TrustKit: Code Injection on iOS 8 for the Greater Good

Presented at Black Hat USA 2015, Aug. 6, 2015, 9 a.m. (25 minutes)

With the release of iOS 8, Apple has relaxed the rules regarding how code can be packaged within an iOS App when submitting to the App Store. While in the pre-iOS 8 world all code had to be statically linked into the App's binary, Apple is now allowing third-party frameworks and libraries to be embedded in an App's package and dynamically loaded at runtime, as needed by the App. We will describe exactly what has changed and why, and the new opportunities it provides to mobile and security engineers. While doing so, we will also provide a quick overview of the library loading mechanism on iOS, as well as how to perform function hooking in a non-jailbroken environment and how developers can take advantage of this functionality. We will then present a new open-source library for iOS that leverages these mechanisms: TrustKit. TrustKit provides universal SSL public key pinning (NSURLSession, NSURLConnection, UIWebView, Cordova, etc.) and can be deployed within an App in a matter of minutes, without having to modify the App's source code. This work is a collaboration between Data Theorem and Yahoo's mobile engineers, and offers a novel and easy-to-use implementation; we call it drag & drop SSL pinning. Throughout the presentation, attendees will have the opportunity to understand how the rules regarding dynamic linking have changed in iOS 8 and how this change can be leveraged to solve security issues in a novel way. Additionally, as TrustKit will be released as an open-source library, attendees will also be able to discover and deploy this library in their own iOS Apps.

Presenters:

  • Angela On-kit Chow - Yahoo
    Angela On-kit Chow, CISSP, is part of the Paranoids (security) team within Yahoo! focusing on mobile security, and has over five years of security experience. In the past, she has worked at RSA doing cryptographic library development support.
  • Eric Castro - Data Theorem
    Eric Castro is an iOS Engineer at Data Theorem. His background in Apple's iOS ecosystem dates back to late 2007 and the first jailbreak ever. In early 2008, he released 'iSlsk', a SoulSeek client for jailbroken iPhones, which became the first P2P file sharing app ever on a mobile platform, at a time when the App Store didn't even exist yet. Since then, he has been deeply involved in the reverse engineering of iOS private frameworks in order to circumvent many of Apple's limitations on their devices. Most notably, his jailbreak app 'MewSeek', built with crucial collaboration from security expert Nikias Bassen, allowed syncing mp3 files to the iPhone's internal music library without the need for iTunes or any computer. Eric joined Data Theorem in 2014 to apply his expertise in iOS internals to the further development of its cloud-enabled scanning service for mobile application security and data privacy.
  • Alban Diquet - Data Theorem
    Alban Diquet is Head of iOS Research at Data Theorem, a cloud-enabled scanning service for mobile application security and data privacy. Alban's research focuses on security protocols, data privacy, and mobile security, with a focus on iOS, Android, and Windows Phone devices. Alban has released several open-source security tools, including SSLyze, iOS-SSL-Kill-Switch, and Introspy. Furthermore, Alban has presented at various security conferences, including Black Hat USA, Hack in the Box, and Ruxcon. Prior to joining Data Theorem, Alban was a Principal at iSEC Partners, Inc. Alban received an MS in Computer and Electrical Engineering from the Institut Superieur d'Electronique de Paris in Paris, France, and an MS in Secure and Dependable Computer Systems from Chalmers University in Gothenburg, Sweden.