Table of contents:

About the Author; About the Technical Reviewer; Brief Contents; Contents in Detail; Foreword by Alex Stamos; Acknowledgments

Introduction
Who This Book Is For; What's in This Book; How This Book Is Structured; Conventions This Book Follows; A Note on Swift; Mobile Security Promises and Threats; What Mobile Apps Shouldn't Be Able to Do; Classifying Mobile Security Threats in This Book; Some Notes for iOS Security Testers

Part I: iOS Fundamentals

Chapter 1: The iOS Security Model
Secure Boot; Limiting Access with the App Sandbox; Data Protection and Full-Disk Encryption; The Encryption Key Hierarchy; The Keychain API; The Data Protection API; Native Code Exploit Mitigations: ASLR, XN, and Friends; Jailbreak Detection; How Effective Is App Store Review?; Bridging from WebKit; Dynamic Patching; Intentionally Vulnerable Code; Embedded Interpreters; Closing Thoughts

Chapter 2: Objective-C for the Lazy
Key iOS Programming Technology; Passing Messages; Dissecting an Objective-C Program; Declaring an Interface; Inside an Implementation File; Specifying Callbacks with Blocks; How Objective-C Manages Memory; Automatic Reference Counting; Delegates and Protocols; Should Messages; Will Messages; Did Messages; Declaring and Conforming to Protocols; The Dangers of Categories; Method Swizzling; Closing Thoughts

Chapter 3: iOS Application Anatomy
Dealing with plist Files; Device Directories; The Bundle Directory; The Data Directory; The Documents and Inbox Directories; The Library Directory; The tmp Directory; The Shared Directory; Closing Thoughts

Part II: Security Testing

Chapter 4: Building Your Test Platform
Taking Off the Training Wheels; Suggested Testing Devices; Testing with a Device vs. Using a Simulator; Network and Proxy Setup; Bypassing TLS Validation; Bypassing SSL with stunnel; Certificate Management on a Device; Proxy Setup on a Device; Xcode and Build Setup; Make Life Difficult; Enabling Full ASLR; Clang and Static Analysis; Address Sanitizer and Dynamic Analysis; Monitoring Programs with Instruments; Activating Instruments; Watching Filesystem Activity with Watchdog; Closing Thoughts

Chapter 5: Debugging with lldb and Friends
Useful Features in lldb; Working with Breakpoints; Navigating Frames and Variables; Visually Inspecting Objects; Manipulating Variables and Properties; Breakpoint Actions; Using lldb for Security Analysis; Fault Injection; Tracing Data; Examining Core Frameworks; Closing Thoughts

Chapter 6: Black-Box Testing
Installing Third-Party Apps; Using a .app Directory; Using a .ipa Package File; Decrypting Binaries; Launching the debugserver on the Device; Locating the Encrypted Segment; Dumping Application Memory; Reverse Engineering from Decrypted Binaries; Inspecting Binaries with otool; Obtaining Class Information with class-dump; Extracting Data from Running Programs with Cycript; Disassembly with Hopper; Defeating Certificate Pinning; Hooking with Cydia Substrate; Automating Hooking with Introspy; Closing Thoughts

Part III: Security Quirks of the Cocoa API

Chapter 7: iOS Networking
Using the iOS URL Loading System; Using Transport Layer Security Correctly; Basic Authentication with NSURLConnection; Implementing TLS Mutual Authentication with NSURLConnection; Modifying Redirect Behavior; TLS Certificate Pinning; Using NSURLSession; NSURLSession Configuration; Performing NSURLSession Tasks; Spotting NSURLSession TLS Bypasses; Basic Authentication with NSURLSession; Managing Stored URL Credentials; Risks of Third-Party Networking APIs; Bad and Good Uses of AFNetworking; Unsafe Uses of ASIHTTPRequest; Multipeer Connectivity; Lower-Level Networking with NSStream; Even Lower-Level Networking with CFStream; Closing Thoughts

Chapter 8: Interprocess Communication
URL Schemes and the openURL Method; Defining URL Schemes; Sending and Receiving URL/IPC Requests; Validating URLs and Authenticating the Sender; URL Scheme Hijacking; Universal Links; Sharing Data with UIActivity; Application Extensions; Checking Whether an App Implements Extensions; Restricting and Validating Shareable Data; Preventing Apps from Interacting with Extensions; A Failed IPC Hack: The Pasteboard; Closing Thoughts

Chapter 9: iOS-Targeted Web Apps
Using (and Abusing) UIWebViews; Working with UIWebViews; Executing JavaScript in UIWebViews; Rewards and Risks of JavaScript-Cocoa Bridges; Interfacing Apps with JavaScriptCore; Executing JavaScript with Cordova; Enter WKWebView; Working with WKWebViews; Security Benefits of WKWebViews; Closing Thoughts

Chapter 10: Data Leakage
The Truth About NSLog and the Apple System Log; Disabling NSLog in Release Builds; Logging with Breakpoint Actions Instead; How Sensitive Data Leaks Through Pasteboards; Restriction-Free System Pasteboards; The Risks of Custom-Named Pasteboards; Pasteboard Data Protection Strategies; Finding and Plugging HTTP Cache Leaks; Cache Management; Solutions for Removing Cached Data; Data Leakage from HTTP Local Storage and Databases; Keylogging and the Autocorrection Database; Misusing User Preferences; Dealing with Sensitive Data in Snapshots; Screen Sanitization Strategies; Why Do Those Screen Sanitization Strategies Work?; Common Sanitization Mistakes; Avoiding Snapshots by Preventing Suspension; Leaks Due to State Preservation; Secure State Preservation; Getting Off iCloud to Avoid Leaks; Closing Thoughts

Chapter 11: Legacy Issues and Baggage from C
Format Strings; Preventing Classic C Format String Attacks; Preventing Objective-C Format String Attacks; Buffer Overflows and the Stack; A strcpy Buffer Overflow; Preventing Buffer Overflows; Integer Overflows and the Heap; A malloc Integer Overflow; Preventing Integer Overflows; Closing Thoughts

Chapter 12: Injection Attacks
Client-Side Cross-Site Scripting; Input Sanitization; Output Encoding; SQL Injection; Predicate Injection; XML Injection; Injection Through XML External Entities; Issues with Alternative XML Libraries; Closing Thoughts

Part IV: Keeping Data Safe

Chapter 13: Encryption and Authentication
Using the Keychain; The Keychain in User Backups; Keychain Protection Attributes; Basic Keychain Usage; Keychain Wrappers; Shared Keychains; iCloud Synchronization; The Data Protection API; Protection Levels; The DataProtectionClass Entitlement; Checking for Protected Data Availability; Encryption with CommonCrypto; Broken Algorithms to Avoid; Broken Initialization Vectors; Broken Entropy; Poor Quality Keys; Performing Hashing Operations; Ensuring Message Authenticity with HMACs; Wrapping CommonCrypto with RNCryptor; Local Authentication: Using the TouchID; How Safe Are Fingerprints?; Closing Thoughts

Chapter 14: Mobile Privacy Concerns
Dangers of Unique Device Identifiers; Solutions from Apple; Rules for Working with Unique Identifiers; Mobile Safari and the Do Not Track Header; Cookie Acceptance Policy; Monitoring Location and Movement; How Geolocation Works; The Risks of Storing Location Data; Restricting Location Accuracy; Requesting Location Data; Managing Health and Motion Information; Reading and Writing Data from HealthKit; The M7 Motion Processor; Requesting Permission to Collect Data; Proximity Tracking with iBeacons; Monitoring for iBeacons; Turning an iOS Device into an iBeacon; iBeacon Considerations; Establishing Privacy Policies; Closing Thoughts

Index; Support the Electronic Frontier Foundation; Updates