DeepSec 2012 Talk: Pentesting iOS Apps – Runtime Analysis and Manipulation
„Apple’s iPhone and iPad are quite trendy consumer devices, and have become increasingly popular even in enterprises nowadays. Apps, downloaded from the AppStore or developed in-house, are supposed to completely change and optimize the way of work. Suddenly, managers have access to business intelligence information, data warehouses and financial charts on their mobile devices: Apps are used as front ends to executive information systems and, thus, are carrying around loads of sensitive data.
At a first glance it seems, that there’s nothing new on it. Indeed, it is quite common to remotely access critical business data. However, the popularity of mobile devices, combined with the sensitive data processed and stored on these, raise new questions about system security and privacy. These questions go far beyond integration and deployment of mobile devices in the business infrastructure, which has been the main focus during the last years, when mobile device security was considered. What about the apps running on these systems? Is sensitive data protected, even if a device is lost or stolen? Is data in transit resistant to eavesdropping?
To answer these and many other questions, security testing of mobile apps and their environment is required. This is why mobile application security has become increasingly important in recent years. Even though, there is still a lack of testing methodologies and supporting tools.
As in any kind of software security assessment two different approaches do exist: Static and dynamic analysis. While static analysis gives detailed insights into a mobile app and is, of course, the preferred way of performing a security assessment, it is not always the most practicable way. To evaluate the security level of a mobile app within an economically reasonable timeframe, it is worthwhile to combine both, static and dynamic analysis.
During this talk, Andreas explains the basic concepts of Objective-C and its runtime. Based on the dynamic nature of the Objective-C runtime he shows, how runtime analysis and manipulation leverages security assessments of mobile apps.
For this purpose he explains the background, techniques, problems and solutions to Objective-C runtime analysis and manipulation. Furthermore he demonstrates, how running applications can be extended with additional debugging and runtime tracing capabilities, and how this facilitates both, dynamic and static analysis of Apple iOS apps.
By using the tools and techniques provided during this talk, pentesters should be able to explore the attack surface of mobile applications more efficiently, while developers of mobile apps might prefer to avoid client-side logic and security measures in the future.“