Monday, 16 July 2012

No source? No problem...

When performing any kind of product assessment, it is always preferable to have the source code. However, in the real world we all know that this isn't always possible, and as security consultants we have to be prepared to use both static and dynamic analysis to reverse engineer what a product is doing. While these approaches are fairly well documented for run-of-the-mill binary applications, there is far less published research available for mobile apps.

Over the last few years, MDSec have been regularly performing a mixture of both whitebox and blackbox mobile app reviews. During the course of these assessments we have developed a comprehensive toolset to help automate some of the tasks that need to be performed. One such weapon from our arsenal is "iAuditor", a tool to provide semi-automation of blackbox mobile app tests.

What is iAuditor?
iAuditor is a command line tool that can be used on a jailbroken iOS device to "peek" inside other apps. It uses MobileSubstrate to hook Objective-C APIs and evaluate whether they are being used in a secure manner. iAuditor is "semi-automatic" because it requires the user to navigate through the app while iAuditor is injected into the runtime. This user-driven approach allows wide coverage of the application's features.

What does it check for?
Currently, we've implemented checks for the following common issues:
  • Accepting self-signed certificates
  • Use of protocol handlers
  • Connecting to clear-text URLs
  • Writing to the file-system
  • Permitting external XML entities
  • Address book access
  • Logging with NSLog
  • Use of GeoLocation
The hooks are implemented within the LibiAuditor dynamic library, which should be placed in the MobileSubstrate directory under "/Library/MobileSubstrate/DynamicLibraries". When a hooked method is called, the hook evaluates the issue and writes an entry into the iAuditor database, which is stored in the relevant app's "Documents" directory.

Let's look at an example:
// CaptainHook replacement for -[NSURLConnection continueWithoutCredentialForAuthenticationChallenge:]
CHOptimizedMethod(1, self, BOOL, NSURLConnection, continueWithoutCredentialForAuthenticationChallenge, NSURLAuthenticationChallenge *, challenge)
{
    // Describe the finding, including the host the app was talking to
    NSString *issueTitle = @"Self Signed Certificates Permitted";
    NSString *issueDesc = [NSString stringWithFormat:@"The application permitted a self-signed certificate when attempting to connect the host %@.", [challenge.protectionSpace host]];

    // Record the finding in the iAuditor database in the app's Documents directory
    Database *iadb = [[Database alloc] init];
    [iadb setName:issueTitle];
    [iadb setDescription:issueDesc];
    [iadb addIssue];
    [iadb release];

    // Call the original implementation so the app behaves as normal
    return CHSuper(1, NSURLConnection, continueWithoutCredentialForAuthenticationChallenge, challenge);
}
The above example shows how to hook the "continueWithoutCredentialForAuthenticationChallenge" delegate method of NSURLConnection. This method may be called when an application is configured to accept a self-signed certificate. The issue is then added to the iAuditor database using the "addIssue" method. Finally, CHSuper invokes the original implementation and passes its return value through, allowing the application to continue as normal.
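To show how the same pattern covers another of the checks listed above, here is an added example of a hook for the "Connecting to clear-text URLs" check, written in the same CaptainHook style. This is not code from the iAuditor project; it assumes the Database class (setName, setDescription, addIssue) from the post and a "Database.h" header for it, and hooks both the asynchronous initialiser and the synchronous class method of NSURLConnection so that either code path an app uses is caught:

```objectivec
// Added example, not part of LibiAuditor: flag requests to clear-text http:// URLs.
// Assumes the iAuditor Database class shown in the post and a Database.h header.
#import <Foundation/Foundation.h>
#import "CaptainHook.h"
#import "Database.h"   // assumed: declares the Database class used above

CHDeclareClass(NSURLConnection);

// Record an issue if the request targets an unencrypted http:// URL.
// Other schemes (https, file, custom handlers) are left to other checks.
static void IACheckClearTextURL(NSURLRequest *request)
{
    NSURL *url = [request URL];
    NSString *scheme = [[url scheme] lowercaseString];
    if (![scheme isEqualToString:@"http"])
        return;

    NSString *issueTitle = @"Clear-Text URL Requested";
    NSString *issueDesc = [NSString stringWithFormat:
        @"The application issued an unencrypted %@ request to %@.",
        [request HTTPMethod], [url absoluteString]];

    Database *iadb = [[Database alloc] init];
    [iadb setName:issueTitle];
    [iadb setDescription:issueDesc];
    [iadb addIssue];
    [iadb release];
}

// Asynchronous path: -[NSURLConnection initWithRequest:delegate:]
CHOptimizedMethod(2, self, id, NSURLConnection, initWithRequest, NSURLRequest *, request, delegate, id, delegate)
{
    IACheckClearTextURL(request);
    return CHSuper(2, NSURLConnection, initWithRequest, request, delegate, delegate);
}

// Synchronous path: +[NSURLConnection sendSynchronousRequest:returningResponse:error:]
CHOptimizedClassMethod(3, self, NSData *, NSURLConnection, sendSynchronousRequest, NSURLRequest *, request, returningResponse, NSURLResponse **, response, error, NSError **, error)
{
    IACheckClearTextURL(request);
    return CHSuper(3, NSURLConnection, sendSynchronousRequest, request, returningResponse, response, error, error);
}

// Runs when MobileSubstrate loads the dylib into the target app; installs the hooks.
CHConstructor
{
    @autoreleasepool {
        CHLoadLateClass(NSURLConnection);
        CHHook(2, NSURLConnection, initWithRequest, delegate);
        CHClassHook(3, NSURLConnection, sendSynchronousRequest, returningResponse, error);
    }
}
```

Both hooks funnel through one helper so the check is evaluated identically whichever API the app uses, and each hook ends by calling CHSuper so the app's networking continues unchanged; the only side effect is the entry written to the iAuditor database for the tester to review afterwards.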

Finally, let's take a look at iAuditor in action:


As this is the first release, there will probably be some bugs to iron out; bug reports, feature requests and/or general flames are welcome!

Download it
The iAuditor binary release can be downloaded from the research section of MDSec's website, here.

Alternatively, the source is available on our GitHub repository.
