I am glad to release a completely new version of Damn Vulnerable iOS App written in Swift 4. With developers now migrating to Swift for developing apps, it is important to have a testbed app for iOS in Swift. Though I have added some sections in Objective-C too which the users can test to learn Objective-C related vulns. The following vulnerabilities are covered in this version.
- Local Data Storage – Data Storage in Plist, UserDefaults, Keychain, CoreData, Webkit Cache, Realm, Couchbase and YapDatabase.
- Jailbreak Detection – 5 challenges in this section. Apart from the usual checks where you can use runtime manipulation and attach debuggers to bypass Jailbreak detection, users will have to mitigate scenarios where there is added runtime protection, use of inline functions, string obfuscation, and certain edge cases, for e.g the exiting of an app when a jailbroken device is detected.
- Excessive Permissions – A demo on how app permissions can be misused, as demonstrated by Krause originally.
- Runtime Manipulation – Use runtime manipulation to modify instance variables, bypass local login checks, and brute force pin codes. In some cases, you might have to attach a debugger.
- Anti Anti Hooking/Debugging – Enabling these will detect when a debugger or a runtime analysis tool such as Cycript is attached to the app. There is also detection for MobileSubstrate, SSLKillSwitch2 etc. Try and work your way around it and see if you can still solve other challenges with these limitations. Reverse & Patch, Patch, Patch !
- Binary Protection – Do some binary analysis to identify whether ARC, PIE, Stack smashing is enabled. Find the signature used to sign the binary and the entitlements it has. Also check if the app is stripped of its symbols or not.
- Touch/Face ID Bypass – Bypass Touch ID authentication when insecure APIs (LAContext) are being used.
- Phishing – Demonstration of alerts generated by app that look like the ones generated from App Store, which can potentially be used for conducting phishing attacks. Original idea by Krause.
- Side Channel Data Leakage – Understand the different kinds of Side Channel Data leakage such as Device Logs, Pasteboard, App Screenshot, Keystroke Logging, Insecure APIs used for HTTP Cookies etc.
- IPC Issues – Solve this challenge to understand what can happen when an app is receiving requests via URL schemes from untrusted sources and doesn’t validate it properly.
- Broken Cryptography – Bypass 2 encryption and hashing implementations, one with AES and the other one with PBKDF2 with only few rounds of hashing.
- Webview Issues – Understand injections in Webviews.
- Network Layer Security – Capture traffic over HTTP and HTTPs. Bypass Certificate and Public Key Pinning. Also understand what is ATS (App Transport Security) and check whether it is implemented or not.
- Application Patching – Patch login checks, jailbreak detection methods, and in specific certain specific instructions used in the app.
- Sensitive Information in Memory – Dump the information from the memory to look at the sensitive data.
- Data leakage to third parties – Identify and Capture the data being leaked to third parties.
Installing DVIA on any iOS device
The best way to install DVIA on any device (jailbroken or not) is using Cydia Impactor. However, it would be ideal to have a jailbroken device for testing as most of the vulnerabilities can be exploited only with the use of a JB device.
- Create an Apple ID https://appleid.apple.com/account.
- Download Impactor, make sure the device you want to install the app on is connected to your computer. Now drag and drop the IPA file to Impactor.
- Enter your Apple ID credentials. App will install on the device.
- Go to your device, Settings -> General -> Device Management. Select the Apple ID you used to install the app. Click on Verify App under DVIAv2.
Compiling DVIA using Xcode
- Clone the DVIA repo , git clone https://github.com/prateek147/DVIA-v2
- cd to the project root directory where the Podfile is present (/DVIA-v2/DVIA-v2). Then run pod install
- Open the DVIA-v2.xcworkspace file with Xcode. You can now directly run the app on a simulator.
- For running on the device, go under Project settings in Xcode on the top left, head over to the General tab and under Signing, enter credentials for your Apple ID.
- Now you can build and run the project on the device. You will have to trust the app again by going under Settings -> General -> Device Management.
Some Important Links
if you benefit from this project and want to make a contribution, please consider making a donation to The Juniper Fund (www.thejuniperfund.org/)
The Juniper fund is focusing on high altitude workers involved with climbing and expedition support in the high mountains of Nepal. When a high altitude worker has an accident (death or debilitating injury), the impact to the family is devastating. The juniper fund provides funds to the affected families with a 3-Tier model – Cost of Living grant, vocational training and small business grant. For more information, visit www.thejuniperfund.org.
Or watch the videos below.
I am still working on the solutions and would post them in form of blog posts starting soon.
Happy Hacking !