O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Hacking and Securing iOS Applications

Book Description

If you’re an app developer with a solid foundation in Objective-C, this book is an absolute must—chances are very high that your company’s iOS applications are vulnerable to attack. That’s because malicious attackers now use an arsenal of tools to reverse-engineer, trace, and manipulate applications in ways that most programmers aren’t aware of.

This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You’ll learn best practices to help protect your applications, and discover how important it is to understand and strategize like your adversary.

  • Examine subtle vulnerabilities in real-world applications—and avoid the same problems in your apps
  • Learn how attackers infect apps with malware through code injection
  • Discover how attackers defeat iOS keychain and data-protection encryption
  • Use a debugger and custom code injection to manipulate the runtime Objective-C environment
  • Prevent attackers from hijacking SSL sessions and stealing traffic
  • Securely delete files and design your apps to prevent forensic data leakage
  • Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace

Table of Contents

  1. Dedication
  2. A Note Regarding Supplemental Files
  3. Preface
    1. Audience of This Book
    2. Organization of the Material
    3. Conventions Used in This Book
    4. Using Code Examples
    5. Legal Disclaimer
    6. Safari® Books Online
    7. How to Contact Us
  4. 1. Everything You Know Is Wrong
    1. The Myth of a Monoculture
    2. The iOS Security Model
      1. Components of the iOS Security Model
        1. Device security
        2. Data security
        3. Network security
        4. Application security
    3. Storing the Key with the Lock
    4. Passcodes Equate to Weak Security
    5. Forensic Data Trumps Encryption
    6. External Data Is at Risk, Too
    7. Hijacking Traffic
      1. Data Can Be Stolen...Quickly
    8. Trust No One, Not Even Your Application
    9. Physical Access Is Optional
    10. Summary
  5. I. Hacking
    1. 2. The Basics of Compromising iOS
      1. Why It’s Important to Learn How to Break Into a Device
      2. Jailbreaking Explained
        1. Developer Tools
      3. End User Jailbreaks
        1. Jailbreaking an iPhone
        2. DFU Mode
        3. Tethered Versus Untethered
      4. Compromising Devices and Injecting Code
        1. Building Custom Code
        2. Analyzing Your Binary
          1. Basic disassembly
          2. Listing dynamic dependencies
          3. Symbol table dumps
          4. String searches
        3. Testing Your Binary
        4. Daemonizing Code
        5. Deploying Malicious Code with a Tar Archive
          1. Grabbing signed binaries
          2. Preparing the archive
          3. Deploying the archive
        6. Deploying Malicious Code with a RAM Disk
          1. Build a custom launchd
          2. Breakdown of launchd example
          3. Building a RAM disk
          4. Booting a RAM disk
          5. Troubleshooting
      5. Exercises
      6. Summary
    2. 3. Stealing the Filesystem
      1. Full Disk Encryption
        1. Solid State NAND
        2. Disk Encryption
          1. Filesystem Encryption
          2. Protection classes
        3. Where iOS Disk Encryption Has Failed You
      2. Copying the Live Filesystem
        1. The DataTheft Payload
          1. Disabling the watchdog timer
          2. Bringing up USB connectivity
          3. Payload code
        2. Customizing launchd
        3. Preparing the RAM disk
        4. Imaging the Filesystem
      3. Copying the Raw Filesystem
        1. The RawTheft Payload
          1. Payload code
        2. Customizing launchd
        3. Preparing the RAM disk
        4. Imaging the Filesystem
      4. Exercises
      5. The Role of Social Engineering
        1. Disabled Device Decoy
        2. Deactivated Device Decoy
        3. Malware Enabled Decoy
        4. Password Engineering Application
      6. Summary
    3. 4. Forensic Trace and Data Leakage
      1. Extracting Image Geotags
        1. Consolidated GPS Cache
      2. SQLite Databases
        1. Connecting to a Database
        2. SQLite Built-in Commands
        3. Issuing SQL Queries
        4. Important Database Files
        5. Address Book Contacts
          1. Putting it all together
        6. Address Book Images
        7. Google Maps Data
        8. Calendar Events
        9. Call History
        10. Email Database
          1. Mail attachments and message files
        11. Notes
        12. Photo Metadata
        13. SMS Messages
        14. Safari Bookmarks
        15. SMS Spotlight Cache
        16. Safari Web Caches
        17. Web Application Cache
        18. WebKit Storage
        19. Voicemail
      3. Reverse Engineering Remnant Database Fields
      4. SMS Drafts
      5. Property Lists
        1. Important Property List Files
      6. Other Important Files
      7. Summary
    4. 5. Defeating Encryption
      1. Sogeti’s Data Protection Tools
        1. Installing Data Protection Tools
        2. Building the Brute Forcer
        3. Building Needed Python Libraries
      2. Extracting Encryption Keys
        1. The KeyTheft Payload
        2. Customizing Launchd
        3. Preparing the RAM disk
        4. Preparing the Kernel
        5. Executing the Brute Force
      3. Decrypting the Keychain
      4. Decrypting Raw Disk
      5. Decrypting iTunes Backups
      6. Defeating Encryption Through Spyware
        1. The SpyTheft Payload
        2. Daemonizing spyd
        3. Customizing Launchd
        4. Preparing the RAM disk
        5. Executing the Payload
      7. Exercises
      8. Summary
    5. 6. Unobliterating Files
      1. Scraping the HFS Journal
      2. Carving Empty Space
      3. Commonly Recovered Data
        1. Application Screenshots
        2. Deleted Property Lists
        3. Deleted Voicemail and Voice Recordings
        4. Deleted Keyboard Cache
        5. Photos and Other Personal Information
      4. Summary
    6. 7. Manipulating the Runtime
      1. Analyzing Binaries
        1. The Mach-O Format
        2. Introduction to class-dump-z
        3. Symbol Tables
      2. Encrypted Binaries
        1. Calculating Offsets
        2. Dumping Memory
        3. Copy Decrypted Code Back to the File
        4. Resetting the cryptid
      3. Abusing the Runtime with Cycript
        1. Installing Cycript
        2. Using Cycript
        3. Breaking Simple Locks
        4. Replacing Methods
        5. Trawling for Data
          1. Instance variables
          2. Methods
          3. Classes
        6. Logging Data
        7. More Serious Implications
          1. Personal data vaults
          2. Payment processing applications
          3. Electronic banking
      4. Exercises
        1. SpringBoard Animations
        2. Call Tapping...Kind Of
        3. Making Screen Shots
      5. Summary
    7. 8. Abusing the Runtime Library
      1. Breaking Objective-C Down
        1. Instance Variables
        2. Methods
        3. Method Cache
      2. Disassembling and Debugging
        1. Eavesdropping
        2. The Underlying Objective-C Framework
        3. Interfacing with Objective-C
      3. Malicious Code Injection
        1. The CodeTheft Payload
        2. Injection Using a Debugger
      4. Injection Using Dynamic Linker Attack
        1. Full Device Infection
      5. Summary
    8. 9. Hijacking Traffic
      1. APN Hijacking
        1. Payload Delivery
        2. Removal
      2. Simple Proxy Setup
      3. Attacking SSL
        1. SSLStrip
        2. Paros Proxy
        3. Browser Warnings
      4. Attacking Application-Level SSL Validation
        1. The SSLTheft Payload
      5. Hijacking Foundation HTTP Classes
        1. The POSTTheft Payload
      6. Analyzing Data
      7. Driftnet
        1. Building
        2. Running
      8. Exercises
      9. Summary
  6. II. Securing
    1. 10. Implementing Encryption
      1. Password Strength
        1. Beware Random Password Generators
      2. Introduction to Common Crypto
        1. Stateless Operations
        2. Stateful Encryption
      3. Master Key Encryption
      4. Geo-Encryption
        1. Geo-Encryption with Passphrase
      5. Split Server-Side Keys
      6. Securing Memory
        1. Wiping Memory
      7. Public Key Cryptography
      8. Exercises
    2. 11. Counter Forensics
      1. Secure File Wiping
        1. DOD 5220.22-M Wiping
        2. Objective-C
      2. Wiping SQLite Records
      3. Keyboard Cache
      4. Randomizing PIN Digits
      5. Application Screenshots
    3. 12. Securing the Runtime
      1. Tamper Response
        1. Wipe User Data
        2. Disable Network Access
        3. Report Home
        4. Enable Logging
        5. False Contacts and Kill Switches
      2. Process Trace Checking
      3. Blocking Debuggers
      4. Runtime Class Integrity Checks
        1. Validating Address Space
      5. Inline Functions
      6. Complicating Disassembly
        1. Optimization Flags
        2. Stripping
        3. They’re Fun! They Roll! -funroll-loops
      7. Exercises
    4. 13. Jailbreak Detection
      1. Sandbox Integrity Check
      2. Filesystem Tests
        1. Existence of Jailbreak Files
        2. Size of /etc/fstab
        3. Evidence of Symbolic Linking
      3. Page Execution Check
    5. 14. Next Steps
      1. Thinking Like an Attacker
      2. Other Reverse Engineering Tools
      3. Security Versus Code Management
      4. A Flexible Approach to Security
      5. Other Great Books
  7. About the Author
  8. Copyright