Hacking and Securing iOS Applications

Book Description

Based on unique and previously undocumented research, this book by noted forensic expert Jonathan Zdziarski shows the numerous weaknesses that exist in typical iPhone and iPad apps. Zdziarski shows finance companies, large institutions and others where the exploitable flaws lie in their code, and in this book he will show you as well, in a clear, direct, and immediately applicable style.

Table of Contents

  1. Hacking and Securing iOS Applications
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Preface
      1. Audience of This Book
      2. Organization of the Material
      3. Conventions Used in This Book
      4. Using Code Examples
      5. Legal Disclaimer
      6. Safari® Books Online
      7. How to Contact Us
    3. 1. Everything You Know Is Wrong
      1. The Myth of a Monoculture
      2. The iOS Security Model
        1. Components of the iOS Security Model
          1. Device security
          2. Data security
          3. Network security
          4. Application security
      3. Storing the Key with the Lock
      4. Passcodes Equate to Weak Security
      5. Forensic Data Trumps Encryption
      6. External Data Is at Risk, Too
      7. Hijacking Traffic
        1. Data Can Be Stolen...Quickly
      8. Trust No One, Not Even Your Application
      9. Physical Access Is Optional
      10. Summary
    4. I. Hacking
      1. 2. The Basics of Compromising iOS
        1. Why It’s Important to Learn How to Break Into a Device
        2. Jailbreaking Explained
          1. Developer Tools
        3. End User Jailbreaks
          1. Jailbreaking an iPhone
          2. DFU Mode
          3. Tethered Versus Untethered
        4. Compromising Devices and Injecting Code
          1. Building Custom Code
          2. Analyzing Your Binary
            1. Basic disassembly
            2. Listing dynamic dependencies
            3. Symbol table dumps
            4. String searches
          3. Testing Your Binary
          4. Daemonizing Code
          5. Deploying Malicious Code with a Tar Archive
            1. Grabbing signed binaries
            2. Preparing the archive
            3. Deploying the archive
          6. Deploying Malicious Code with a RAM Disk
            1. Build a custom launchd
            2. Breakdown of launchd example
            3. Building a RAM disk
            4. Booting a RAM disk
            5. Troubleshooting
        5. Exercises
        6. Summary
      2. 3. Stealing the Filesystem
        1. Full Disk Encryption
          1. Solid State NAND
          2. Disk Encryption
            1. Filesystem Encryption
            2. Protection classes
          3. Where iOS Disk Encryption Has Failed You
        2. Copying the Live Filesystem
          1. The DataTheft Payload
            1. Disabling the watchdog timer
            2. Bringing up USB connectivity
            3. Payload code
          2. Customizing launchd
          3. Preparing the RAM disk
          4. Imaging the Filesystem
        3. Copying the Raw Filesystem
          1. The RawTheft Payload
            1. Payload code
          2. Customizing launchd
          3. Preparing the RAM disk
          4. Imaging the Filesystem
        4. Exercises
        5. The Role of Social Engineering
          1. Disabled Device Decoy
          2. Deactivated Device Decoy
          3. Malware Enabled Decoy
          4. Password Engineering Application
        6. Summary
      3. 4. Forensic Trace and Data Leakage
        1. Extracting Image Geotags
          1. Consolidated GPS Cache
        2. SQLite Databases
          1. Connecting to a Database
          2. SQLite Built-in Commands
          3. Issuing SQL Queries
          4. Important Database Files
          5. Address Book Contacts
            1. Putting it all together
          6. Address Book Images
          7. Google Maps Data
          8. Calendar Events
          9. Call History
          10. Email Database
            1. Mail attachments and message files
          11. Notes
          12. Photo Metadata
          13. SMS Messages
          14. Safari Bookmarks
          15. SMS Spotlight Cache
          16. Safari Web Caches
          17. Web Application Cache
          18. WebKit Storage
          19. Voicemail
        3. Reverse Engineering Remnant Database Fields
        4. SMS Drafts
        5. Property Lists
          1. Important Property List Files
        6. Other Important Files
        7. Summary
      4. 5. Defeating Encryption
        1. Sogeti’s Data Protection Tools
          1. Installing Data Protection Tools
          2. Building the Brute Forcer
          3. Building Needed Python Libraries
        2. Extracting Encryption Keys
          1. The KeyTheft Payload
          2. Customizing Launchd
          3. Preparing the RAM disk
          4. Preparing the Kernel
          5. Executing the Brute Force
        3. Decrypting the Keychain
        4. Decrypting Raw Disk
        5. Decrypting iTunes Backups
        6. Defeating Encryption Through Spyware
          1. The SpyTheft Payload
          2. Daemonizing spyd
          3. Customizing Launchd
          4. Preparing the RAM disk
          5. Executing the Payload
        7. Exercises
        8. Summary
      5. 6. Unobliterating Files
        1. Scraping the HFS Journal
        2. Carving Empty Space
        3. Commonly Recovered Data
          1. Application Screenshots
          2. Deleted Property Lists
          3. Deleted Voicemail and Voice Recordings
          4. Deleted Keyboard Cache
          5. Photos and Other Personal Information
        4. Summary
      6. 7. Manipulating the Runtime
        1. Analyzing Binaries
          1. The Mach-O Format
          2. Introduction to class-dump-z
          3. Symbol Tables
        2. Encrypted Binaries
          1. Calculating Offsets
          2. Dumping Memory
          3. Copy Decrypted Code Back to the File
          4. Resetting the cryptid
        3. Abusing the Runtime with Cycript
          1. Installing Cycript
          2. Using Cycript
          3. Breaking Simple Locks
          4. Replacing Methods
          5. Trawling for Data
            1. Instance variables
            2. Methods
            3. Classes
          6. Logging Data
          7. More Serious Implications
            1. Personal data vaults
            2. Payment processing applications
            3. Electronic banking
        4. Exercises
          1. SpringBoard Animations
          2. Call Tapping...Kind Of
          3. Making Screen Shots
        5. Summary
      7. 8. Abusing the Runtime Library
        1. Breaking Objective-C Down
          1. Instance Variables
          2. Methods
          3. Method Cache
        2. Disassembling and Debugging
          1. Eavesdropping
          2. The Underlying Objective-C Framework
          3. Interfacing with Objective-C
        3. Malicious Code Injection
          1. The CodeTheft Payload
          2. Injection Using a Debugger
        4. Injection Using Dynamic Linker Attack
          1. Full Device Infection
        5. Summary
      8. 9. Hijacking Traffic
        1. APN Hijacking
          1. Payload Delivery
          2. Removal
        2. Simple Proxy Setup
        3. Attacking SSL
          1. SSLStrip
          2. Paros Proxy
          3. Browser Warnings
        4. Attacking Application-Level SSL Validation
          1. The SSLTheft Payload
        5. Hijacking Foundation HTTP Classes
          1. The POSTTheft Payload
        6. Analyzing Data
        7. Driftnet
          1. Building
          2. Running
        8. Exercises
        9. Summary
    5. II. Securing
      1. 10. Implementing Encryption
        1. Password Strength
          1. Beware Random Password Generators
        2. Introduction to Common Crypto
          1. Stateless Operations
          2. Stateful Encryption
        3. Master Key Encryption
        4. Geo-Encryption
          1. Geo-Encryption with Passphrase
        5. Split Server-Side Keys
        6. Securing Memory
          1. Wiping Memory
        7. Public Key Cryptography
        8. Exercises
      2. 11. Counter Forensics
        1. Secure File Wiping
          1. DOD 5220.22-M Wiping
          2. Objective-C
        2. Wiping SQLite Records
        3. Keyboard Cache
        4. Randomizing PIN Digits
        5. Application Screenshots
      3. 12. Securing the Runtime
        1. Tamper Response
          1. Wipe User Data
          2. Disable Network Access
          3. Report Home
          4. Enable Logging
          5. False Contacts and Kill Switches
        2. Process Trace Checking
        3. Blocking Debuggers
        4. Runtime Class Integrity Checks
          1. Validating Address Space
        5. Inline Functions
        6. Complicating Disassembly
          1. Optimization Flags
          2. Stripping
          3. They’re Fun! They Roll! -funroll-loops
        7. Exercises
      4. 13. Jailbreak Detection
        1. Sandbox Integrity Check
        2. Filesystem Tests
          1. Existence of Jailbreak Files
          2. Size of /etc/fstab
          3. Evidence of Symbolic Linking
        3. Page Execution Check
      5. 14. Next Steps
        1. Thinking Like an Attacker
        2. Other Reverse Engineering Tools
        3. Security Versus Code Management
        4. A Flexible Approach to Security
        5. Other Great Books
    6. About the Author
    7. SPECIAL OFFER: Upgrade this ebook with O’Reilly