IOS Exploitation - To the Heart of Apple's Most Secure OS

Prateek Gianchandani and @tihmstar | March 20 - 21

Overview

Day 1 - iOS Application Security

Module 1: Getting Started with iOS Pentesting
  • iOS security model
  • App Signing, Sandboxing and Provisioning
  • Changes in iOS 11
  • Intro to Objective-C and Swift
  • Setting up the pentesting environment
  • Getting started with Damn Vulnerable iOS app
  • Binary analysis

Module 2: Static and Dynamic Analysis of iOS Apps
  • Dumping class information
  • Insecure local data storage
  • Dumping Keychain
  • Finding url schemes
  • Dynamic Analysis of iOS applications
  • Cycript basics
  • Frida demo
  • Advanced Runtime Manipulation using Cycript
  • Method Swizzling
  • GDB basic usage
  • Modifying ARM registers

Module 3: Exploiting iOS Applications
  • Exploiting iOS applications
  • Broken Cryptography
  • Side channel data leakage
  • Sensitive information disclosure
  • Exploiting URL schemes
  • Client side injection
  • Bypassing jailbreak, piracy checks
  • Inspecting Network traffic
  • Traffic interception over HTTP and HTTPS
  • Manipulating network traffic
  • Bypassing SSL pinning

Module 4: Reversing iOS Apps
  • Introduction to Hopper
  • Disassembling methods
  • Modifying assembly instructions
  • Patching App Binary

Module 5: Securing iOS Apps
  • Securing iOS applications
  • Where to look for vulnerabilities in code?
  • Code obfuscation techniques
  • Piracy/Jailbreak checks
  • iMAS, Encrypted Core Data

Day 2 - iOS Exploitation

Module 1: iOS security measures
  • (K)ASLR
  • AMFI
  • Code signing
  • Entitlements
  • Data protection
  • Disk encryption
  • Passcode protection
  • Sandbox
  • Kernel Patch Protection (KPP)

Module 2: iOS Jailbreaking
  • Jailbreaking fundamentals
  • How a jailbreak is structured
  • Achieving code execution in userland
  • Executing code in kernelland
  • Patching the Kernel
  • Achieving Persistence
  • How jailbreaking assists exploit development (ssh + gdb/lldb)

Module 3: ARM assembly basics
  • Registers
  • Calling convention
  • ARM/THUMB mode
  • Interrupts (syscalls)
  • Disassembling + reverse engineering binaries
  • Introduction to gdb/lldb
  • Debugging binaries with gdb/lldb

Module 4: Mach-O file format basics
  • Introduction to the Mach-O file format
  • Mach-O segments, sections, symbols
  • Intro to nm, jtool, joker
  • Dynamic / static libraries
  • The dyld dynamic linker

Module 5: Exploiting a real-world bug on 32-bit
  • Exploiting a bug that was used to untether iOS 8.4.1-9.3.4

Module 6: Finding kernel offsets for public jailbreaks
  • What are "offsets"
  • How to find offsets
  • How patchfinders work
  • Writing your own patchfinder

Module 7: Conclusion
  • Latest iOS security measures
  • Summary
  • Where to go from here/Further reading
  • Q&A

Who Should Take this Course

This course is for penetration testers, mobile developers, or anyone keen to learn about iOS security.

Student Requirements

  • 25+ GB free hard disk space
  • 4+ GB RAM
  • A jailbroken iPhone/iPad/iPod for iOS testing running iOS 9.0+ is necessary
  • If you are using a Mac machine, also download and install the latest version of Xcode.
  • Administrative access on the system
  • External USB access allowed

What Students Should Bring

  • 25+ GB free hard disk space
  • 4+ GB RAM
  • VMware player installed on the machine
  • A jailbroken iPhone/iPad/iPod for iOS testing running iOS 9.0+ is necessary
  • If you are using a Mac machine, also download and install the latest version of Xcode.
  • Administrative access on the system
  • External USB access allowed

What Students Will Be Provided With

  • Printed course material and slides for the 2-day class including additional bonus sections
  • Huge list of good reads and articles for learning iOS security
  • Source code from the tools released by authors
  • Source code for vulnerable applications
  • Future support over email/twitter

Trainers

Prateek Gianchandani, an OWASP member and contributor, is currently leading the mobile security team at Cognosec. He has performed a number of penetration tests on mobile and web applications and has also developed a lot of applications for the App Store. His core focus area is iOS application pentesting and exploitation. He is also the author of the open source vulnerable application named Damn Vulnerable iOS app. He has presented and trained at many international conferences including Defcon, Blackhat USA, Brucon, Hack in Paris, Phdays, Appsec USA, etc. In his free time, he blogs at http://highaltitudehacks.com

@tihmstar is an iOS exploit researcher well known for creating the first public jailbreak for iOS 9.3.5, named Phoenix. He is also known for creating Prometheus, a downgrade tool for iOS, and many other tools including offset finder and tsschecker. He open-sources most of his work, which can be found at https://github.com/tihmstar/

Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies; however, his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine, SecurityXploded, ClubHACK Magazine, and Exploit-Id, amongst others. Dinesh is a Hall of Fame member of Apple, Adobe, and Barracuda Networks for his identification and responsible disclosure of critical security vulnerabilities in their products, web sites, and web services. Dinesh Shetty has previously presented his work at security conferences around Europe, Boston, New York, Australia, India and a number of Middle East countries, and continues to enhance his knowledge by undergoing security trainings and certifications around the world. He maintains an open source intentionally vulnerable Android application called InsecureBankv2 for use by developers and security enthusiasts. He has presented and trained at many international conferences including Defcon, Blackhat, Brucon, Appsec USA, OWASP Sydney, etc. Twitter: https://twitter.com/din3zh LinkedIn: https://www.linkedin.com/in/dineshshetty1