ios app security
Embed Size (px)
DESCRIPTION
Cocoaheads Taipei 2013.10TRANSCRIPT
- iOS app security -analyze and defense Hokila Cocoaheads Taipei 2013.10
- Android Taipei (2013 August) Android Apps Security Taien Wang Ruby Tuesday (2013.9.10) App:ServerIAP Kevin Wang
- ( )( ) ( )
- / /
- / / Splashtop / KKBOX / WhosCall
- iOS app native leak network monitor IAP crack Analyze tools Encode /decode Good Habits
- 2012.12 Cocoaheads Taipei In App Purchase youtu.be/g2tWRPdweeY
- 1. iOS app API 2. 3. IAP Free /LocalAppStore iGameGardian / Flex
- OWASP Mobile Top 10 Risk (2013-M1) M1. (Insecure Data Storage) M2. (Weak Server Side Controls) M3. (Insufficient Transport Layer Protection) M4. (Client Side Injection) M5. (Poor Authorization and Authentication) M6. (Improper Session Handling) M7. (Security Decisions Via Untrusted Inputs) M8. (Side Channel Data Leakage) M9. (Broken Cryptography) M10. (Sensitive Informaiton Disclosure)
- app itself app /user data automatically backed up by iCloud. temporary files,clean when app restart NSTemporaryDirectory Library Application Support good place for configuration/template Cache Data that can be downloaded again or regenerated Cookie store cookies for sandbox webView Prefences NSUSerDefault Ref: File System Programming Guide
- info.plist
- info.plist
- console log iphone configuration utility iTool2012
- DEMO
- applog framework log system notification memory warming
- User Defaults,secure?
- User Defaults,secure?
- keychain locate at /var/Keychains/keychain-2.db Apple says keychain is a secure place to store keys and passwords dump keychain database (jb necessary)
- API Charles / open data /iCulture DEMO
- 1. Charles (Mac Windows) $ 2. ZAP (Mac Windows) Free 3. Fiddler (Windows) Free 4. Wire Shark (Mac Windows) Free
- device screen console log plistdb API request/response
- app verify 1 appdbgoogle docdropbox ......
- class dump-z dumping class info from an iOS app guess class utility https://code.google.com/p/networkpx/
- DEMO
- IAP Free/LocalAppStore app
- IAP Free/LocalAppStore app iGameGardin / value
- IAP Free/LocalAppStore app iGameGardin / value Flex function -(BOOL)isTransactionSucess YES
- IAP Free/LocalAppStore app iGameGardin / value Flex function -(BOOL)isTransactionSucess YES developerapp.....
- OSapp server/model data King Of Design Pattern:MVC model view use encrypt ,not hash hashsalt ....
- API GET http://xxx.yyy/getUserData.php paeameters (string)userID response (string)name (array)xxlist (string)itemname (int)quantity (string)status
- POST http://xxx.yyy/getUserData.php public parameters (string)token (string)call_file_name (string)userID response (string)name (array)xxlist (string)itemname (int)quantity (string)status (int)status
- POST http://xxx.yyy/getUserData.php public parameters (string)token (string)call_file_name (string)userID response (string)name (array)xxlist (string)itemname (int)quantity (string)status (int)status
- SSL POST http://xxx.yyy/public parameters (string)token (string)call_file_name (string)userID struct object (string)itemname (int)quantity (int)status response (string)name (array)xxlist (string)itemname (int)quantity (int)status (object)item base64 encode
- In-App Purchase Programming Guide base64
- SSL POST http://xxx.yyy/public parameters (string)token (string)call_file_name (string)userID response (string)name (array)xxlist (object)item
- SSL POST http://xxx.yyy/public parameters (string)token (string)call_file_name (string)userID response (string)name (array)xxlist (object)item Accept = "*/*"; Accept-Language = zh-TW; Connection = close; User-Agent = "Something special~~";
- public entry access token SSL status code object ,not clear dictionary and...?
- King Of Design Pattern:MVC Model memory View API plist db NSString NSNumber UILabel encrypt() 08f90c1a417155361a5c4b8d297e0d78 2000 Money 2000
- King Of Design Pattern:MVC Model memory View API plist db NSString NSNumber UILabel encrypt() 2000 08f90c1a417155361a5c4b8d297e0d78 need protection!! Money 2000
- double_check http://xxx.yyy/buy paeameters (string)user (string)itemID response (string)status (string)itemID (int)quantity (int)leftmoney
- double_check http://xxx.yyy/buy paeameters (string)user (string)itemID response (string)status (string)itemID (int)quantity (int)leftmoney http://xxx.yyy/double_check paeameters response (string)user (string)status (OK /Reject) (string)itemID
- use encrypt ,not hash sha1md5base64 QA1~100md5 hash
- use encrypt ,not hash hashsalt md5($salt.$pass.$username) sha1($salt.$pass) md5($salt.md5($pass)) sha1($salt.$username.$pass.$salt) md5($salt.md5($pass).$salt) sha1($salt.md5($pass)) encrypt
- use encrypt ,not hash hashsalt md5($salt.$pass.$username) sha1($salt.$pass) md5($salt.md5($pass)) sha1($salt.$username.$pass.$salt) md5($salt.md5($pass).$salt) sha1($salt.md5($pass)) encrypt DES 19771999
- use encrypt ,not hash hashsalt md5($salt.$pass.$username) sha1($salt.$pass) md5($salt.md5($pass)) sha1($salt.$username.$pass.$salt) md5($salt.md5($pass).$salt) sha1($salt.md5($pass)) encrypt DES 19771999 AES-128 AES-256 passwd = AESEncrypt(string, key)
- So.... public dataprivate data user serverservice() app
- So.... public dataprivate data user serverservice() app think as a service,not an app.
- One more thing
- video on niconico youtube
- video on niconico youtube availiable today
- Thanks Bye~~ Hokila mail blog FB [email protected] josihokila.blogspot.com fb.me/hokilaj
- Thanks Bye~~ Hokila mail blog FB [email protected] josihokila.blogspot.com fb.me/hokilaj