Figure 1 – iOS Layered Architecture
Application developers have several options for how to approach development, via different application types:
This article focuses on native iOS applications, and specifically on an application called Damn Vulnerable iOS App v2 (DVIA-v2). The application is written in Swift and, as the name suggests, is vulnerable by design.
What is an application?
At a basic level, an iOS application is packaged as an .ipa file, which is a ZIP archive containing the application's files. The contents can be retrieved by renaming the file to <something>.zip and extracting it in the usual manner. Once extracted, the application files are visible and ready for analysis.
Each iOS application runs in its own sandbox. Sandboxing helps ensure that each application keeps its own data stores and that applications are segregated from one another. This reduces the chance of another application obtaining confidential information, but does not eliminate it.
An iOS application has three containers:
- Bundle Container – holds all the files that make up the application, placed in a designated folder when the application is installed on the device. These files are static: every installation, on every iOS device, contains an identical copy. Important information is located within this container, and it helps a threat actor gain a better understanding of the potential attack surface.
- Data Container – contains the unique data that is cached to support the running application. Files in the Data container change continually, recording, for example, who has authenticated, where the user stopped interacting so that progress can resume from there, or what data has been stored. These files remain on the device until the application is removed.
- iCloud Container – contains the application's data that is stored in iCloud. If a user interacts with one of these files in the application, the corresponding data in iCloud should be updated to reflect the amendments.
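As an added example (not code from the article or from the DVIA-v2 project), the following Python script treats an .ipa as the ZIP archive it is, locates the .app bundle, reads its Info.plist and lists the bundle-container files a reviewer would inspect first, since they ship identically on every install. The sample archive, its bundle identifier and its file contents are constructed inline and are not DVIA-v2's real values.

```python
import io
import plistlib
import zipfile

# Constructed sample: the smallest .ipa that has the layout the article
# describes (Payload/<name>.app/...). All values are illustrative only.
INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.dvia",  # constructed, not DVIA-v2's real id
    "CFBundleExecutable": "DVIA-v2",
    "MinimumOSVersion": "11.0",
})

def build_sample_ipa() -> bytes:
    """Write the constructed bundle into an in-memory zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/DVIA-v2.app/Info.plist", INFO_PLIST)
        z.writestr("Payload/DVIA-v2.app/DVIA-v2", b"\xcf\xfa\xed\xfe")  # Mach-O magic only
        z.writestr("Payload/DVIA-v2.app/embedded.mobileprovision", b"stub")
        z.writestr("Payload/DVIA-v2.app/config.plist", plistlib.dumps({"api_key": "constructed"}))
    return buf.getvalue()

# File types that ship identically on every install and deserve a manual look.
REVIEW_SUFFIXES = (".plist", ".json", ".db", ".sqlite", ".sqlite3",
                   ".xml", ".txt", ".mobileprovision")

def inspect_ipa(data: bytes) -> dict:
    """Open the .ipa as the zip archive it is, find the single .app bundle,
    read its Info.plist and list bundle-container files worth reviewing."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        app_dirs = sorted({n.split("/")[1] for n in names
                           if n.startswith("Payload/") and n.split("/")[1].endswith(".app")})
        if len(app_dirs) != 1:
            raise ValueError(f"expected exactly one .app bundle, found {app_dirs}")
        app = app_dirs[0]
        info = plistlib.loads(z.read(f"Payload/{app}/Info.plist"))
        review = sorted(n for n in names
                        if n.startswith(f"Payload/{app}/")
                        and n.lower().endswith(REVIEW_SUFFIXES)
                        and not n.endswith("/Info.plist"))
        return {"bundle": app,
                "bundle_id": info.get("CFBundleIdentifier"),
                "executable": info.get("CFBundleExecutable"),
                "min_os": info.get("MinimumOSVersion"),
                "review": review}

if __name__ == "__main__":
    for key, value in inspect_ipa(build_sample_ipa()).items():
        print(f"{key}: {value}")
```

Pointing `inspect_ipa` at the bytes of a real .ipa you are entitled to test gives the same inventory without the rename-to-.zip step.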
Example Misconfigurations
When an iOS device has been compromised, a threat actor will look for target applications that offer the most financial gain, or the greatest chance of obtaining confidential data with which to carry out further attacks. Static assessment of the files contained within the containers outlined above is combined with dynamic analysis to identify the attack surface.
Threat actors look to identify misconfigurations within the application logic (alongside any issues in the supporting APIs), such as, but not limited to:
- Jailbreak Detection Bypass – jailbreak detection is often implemented in applications. Developers implement it to prevent threat actors from leveraging further tools that could compromise confidential data, and to hinder reverse engineering of the application. Despite this, there is often a way to bypass the protection, exposing the complete attack surface.
- Local Data Storage Misconfigurations – local data storage contains application-specific and user-specific data. Issues often relate to data about authenticated users, hardcoded credentials left in by developers, or excessive permissions. If exploited, the confidentiality of this information is impacted, and the integrity of the data suffers as well.
- Touch/Face ID Bypass – Touch ID and Face ID can be used by application users to authenticate to the application; your banking application is an example. If the protection were bypassed, the functionality behind it would become accessible. This would result in impersonation of the user and funds being transferred to a threat actor-controlled account. Additionally, account details may be amended, so availability suffers along with confidentiality and integrity.
- Phishing – creating a phishing prompt that attempts to capture a credential set so that the associated account can be compromised.
Assisting Tools
Tools, as in any job, are important: they help identify, and leverage, these misconfigurations. The tools discussed here are only a small number of those available and are used by threat actors and security consultants alike. They make the required actions easier to perform and will be used to exploit the misconfigurations in DVIA-v2.
- Frida – a dynamic code instrumentation toolkit. Frida allows threat actors to inject JavaScript into applications to help bypass restrictions. Frida has an active community that uses Frida Codeshare to share snippets of code that help to bypass jailbreak detection, SSL pinning and root detection for Android and iOS, amongst other things.
- Objection – a runtime mobile exploration toolkit that leverages Frida. It allows security professionals and threat actors to analyse target applications, and helps with exporting confidential data and bypassing protections.
Exploitation
Prior to using Frida, the device needs to be jailbroken. Once jailbroken, the Frida server needs to be launched on the device; it can be installed through the Cydia store or obtained from the project's GitHub repository. Additionally, the Frida client needs to be installed on the host computer to which the iOS device is connected. By default, jailbroken devices allow SSH, and the device's networking details can be obtained via the Settings page, as shown: