In the previous article, we looked at how we can use Introspy for Black-box assessment of IOS applications. In this article, we will look at how we can use Introspy to set up our own custom signatures and detect them in an application trace. Setting up our own predefined signatures could be useful for cases where you have a found a method in a particular application that seems of particular interest to you and you want to know when it is being called. Introspy already has a list of predefined signatures that it uses to flag vulnerabilities or insecure configurations. However, it also allows us to add our own signatures.

You can find the predefined signatures in Introspy in the signatures.py file inside the analyzer folder.

Click to Enlarge

From here, we can see that a signatures consists of a title, description, a severity level and a filter which consists of the method calls that correspond to the signature. So let’s look at a sample signature.

Over here, you can see a signature that checks whether the application uses Pasteboards or not. Pasteboards are generally very insecure as they can allow an application to copy some data from the Pasteboard into their application. Hence this signature makes sense. You can see that the filter consists of two values, classes_to_match and methods_to_match. You can also specify a parameter args_to_match in your signature. So from this signature, it is pretty much clear that these following method implementations will match the above signature.

  • UIPasteboard *pasteboard = [UIPasteboard generalPasteboard];
  • UIPasteboard *pasteboard = [UIPasteboard pasteboardWithName:@"XYZ" create:YES];
  • UIPasteboard *pasteboard = [UIPasteboard pasteboardWithUniqueName];

Another signature shown in the image below checks for methods that bypass credential validation while connecting to a remote server. This happens in cases where you are using a self singed SSL certificate and would like to trust it everytime without any kind of validation.

For any LibC signature, just set the classes_to_match attribute as C.

Now lets understand a signature that has some arguments also with it as a filter. The filter can be defined using 3 classes which can be found in the file Filters.py. These classes are ArgumentsFilter, ArgumentsNotSetFilter or ArgumentsWithMaskFilter. Here are some screenshots from the code itself that define the purpose of these classes.



Want to learn more?? The InfoSec Institute Web Application Penetration Testing Boot Camp focuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises, thought provoking lectures led by an expert instructor. We review of the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how perform OWASP Top 10 Assessments: for PCI DSS compliance

Here is a signature written in the Signatures.py file that detects the scenario when some data is written to the keychain without a secure protection domain (pdmn). As you can see, both the ArgumentsFilter and ArgumentsNotSetFilter filters have been used to detect signaturres. The ArgumentsFilter signature is used to find pdmn’s that are insecure whereas ArgumentsNotSetFilter is used to find cases where no accessibility option is provided and hence defaults to kSecAttrAccessibleAlways.

Click to Enlarge

Now lets add a custom signature to the signature.py file. In this case, we are checking for the case whenever someone gets a string saved in NSUserDefaults.

Now run the python script introspy.py file on the saved database file.

In the report under Potential Findings, you will see that our signature was identified in many different places.

Conclusion

In this article, we looked at how we can use Introspy to set up our own custom signatures and detect them in an application. Using these custom signatures when performing static analysis of these applications can be very useful if you are looking to track some specific method implementations.

References