FOCUSBreaking Downthe i* {<strong>Devices</strong>}<strong>Penetration</strong> <strong>Testing</strong> <strong>Like</strong> a <strong>Hacker</strong>Smartphones have revolutionized the world. The online world isgrappling with severe security and privacy issues. The smartphoneapplications require an aggressive approach of security testingand integrity verification in order to serve the three metrics ofsecurity such as confidentiality, integrity and availability.This paper sheds a light on the behavioral testingand security issues present in Apple’s IOSdevices and applications. Primarily, this paperrevolves around penetration testing of iPhone deviceand its applications. The paper does not discuss theiPhone application source code analysis and reverseengineering.Mach-O Format and IPhone ArchitectureMach-O is the primary file format that is used forrunning applications and programs on Apple devices.This format is stored as an application binaryinterface on the respective MAC OS X operatingsystem. Mach-O provides support for intermediate(debug) and final build (released) of the binaries.This is quite helpful in debugging as MACH-O formatsupports both dynamic and statically linked codefiles. Mach-O format is basically divided into threemain components stated as header structure, loadstructure and data structure. The header structureexplicitly specifies the environment information of thebinary which is required by the kernel to differentiatebetween the code execution on different processorsand architectures. Load structure comprises of thevarious segments which define the byte size andmemory protection attributes. When the code isexecuted dynamically, the segments map the desiredbytes into virtual memory as these segments arealways aligned with the virtual memory pages. Datastructure contains various sections of data which aremapped through the segments defined in the loaderstructure. Usually, there are text and data segments.For example: considering an Objective C, there aresegments defined as __OBJC which are private to theObjective C compiler. The internals of Mach-O formatcan be read here [1]. Figure 1 shows the genericlayout of iPhone architecture.The application binaries (Mach-O) format areencrypted in nature when these are retrieved from theApple store. In order to perform source code analysisthese files are required to be decrypted by the processof reverse engineering.Figure 1. iPhone architecture05/2011 (5) SeptemberPage 8 http://pentestmag.com
DFU and Jail breakingDevice Firmware Upgrade (DFU) allows the user torestore factory defaults by restoring operating system.However, this mechanism has been exploited withrobust exploits in order to thwart the inherent sandbox.The complete process is applied under jail breakingwhich allows the attackers to circumvent the DataProtection Framework (DPF). As a result of this, itbecomes easy to run Objective C code on the device asthe entire application layer protection gets demolishedby jail breaking process.Jail breaking [2] is an important step from testingperspective if the application has to go under thereverse engineering process. As the designedapplication runs only on the required architecture(ARM), it is ineffectual to try to run these applicationson the local machine or even on the simulator forreverse engineering purposes using GDB. The bestway is to perform jail breaking (exploits are availablein public) and then debug that application in order toperform implicit analysis. It is advisable for normaland regular work purposes to avoid jail breaking fromtesting purposes and the penetration tester or reverseengineer has to go to the core to perform legitimatetesting steps. Jail breaking requires specific steps tobe performed as discussed here [3]. One should besure of Jail breaking exploit which performs tethered[4] or un-tethered jail breaking (depends on the typeof bootrom version is used), which might impact therunning state of your IPhone. After jail breaking,requisite utilities such as GDB, GCC etc must beinstalled. For example: using red snow to perform ajail break loads only SSH as the main utility for rootingiPhone. Once Cydia is installed, use the defaultrepository to install other tools. Cydia has aptitudepackage downloader. Always choose the developer orhacker profile in Cydia while jail breaking.Scrutinizing IPhone Backup ProcessThe IPhone device follows a defined backup process.However, with the change in IOS and IPhone versions,there are certain developments that have taken placein creating backup files. Generally, when an IPhone isattached to the computer and ITunes is running, thesoftware by default performs some backup operationsand creates some backup file. These files are usedextensively for forensic investigations and containfruitful information. A new entry is created every time atthe location: /Users//Library/ApplicationSupport/MobileSync/Backup/., C:\Documents and Settings\USERNAME\Application Data\Apple Computer\MobileSync\Backup;when a device is synced with the laptop. The back pathmay vary depending upon the operating systems. Thebackup directory contains some index files, propertyfiles (plist) and manifest (mbdb, mbdx) files. This mightvary with different IOS versions. The primary files thatneed attention are manifest files having extensions suchas mbdb and mbdx. Simply editing these files might giveyou some clear test information but that is incomplete innature. The best way is to use iPhonebackupdb.py [5]script in order to process the files automatically.Fuzzing Endpoints CommunicationEvery application requires end point communicationswhich involves both port 80 and port 443. Certain largesize applications work in a distributed environment. Itmeans that the application does not communicate usingsingle end point; rather data is transacted from multipleend points by using dual channel. The fuzzing shouldencompass different scenarios as discussed below:• For HTTP specific communication fuzzing, useany HTTP proxy such as Charles, Web Scarab,Fiddler and Burp to perform fuzzing of differentimplicit parameters in the request. As discussedearlier, server might fetch data from other nodesin the communication channel. Thus, all the nodesmust be verified against the type of data. Whenevaluating a Client-Server iPhone application, boththe server and client should be tested (fuzzed).Always verify whether both end points are secure.It has been noticed that most of the vendors areimplementing input validation only at Client-side,and, as a result, are vulnerable to injection attackswhen request is directly issues to the server.• For aggressive testing, fuzzing local files(Application specific files) can be used toinstrument the application for automated brute forcepurposes, as well as abusing of other applicationspecific features.• For effective penetration testing, raw HTTP agentsuch as cURL should be used to send customqueries to different endpoints from the jail brokeniPhone in order to utilize the device resources andsession rather setting a network proxy and routingtraffic out of it. This is a very effective step forfuzzing end points. This step actually ensures thenature of malicious applications attacking legitimateapplication on iPhone device.• All the end points must be verified against thestrength of deployed SSL. One should notconcentrate on testing the single end point for SSLstability.The end point fuzzing is very critical to determine thestrength of application from a behavioral perspective.05/2011 (5) SeptemberPage 9 http://pentestmag.com