-ref %}
App Extensions
{% content-ref url="ios-app-extensions.md" %} ios-app-extensions.md {% endcontent-ref %}
WebViews
{% content-ref url="ios-webviews.md" %} ios-webviews.md {% endcontent-ref %}
Serialisation and Encoding
{% content-ref url="ios-serialisation-and-encoding.md" %} ios-serialisation-and-encoding.md {% endcontent-ref %}
Network Communication
Ni muhimu kuangalia kwamba hakuna mawasiliano yanayotokea bila usimbuaji na pia kwamba programu inathibitisha kwa usahihi cheti cha TLS cha seva.
Ili kuangalia masuala haya unaweza kutumia proxy kama Burp:
{% content-ref url="burp-configuration-for-ios.md" %} burp-configuration-for-ios.md {% endcontent-ref %}
Hostname check
Tatizo moja la kawaida katika kuthibitisha cheti cha TLS ni kuangalia kwamba cheti kimeandikwa na CA iliyoaminika, lakini sio kuangalia kama jina la mwenyeji la cheti ndilo jina la mwenyeji linalofikiwa.
Ili kuangalia tatizo hili kwa kutumia Burp, baada ya kuamini Burp CA kwenye iPhone, unaweza kuunda cheti kipya na Burp kwa jina la mwenyeji tofauti na kukitumia. Ikiwa programu bado inafanya kazi, basi, kuna kitu kinahatarisha.
Certificate Pinning
Ikiwa programu inatumia SSL Pinning kwa usahihi, basi programu itafanya kazi tu ikiwa cheti ni kile kinachotarajiwa. Wakati wa kujaribu programu hii inaweza kuwa tatizo kwani Burp itatoa cheti yake mwenyewe.
Ili kupita ulinzi huu ndani ya kifaa kilichovunjwa, unaweza kufunga programu SSL Kill Switch au kufunga Burp Mobile Assistant
Unaweza pia kutumia objection's ios sslpinning disable
Misc
- Katika
/System/Library
unaweza kupata mifumo iliyosakinishwa kwenye simu inayotumiwa na programu za mfumo - Programu zilizowekwa na mtumiaji kutoka Duka la Programu ziko ndani ya
/User/Applications
- Na
/User/Library
ina data iliyohifadhiwa na programu za kiwango cha mtumiaji - Unaweza kufikia
/User/Library/Notes/notes.sqlite
kusoma noti zilizohifadhiwa ndani ya programu. - Ndani ya folda ya programu iliyosakinishwa (
/User/Applications/<APP ID>/
) unaweza kupata faili za kuvutia: iTunesArtwork
: Ikoni inayotumiwa na programuiTunesMetadata.plist
: Taarifa ya programu inayotumiwa katika Duka la Programu/Library/*
: Inashikilia mapendeleo na cache. Katika/Library/Cache/Snapshots/*
unaweza kupata picha iliyofanywa kwa programu kabla ya kuhamasisha kwenye background.
Hot Patching/Enforced Updateing
Wakuu wa programu wanaweza kwa mbali kurekebisha usakinishaji wote wa programu yao mara moja bila ya kuwasilisha tena programu hiyo kwenye Duka la Programu na kusubiri hadi idhini ipatikane.
Kwa kusudi hili mara nyingi hutumia JSPatch. Lakini kuna chaguzi nyingine pia kama Siren na react-native-appstore-version-checker.
Huu ni mfumo hatari ambao unaweza kutumiwa vibaya na SDKs za wahalifu, kwa hivyo inashauriwa kuangalia ni njia gani inatumika kwa sasisho za kiotomatiki (ikiwa zipo) na kujaribu. Unaweza kujaribu kupakua toleo la awali la programu kwa kusudi hili.
Third Parties
Changamoto kubwa na SDKs za wahusika wengine ni ukosefu wa udhibiti wa kina juu ya kazi zao. Wakuu wa programu wanakabiliwa na chaguo: ama kuunganisha SDK na kukubali vipengele vyake vyote, ikiwa ni pamoja na hatari za usalama na wasiwasi wa faragha, au kuacha faida zake kabisa. Mara nyingi, wakuu wa programu hawawezi kurekebisha hatari ndani ya SDK hizi wenyewe. Zaidi ya hayo, kadri SDK zinavyopata uaminifu ndani ya jamii, baadhi zinaweza kuanza kuwa na malware.
Huduma zinazotolewa na SDKs za wahusika wengine zinaweza kujumuisha ufuatiliaji wa tabia za mtumiaji, kuonyesha matangazo, au kuboresha uzoefu wa mtumiaji. Hata hivyo, hii inaletwa na hatari kwani wakuu wa programu wanaweza kutokuwa na ufahamu kamili wa msimbo unaotekelezwa na maktaba hizi, na kusababisha hatari za faragha na usalama. Ni muhimu kupunguza taarifa zinazoshirikiwa na huduma za wahusika wengine kwa kile kinachohitajika na kuhakikisha kwamba hakuna data nyeti inayofichuliwa.
Utekelezaji wa huduma za wahusika wengine kawaida huja katika aina mbili: maktaba huru au SDK kamili. Ili kulinda faragha ya mtumiaji, data yoyote inayoshirikiwa na huduma hizi inapaswa kuwa isiyojulikana ili kuzuia kufichuliwa kwa Taarifa za Kibinafsi (PII).
Ili kubaini maktaba ambazo programu inatumia, amri ya otool
inaweza kutumika. Chombo hiki kinapaswa kukimbizwa dhidi ya programu na kila maktaba iliyoshirikiwa inayotumiwa kugundua maktaba za ziada.
otool -L <application_path>
Marejeo & Rasilimali Zaidi
- https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering
- iOS & Mobile App Pentesting - INE
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0057/
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0058/
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0059/
- https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage
- https://coderwall.com/p/kjb3lw/storing-password-in-keychain-the-smart-way
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0055/
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0053
- https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0060/
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0058
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0060
- https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/
- https://mas.owasp.org/MASTG/tests/ios/MASVS-AUTH/MASTG-TEST-0064
- https://medium.com/securing/bypassing-your-apps-biometric-checks-on-ios-c2555c81a2dc
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0054
- https://github.com/ivRodriguezCA/RE-iOS-Apps/ Kozi ya bure ya IOS (https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/)
- https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577
- https://www.slideshare.net/RyanISI/ios-appsecurityminicourse
- https://github.com/prateek147/DVIA
- https://github.com/prateek147/DVIA-v2
- https://github.com/OWASP/MSTG-Hacking-Playground%20
- OWASP iGoat https://github.com/OWASP/igoat <<< Toleo la Objective-C https://github.com/OWASP/iGoat-Swift <<< Toleo la Swift
- https://github.com/authenticationfailure/WheresMyBrowser.iOS
- https://github.com/nabla-c0d3/ssl-kill-switch2
Tumia Trickest kujenga na kujiendesha kazi kwa urahisi kwa kutumia zana za jamii za kisasa zaidi duniani.
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %}
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
- Shiriki hila za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.