
iOS Applications Security Testing: A Comprehensive Cheat Sheet, Lecture notes of Communication

Tags: Network Security, Mobile Application Security, Application Security, Cybersecurity

A cheat sheet on iOS application security testing, based on an OWASP talk by Oana Cornea. It outlines the iOS assessment approach and the main mobile risks. The assessment covers client attacks (file system analysis, runtime analysis, binary analysis), network attacks (communication channel analysis), server attacks, and insecure data storage, and names tools for each step (proxies such as Burp, Charles and Mallory; otool for binary checks; gdb and cycript for runtime analysis).

What you will learn

  • What are the steps to perform runtime analysis on an iOS application?
  • How can you perform file system analysis on an iOS application?
  • What are the different types of attacks on iOS applications?
  • What tools can be used for network traffic analysis in iOS application testing?
  • What are the common vulnerabilities in iOS data storage and how to mitigate them?

Typology: Lecture notes

2021/2022

Uploaded on 08/05/2022

Partial preview of the text

Oana Cornea, OWASP (The Open Web Application Security Project)

About me
• Oana Cornea
• Application Security Analyst at Electronic Arts, in Bucharest, Romania.

iOS application assessment
• Client attacks: file system analysis, runtime analysis, binary analysis
• Network attacks: communication channel analysis
• Server attacks

Assessment steps
• Insecure data storage
• Information gathering
• Application traffic analysis
• Runtime analysis

Test application (slide screenshot): Photo Vault, showing an iTunes shared album ("First Album").

Application traffic analysis
• Intercept the traffic and analyze the requests and responses using a proxy: Burp, Charles, Mallory.

Runtime analysis
• Disassemble the application (gdb).
• Analyze file system interaction.
• Analyze the application with a debugger (gdb): inspect objects in memory, call functions and methods, replace variables and methods at runtime.

Runtime analysis: protection features to check
• PIE (Position Independent Executable). Check for the PIE flag in the Mach-O header with: otool -hv <app name>
• Stack smashing protection, enabled with the -fstack-protector-all compiler flag. Check with: otool -I -v <app name> | grep stack . If the application was compiled with stack smashing protection, two undefined symbols will be present: ___stack_chk_fail and ___stack_chk_guard.

Runtime analysis steps (cycript)
• Hook into the application process: cycript -p [PID]
• Grab the application delegate instance: UIApp.delegate
• Search the class dump for AppDelegate and look at its interface.

Wrap up: mobile risks
• Insecure data storage: avoid storing sensitive data on the device, because any data stored locally could be compromised.
• Weak server side controls: harden servers against malicious attacks.
• Insufficient server side protection: secure the communication channel.
• Client side injection: implement proper input validation.
• Poor authorization and authentication: avoid passing sensitive data in the query string; institute a local session timeout.
• Improper session handling: review the session management mechanism.
• Security decisions via untrusted inputs: a combination of input validation, output escaping and authorization controls can be used against these weaknesses.
• Side channel data leakage: avoid crash logs, debug logs and caching of app data.
• Broken cryptography: take advantage of what your platform already provides.
• Sensitive information disclosure: anything that must truly remain private should not reside on the mobile device; keep private information (e.g. algorithms, proprietary information) on the server.
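The two binary-protection checks from the runtime analysis section (PIE flag via otool -hv, ___stack_chk_fail / ___stack_chk_guard via otool -I -v) can also be done by reading the Mach-O structures directly, which is useful when otool is not on the box you are working from. The following Python is an added example written for this page, not code from the slides; it assumes a thin, little-endian 64-bit Mach-O (fat binaries and 32-bit images are not handled), and on a real App Store app it would be run against the decrypted main executable. The build_sample() helper constructs a minimal test image so the script runs offline; the image is constructed for illustration and is not a real app binary.

```python
"""Added example: check a Mach-O executable for PIE and stack-smashing protection
by parsing the header and symbol table, mirroring what the slides check with otool."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
MH_PIE = 0x200000                 # header flag: Position Independent Executable
CPU_TYPE_ARM64 = 0x0100000C
LC_SYMTAB = 0x2                   # load command locating the symbol and string tables
N_TYPE, N_UNDF, N_SECT, N_EXT = 0x0E, 0x00, 0x0E, 0x01
STACK_CHK_SYMBOLS = {"___stack_chk_fail", "___stack_chk_guard"}
HEADER_SIZE, SYMTAB_CMD_SIZE, NLIST64_SIZE = 32, 24, 16


def parse_header(data):
    """Return (ncmds, flags) from mach_header_64, which is 8 x uint32."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    return ncmds, flags


def is_pie(data):
    """Same information as the PIE entry in the flags column of `otool -hv`."""
    _ncmds, flags = parse_header(data)
    return bool(flags & MH_PIE)


def load_commands(data):
    """Yield (cmd, raw bytes) for each load command following the header."""
    ncmds, _flags = parse_header(data)
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def undefined_symbols(data):
    """Names of undefined (imported) symbols, the ones `otool -I -v` lists."""
    names = set()
    for cmd, body in load_commands(data):
        if cmd != LC_SYMTAB:
            continue
        _cmd, _size, symoff, nsyms, stroff, strsize = struct.unpack_from("<6I", body, 0)
        strtab = data[stroff:stroff + strsize]
        for i in range(nsyms):  # each nlist_64 entry is 16 bytes
            n_strx, n_type, _sect, _desc, _value = struct.unpack_from(
                "<IBBHQ", data, symoff + i * NLIST64_SIZE)
            if n_type & N_TYPE == N_UNDF:
                names.add(strtab[n_strx:strtab.index(b"\0", n_strx)].decode())
    return names


def has_stack_protector(data):
    """True when both guard symbols are imported, i.e. built with -fstack-protector-all."""
    return STACK_CHK_SYMBOLS <= undefined_symbols(data)


def audit(data):
    return {"pie": is_pie(data), "stack_protector": has_stack_protector(data)}


def build_sample(pie, stack_protector):
    """Constructed test image (not a real app): header + LC_SYMTAB + symbols + strings."""
    names = ["_main"] + (sorted(STACK_CHK_SYMBOLS) if stack_protector else [])
    strtab, entries = b"\0", []
    for name in names:
        strx = len(strtab)
        strtab += name.encode() + b"\0"
        if name in STACK_CHK_SYMBOLS:   # undefined external symbol
            entries.append(struct.pack("<IBBHQ", strx, N_UNDF | N_EXT, 0, 0, 0))
        else:                           # defined in section 1
            entries.append(struct.pack("<IBBHQ", strx, N_SECT | N_EXT, 1, 0, 0x1000))
    symoff = HEADER_SIZE + SYMTAB_CMD_SIZE
    stroff = symoff + len(entries) * NLIST64_SIZE
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1,
                         SYMTAB_CMD_SIZE, MH_PIE if pie else 0, 0)
    symtab_cmd = struct.pack("<6I", LC_SYMTAB, SYMTAB_CMD_SIZE, symoff,
                             len(entries), stroff, len(strtab))
    return header + symtab_cmd + b"".join(entries) + strtab


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True, True)
    print(audit(data))
```

Run it with the path of the app's main executable as the first argument; with no argument it audits the constructed sample. A missing PIE flag or missing guard symbols is the same finding the otool commands on the slide would surface.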
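The file system analysis step and the "insecure data storage" risk above come down to looking through the app's data container for sensitive values written in the clear. The following Python is an added example for this page, not the author's tooling: it walks a sandbox directory, parses every .plist with plistlib and every .sqlite/.db with sqlite3, and flags keys or columns whose names look sensitive and hold a value. The container it scans is constructed inline (a preferences plist and a small database) so the script runs offline; the bundle identifier, file names and the keyword list are assumptions chosen for illustration.

```python
"""Added example: scan an iOS app data container for plaintext-looking sensitive
data in property lists and SQLite databases."""
import os
import plistlib
import sqlite3
import tempfile

# Assumed keyword list; extend it for the app under test.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "pin")


def looks_sensitive(name):
    lowered = name.lower()
    return any(key in lowered for key in SENSITIVE_KEYS)


def scan_plist(path):
    """Return dotted key paths whose key looks sensitive and whose value is a string/bytes."""
    findings = []
    with open(path, "rb") as fh:
        data = plistlib.load(fh)

    def walk(obj, prefix=""):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if looks_sensitive(str(key)) and isinstance(value, (str, bytes)):
                    findings.append(f"{prefix}{key}")
                walk(value, f"{prefix}{key}.")
        elif isinstance(obj, list):
            for i, value in enumerate(obj):
                walk(value, f"{prefix}{i}.")

    walk(data)
    return findings


def scan_sqlite(path):
    """Return table.column names that look sensitive and contain at least one non-NULL row."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for column in columns:
                if not looks_sensitive(column):
                    continue
                rows = con.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" IS NOT NULL').fetchone()[0]
                if rows:
                    findings.append(f"{table}.{column}")
    finally:
        con.close()
    return findings


def scan_sandbox(root):
    """Walk the container; return sorted (relative path, location) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                locations = scan_plist(path)
            elif name.endswith((".sqlite", ".db")):
                locations = scan_sqlite(path)
            else:
                continue
            rel = os.path.relpath(path, root)
            findings.extend((rel, loc) for loc in locations)
    return sorted(findings)


def build_sample_sandbox():
    """Constructed container for demonstration; not data pulled from a real device."""
    root = tempfile.mkdtemp(prefix="photovault-")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.photovault.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, fh)
    con = sqlite3.connect(os.path.join(docs, "vault.sqlite"))
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, api_token TEXT)")
    con.execute("INSERT INTO accounts (email, api_token) VALUES ('alice@example.com', 'tok_abc123')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for rel, loc in scan_sandbox(build_sample_sandbox()):
        print(f"{rel}: {loc}")
```

Point scan_sandbox() at a copy of the app's container pulled from a jailbroken device or an unencrypted backup. Name matching is only a first pass: a value stored under an innocuous key is still a finding, so follow up by reading the files that the scan does not flag.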