EvernoteExport: IOS Application Security Part 29 - Insecure or Broken Cryptography.html [25.05.2014 18:24:26]

IOS Application Security Part 29 - Insecure or Broken Cryptography
Source: http://highaltitudehacks.com/2014/01/17/ios-application-security-part-29-insecure-or-broken-cryptography/
Jan 17th, 2014
Posted by Prateek Gianchandani

In this article we will look at an example of Insecure or Broken Cryptography, a common vulnerability found in most iOS applications. This vulnerability occurs when the data stored on the device is not encrypted properly, allowing a malicious user to gain access to that information. There can be many reasons for an improper implementation of encryption: hardcoded encryption keys, weak algorithms and so on can all make an implementation insecure.
I would recommend you have a look at Apple's documentation on Encrypting and Hashing Data.
In this article, we will look at an example of how we can spot and break an incorrectly implemented encryption technique. For this article, we will be testing on the application InsecureCryptography-Demo, which you can download from my Github profile. Download it and run it on the simulator or on the device. Let's look at what this application does. Once you start the application for the first time, it asks you to set up a new password to get started.
Once you have set up the password, it will prompt you to log in with the same password.
So let's assume I open this application once the password has already been set. Our task is to bypass this login check. One thing that is clear is that the password is being stored locally on the device, as no network activity was noted. You can use a proxy like Burp Suite to observe the traffic and confirm that there is no network traffic, so everything is being done locally.
Let's try and open the application in Hopper. Please check article 28 in this series to know more about Hopper. Go to Hopper and go to File->Read Executable to Disassemble.
If you have successfully run the application using Xcode, it will have installed the application in the iOS simulator. Now our task is to find the location of the application binary on our system so we can provide it to Hopper. If you run an application in Xcode, it generates an application directory inside the folder /Users/$username/Library/Application Support/iPhone Simulator/$ios version of simulator/Applications/. In my case, the location is /Users/Prateek/Library/Application Support/iPhone Simulator 7.0.3/Applications/. Once you are in this directory, you have to find your application folder. Using the command ls -al will give you the creation date of these folders. The most recent one would be our application.
Open this folder in Finder using the command open $directoryName, right click on the .app package and click on Show Package Contents.
Provide this executable to Hopper to disassemble.
Once Hopper has analyzed the executable and produced the disassembly, here is what you get.
On the left hand side, you can see classes like RNEncryptor. It looks like this class is being used to encrypt data.
Searching Google for RNEncryptor, we find that it is an open source class on Github used for encrypting data. Anyway, our task is to bypass the login. So let's search for the method that gets called to perform the authentication check. Let's go back to the app. If you look at the image below, there is no login button to tap. The login check happens once you tap the return button in the text field.
If you are a bit familiar with iOS development, you will know that if the current view controller is the delegate of this text field, the method that gets called is -(BOOL)textFieldShouldReturn:(UITextField *)textField. So let's search for this method in the labels section.
OK, we can see the disassembly. That's pretty cool. But you know what's even cooler? Checking out the pseudo code for this function. Let's click on the Pseudo Code button on the top right to view the pseudo code for this function.
Well, this pretty much gives everything away, and this is why I love Hopper so much. Here is the pseudo code generated for this method.
    function methImpl_ViewController_textFieldShouldReturn_ {
        var_372 = arg_0;
        var_368 = arg_4;
        var_364 = 0x0;
        _PIC_register_ = eax;
        objc_storeStrong(&var_364, arg_8);
        var_312 = 0x9;
        var_308 = 0x1;
        eax = NSSearchPathForDirectoriesInDomains(0x9, 0x1, 0x1);
        eax = [eax retain];
        var_304 = 0x0;
        var_300 = eax;
        eax = [eax objectAtIndex:0x0];
        eax = [eax retain];
        var_296 = eax;
        eax = [eax stringByAppendingPathComponent:@"/secret-data"];
        eax = [eax retain];
        var_360 = eax;
        [var_296 release];
        [var_300 release];
        var_292 = var_364;
        eax = [var_372 passwordTextField];
        eax = [eax retain];
        var_288 = eax;
        [eax release];
        if (var_292 != var_288) goto loc_4fab;
        goto loc_4b74;
    loc_4fab:
        var_172 = var_364;
        eax = [var_372 returningUserTextField];
        eax = [eax retain];
        var_168 = eax;
        [eax release];
        if (var_172 != var_168) goto loc_53a5;
        goto loc_4ff8;
    loc_53a5:
        var_379 = 0x0;
        var_356 = 0x1;
    loc_53b0:
        var_104 = 0x0;
        objc_storeStrong(&var_360, 0x0);
        var_100 = 0x0;
        objc_storeStrong(&var_364, 0x0);
        eax = SIGN_EXTEND(var_379);
        return eax;
    loc_4ff8:
        eax = [var_372 returningUserTextField];
        eax = [eax retain];
        var_164 = eax;
        eax = [eax text];
        eax = [eax retain];
        var_160 = 0x4;
        var_156 = eax;
        eax = [eax dataUsingEncoding:0x4];
        eax = [eax retain];
        var_336 = eax;
        [var_156 release];
        [var_164 release];
        var_332 = 0x0;
        eax = [NSData dataWithContentsOfFile:var_360];
        eax = [eax retain];
        var_328 = eax;
        var_320 = var_332;
        eax = [RNDecryptor decryptData:var_328 withPassword:@"Secret-Key" error:&var_320];
        eax = [eax retain];
        var_152 = eax;
        objc_storeStrong(&var_332, var_320);
        var_324 = var_152;
        eax = [var_336 isEqualToData:var_324];
        if (eax != 0x0) {
            eax = [var_372 loggedInLabel];
            eax = [eax retain];
            var_148 = 0x0;
            var_144 = eax;
            [eax setHidden:0x0];
            [var_144 release];
            eax = [var_372 returningUserTextField];
            eax = [eax retain];
            var_140 = 0x1;
            var_136 = eax;
            [eax setHidden:0x1];
            [var_136 release];
            eax = [var_372 returningUserLabel];
            eax = [eax retain];
            var_132 = 0x1;
            var_128 = eax;
            [eax setHidden:0x1];
            [var_128 release];
            var_356 = 0x0;
        }
        else {
            var_124 = @"OK";
            var_120 = @"Oops";
            var_116 = @"Password is incorrect";
            var_112 = 0x0;
            eax = [UIAlertView alloc];
            eax = [eax initWithTitle:var_120 message:var_116 delegate:0x0 cancelButtonTitle:var_124 otherButtonTitles:0x0];
            var_108 = eax;
            [eax show];
            [var_108 release];
            var_379 = 0x0;
            var_356 = 0x1;
        }
        ecx = esp;
        *ecx = &var_324;
        *(ecx + 0x4) = 0x0;
        objc_storeStrong();
        ecx = esp;
        *ecx = &var_328;
        *(ecx + 0x4) = 0x0;
        objc_storeStrong();
        ecx = esp;
        *ecx = &var_332;
        *(ecx + 0x4) = 0x0;
        objc_storeStrong();
        ecx = esp;
        *ecx = &var_336;
        *(ecx + 0x4) = 0x0;
        objc_storeStrong();
        if (var_356 != 0x0) goto loc_53b0;
        goto loc_53a5;
    loc_4b74:
        eax = [var_364 resignFirstResponder];
        var_287 = eax;
        eax = [var_364 text];
        eax = [eax retain];
        var_280 = eax;
        eax = [eax length];
        var_276 = eax;
        [var_280 release];
        if (var_276 != 0x0) goto loc_4c9b;
        goto loc_4be5;
    loc_4c9b:
        eax = [var_372 passwordTextField];
        eax = [eax retain];
        var_252 = eax;
        eax = [eax text];
        eax = [eax retain];
        var_248 = 0x4;
        var_244 = eax;
        eax = [eax dataUsingEncoding:0x4];
        eax = [eax retain];
        var_352 = eax;
        [var_244 release];
        [var_252 release];
        var_348 = 0x0;
        var_340 = var_348;
        edi = esp;
        var_240 = 0x12;
        var_236 = _kRNCryptorAES256Settings;
        var_232 = *0x158b0;
        var_228 = edi;
        var_224 = *0x157bc;
        *(edi + 0xc) = *var_236;
        esi = var_228;
        *(esi + 0x58) = &var_340;
        *(esi + 0x54) = @"Secret-Key";
        *(esi + 0x8) = var_352;
        *(esi + 0x4) = var_224;
        *esi = var_232;
        eax = objc_msgSend();
        eax = [eax retain];
        var_220 = eax;
        objc_storeStrong(&var_348, var_340);
        var_344 = var_220;
        var_216 = 0x1;
        eax = [var_344 writeToFile:var_360 atomically:0x1];
        var_215 = eax;
        eax = [NSUserDefaults standardUserDefaults];
        eax = [eax retain];
        var_208 = eax;
        var_204 = 0x1;
        [eax setBool:0x1 forKey:@"loggedIn"];
        [var_208 release];
        eax = [NSUserDefaults standardUserDefaults];
        eax = [eax retain];
        var_200 = eax;
        eax = [eax synchronize];
        var_199 = eax;
        [var_200 release];
        eax = [var_372 firstUserView];
        eax = [eax retain];
        var_192 = 0x1;
        var_188 = eax;
        [eax setHidden:0x1];
        [var_188 release];
        var_184 = 0x0;
        objc_storeStrong(&var_344, 0x0);
        var_180 = 0x0;
        objc_storeStrong(&var_348, 0x0);
        var_176 = 0x0;
        objc_storeStrong(&var_352, 0x0);
        goto loc_53a5;
    loc_4be5:
        var_272 = @"OK";
        var_268 = @"Oops";
        var_264 = @"Please enter a password";
        var_260 = 0x0;
        eax = [UIAlertView alloc];
        eax = [eax initWithTitle:var_268 message:var_264 delegate:0x0 cancelButtonTitle:var_272 otherButtonTitles:0x0];
        var_256 = eax;
        [eax show];
        [var_256 release];
        var_379 = 0x0;
        var_356 = 0x1;
        goto loc_53b0;
    }

Here are some things we can interpret from this pseudo code.
    eax = [eax text];
    eax = [eax retain];
    var_160 = 0x4;
    var_156 = eax;
    eax = [eax dataUsingEncoding:0x4];
The text from the text field is being converted into NSData using the method dataUsingEncoding.
    eax = NSSearchPathForDirectoriesInDomains(0x9, 0x1, 0x1);
    eax = [eax retain];
    var_304 = 0x0;
    var_300 = eax;
    eax = [eax objectAtIndex:0x0];
    eax = [eax retain];
    var_296 = eax;
    eax = [eax stringByAppendingPathComponent:@"/secret-data"];
This indicates a file with the name secret-data. If we scroll down a bit, we see this line:
    eax = [var_344 writeToFile:var_360 atomically:0x1];
Looks like something is being written to this file.
    var_332 = 0x0;
    eax = [NSData dataWithContentsOfFile:var_360];
    eax = [eax retain];
    var_328 = eax;
    var_320 = var_332;
    eax = [RNDecryptor decryptData:var_328 withPassword:@"Secret-Key" error:&var_320];

The contents of the file named secret-data are being read and decrypted with a password.
    eax = [RNDecryptor decryptData:var_328 withPassword:@"Secret-Key" error:&var_320];
It looks like the key used for encryption and decryption is the hardcoded string Secret-Key.
    eax = [var_336 isEqualToData:var_324];
There is a comparison between two NSData values. The boolean result is stored in the eax register.
    if (eax != 0x0) {
        eax = [var_372 loggedInLabel];
        eax = [eax retain];
        var_148 = 0x0;
        var_144 = eax;
        [eax setHidden:0x0];
        [var_144 release];
        eax = [var_372 returningUserTextField];
        eax = [eax retain];
        var_140 = 0x1;
        var_136 = eax;
        [eax setHidden:0x1];
        [var_136 release];
        eax = [var_372 returningUserLabel];
        eax = [eax retain];
        var_132 = 0x1;
        var_128 = eax;
        [eax setHidden:0x1];
        [var_128 release];
        var_356 = 0x0;
    }
    else {
        var_124 = @"OK";
        var_120 = @"Oops";
        var_116 = @"Password is incorrect";
        var_112 = 0x0;
        eax = [UIAlertView alloc];
        eax = [eax initWithTitle:var_120 message:var_116 delegate:0x0 cancelButtonTitle:var_124 otherButtonTitles:0x0];
        var_108 = eax;
        [eax show];
        [var_108 release];
        var_379 = 0x0;
        var_356 = 0x1;
    }
Depending on the value of eax, the flow goes to different places. If the value is 0, the user is shown an alert that the password is incorrect. Otherwise, as you might have guessed, the user is logged in.
Well, let's see if we can find the file secret-data in the application sandbox. After searching just a little, we see that this file is present in the Documents folder. On opening it, we find that it contains some data, and the content looks encrypted.
Also, after googling a bit on RNEncryptor and RNDecryptor, we see that they are part of an open source library available on Github, which can be found here.
So from all this information, we can interpret the following:
1. When the user enters the password, the text is converted into NSData using the method dataUsingEncoding with the parameter 0x4. The parameter 0x4 corresponds to NSUTF8StringEncoding.
2. Data is read from the file secret-data and decrypted using a hardcoded key.
3. The two values obtained from the above two steps are compared against each other. If they match, the user is logged in.
Well, it is pretty clear that we can find the password by decrypting the data from the file secret-data and converting it into a string with the encoding NSUTF8StringEncoding. Let's write a simple iOS application to decrypt the data. For this, you will need to copy the file secret-data from the application sandbox and paste it into the Documents folder of the sandbox of this new application. You can also download the complete code from here.
We add this method in the new project.
    // Path of the copied secret-data file inside this app's Documents folder
    NSString *dataPath = [[NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) objectAtIndex:0] stringByAppendingPathComponent:@"/secret-data"];
    NSError *error;
    NSData *encryptedData = [NSData dataWithContentsOfFile:dataPath];
    // Decrypt with the same hardcoded key recovered from the disassembly
    NSData *decryptedData = [RNDecryptor decryptData:encryptedData
                                        withPassword:@"Secret-Key"
                                               error:&error];
    // The app stored the password as UTF-8 (encoding 0x4), so decode it the same way
    NSString *password = [[NSString alloc] initWithData:decryptedData
                                               encoding:NSUTF8StringEncoding];

    UILabel *newLabel = [[UILabel alloc] initWithFrame:CGRectMake(140.0, 160.0, 100.0, 100.0)];
    [self.view addSubview:newLabel];
    [newLabel setText:password];
As you can clearly note, this method decrypts the data using the hardcoded password and shows the value in a label that is displayed on the view. After running this application, we can easily see the decrypted password.
In this article, we looked at how one can exploit a weakness in the encryption being used to find sensitive information in an application. In this case, the weakness was a hardcoded key. It is essential for developers to make sure that they implement encryption properly in their applications to prevent them from being compromised.
In the next article, we will look at Client Side Injection in iOS Applications.
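As an added example, not code from the demo app or from the RNCryptor library, this is how the decrypt-and-compare check interpreted above could be replaced so that the stored file no longer yields the password even with the binary in hand: store a random salt plus a PBKDF2-HMAC-SHA256 hash of the password and verify by recomputing it. The helper names DeriveHash, StorePasswordRecord and VerifyPassword are hypothetical, and the code assumes the CommonCrypto and Security frameworks and a file path like the one the app already builds for secret-data.

```objc
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>
#import <Security/Security.h>

// Hypothetical helpers (not from the demo app). The stored record is
// salt || PBKDF2(password, salt): it can be checked but not reversed, so a
// key embedded in the binary is no longer something worth recovering.
static const NSUInteger kSaltLength = 16;
static const NSUInteger kHashLength = 32;
static const unsigned int kPBKDF2Rounds = 100000;

// PBKDF2-HMAC-SHA256 over the UTF-8 bytes of the password (the same
// NSUTF8StringEncoding the app uses before its comparison).
static NSData *DeriveHash(NSString *password, NSData *salt) {
    NSData *pw = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableData *out = [NSMutableData dataWithLength:kHashLength];
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2, pw.bytes, pw.length,
                                  salt.bytes, salt.length,
                                  kCCPRFHmacAlgSHA256, kPBKDF2Rounds,
                                  out.mutableBytes, out.length);
    return rc == kCCSuccess ? out : nil;
}

// First launch: pick a random salt, hash the password, write salt || hash.
static BOOL StorePasswordRecord(NSString *password, NSString *path) {
    NSMutableData *salt = [NSMutableData dataWithLength:kSaltLength];
    if (SecRandomCopyBytes(kSecRandomDefault, salt.length, salt.mutableBytes) != 0) {
        return NO;
    }
    NSData *hash = DeriveHash(password, salt);
    if (hash == nil) return NO;
    NSMutableData *record = [NSMutableData dataWithData:salt];
    [record appendData:hash];
    return [record writeToFile:path atomically:YES];
}

// Later launches: recompute with the stored salt and compare every byte,
// so the comparison takes the same time whether or not the hashes match.
static BOOL VerifyPassword(NSString *password, NSString *path) {
    NSData *record = [NSData dataWithContentsOfFile:path];
    if (record.length != kSaltLength + kHashLength) return NO;
    NSData *salt = [record subdataWithRange:NSMakeRange(0, kSaltLength)];
    NSData *stored = [record subdataWithRange:NSMakeRange(kSaltLength, kHashLength)];
    NSData *computed = DeriveHash(password, salt);
    if (computed == nil) return NO;
    const uint8_t *a = stored.bytes, *b = computed.bytes;
    uint8_t diff = 0;
    for (NSUInteger i = 0; i < kHashLength; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}
```

On a real device the record belongs in the keychain rather than in the Documents folder, but the verification logic stays the same.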
