Hacking and Securing iOS Applications by Jonathan Zdziarski

Since the release of the original iPhone in 2007, Apple has engaged in a cat-and-mouse game with hackers to secure their suite of devices for what has grown to nearly 100 million end users. Over this time, many improvements have been made to the security of the device, and the stakes have been raised by their introduction into circles with far greater security requirements than the device and its operating system have thus far delivered. The introduction of hardware-accelerated encryption came with the iPhone 3GS, as did many other features, and helped to begin addressing the requirements needed for use in these environments.

Software engineering principles tell us that code reuse is one of the keys to writing good software. Many managers and engineers alike also generally assume that, if a given device (or a security module within that device) is certified or validated by a government agency or consortium, its security mechanisms should be trusted for conducting secure transactions. As a developer, you may put your trust in the suite of classes provided in the iOS SDK to develop secure applications because that’s what you’re led to believe is the best approach. While code reuse has its benefits, a security-oriented monoculture creates a significant amount of risk in any environment. The thought process that typically starts this kind of monoculture seems to follow this pattern:

Certifications of secure modules, such as those outlined in the National Institute of Standards and Technology’s FIPS 140-2 standards, operate primarily from a conceptual perspective; that is, requirements dictate how the device or module must be designed to function. When a device is hacked, the device is caused to malfunction—that is, operate in a way in which it was not designed. As a result, most certifications do not cover penetration testing, nor do they purport to certify that any given device or module is secure at all, but only that the manufacturer has conceptually designed the security module to be capable of meeting the requirements in the specification. In other words, FIPS 140-2 is about compliance, and not security.

FIPS 140-2 is a standards publication titled Security Requirements for Cryptographic Modules that outlines the requirements of four different levels of security compliance to which a cryptographic module can adhere. The FIPS certification standards were never intended, however, to certify that a given module was hacker-proof—in fact, low-level penetration testing isn’t even considered part of the standard certification process. So why do we, as developers, allow ourselves to be pigeonholed into relying on the manufacturer’s security framework when it was never certified to be secure?

The real engineering-level testing of these devices is left up to independent agencies and their red teams to perform penetration testing and auditing long after the certification process is complete. A red team is a group of penetration testers that assesses the security of a target. Historically, the target has been an organization that often doesn’t even know that its security is being tested. In recent use of the term, red teams have also been assembled to conduct technical penetration tests against devices, cryptographic modules, or other equipment. Many times, the results of such tests aren’t made publicly available, nor are they even available to the manufacturer in some cases. This can be due to information being classified, confidentiality agreements in place, or for other reasons.

Due to the confidential nature of private penetration testing (especially in the intelligence world), a security module may be riddled with holes that the manufacturer may never hear about until a hacker exploits them—perhaps years after its device is certified. If a manufacturer doesn’t embrace full disclosure and attempts to hide these flaws, or if they are not quick enough to address flaws in its operating system, the entire monoculture stands to leave hundreds of thousands of applications, spanning millions of users, exposed to vulnerabilities. This leads us to our first myths about secure computing monocultures.

Apple has incorporated four layers of security in iOS to protect the user and their data.

Securing data at rest comes down to the effectiveness of the encryption protecting it. The effectiveness of the encryption largely depends on the strength and secrecy of the key. The filesystem encryption used in iOS as of versions 4 and 5 rests entirely on these keys. Only select files, such as the user’s email and attachments, are encrypted in a way that takes the device passcode into consideration. The rest of the user’s data is at risk from the classic problem of storing the lock with the key.

All iOS-based devices are shipped with two built-in keys. These include a GID key, which is shared by all devices of the same model, and a UID key, which is a key unique to the device (a hardware key). Additional keys are computed when the device is booted as well. These derived keys are dependent on the GID and UID key, and not on a passcode or PIN. They must be operational before the user even enters a passcode, to boot and use the device. A key hierarchy is built upon all of these keys, with the UID and GID keys at the top of the hierarchy. Keys at the top are used to calculate other keys, which protect randomly generated keys used to encrypt data. One important key used to encrypt data is called the Dkey, and is the master encryption key used to encrypt all files that are not specifically protected with Apple’s data protection. This is nearly every user data file, except for email and attachments, or any files that third-party applications specifically protect. The Dkey is stored in effaceable storage to make wiping the filesystem a quick process. Effaceable storage is a region of flash memory on the device that allows small amounts of data to be stored and quickly erased (for example, during a wipe). The Dkey is stored in a locker in the effaceable storage along with other keys used to encrypt the underlying filesystem.

You may have the most secure deadbolt on the market protecting your front door. Perhaps this $799 lock is pick-proof, tool-proof, and built to extreme tolerances making it impossible to open without the key. Now take a spare key and hide it under your doormat. You’ve now made all of the expensive security you paid for entirely irrelevant. This is much the same problem in the digital world that we used to see with digital rights management, which has now made its way into mobile security. People who pay for expensive locks shouldn’t place a spare key under the mat.

Apple has a lot of experience with digital rights management, much more than with mobile security, in fact. The iTunes store existed for years prior to the iPhone, and allows songs to be encrypted and distributed to the user, providing them the keys to play the music only after authenticating. Over time, those who didn’t like to be told what they could and couldn’t do with their music ended up writing many tools to free their music. These tools removed the encryption from songs downloaded through iTunes so that the user could copy it to another machine, back it up, or play it with third-party software. Such tools depend largely on two things the user already has: the encrypted music, and the keys to each song.

The filesystem encryption in iOS is very similar to iTunes Digital Rights Management (DRM), in that the master keys to the filesystem’s encryption are stored on the device—the lock and key together, just as they are in DRM. The key to decrypting the filesystem, therefore, is in knowing where to find the keys. It’s much simpler than that, as you’ll see in this book. In fact, we aren’t dealing with a $799 lock that is pick-proof, and there are many ways to convince the operating system to decrypt the filesystem for you, without even looking for a key. Think “open sesame”.

With a mobile device, the trade-off between security and convenience of use is more noticeable than that of a desktop machine with a full keyboard. The device’s smaller on-screen keyboard combined with its mobile form factor make unlocking it a productivity nightmare for an enterprise. As a mobile device, an average user will work in short bursts—perhaps a text message or an email at a time—before placing it in his pocket again. To adequately secure a device, it must be unlocked by a password on each and every use, or at the very least every 15 minutes. This generally leads to one inevitable result: weak passwords.

As a result of the inconvenience of unlocking a device several hundred times per day, many enterprises resort to allowing a simple four-digit PIN, a simple word, or a password mirroring an easy to type pattern on the keyboard (dot-space-mzlapq anyone?). All of these have historically been easily hacked by password cracking tools within a fraction of the time a complex password would take. While only a few select files are encrypted using Apple’s data protection APIs, the ones that are protected aren’t protected that much better.

Consider a four-digit PIN, which is the “simple passcode” default when using iOS. A four-digit numeric PIN has only 10,000 possibilities. Existing tools, which you’ll learn about in this book, can iterate through all 10,000 codes in a little less than 20 minutes. Whether you’ve stolen a device or just borrowed it for a little while, this is an extremely short amount of time to steal all of the device’s encryption keys. The problem, however, is that most users will defer to a four-digit PIN, or the simplest complex passcode they can get away with. Why? Because it’s not their job to understand how the iOS passcode is tied to the encryption of their credit card information.

Your users are going to use weak passwords, so you’ll need to either accept this as a fact of life, or prevent it from happening. Unless they’re bound to an enterprise policy forbidding their use, the average user is going to stick with what’s convenient. The inconvenience of corporately owned devices, in fact, is precisely why more employees are using personal devices in the workplace.

Your application might be the most secure application ever written, but unbeknownst to you, the operating system is unintentionally working against your security. I’ve tested many applications that were otherwise securely written, but leaked clear text copies of confidential information into the operating system’s caches. You’ll learn about the different caches in Chapter 4. From web caches that store web page data, to keyboard caches that store everything you type, much of the information that goes through the device can be recovered from cached copies on disk, regardless of how strong your encryption of the original files was.

In addition to forensic trace data, you might also be surprised to find that deleted data can still be carved out of the device. Apple has made some significant improvements to its encrypted filesystem, where each file now has its own encryption key. Making a file unrecoverable is as easy as destroying the key. Unfortunately for developers, traces of these keys can still be recovered, allowing the files they decrypt to be recovered. You’ll learn more about journal carving in Chapter 6.

Even the strongest safe deposit box can be opened with the right key. Your valuables might be safe in the strongest, most fortified bank in the world, but if the key is sitting on the bar with your car keys, it only takes a simple and quick attack to defeat every layer of the bank’s multimillion dollar security. Swiping your key, watching you sign your bill, and forging a fake identification is much easier than defeating a bank’s security system, drilling through six-inch steel walls, and breaking into the right safe deposit box.

Not all data you wish to protect is on the device, but usernames, passwords, and URLs to remote resources can be. All too often developers make the painstaking effort to encrypt all of the user’s confidential data on the device, but then compile in the strings to URLs, global usernames/passwords, or other back doors, such as those of credit card processing systems or other global system. Another common mistake is to write a thin client that stores no user data on the device, but makes the exception of storing the user’s password and/or session cookies there, or common bugs that make such an application susceptible to a man-in-the-middle attack. This makes the nightmare worse because once credentials are stolen (possibly unbeknownst to the device’s owner), the remote resources tied to these credentials can be easily accessed from anywhere.

Apart from the most paranoid users (of which you will be, if you are reading this book), most inherently trust the networks their traffic runs across, especially if the network is a cellular network. In spite of the many cellular hacking tools and how-tos widely available today, many still believe that seeing their carrier name at the top of the device’s menu bar is secure enough. You’ll learn how easy it is to redirect traffic bound for the user’s cellular network to your own proxy in Chapter 9.

If you can’t trust your own application, who can you trust? After all, Apple has digitally signed your application and if any modifications are made to it (say, causing it to bypass certain security check), the application should cease to run. Not so, and this is a dangerous assumption made by many developers. I’ve seen this time and time again in applications I review, from passcode screens that serve only as a weak GUI lock, to methods to check whether certain features are enabled, and more importantly, on security checks dealing with financial transactions that should take place on a remote server instead of on the phone. All of these and more can be easily manipulated. App Store developers have even found ways to manipulate their own applications into sneaking in code that Apple hasn’t reviewed.

You’ll learn as early as in Chapter 2 that Apple’s signing mechanism can be disabled either by a criminal hacker or by jailbreaking your device, allowing any modifications to be made to the binary itself, or more importantly in the runtime. In fact, manipulating an application’s runtime has never been easier than with the Objective-C environment. Objective-C is a reflective language, allowing it to perceive and modify its own state as the application runs. You’ll learn about tools in Chapter 7 and Chapter 8 to manipulate the runtime of an application, allowing a hacker to bypass UIViewController screens (or any other screen), throw new objects onto the key window, instantiate and manipulate objects of any kind, change the value of variables, and even override methods in your application to inject their own.

Why would a user hack her own application? Well, that is possible, but think more in terms of a criminal running a copy of a victim’s stolen application, with her stolen data. Another common scenario involves malware running on a device to hijack an application. You’ll see many examples in the chapters to come. One of the most notable examples includes manipulating a stolen copy of a merchant’s credit card application to refund the attacker thousands of dollars in products she did not purchase from the merchant, which would be transferred from the merchant’s account, still linked to the stolen application.

We’ve established that stolen or “borrowed” devices are easy to hack. Physical security is commonly the biggest reason some developers dismiss the notion of stolen data. After all, if someone can steal your wallet with your credit cards, you’re also going to be in for a considerable headache. Historically, a limited number of remote code injection vulnerabilities have been discovered and exploited for iOS. Fortunately, the good guys have found the ones we presently know about, but that is not to say criminal hackers won’t find future remote code injection exploits. The most notable of these exploits include the following:

Apple has implemented some great security mechanisms in their operating system, but like any technique, they are subject to attack. By depending solely on solutions such as the keychain, passcode keys, and encrypted filesystems, the collective pool of applications stand to be at risk from one of many points of failure within Apple’s opaque architecture. Implementation is key to making any form of security effective. Without a flawless implementation, terms like “hardware encryption” don’t mean anything to criminal hackers, and they stand to provide no real world protection against those who can find flaws in it. Application security can be improved only by having a sober understanding of the shortcomings of the current implementations and either coding to compensate for them, or writing our own implementations that work better.

Apple has done a good job with what is an otherwise sophisticated implementation of a security framework, but iOS still suffers from flaws. With nearly 100 million iPhone devices sold and over a half million applications in Apple’s App Store, many different interest groups ranging from forensic software manufacturers to criminal hackers have targeted iOS security. By relying on the manufacturer’s implementation alone, many have lent themselves to the untimely demise of the customer data stored within their applications.

It’s easier to shoot a big fish in a little pond than the opposite. The chapters to follow will teach you how criminals can hack into iOS to steal data and hijack applications, but more importantly will teach you, the developer, how to better secure your applications to lower the risk of exposure.