From 8c4ffe8205914028c6701248eb0ca6b420cd3e2e Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sat, 27 Jul 2019 12:10:56 +0200 Subject: [PATCH 01/13] fixed true-false --- Document/0x05a-Platform-Overview.md | 6 +++--- Document/0x05c-Reverse-Engineering-and-Tampering.md | 2 +- Document/0x05h-Testing-Platform-Interaction.md | 8 ++++---- Document/0x06h-Testing-Platform-Interaction.md | 8 ++++---- ...x06j-Testing-Resiliency-Against-Reverse-Engineering.md | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Document/0x05a-Platform-Overview.md b/Document/0x05a-Platform-Overview.md index 498b8e4667..6120d23263 100644 --- a/Document/0x05a-Platform-Overview.md +++ b/Document/0x05a-Platform-Overview.md @@ -483,9 +483,9 @@ Permissions can be enforced on *Activities*, *Services*, and *Broadcast Receiver *Content Providers* are a little different. They support a separate set of permissions for reading, writing, and accessing the content provider with a content URI. -- `android:writePermission`, `android:readPermission`: the developer can set separate permissions for reading or writing -- `android:permission`: general permission that will control reading and writing to the content provider -- `android:grantUriPermissions`: true if the content provider can be accessed with a content URI (the access temporarily bypasses the restrictions of other permissions), and false otherwise +- `android:writePermission`, `android:readPermission`: the developer can set separate permissions for reading or writing. +- `android:permission`: general permission that will control reading and writing to the content provider. +- `android:grantUriPermissions`: "true" if the content provider can be accessed with a content URI (the access temporarily bypasses the restrictions of other permissions), and "false" otherwise. ### Signing and Publishing Process diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md index ad7bc92b96..c48ba6263a 100644 --- a/Document/0x05c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x05c-Reverse-Engineering-and-Tampering.md @@ -582,7 +582,7 @@ main[1] locals flag = false ``` -You've now reached a call to `setCancelable` with the argument `false`. Set the variable to true with the `set` command and resume. +You've now reached a call to `setCancelable` with the argument `false`. Set the variable to "true" with the `set` command and resume. ```shell main[1] set flag = true diff --git a/Document/0x05h-Testing-Platform-Interaction.md b/Document/0x05h-Testing-Platform-Interaction.md index ae15a6df46..a7b17e0c2b 100644 --- a/Document/0x05h-Testing-Platform-Interaction.md +++ b/Document/0x05h-Testing-Platform-Interaction.md @@ -394,7 +394,7 @@ With this vulnerability, an attacker can call fragments inside the target applic To prevent this vulnerability, a new method called `isValidFragment` was added in Android 4.4 KitKat (API Level 19). It allows developers to override this method and define the fragments that may be used in this context. -The default implementation returns true on versions older than Android 4.4 KitKat (API Level 19); it will throw an exception on later versions. +The default implementation returns "true" on versions older than Android 4.4 KitKat (API Level 19); it will throw an exception on later versions. #### Static Analysis @@ -635,7 +635,7 @@ We start by looking at the AndroidManifest.xml, where all activities, services, - [``](https://developer.android.com/guide/topics/manifest/provider-element.html "ProviderElement") - [``](https://developer.android.com/guide/topics/manifest/receiver-element.html "ReceiverElement") -An "exported" activity, service, or content can be accessed by other apps. There are two common ways to designate a component as exported. The obvious one is setting the export tag to true `android:exported="true"`. The second way involves defining an `` within the component element (``, ``, ``). When this is done, the export tag is automatically set to "true." To prevent all other Android apps from interacting with the IPC component element, be sure that the `android:exported="true"` value and an `` aren't in their `AndroidManifest.xml` files unless this is necessary. +An "exported" activity, service, or content can be accessed by other apps. There are two common ways to designate a component as exported. The obvious one is setting the export tag to "true" (`android:exported="true"`). The second way involves defining an `` within the component element (``, ``, ``). When this is done, the export tag is automatically set to "true." To prevent all other Android apps from interacting with the IPC component element, be sure that the `android:exported="true"` value and an `` aren't in their `AndroidManifest.xml` files unless this is necessary. Remember that using the permission tag (`android:permission`) will also limit other applications' access to a component. If your IPC is intended to be accessible to other applications, you can apply a security policy with the `` element and set a proper `android:protectionLevel`. When `android:permission` is used in a service declaration, other applications must declare a corresponding `` element in their own manifest to start, stop, or bind to the service. @@ -987,8 +987,8 @@ Check the source code for WebView usage. The following [WebView settings](https: - `setAllowContentAccess`: Content URL access allows WebViews to load content from a content provider installed on the system, which is enabled by default . - `setAllowFileAccess`: Enables and disables file access within a WebView. File access is enabled by default. Note that this enables and disables [file system access](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess%28boolean%29 "File Access in WebView") only. Asset and resource access is unaffected and accessible via `file:///android_asset` and `file:///android_res`. -- `setAllowFileAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from other file scheme URLs. The default value is true for API level 15 (Ice Cream Sandwich) and below and false for API level 16 (Jelly Bean) and above. -- `setAllowUniversalAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from any origin. The default value is true for API level 15 (Ice Cream Sandwich) and below and false for API level 16 (Jelly Bean) and above. +- `setAllowFileAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from other file scheme URLs. The default value is "true" for API level 15 (Ice Cream Sandwich) and below and "false" for API level 16 (Jelly Bean) and above. +- `setAllowUniversalAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from any origin. The default value is "true" for API level 15 (Ice Cream Sandwich) and below and "false" for API level 16 (Jelly Bean) and above. If one or more of the above methods is/are activated, you should determine whether the method(s) is/are really necessary for the app to work properly. diff --git a/Document/0x06h-Testing-Platform-Interaction.md b/Document/0x06h-Testing-Platform-Interaction.md index dca5415fd6..3557ac0ea2 100644 --- a/Document/0x06h-Testing-Platform-Interaction.md +++ b/Document/0x06h-Testing-Platform-Interaction.md @@ -1320,7 +1320,7 @@ Inspect the app extension's `Info.plist` file and search for `NSExtensionActivat ``` -Only the data types present here and not having `0` as `MaxCount` will be supported. However, more complex filtering is possible by using a so-called predicate string that will evaluate the UTIs given. Please refer to the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW8 "Declaring Supported Data Types for a Share or Action Extension") for more detailed information about this. +Only the data types present here and not having "0" as `MaxCount` will be supported. However, more complex filtering is possible by using a so-called predicate string that will evaluate the UTIs given. Please refer to the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW8 "Declaring Supported Data Types for a Share or Action Extension") for more detailed information about this. ###### Checking Data Sharing with the Containing App @@ -1619,7 +1619,7 @@ Before calling the `openURL:options:completionHandler:` method, apps can call [` ``` -`canOpenURL` will always return `NO` for undeclared schemes, whether or not an appropriate app is installed. However, this restriction only applies to `canOpenURL`, **the `openURL:options:completionHandler:` method will still open any URL scheme, even if the `LSApplicationQueriesSchemes` array was declared**, and return `YES` / `NO` depending on the result. +`canOpenURL` will always return"NO" for undeclared schemes, whether or not an appropriate app is installed. However, this restriction only applies to `canOpenURL`, **the `openURL:options:completionHandler:` method will still open any URL scheme, even if the `LSApplicationQueriesSchemes` array was declared**, and return "YES" / "NO" depending on the result. As an example, Telegram declares in its [`Info.plist`](https://github.com/peter-iakovlev/Telegram-iOS/blob/master/Telegram-iOS/Info.plist#L63 "Telegram's Info.plist Line 63") these Queries Schemes, among others: @@ -1938,7 +1938,7 @@ Now we know that: - It receives our URL as a parameter: `igoat://`. - We also can verify the source application: `com.apple.mobilesafari`. - We can also know from where it was called, as expected from `-[UIApplication _applicationOpenURLAction:payload:origin:]`. -- The method returns `0x1` which means `YES` ([the delegate successfully handled the request](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623112-application?language=objc#return-value "application:openURL:options: Return Value")). +- The method returns "0x1" which means "YES" ([the delegate successfully handled the request](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623112-application?language=objc#return-value "application:openURL:options: Return Value")). The call was successful and we see now that the iGoat app was open: @@ -2757,7 +2757,7 @@ hasOnlySecureContent: false allowUniversalAccessFromFileURLs: 0 ``` -Both `allowFileAccessFromFileURLs` and `allowUniversalAccessFromFileURLs` are set to `0`, meaning that they are disabled. In this app we can go to the WebView configuration and enable `allowFileAccessFromFileURLs`. If we do so and re-run the script we will see how it is set to `1` this time: +Both `allowFileAccessFromFileURLs` and `allowUniversalAccessFromFileURLs` are set to "0", meaning that they are disabled. In this app we can go to the WebView configuration and enable `allowFileAccessFromFileURLs`. If we do so and re-run the script we will see how it is set to "1" this time: ```shell $ frida -U -f com.authenticationfailure.WheresMyBrowser -l webviews_inspector.js diff --git a/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md b/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md index 43d52af62b..04deb32572 100644 --- a/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md +++ b/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md @@ -371,7 +371,7 @@ After the instruction at offset *0xC13C*, MOVNE R0, #1 is patched and changed to You can bypass a `sysctl` check by using the debugger itself and setting a breakpoint at the call to `sysctl`. This approach is demonstrated in [iOS Anti-Debugging Protections #2](https://www.coredump.gr/articles/ios-anti-debugging-protections-part-2/ "iOS Anti-Debugging Protections #2"). -Needle contains a module aimed to bypass non-specific jailbreak detection implementations. Needle uses Frida to hook native methods that may be used to determine whether the device is jailbroken. It also searches for function names that may be used in the jailbreak detection process and returns false when the device is jailbroken. Use the following command to execute this module: +Needle contains a module aimed to bypass non-specific jailbreak detection implementations. Needle uses Frida to hook native methods that may be used to determine whether the device is jailbroken. It also searches for function names that may be used in the jailbreak detection process and returns "false" when the device is jailbroken. Use the following command to execute this module: ```shell [needle] > use dynamic/detection/script_jailbreak-detection-bypass From 527e4523f062fc2210fd61f9ae15c6de54e51e31 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sat, 27 Jul 2019 12:54:41 +0200 Subject: [PATCH 02/13] fixed markdown links withouth title --- Document/0x02-Frontispiece.md | 2 +- Document/0x04a-Mobile-App-Taxonomy.md | 4 +- ...0x04c-Tampering-and-Reverse-Engineering.md | 2 +- ...g-Authentication-and-Session-Management.md | 4 +- .../0x04f-Testing-Network-Communication.md | 90 +++++++++---------- Document/0x04g-Testing-Cryptography.md | 2 +- Document/0x04h-Testing-Code-Quality.md | 6 +- Document/0x05a-Platform-Overview.md | 12 +-- ...0x05c-Reverse-Engineering-and-Tampering.md | 6 +- Document/0x05e-Testing-Cryptography.md | 8 +- .../0x05f-Testing-Local-Authentication.md | 4 +- .../0x05h-Testing-Platform-Interaction.md | 10 +-- ...-Resiliency-Against-Reverse-Engineering.md | 18 ++-- Document/0x06b-Basic-Security-Testing.md | 4 +- Document/0x06d-Testing-Data-Storage.md | 2 +- Document/0x06e-Testing-Cryptography.md | 7 +- .../0x06f-Testing-Local-Authentication.md | 4 +- .../0x06h-Testing-Platform-Interaction.md | 10 +-- ...Testing-Code-Quality-and-Build-Settings.md | 2 +- 19 files changed, 99 insertions(+), 98 deletions(-) diff --git a/Document/0x02-Frontispiece.md b/Document/0x02-Frontispiece.md index f8a3721fc1..58de7fc8d3 100644 --- a/Document/0x02-Frontispiece.md +++ b/Document/0x02-Frontispiece.md @@ -8,7 +8,7 @@ OWASP thanks the many authors, reviewers, and editors for their hard work in dev ## Copyright and License -Copyright © 2018 The OWASP Foundation. This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/). For any reuse or distribution, you must make clear to others the license terms of this work. +Copyright © 2018 The OWASP Foundation. This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/ "Creative Commons Attribution-ShareAlike 4.0 International License"). For any reuse or distribution, you must make clear to others the license terms of this work. drawing diff --git a/Document/0x04a-Mobile-App-Taxonomy.md b/Document/0x04a-Mobile-App-Taxonomy.md index 000bb7fd8c..f34af2c0e2 100644 --- a/Document/0x04a-Mobile-App-Taxonomy.md +++ b/Document/0x04a-Mobile-App-Taxonomy.md @@ -2,7 +2,7 @@ ## Mobile App Taxonomy -The term "mobile app" refers to a self-contained computer program designed to execute on a mobile device. Today, the Android and iOS operating systems cumulatively comprise [more than 99% of the mobile OS market share](https://www.idc.com/promo/smartphone-market-share/os). Additionally, mobile Internet usage has surpassed desktop usage for the first time in history, making mobile browsing and apps the [most widespread kind of Internet-capable applications](https://www.idc.com/promo/smartphone-market-share/os). +The term "mobile app" refers to a self-contained computer program designed to execute on a mobile device. Today, the Android and iOS operating systems cumulatively comprise [more than 99% of the mobile OS market share](https://www.idc.com/promo/smartphone-market-share/os "Smartphone Market Share"). Additionally, mobile Internet usage has surpassed desktop usage for the first time in history, making mobile browsing and apps the [most widespread kind of Internet-capable applications](https://www.idc.com/promo/smartphone-market-share/os "Smartphone Market Share"). > In this guide, we'll use the term "app" as a general term for referring to any kind of application running on popular mobile OSes. @@ -16,7 +16,7 @@ Native apps inherently have the capability to provide the fastest performance wi Some ambiguity exists when discussing *native apps* for Android as the platform provides two development kits - the Android SDK and the Android NDK. The SDK, which is based on the Java and Kotlin programming language, is the default for developing apps. The NDK (or Native Development Kit) is a C/C++ development kit used for developing binary libraries that can directly access lower level APIs (such as OpenGL). These libraries can be included in regular apps built with the SDK. Therefore, we say that Android *native apps* (i.e. built with the SDK) may have *native* code built with the NDK. -The most obvious downside of *native apps* is that they target only one specific platform. To build the same app for both Android and iOS, one needs to maintain two independent code bases, or introduce often complex development tools to port a single code base to two platforms (e.g. [Xamarin](https://www.xamarin.com/)). +The most obvious downside of *native apps* is that they target only one specific platform. To build the same app for both Android and iOS, one needs to maintain two independent code bases, or introduce often complex development tools to port a single code base to two platforms (e.g. [Xamarin](https://www.xamarin.com/ "Xamarin")). ### Web App diff --git a/Document/0x04c-Tampering-and-Reverse-Engineering.md b/Document/0x04c-Tampering-and-Reverse-Engineering.md index 473264d5e0..f584f907a8 100644 --- a/Document/0x04c-Tampering-and-Reverse-Engineering.md +++ b/Document/0x04c-Tampering-and-Reverse-Engineering.md @@ -66,7 +66,7 @@ In contrast, Frida implements code injection by writing code directly into proce ![Frida](Images/Chapters/0x04/frida.png) -*Frida Architecture, source: [https://www.frida.re/docs/hacking/](https://www.frida.re/docs/hacking)* +*Frida Architecture, source: [https://www.frida.re/docs/hacking/](https://www.frida.re/docs/hacking "Frida - Hacking")* Frida offers three modes of operation: diff --git a/Document/0x04e-Testing-Authentication-and-Session-Management.md b/Document/0x04e-Testing-Authentication-and-Session-Management.md index 776437b3a0..4968fc85c3 100644 --- a/Document/0x04e-Testing-Authentication-and-Session-Management.md +++ b/Document/0x04e-Testing-Authentication-and-Session-Management.md @@ -76,7 +76,7 @@ http://www.site.com/page.asp?authenticated=no The client can arbitrarily change the GET parameters sent with the request. Nothing prevents the client from simply changing the value of the `authenticated` parameter to "yes", effectively bypassing authentication. -Although this is a simplistic example that you probably won't find in the wild, programmers sometimes rely on "hidden" client-side parameters, such as cookies, to maintain authentication state. They assume that these parameters can't be tampered with. Consider, for example, the following [classic vulnerability in Nortel Contact Center Manager](http://seclists.org/bugtraq/2009/May/251). The administrative web application of Nortel's appliance relied on the cookie "isAdmin" to determine whether the logged-in user should be granted administrative privileges. Consequently, it was possible to get admin access by simply setting the cookie value as follows: +Although this is a simplistic example that you probably won't find in the wild, programmers sometimes rely on "hidden" client-side parameters, such as cookies, to maintain authentication state. They assume that these parameters can't be tampered with. Consider, for example, the following [classic vulnerability in Nortel Contact Center Manager](http://seclists.org/bugtraq/2009/May/251 "SEC Consult SA-20090525-0 :: Nortel Contact Center Manager Server Authentication Bypass Vulnerability"). The administrative web application of Nortel's appliance relied on the cookie "isAdmin" to determine whether the logged-in user should be granted administrative privileges. Consequently, it was possible to get admin access by simply setting the cookie value as follows: ```html isAdmin=True @@ -84,7 +84,7 @@ isAdmin=True Security experts used to recommend using session-based authentication and maintaining session data on the server only. This prevents any form of client-side tampering with the session state. However, the whole point of using stateless authentication instead of session-based authentication is to *not* have session state on the server. Instead, state is stored in client-side tokens and transmitted with every request. In this case, seeing client-side parameters such as `isAdmin` is perfectly normal. -To prevent tampering cryptographic signatures are added to client-side tokens. Of course, things may go wrong, and popular implementations of stateless authentication have been vulnerable to attacks. For example, the signature verification of some JSON Web Token (JWT) implementations could be deactivated by [setting the signature type to "None"](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). We'll discuss this attack in more detail in the "Testing JSON Web Tokens" chapter. +To prevent tampering cryptographic signatures are added to client-side tokens. Of course, things may go wrong, and popular implementations of stateless authentication have been vulnerable to attacks. For example, the signature verification of some JSON Web Token (JWT) implementations could be deactivated by [setting the signature type to "None"](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ "Critical vulnerabilities in JSON Web Token libraries"). We'll discuss this attack in more detail in the "Testing JSON Web Tokens" chapter. ### Testing Best Practices for Passwords (MSTG‑AUTH‑5 and MSTG‑AUTH‑6) diff --git a/Document/0x04f-Testing-Network-Communication.md b/Document/0x04f-Testing-Network-Communication.md index 760bb024fd..f2d3ecc9bd 100644 --- a/Document/0x04f-Testing-Network-Communication.md +++ b/Document/0x04f-Testing-Network-Communication.md @@ -8,9 +8,9 @@ In many cases, it is most practical to configure a system proxy on the mobile de Several free and commercial proxy tools are available. Here are some of the most popular: -- [Burp Suite](https://portswigger.net/burp) -- [OWASP ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) -- [Charles Proxy](https://www.charlesproxy.com) +- [Burp Suite](https://portswigger.net/burp "Burp Suite") +- [OWASP ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project "OWASP ZAP") +- [Charles Proxy](https://www.charlesproxy.com "Charles Proxy") To use the interception proxy, you'll need run it on your machine and configure the mobile app to route HTTP(S) requests to your proxy. In most cases, it is enough to set a system-wide proxy in the network settings of the mobile device - if the app uses standard HTTP APIs or popular libraries such as `okhttp`, it will automatically use the system settings. @@ -22,8 +22,8 @@ Using a proxy breaks SSL certificate verification and the app will usually fail Interception proxies such as Burp and OWASP ZAP won't show non-HTTP traffic, because they aren't capable of decoding it properly by default. There are, however, Burp plugins available such as: -- [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension) and -- [Mitm-relay](https://github.com/jrmdev/mitm_relay). +- [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension "Burp-non-HTTP-Extension") and +- [Mitm-relay](https://github.com/jrmdev/mitm_relay "Mitm-relay"). These plugins can visualize non-HTTP protocols and you will also be able to intercept and manipulate the traffic. @@ -40,7 +40,7 @@ Dynamic analysis by using an interception proxy can be straight forward if stand In these cases you need to monitor and analyze the network traffic first in order to decide what to do next. Luckily, there are several options for redirecting and intercepting network communication: -- Route the traffic through the host machine. You can set up your machine as the network gateway, e.g. by using the built-in Internet Sharing facilities of your operating system. You can then use [Wireshark](https://www.wireshark.org) to sniff any traffic from the mobile device; +- Route the traffic through the host machine. You can set up your machine as the network gateway, e.g. by using the built-in Internet Sharing facilities of your operating system. You can then use [Wireshark](https://www.wireshark.org "Wireshark") to sniff any traffic from the mobile device; - Sometimes you need to execute a MITM attack to force the mobile device to talk to you. For this scenario you should consider [bettercap](https://github.com/bettercap/bettercap "bettercap") to redirect network traffic from the mobile device to your host machine (see below); @@ -119,7 +119,7 @@ In both scenarios the AP needs to be configured to point to your machines IP. To #### Setting a Proxy Through Runtime Instrumentation -On a rooted or jailbroken device, you can also use runtime hooking to set a new proxy or redirect network traffic. This can be achieved with hooking tools like [Inspeckage](https://github.com/ac-pm/Inspeckage) or code injection frameworks like [Frida](https://www.frida.re) and [cycript](http://www.cycript.org). You'll find more information about runtime instrumentation in the "Reverse Engineering and Tampering" chapters of this guide. +On a rooted or jailbroken device, you can also use runtime hooking to set a new proxy or redirect network traffic. This can be achieved with hooking tools like [Inspeckage](https://github.com/ac-pm/Inspeckage "Inspeckage") or code injection frameworks like [Frida](https://www.frida.re "Frida") and [cycript](http://www.cycript.org "cycript"). You'll find more information about runtime instrumentation in the "Reverse Engineering and Tampering" chapters of this guide. #### Example: Dealing with Xamarin @@ -202,58 +202,58 @@ In the following listing, we’ll present the different algorithms of each part Protocols: - `SSLv1` -- `SSLv2` - [RFC 6176](https://tools.ietf.org/html/rfc6176) -- `SSLv3` - [RFC 6101](https://tools.ietf.org/html/rfc6101) -- `TLSv1.0` - [RFC 2246](https://www.ietf.org/rfc/rfc2246) -- `TLSv1.1` - [RFC 4346](https://tools.ietf.org/html/rfc4346) -- `TLSv1.2` - [RFC 5246](https://tools.ietf.org/html/rfc5246) -- `TLSv1.3` - [RFC 8446](https://tools.ietf.org/html/rfc8446) +- `SSLv2` - [RFC 6176](https://tools.ietf.org/html/rfc6176 "RFC 6176") +- `SSLv3` - [RFC 6101](https://tools.ietf.org/html/rfc6101 "RFC 6101") +- `TLSv1.0` - [RFC 2246](https://www.ietf.org/rfc/rfc2246 "RFC 2246") +- `TLSv1.1` - [RFC 4346](https://tools.ietf.org/html/rfc4346 "RFC 4346") +- `TLSv1.2` - [RFC 5246](https://tools.ietf.org/html/rfc5246 "RFC 5246") +- `TLSv1.3` - [RFC 8446](https://tools.ietf.org/html/rfc8446 "RFC 8446") Key Exchange Algorithms: -- `DSA` - [RFC 6979](https://tools.ietf.org/html/rfc6979) -- `ECDSA` - [RFC 6979](https://tools.ietf.org/html/rfc6979) -- `RSA` - [RFC 8017](https://tools.ietf.org/html/rfc8017) -- `DHE` - [RFC 2631](https://tools.ietf.org/html/rfc2631) - [RFC 7919](https://tools.ietf.org/html/rfc7919) -- `ECDHE` - [RFC 4492](https://tools.ietf.org/html/rfc4492) -- `PSK` - [RFC 4279](https://tools.ietf.org/html/rfc4279) -- `DSS`[FIPS186-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf) -- `DH_anon` - [RFC 2631](https://tools.ietf.org/html/rfc2631) - [RFC 7919](https://tools.ietf.org/html/rfc7919) -- `DHE_RSA` - [RFC 2631](https://tools.ietf.org/html/rfc2631) - [RFC 7919](https://tools.ietf.org/html/rfc7919) -- `DHE_DSS` - [RFC 2631](https://tools.ietf.org/html/rfc2631) - [RFC 7919](https://tools.ietf.org/html/rfc7919) -- `ECDHE_ECDSA` - [RFC 8422](https://tools.ietf.org/html/rfc8422) -- `ECDHE_PSK` - [RFC 8422](https://tools.ietf.org/html/rfc8422) - [RFC 5489](https://tools.ietf.org/html/rfc5489) -- `ECDHE_RSA` - [RFC 8422](https://tools.ietf.org/html/rfc8422) +- `DSA` - [RFC 6979](https://tools.ietf.org/html/rfc6979 "RFC 6979") +- `ECDSA` - [RFC 6979](https://tools.ietf.org/html/rfc6979 "RFC 6979") +- `RSA` - [RFC 8017](https://tools.ietf.org/html/rfc8017 "RFC 8017") +- `DHE` - [RFC 2631](https://tools.ietf.org/html/rfc2631 "RFC 2631") - [RFC 7919](https://tools.ietf.org/html/rfc7919 "RFC 7919") +- `ECDHE` - [RFC 4492](https://tools.ietf.org/html/rfc4492 "RFC 4492") +- `PSK` - [RFC 4279](https://tools.ietf.org/html/rfc4279 "RFC 4279") +- `DSS` - [FIPS186-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf "FIPS186-4") +- `DH_anon` - [RFC 2631](https://tools.ietf.org/html/rfc2631 "RFC 2631") - [RFC 7919](https://tools.ietf.org/html/rfc7919 "RFC 7919") +- `DHE_RSA` - [RFC 2631](https://tools.ietf.org/html/rfc2631 "RFC 2631") - [RFC 7919](https://tools.ietf.org/html/rfc7919 "RFC 7919") +- `DHE_DSS` - [RFC 2631](https://tools.ietf.org/html/rfc2631 "RFC 2631") - [RFC 7919](https://tools.ietf.org/html/rfc7919 "RFC 7919") +- `ECDHE_ECDSA` - [RFC 8422](https://tools.ietf.org/html/rfc8422 "RFC 8422") +- `ECDHE_PSK` - [RFC 8422](https://tools.ietf.org/html/rfc8422 "RFC 8422") - [RFC 5489](https://tools.ietf.org/html/rfc5489 "RFC 5489") +- `ECDHE_RSA` - [RFC 8422](https://tools.ietf.org/html/rfc8422 "RFC 8422") Block Ciphers: -- `DES` - [RFC 4772](https://tools.ietf.org/html/rfc4772) -- `DES_CBC` - [RFC 1829](https://tools.ietf.org/html/rfc1829) -- `3DES` - [RFC 2420](https://tools.ietf.org/html/rfc2420) -- `3DES_EDE_CBC` - [RFC 2420](https://tools.ietf.org/html/rfc2420) -- `AES_128_CBC` - [RFC 3268](https://tools.ietf.org/html/rfc3268) -- `AES_128_GCM` - [RFC 5288](https://tools.ietf.org/html/rfc5288) -- `AES_256_CBC` - [RFC 3268](https://tools.ietf.org/html/rfc3268) -- `AES_256_GCM` - [RFC 5288](https://tools.ietf.org/html/rfc5288) -- `RC4_40` - [RFC 7465](https://tools.ietf.org/html/rfc7465) -- `RC4_128` - [RFC 7465](https://tools.ietf.org/html/rfc7465) -- `CHACHA20_POLY1305` - [RFC 7905](https://tools.ietf.org/html/rfc7905) - [RFC 7539](https://tools.ietf.org/html/rfc7539) +- `DES` - [RFC 4772](https://tools.ietf.org/html/rfc4772 "RFC 4772") +- `DES_CBC` - [RFC 1829](https://tools.ietf.org/html/rfc1829 "RFC 1829") +- `3DES` - [RFC 2420](https://tools.ietf.org/html/rfc2420 "RFC 2420") +- `3DES_EDE_CBC` - [RFC 2420](https://tools.ietf.org/html/rfc2420 "RFC 2420") +- `AES_128_CBC` - [RFC 3268](https://tools.ietf.org/html/rfc3268 "RFC 3268") +- `AES_128_GCM` - [RFC 5288](https://tools.ietf.org/html/rfc5288 "RFC 5288") +- `AES_256_CBC` - [RFC 3268](https://tools.ietf.org/html/rfc3268 "RFC 3268") +- `AES_256_GCM` - [RFC 5288](https://tools.ietf.org/html/rfc5288 "RFC 5288") +- `RC4_40` - [RFC 7465](https://tools.ietf.org/html/rfc7465 "RFC 7465") +- `RC4_128` - [RFC 7465](https://tools.ietf.org/html/rfc7465 "RFC 7465") +- `CHACHA20_POLY1305` - [RFC 7905](https://tools.ietf.org/html/rfc7905 "RFC 7905") - [RFC 7539](https://tools.ietf.org/html/rfc7539 "RFC 7539") Integrity Check Algorithms: -- `MD5` - [RFC 6151](https://tools.ietf.org/html/rfc6151) -- `SHA` - [RFC 6234](https://tools.ietf.org/html/rfc6234) -- `SHA256` - [RFC 6234](https://tools.ietf.org/html/rfc6234) -- `SHA384` - [RFC 6234](https://tools.ietf.org/html/rfc6234) +- `MD5` - [RFC 6151](https://tools.ietf.org/html/rfc6151 "RFC 6151") +- `SHA` - [RFC 6234](https://tools.ietf.org/html/rfc6234 "RFC 6234") +- `SHA256` - [RFC 6234](https://tools.ietf.org/html/rfc6234 "RFC 6234") +- `SHA384` - [RFC 6234](https://tools.ietf.org/html/rfc6234 "RFC 6234") Note that The efficiency of a cipher suite depends on the efficiency of its algorithms. In the following, we’ll present the updated recommended cipher suites list to use with TLS. These cipher suites are recommended by both IANA in its TLS parameters documentation and OWASP TLS Cipher String Cheat Sheet: -- IANA recommended cipher suites can be found in [TLS Cipher Suites](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4). +- IANA recommended cipher suites can be found in [TLS Cipher Suites](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 "TLS Cipher Suites"). - OWASP recommended cipher suites can be found in the [TLS Cipher String Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md "OWASP TLS Cipher String Cheat Sheet"). -Some Android and iOS versions do not support some of the recommended cipher suites, so for compatibility purposes you can check the supported cipher suites for [Android](https://developer.android.com/reference/javax/net/ssl/SSLSocket#Cipher%20suites) and [iOS](https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values?language=objc) versions and choose the top supported cipher suites. +Some Android and iOS versions do not support some of the recommended cipher suites, so for compatibility purposes you can check the supported cipher suites for [Android](https://developer.android.com/reference/javax/net/ssl/SSLSocket#cipher-suites "Cipher suites") and [iOS](https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values?language=objc "SSL Cipher Suite Values") versions and choose the top supported cipher suites. #### Static Analysis @@ -268,14 +268,14 @@ Verify that the server or termination proxy at which the HTTPS connection termin Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted. You can intercept network traffic in any of the following ways: - Capture all HTTP(S) and Websocket traffic with an interception proxy like OWASP ZAP or Burp Suite and make sure all requests are made via HTTPS instead of HTTP. -- Interception proxies like Burp and OWASP ZAP will show HTTP(S) traffic only. You can, however, use a Burp plugin such as [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension) or the tool [mitm-relay](https://github.com/jrmdev/mitm_relay) to decode and visualize communication via XMPP and other protocols. +- Interception proxies like Burp and OWASP ZAP will show HTTP(S) traffic only. You can, however, use a Burp plugin such as [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension "Burp-non-HTTP-Extension") or the tool [mitm-relay](https://github.com/jrmdev/mitm_relay "mitm-relay") to decode and visualize communication via XMPP and other protocols. > Some applications may not work with proxies like Burp and ZAP because of Certificate Pinning. In such a scenario, please check "Testing Custom Certificate Stores and SSL Pinning". If you want to verify whether your server supports the right cipher suites, there are various tools you can use: - nscurl - see Testing Network Communication for iOS for more details. -- [testssl.sh](https://github.com/drwetter/testssl.sh) which "is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws". +- [testssl.sh](https://github.com/drwetter/testssl.sh "mitm-relay") which "is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws". ### Making Sure that Critical Operations Use Secure Communication Channels (MSTG‑NETWORK‑5) diff --git a/Document/0x04g-Testing-Cryptography.md b/Document/0x04g-Testing-Cryptography.md index a71b7a74ce..eb04f8dee7 100644 --- a/Document/0x04g-Testing-Cryptography.md +++ b/Document/0x04g-Testing-Cryptography.md @@ -130,7 +130,7 @@ For more information on effective block modes, see the [NIST guidelines on block ##### Predictable Initialization Vector -CBC, OFB, CFB, PCBC mode require an initialization vector (IV) as an initial input to the cipher. The IV doesn't have to be kept secret, but it shouldn't be predictable. Make sure that IVs are generated using a cryptographically secure random number generator. For more information on IVs, see [Crypto Fail's initialization vectors article](http://www.cryptofails.com/post/70059609995/crypto-noobs-1-initialization-vectors). +CBC, OFB, CFB, PCBC mode require an initialization vector (IV) as an initial input to the cipher. The IV doesn't have to be kept secret, but it shouldn't be predictable. Make sure that IVs are generated using a cryptographically secure random number generator. For more information on IVs, see [Crypto Fail's initialization vectors article](http://www.cryptofails.com/post/70059609995/crypto-noobs-1-initialization-vectors "Crypto Noobs #1: Initialization Vectors"). ##### Initialization Vectors in stateful operation modes diff --git a/Document/0x04h-Testing-Code-Quality.md b/Document/0x04h-Testing-Code-Quality.md index efac88fcf5..ffe65b31a1 100644 --- a/Document/0x04h-Testing-Code-Quality.md +++ b/Document/0x04h-Testing-Code-Quality.md @@ -51,7 +51,7 @@ Another real-world instance of client-side SQL injection was discovered by Mark In a *XML injection* attack, the attacker injects XML meta-characters to structurally alter XML content. This can be used to either compromise the logic of an XML-based application or service, as well as possibly allow an attacker to exploit the operation of the XML parser processing the content. -A popular variant of this attack is [XML Entity Injection (XXE)](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing). Here, an attacker injects an external entity definition containing an URI into the input XML. During parsing, the XML parser expands the attacker-defined entity by accessing the resource specified by the URI. The integrity of the parsing application ultimately determines capabilities afforded to the attacker, where the malicious user could do any (or all) of the following: access local files, trigger HTTP requests to arbitrary hosts and ports, launch a [cross-site request forgery (CSRF)](https://goo.gl/UknMCj "Cross-Site Request Forgery (CSRF)") attack, and cause a denial-of-service condition. The OWASP web testing guide contains the [following example for XXE](https://goo.gl/QGQkEX "Testing for XML Injection (OTG-INPVAL-008)"): +A popular variant of this attack is [XML Entity Injection (XXE)](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing "XML Entity Injection (XXE)"). Here, an attacker injects an external entity definition containing an URI into the input XML. During parsing, the XML parser expands the attacker-defined entity by accessing the resource specified by the URI. The integrity of the parsing application ultimately determines capabilities afforded to the attacker, where the malicious user could do any (or all) of the following: access local files, trigger HTTP requests to arbitrary hosts and ports, launch a [cross-site request forgery (CSRF)](https://goo.gl/UknMCj "Cross-Site Request Forgery (CSRF)") attack, and cause a denial-of-service condition. The OWASP web testing guide contains the [following example for XXE](https://goo.gl/QGQkEX "Testing for XML Injection (OTG-INPVAL-008)"): ```xml @@ -103,7 +103,7 @@ An older but well-known example is the [local XSS issue in the Skype app for iOS Take a close look at any WebViews present and investigate for untrusted input rendered by the app. -XSS issues may exist if the URL opened by WebView is partially determined by user input. The following example is from an XSS issue in the [Zoho Web Service, reported by Linus Särud](https://labs.detectify.com/2015/02/20/finding-an-xss-in-an-html-based-android-application/). +XSS issues may exist if the URL opened by WebView is partially determined by user input. The following example is from an XSS issue in the [Zoho Web Service, reported by Linus Särud](https://labs.detectify.com/2015/02/20/finding-an-xss-in-an-html-based-android-application/ "Finding an XSS in an HTML-based Android application"). Java @@ -140,7 +140,7 @@ Kotlin } ``` -Sergey Bobrov was able to take advantage of this in the following [HackerOne report](https://hackerone.com/reports/189793). Any input to the HTML parameter would be trusted in Quora's ActionBarContentActivity. Payloads were successful using adb, clipboard data via ModalContentActivity, and Intents from 3rd party applications. +Sergey Bobrov was able to take advantage of this in the following [HackerOne report](https://hackerone.com/reports/189793 "[Android] XSS via start ContentActivity"). Any input to the HTML parameter would be trusted in Quora's ActionBarContentActivity. Payloads were successful using adb, clipboard data via ModalContentActivity, and Intents from 3rd party applications. - ADB diff --git a/Document/0x05a-Platform-Overview.md b/Document/0x05a-Platform-Overview.md index 6120d23263..ed74764d2a 100644 --- a/Document/0x05a-Platform-Overview.md +++ b/Document/0x05a-Platform-Overview.md @@ -34,7 +34,7 @@ Android apps don't have direct access to hardware resources, and each app runs i Even though the Android operating system is based on Linux, it doesn't implement user accounts in the same way other Unix-like systems do. In Android, the multi-user support of the Linux kernel to sandbox apps: with a few exceptions, each app runs as though under a separate Linux user, effectively isolated from other apps and the rest of the operating system. -The file [system/core/include/private/android_filesystem_config.h](http://androidxref.com/7.1.1_r6/xref/system/core/include/private/android_filesystem_config.h) includes a list of the predefined users and groups system processes are assigned to. UIDs (userIDs) for other applications are added as the latter are installed. For more details, check out Bin Chen's [blog post](https://pierrchen.blogspot.mk/2016/09/an-walk-through-of-android-uidgid-based.html "Bin Chen - AProgrammer Blog - Android Security: An Overview Of Application Sandbox") on Android sandboxing. +The file [system/core/include/private/android_filesystem_config.h](http://androidxref.com/7.1.1_r6/xref/system/core/include/private/android_filesystem_config.h "android_filesystem_config.h") includes a list of the predefined users and groups system processes are assigned to. UIDs (userIDs) for other applications are added as the latter are installed. For more details, check out Bin Chen's [blog post](https://pierrchen.blogspot.mk/2016/09/an-walk-through-of-android-uidgid-based.html "Bin Chen - AProgrammer Blog - Android Security: An Overview Of Application Sandbox") on Android sandboxing. For example, Android Nougat defines the following system users: @@ -118,7 +118,7 @@ uid=10188(u0_a188) gid=10188(u0_a188) groups=10188(u0_a188),3003(inet), 9997(everybody),50188(all_a188) context=u:r:untrusted_app:s0:c512,c768 ``` -The relationship between group IDs and permissions is defined in the file [frameworks/base/data/etc/platform.xml](http://androidxref.com/7.1.1_r6/xref/frameworks/base/data/etc/platform.xml) +The relationship between group IDs and permissions is defined in the file [frameworks/base/data/etc/platform.xml](http://androidxref.com/7.1.1_r6/xref/frameworks/base/data/etc/platform.xml "platform.xml") ```xml @@ -175,7 +175,7 @@ Apps must implement callback methods that react to a number of events; for examp ##### App Bundles -Android applications can be shipped in two forms: the Android Package Kit (APK) file or an [Android App Bundle](https://developer.android.com/guide/app-bundle) (.aab). Android App Bundles provide all the resources necessary for an app, but defer the generation of the APK and its signing to Google Play. App Bundles are signed binaries which contain the code of the app in several modules. The base module contains the core of the application. The base module can be extended with various modules which contain new enrichments/functionalities for the app as further explained on the [developer documentation for app bundle](https://developer.android.com/guide/app-bundle "Documentation on App Bundle"). +Android applications can be shipped in two forms: the Android Package Kit (APK) file or an [Android App Bundle](https://developer.android.com/guide/app-bundle "Android App Bundle") (.aab). Android App Bundles provide all the resources necessary for an app, but defer the generation of the APK and its signing to Google Play. App Bundles are signed binaries which contain the code of the app in several modules. The base module contains the core of the application. The base module can be extended with various modules which contain new enrichments/functionalities for the app as further explained on the [developer documentation for app bundle](https://developer.android.com/guide/app-bundle "Documentation on App Bundle"). If you have an Android App Bundle, you can best use the [bundletool](https://developer.android.com/studio/command-line/bundletool "bundletool") command line tool from Google to build unsigned APKs in order to use the existing tooling on the APK. You can create an APK from an AAB file by running the following command: ```shell @@ -325,7 +325,7 @@ The Binder framework includes a client-server communication model. To use IPC, a Binder Overview -*Binder Overview - Image source: [Android Binder by Thorsten Schreiber](https://www.nds.rub.de/media/attachments/files/2011/10/main.pdf)* +*Binder Overview - Image source: [Android Binder by Thorsten Schreiber](https://www.nds.rub.de/media/attachments/files/2011/10/main.pdf "Android Binder")* Services that allow other applications to bind to them are called *bound services*. These services must provide an IBinder interface to clients. Developers use the Android Interface Descriptor Language (AIDL) to write interfaces for remote services. @@ -451,7 +451,7 @@ The example below shows an AndroidManifest.xml sample requesting permission to r ###### Declaring Permissions -Apps can expose features and content to other apps installed on the system. To restrict access to its own components, it can either use any of Android’s [predefined permissions](https://developer.android.com/reference/android/Manifest.permission.html) or define its own. A new permission is declared with the `` element. +Apps can expose features and content to other apps installed on the system. To restrict access to its own components, it can either use any of Android’s [predefined permissions](https://developer.android.com/reference/android/Manifest.permission.html "predefined permissions") or define its own. A new permission is declared with the `` element. The example below shows an app declaring a permission: ```xml @@ -559,7 +559,7 @@ Apps can be installed on an Android device from a variety of sources: locally vi Whereas other vendors may review and approve apps before they are actually published, Google will simply scan for known malware signatures; this minimizes the time between the beginning of the publishing process and public app availability. -Publishing an app is quite straightforward; the main operation is making the signed .apk file downloadable. On Google Play, publishing starts with account creation and is followed by app delivery through a dedicated interface. Details are available at [the official Android documentation](https://developer.android.com/distribute/googleplay/start.html). +Publishing an app is quite straightforward; the main operation is making the signed .apk file downloadable. On Google Play, publishing starts with account creation and is followed by app delivery through a dedicated interface. Details are available at [the official Android documentation](https://developer.android.com/distribute/googleplay/start.html "Review the checklists to plan your launch"). ### Android Application Attack surface diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md index c48ba6263a..32f7ed1c1e 100644 --- a/Document/0x05c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x05c-Reverse-Engineering-and-Tampering.md @@ -470,7 +470,7 @@ Dynamic Analysis tests the mobile app by executing and running the app binary an - Vulnerabilities in the tested environments - Weak input validation and bad input/output encoding as they are processed through one or multiple services -Analysis can be assisted by automated tools, such as [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF/), while assessing an application. An application can be assessed by side-loading it, re-packaging it, or by simply attacking the installed version. +Analysis can be assisted by automated tools, such as [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF/ "MobSF"), while assessing an application. An application can be assessed by side-loading it, re-packaging it, or by simply attacking the installed version. #### Dynamic Analysis on Non-Rooted Devices @@ -872,7 +872,7 @@ All of this makes it possible to build tracers that are practically transparent ##### PANDA -[PANDA](https://github.com/moyix/panda/blob/master/docs/) is another QEMU-based dynamic analysis platform. Similar to DroidScope, PANDA can be extended by registering callbacks that are triggered by certain QEMU events. The twist PANDA adds is its record/replay feature. This allows an iterative workflow: the reverse engineer records an execution trace of the target app (or some part of it), then replays it repeatedly, refining the analysis plugins with each iteration. +[PANDA](https://github.com/moyix/panda/blob/master/docs/ "PANDA Docs") is another QEMU-based dynamic analysis platform. Similar to DroidScope, PANDA can be extended by registering callbacks that are triggered by certain QEMU events. The twist PANDA adds is its record/replay feature. This allows an iterative workflow: the reverse engineer records an execution trace of the target app (or some part of it), then replays it repeatedly, refining the analysis plugins with each iteration. PANDA comes with pre-made plugins, including a string search tool and a syscall tracer. Most importantly, it supports Android guests, and some of the DroidScope code has even been ported. Building and running PANDA for Android ("PANDROID") is relatively straightforward. To test it, clone Moiyx's git repository and build PANDA: @@ -1580,7 +1580,7 @@ The most straightforward way to intercept system calls is to inject your own cod For hacking, I recommend an AOSP-supported device. Google's Nexus smartphones and tablets are the most logical candidates because kernels and system components built from the AOSP run on them without issues. Sony's Xperia series is also known for its openness. To build the AOSP kernel, you need a toolchain (a set of programs for cross-compiling the sources) and the appropriate version of the kernel sources. Follow Google's instructions to identify the correct git repo and branch for a given device and Android version. -[https://source.android.com/source/building-kernels.html#id-version](https://source.android.com/source/building-kernels.html#id-version) + For example, to get kernel sources for Lollipop that are compatible with the Nexus 5, you need to clone the `msm` repository and check out one of the `android-msm-hammerhead` branches (hammerhead is the codename of the Nexus 5, and finding the right branch is confusing). Once you have downloaded the sources, create the default kernel config with the command `make hammerhead_defconfig` (replacing "hammerhead" with your target device). diff --git a/Document/0x05e-Testing-Cryptography.md b/Document/0x05e-Testing-Cryptography.md index 8ac6a5bd60..5fcfe25080 100644 --- a/Document/0x05e-Testing-Cryptography.md +++ b/Document/0x05e-Testing-Cryptography.md @@ -253,8 +253,8 @@ public static SecretKey generateStrongAESKey(char[] password, int keyLength) } ``` -The above method requires a character array containing the password and the needed keylength in bits, for instance a 128 or 256-bit AES key. We define an iteration count of 10000 rounds which will be used by the PBKDF2 algorithm. This significantly increases the workload for a bruteforce attack. We define the salt size equal to the key length, we divide by 8 to take care of the bit to byte conversion. We use the `SecureRandom` class to randomly generate a salt. Obviously, the salt is something you want to keep constant to ensure the same encryption key is generated time after time for the same supplied password. Note that you can store the salt privately in `SharedPreferences`. It is recommended to exclude the salt from the Android backup mechanism to prevent synchronization in case of higher risk data. See "testing android storage" for more details. -Note that if you take a rooted device, or unpatched device, or a patched (e.g. repackaged) application into account as a threat to the data, it might be better to encrypt the salt with a key in the `AndroidKeystore`. Afterwards the Password-based Encryption (PBE) key is generated using the recommended `PBKDF2WithHmacSHA1` algorithm till API version 26. From there on it is best to use `PBKDF2withHmacSHA256`, which will end up with a different keysize. +The above method requires a character array containing the password and the needed key length in bits, for instance a 128 or 256-bit AES key. We define an iteration count of 10000 rounds which will be used by the PBKDF2 algorithm. This significantly increases the workload for a brute-force attack. We define the salt size equal to the key length, we divide by 8 to take care of the bit to byte conversion. We use the `SecureRandom` class to randomly generate a salt. Obviously, the salt is something you want to keep constant to ensure the same encryption key is generated time after time for the same supplied password. Note that you can store the salt privately in `SharedPreferences`. It is recommended to exclude the salt from the Android backup mechanism to prevent synchronization in case of higher risk data. See "testing android storage" for more details. +Note that if you take a rooted device, or unpatched device, or a patched (e.g. repackaged) application into account as a threat to the data, it might be better to encrypt the salt with a key in the `AndroidKeystore`. Afterwards the Password-based Encryption (PBE) key is generated using the recommended `PBKDF2WithHmacSHA1` algorithm till API version 26. From there on it is best to use `PBKDF2withHmacSHA256`, which will end up with a different key size. Now, it is clear that regularly prompting the user for its passphrase is not something that works for every application. In that case make sure you use the [Android KeyStore API](https://developer.android.com/reference/java/security/KeyStore.html "Android AndroidKeyStore API"). This API has been specifically developed to provide a secure storage for key material. Only your application has access to the keys that it generates. Starting from Android 6.0 it is also enforced that the AndroidKeyStore is hardware-backed in case a fingerprint sensor is present. This means a dedicated cryptography chip or trusted platform module (TPM) is being used to secure the key material. @@ -263,7 +263,7 @@ When keys are generated and used within the `AndroidKeyStore` and the `KeyInfo.i #### Secure Key Import into Keystore -Android Pie adds the ability to import keys securely into the `AndroidKeystore`. First `AndroidKeystore` generates a key pair using `PURPOSE_WRAP_KEY` which should also be protected with an attestation certficate, this pair aims to protect the Keys being imported to `AndroidKeystore`. The encypted keys are generated as ASN.1-encoded message in the `SecureKeyWrapper` format which also contains a description of the ways the imported key is allowed to be used. The keys are then decrypted inside the `AndroidKeystore` hardware belonging to the specific device that generated the wrapping key so they never appear as plaintext in the device's host memory. +Android Pie adds the ability to import keys securely into the `AndroidKeystore`. First `AndroidKeystore` generates a key pair using `PURPOSE_WRAP_KEY` which should also be protected with an attestation certificate, this pair aims to protect the Keys being imported to `AndroidKeystore`. The encrypted keys are generated as ASN.1-encoded message in the `SecureKeyWrapper` format which also contains a description of the ways the imported key is allowed to be used. The keys are then decrypted inside the `AndroidKeystore` hardware belonging to the specific device that generated the wrapping key so they never appear as plaintext in the device's host memory. Secure key import into Keystore @@ -283,7 +283,7 @@ SecureKeyWrapper ::= SEQUENCE { } ``` -The code above present the different parameters to be set when generating the encrypted keys in the SecureKeyWrapper format. Check the Android documentation on [WrappedKeyEntry](https://developer.android.com/reference/android/security/keystore/WrappedKeyEntry) for more details. +The code above present the different parameters to be set when generating the encrypted keys in the SecureKeyWrapper format. Check the Android documentation on [`WrappedKeyEntry`](https://developer.android.com/reference/android/security/keystore/WrappedKeyEntry "WrappedKeyEntry") for more details. When defining the KeyDescription AuthorizationList, the following parameters will affect the encrypted keys security: diff --git a/Document/0x05f-Testing-Local-Authentication.md b/Document/0x05f-Testing-Local-Authentication.md index cd7a6e0e40..2812a284dd 100644 --- a/Document/0x05f-Testing-Local-Authentication.md +++ b/Document/0x05f-Testing-Local-Authentication.md @@ -88,7 +88,7 @@ Patch the app or use runtime instrumentation to bypass fingerprint authenticatio #### Overview -Android Marshmallow (6.0) introduced public APIs for authenticating users via fingerprint. Access to the fingerprint hardware is provided through the [FingerprintManager class](https://developer.android.com/reference/android/hardware/fingerprint/). An app can request fingerprint authentication by instantiating a `FingerprintManager` object and calling its `authenticate()` method. The caller registers callback methods to handle possible outcomes of the authentication process (i.e. success, failure, or error). Note that this method doesn't constitute strong proof that fingerprint authentication has actually been performed - for example, the authentication step could be patched out by an attacker, or the "success" callback could be called using instrumentation. +Android Marshmallow (6.0) introduced public APIs for authenticating users via fingerprint. Access to the fingerprint hardware is provided through the [FingerprintManager class](https://developer.android.com/reference/android/hardware/fingerprint/ "FingerprintManager"). An app can request fingerprint authentication by instantiating a `FingerprintManager` object and calling its `authenticate()` method. The caller registers callback methods to handle possible outcomes of the authentication process (i.e. success, failure, or error). Note that this method doesn't constitute strong proof that fingerprint authentication has actually been performed - for example, the authentication step could be patched out by an attacker, or the "success" callback could be called using instrumentation. Better security is achieved by using the fingerprint API in conjunction with the Android `KeyGenerator` class. With this method, a symmetric key is stored in the KeyStore and "unlocked" with the user's fingerprint. For example, to enable user access to a remote service, an AES key is created which encrypts the user PIN or authentication token. By calling `setUserAuthenticationRequired(true)` when creating the key, it is ensured that the user must re-authenticate to retrieve it. The encrypted authentication credentials can then be saved directly to regular storage on the the device (e.g. `SharedPreferences`). This design is a relatively safe way to ensure the user actually entered an authorized fingerprint. Note however that this setup requires the app to hold the symmetric key in memory during cryptographic operations, potentially exposing it to attackers that manage to access the app's memory during runtime. @@ -98,7 +98,7 @@ Note that there are quite some SDKs provided by vendors, which should provide bi #### Static Analysis -Begin by searching for `FingerprintManager.authenticate()` calls. The first parameter passed to this method should be a `CryptoObject` instance which is a [wrapper class for crypto objects](https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager.CryptoObject.html) supported by FingerprintManager. Should the parameter be set to `null`, this means the fingerprint authorization is purely event-bound, likely creating a security issue. +Begin by searching for `FingerprintManager.authenticate()` calls. The first parameter passed to this method should be a `CryptoObject` instance which is a [wrapper class for crypto objects](https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager.CryptoObject.html "FingerprintManager.CryptoObject") supported by FingerprintManager. Should the parameter be set to `null`, this means the fingerprint authorization is purely event-bound, likely creating a security issue. The creation of the key used to initialize the cipher wrapper can be traced back to the `CryptoObject`. Verify the key was both created using the `KeyGenerator` class in addition to `setUserAuthenticationRequired(true)` being called during creation of the `KeyGenParameterSpec` object (see code samples below). diff --git a/Document/0x05h-Testing-Platform-Interaction.md b/Document/0x05h-Testing-Platform-Interaction.md index a7b17e0c2b..9473827425 100644 --- a/Document/0x05h-Testing-Platform-Interaction.md +++ b/Document/0x05h-Testing-Platform-Interaction.md @@ -35,7 +35,7 @@ Permissions applied via `android:permission` attribute within the `` t A permission can be supplied to `Context.registerReceiver()` to control who can broadcast to a programmatically registered receiver. Going the other way, a permission can be supplied when calling `Context.sendBroadcast()` to restrict which broadcast receivers are allowed to receive the broadcast. -Note that both a receiver and a broadcaster can require a permission. When this happens, both permission checks must pass for the intent to be delivered to the associated target. For more information, please reference [Restricting broadcasts with permissions](https://developer.android.com/guide/components/broadcasts#restricting_broadcasts_with_permissions). +Note that both a receiver and a broadcaster can require a permission. When this happens, both permission checks must pass for the intent to be delivered to the associated target. For more information, please reference [Restricting broadcasts with permissions](https://developer.android.com/guide/components/broadcasts#restrict-broadcasts-permissions "Restricting broadcasts with permissions"). #### Content Provider Permission Enforcement @@ -56,7 +56,7 @@ This allows a common capability-style model where user interaction drives ad-hoc #### Documentation for URI permissions - [grantUriPermission()](https://developer.android.com/guide/topics/manifest/provider-element#gprmsn), [revokeUriPermission()](https://developer.android.com/reference/android/content/Context#revokeUriPermission(android.net.Uri,%20int)), and [checkUriPermission()](https://developer.android.com/reference/android/content/Context#checkUriPermission(android.net.Uri,%20int,%20int,%20int)). +[grantUriPermission()](https://developer.android.com/guide/topics/manifest/provider-element#gprmsn "android:grantUriPermissions"), [revokeUriPermission()](https://developer.android.com/reference/android/content/Context#revokeUriPermission(android.net.Uri,%20int) "revokeUriPermission"), and [checkUriPermission()](https://developer.android.com/reference/android/content/Context#checkUriPermission(android.net.Uri,%20int,%20int,%20int) "checkUriPermission"). ##### Custom Permissions @@ -117,7 +117,7 @@ uses-permission: android.permission.SYSTEM_ALERT_WINDOW uses-permission: android.permission.INTERNAL_SYSTEM_WINDOW ``` -Please reference this [permissions overview](https://developer.android.com/guide/topics/permissions/overview#permission-groups) for descriptions of the listed permissions that are considered dangerous. +Please reference this [permissions overview](https://developer.android.com/guide/topics/permissions/overview#permission-groups "Table 1. Dangerous permissions and permission groups.") for descriptions of the listed permissions that are considered dangerous. ```text READ_CALENDAR, @@ -560,7 +560,7 @@ Defining and using your own URL scheme can be risky in this situation if data is #### Overview -With [Google Play Instant](https://developer.android.com/topic/google-play-instant/overview) you can now create Instant apps. An instant apps can be instantly launched from a browser or the "try now" button from the app store from Android 6 (API level 23) onward. They do not require any form of installation. There are a few challenges with an instant app: +With [Google Play Instant](https://developer.android.com/topic/google-play-instant/overview "Google Play Instant") you can now create Instant apps. An instant apps can be instantly launched from a browser or the "try now" button from the app store from Android 6 (API level 23) onward. They do not require any form of installation. There are a few challenges with an instant app: - There is a limited amount of size you can have with an instant app (max 10 mb). - Only a reduced number of permissions can be used, which are documented at [Android Instant app documentation](https://developer.android.com/topic/google-play-instant/getting-started/instant-enabled-app-bundle?tenant=irina#request-supported-permissions "Permission documentation for Android Instant Apps"). @@ -1406,7 +1406,7 @@ protected void onResume() { } ``` ->Source: [https://developer.android.com/guide/app-bundle/in-app-updates](https://developer.android.com/guide/app-bundle/in-app-updates) +>Source: [https://developer.android.com/guide/app-bundle/in-app-updates](https://developer.android.com/guide/app-bundle/in-app-updates "Support in-app updates") When checking for a proper update mechanism, make sure the usage of the `AppUpdateManager` is present. If it is not yet, then this means that users might be able to remain on an older version of the application with the given vulnerabilities. Next, pay attention to the `AppUpdateType.IMMEDIATE` use: if a security update comes in, then this flag should be used in order to make sure that the user cannot go forward with using the app without updating it. diff --git a/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md b/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md index 6b00ab9b4d..fac8cd5cf6 100644 --- a/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md +++ b/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md @@ -109,7 +109,7 @@ Checking whether `su` is on the PATH also works: } ``` -File checks can be easily implemented in both Java and native code. The following JNI example (adapted from [rootinspector](https://github.com/devadvance/rootinspector/)) uses the `stat` system call to retrieve information about a file and returns "1" if the file exists. +File checks can be easily implemented in both Java and native code. The following JNI example (adapted from [rootinspector](https://github.com/devadvance/rootinspector/ "rootinspector")) uses the `stat` system call to retrieve information about a file and returns "1" if the file exists. ```c jboolean Java_com_example_statfile(JNIEnv * env, jobject this, jstring filepath) { @@ -135,7 +135,7 @@ Another way of determining whether `su` exists is attempting to execute it throu ###### Checking running processes -Supersu-by far the most popular rooting tool-runs an authentication daemon named `daemonsu`, so the presence of this process is another sign of a rooted device. Running processes can be enumerated with the `ActivityManager.getRunningAppProcesses` and `manager.getRunningServices` APIs, the `ps` command, and browsing through the `/proc` directory. The following is an example implemented in [rootinspector](https://github.com/devadvance/rootinspector/): +Supersu-by far the most popular rooting tool-runs an authentication daemon named `daemonsu`, so the presence of this process is another sign of a rooted device. Running processes can be enumerated with the `ActivityManager.getRunningAppProcesses` and `manager.getRunningServices` APIs, the `ps` command, and browsing through the `/proc` directory. The following is an example implemented in [rootinspector](https://github.com/devadvance/rootinspector/ "rootinspector"): ```java public boolean checkRunningProcesses() { @@ -191,7 +191,7 @@ for (int i = 1; ; i = 0) } ``` -Missing Google Over-The-Air (OTA) certificates is another sign of a custom ROM: on stock Android builds, [OTA updates Google's public certificates](https://blog.netspi.com/android-root-detection-techniques/). +Missing Google Over-The-Air (OTA) certificates is another sign of a custom ROM: on stock Android builds, [OTA updates Google's public certificates](https://blog.netspi.com/android-root-detection-techniques/ "Android Root Detection Techniques"). ##### Bypassing Root Detection @@ -401,7 +401,7 @@ Most Anti-JDWP tricks (which may be safe for timer-based checks) won't catch cla When the `ptrace` system call is used to attach to a process, the "TracerPid" field in the status file of the debugged process shows the PID of the attaching process. The default value of "TracerPid" is 0 (no process attached). Consequently, finding anything other than 0 in that field is a sign of debugging or other ptrace shenanigans. -The following implementation is from [Tim Strazzere's Anti-Emulator project](https://github.com/strazzere/anti-emulator/): +The following implementation is from [Tim Strazzere's Anti-Emulator project](https://github.com/strazzere/anti-emulator/ "anti-emulator"): ```java public static boolean hasTracerPid() throws IOException { @@ -642,7 +642,7 @@ Integrity checks often calculate a checksum or hash over selected files. Commonl - class files *.dex, - native libraries (*.so). -The following [sample implementation from the Android Cracking blog](https://androidcracking.blogspot.com/2011/06/anti-tampering-with-crc-check.html) calculates a CRC over `classes.dex` and compares it to the expected value. +The following [sample implementation from the Android Cracking blog](https://androidcracking.blogspot.com/2011/06/anti-tampering-with-crc-check.html "anti-tampering with crc check") calculates a CRC over `classes.dex` and compares it to the expected value. ```java private void crcTest() throws IOException { @@ -687,7 +687,7 @@ Complete the following procedure when verifying the HMAC with BouncyCastle: 3. Repeat steps 1-4 of the procedure for generating an HMAC. 4. Compare the extracted HMAC-bytes to the result of step 3. -When generating the HMAC based on the [Android Keystore](https://developer.android.com/training/articles/keystore.html), then it is best to only do this for Android 6 and higher. +When generating the HMAC based on the [Android Keystore](https://developer.android.com/training/articles/keystore.html "Android Keystore"), then it is best to only do this for Android 6 and higher. The following is a convenient HMAC implementation without `AndroidKeyStore`: @@ -855,7 +855,7 @@ public boolean checkRunningProcesses() { ``` -Starting with Android Nougat (API Level 24) the `ps` command will only return processes started by the user itself, which is due to a stricter enforcement of namespace separation to increase the strength of the [Application Sandbox](https://source.android.com/security/app-sandbox) . When executing `ps` it will read the information from `/proc` and it's not possible to access information that belongs to other user ids. +Starting with Android Nougat (API Level 24) the `ps` command will only return processes started by the user itself, which is due to a stricter enforcement of namespace separation to increase the strength of the [Application Sandbox](https://source.android.com/security/app-sandbox "Application Sandbox") . When executing `ps` it will read the information from `/proc` and it's not possible to access information that belongs to other user ids. ![Executing ps on Android Lollipop](Images/Chapters/0x05j/Android_Lollipop_ps.png) @@ -1465,7 +1465,7 @@ For devices running Android version O and later, you can request the device's se ``` -2. Request the permission at run time from the user: See [https://developer.android.com/training/permissions/requesting.html](https://developer.android.com/training/permissions/requesting.html) for more details. +2. Request the permission at run time from the user: See [https://developer.android.com/training/permissions/requesting.html](https://developer.android.com/training/permissions/requesting.html "Request App Permissions") for more details. 3. Get the serial: ```java @@ -1480,7 +1480,7 @@ Retrieve the IMEI: ``` -2. If you're using Android version M or later, request the permission at run time from the user: See [https://developer.android.com/training/permissions/requesting.html](https://developer.android.com/training/permissions/requesting.html) for more details. +2. If you're using Android version M or later, request the permission at run time from the user: See [https://developer.android.com/training/permissions/requesting.html](https://developer.android.com/training/permissions/requesting.html "Request App Permissions") for more details. 3. Get the IMEI: diff --git a/Document/0x06b-Basic-Security-Testing.md b/Document/0x06b-Basic-Security-Testing.md index 592523a72e..7dcf0ffc4d 100644 --- a/Document/0x06b-Basic-Security-Testing.md +++ b/Document/0x06b-Basic-Security-Testing.md @@ -453,7 +453,7 @@ You can also connect to your iPhone's USB via [Needle](https://labs.mwrinfosecur ##### On-device Shell App -While usually using an on-device shell (terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install [NewTerm 2](https://repo.chariz.io/package/ws.hbang.newterm2/) via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing). +While usually using an on-device shell (terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install [NewTerm 2](https://repo.chariz.io/package/ws.hbang.newterm2/ "NewTerm 2") via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing). In addition, there are a few jailbreaks that explicitly disable incoming SSH *for security reasons*. In those cases, it is very convenient to have an on-device shell app, which you can use to first SSH out of the device with a reverse shell, and then connect from your host computer to it. @@ -1244,7 +1244,7 @@ With Passionfruit it's possible to access the keychain data of the app you have ###### Keychain-dumper (Jailbroken) -[Keychain-dumper](https://github.com/ptoomey3/Keychain-Dumper/) lets you dump a jailbroken device's KeyChain contents. The easiest way to get the tool is to download the binary from its GitHub repo: +[Keychain-dumper](https://github.com/ptoomey3/Keychain-Dumper/ "Keychain-dumper") lets you dump a jailbroken device's KeyChain contents. The easiest way to get the tool is to download the binary from its GitHub repo: ```shell $ git clone https://github.com/ptoomey3/Keychain-Dumper diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 1b31cd3fe1..c48895097b 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md @@ -855,7 +855,7 @@ libdyld.dylib 0x185c81000 20480 (20.0 KiB) /usr/lib/sys ##### Fridump (No Jailbreak needed) -To use Fridump you need to have either a jailbroken/rooted device with Frida-server installed, or build the original application with the Frida library attached instructions on [Frida’s site](https://www.frida.re/docs/ios/) +To use Fridump you need to have either a jailbroken/rooted device with Frida-server installed, or build the original application with the Frida library attached instructions on [Frida’s site](https://www.frida.re/docs/ios/ "Frida - iOS") The original version of Fridump is no longer maintained, and the tool works only with Python 2. The latest Python version (3.x) should be used for Frida, so Fridump doesn't work out of the box. diff --git a/Document/0x06e-Testing-Cryptography.md b/Document/0x06e-Testing-Cryptography.md index 4142c9101f..5015c80e22 100644 --- a/Document/0x06e-Testing-Cryptography.md +++ b/Document/0x06e-Testing-Cryptography.md @@ -136,10 +136,11 @@ There are various methods on how to store the key on the device. Not storing a k } ``` - *Source: [https://stackoverflow.com/questions/8569555/pbkdf2-using-commoncrypto-on-ios](https://stackoverflow.com/questions/8569555/pbkdf2-using-commoncrypto-on-ios), tested in the testsuite of the `Arcane` library* + *Source: [https://stackoverflow.com/questions/8569555/pbkdf2-using-commoncrypto-on-ios](https://stackoverflow.com/questions/8569555/pbkdf2-using-commoncrypto-on-ios "PBKDF2 using CommonCrypto on iOS +"), tested in the testsuite of the `Arcane` library* -When you need to store the key, it is recommended to use the Keychain as long as the protection class chosen is not `kSecAttrAccessibleAlways`. Storing keys in any other location, such as the `NSUserDefaults`, Propertylists or by any other sink from Coredata or Realm, is usually less secure than using the KeyChain. -Even when the sync of CoreData or Realm is protected by using `NSFileProtectionComplete` data protection class, we still recommend using the KeyChain. See the Testing Data Storage section for more details. +When you need to store the key, it is recommended to use the Keychain as long as the protection class chosen is not `kSecAttrAccessibleAlways`. Storing keys in any other location, such as the `NSUserDefaults`, property list files or by any other sink from Core Data or Realm, is usually less secure than using the KeyChain. +Even when the sync of Core Data or Realm is protected by using `NSFileProtectionComplete` data protection class, we still recommend using the KeyChain. See the Testing Data Storage section for more details. The KeyChain supports two type of storage mechanisms: a key is either secured by an encryption key stored in the secure-enclave or the key itself is within the secure enclave. The latter only holds when you use an ECDH singing key. See the [Apple Documentation](https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave "Secure Enclave") for more details on its implementation. diff --git a/Document/0x06f-Testing-Local-Authentication.md b/Document/0x06f-Testing-Local-Authentication.md index caa239bc7a..181028b891 100644 --- a/Document/0x06f-Testing-Local-Authentication.md +++ b/Document/0x06f-Testing-Local-Authentication.md @@ -15,7 +15,7 @@ Developers have two options for incorporating Touch ID/Face ID authentication: - `LocalAuthentication.framework` is a high-level API that can be used to authenticate the user via Touch ID. The app can't access any data associated with the enrolled fingerprint and is notified only whether authentication was successful. - `Security.framework` is a lower level API to access [Keychain Services](https://developer.apple.com/documentation/security/keychain_services "Keychain Services"). This is a secure option if your app needs to protect some secret data with biometric authentication, since the access control is managed on a system-level and can not easily be bypassed. `Security.framework` has a C API, but there are several [open source wrappers available](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id "How To Secure iOS User Data: The Keychain and Touch ID"), making access to the Keychain as simple as to NSUserDefaults. `Security.framework` underlies `LocalAuthentication.framework`; Apple recommends to default to higher-level APIs whenever possible. -Please be aware that using either the `LocalAuthentication.framework` or the `Security.framework`, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with. See [Don't touch me that way, by David Lidner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM) for more details. +Please be aware that using either the `LocalAuthentication.framework` or the `Security.framework`, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with. See [Don't touch me that way, by David Lidner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM "Don't Touch Me That Way - David Linder") for more details. #### Local Authentication Framework @@ -29,7 +29,7 @@ Two available policies define acceptable forms of authentication: The `evaluatePolicy` function returns a boolean value indicating whether the user has authenticated successfully. -The Apple Developer website offers code samples for both [Swift](https://developer.apple.com/documentation/localauthentication) and [Objective-C](https://developer.apple.com/documentation/localauthentication?language=objc). A typical implementation in Swift looks as follows. +The Apple Developer website offers code samples for both [Swift](https://developer.apple.com/documentation/localauthentication "LocalAuthentication") and [Objective-C](https://developer.apple.com/documentation/localauthentication?language=objc "LocalAuthentication"). A typical implementation in Swift looks as follows. ```swift let context = LAContext() diff --git a/Document/0x06h-Testing-Platform-Interaction.md b/Document/0x06h-Testing-Platform-Interaction.md index 3557ac0ea2..7557e5bdac 100644 --- a/Document/0x06h-Testing-Platform-Interaction.md +++ b/Document/0x06h-Testing-Platform-Interaction.md @@ -4,7 +4,7 @@ #### Overview -In contrast to Android, where each app runs on its own user ID, iOS makes all third-party apps run under the non-privileged `mobile` user. Each app has a unique home directory and is sandboxed, so that they cannot access protected system resources or files stored by the system or by other apps. These restrictions are implemented via sandbox policies (aka. *profiles*), which are enforced by the [Trusted BSD (MAC) Mandatory Access Control Framework](http://www.trustedbsd.org/mac.html "TrustedBSD Mandatory Access Control (MAC) Framework") via a kernel extension. iOS applies a generic sandbox profile to all third-party apps called *container*. Access to protected resources or data (some also known as [app capabilities](https://developer.apple.com/support/app-capabilities/)) is possible, but it's strictly controlled via special permissions known as *entitlements*. +In contrast to Android, where each app runs on its own user ID, iOS makes all third-party apps run under the non-privileged `mobile` user. Each app has a unique home directory and is sandboxed, so that they cannot access protected system resources or files stored by the system or by other apps. These restrictions are implemented via sandbox policies (aka. *profiles*), which are enforced by the [Trusted BSD (MAC) Mandatory Access Control Framework](http://www.trustedbsd.org/mac.html "TrustedBSD Mandatory Access Control (MAC) Framework") via a kernel extension. iOS applies a generic sandbox profile to all third-party apps called *container*. Access to protected resources or data (some also known as [app capabilities](https://developer.apple.com/support/app-capabilities/ "Advanced App Capabilities")) is possible, but it's strictly controlled via special permissions known as *entitlements*. Some permissions can be configured by the app's developers (e.g. Data Protection or Keychain Sharing) and will directly take effect after the installation. However, for others, the user will be explicitly asked the first time the app attempts to access a protected resource, [for example](https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/ExpectedAppBehaviors/ExpectedAppBehaviors.html#//apple_ref/doc/uid/TP40007072-CH3-SW7 "Data and resources protected by system authorization settings"): @@ -1324,7 +1324,7 @@ Only the data types present here and not having "0" as `MaxCount` will be suppor ###### Checking Data Sharing with the Containing App -Remember that app extensions and their containing apps do not have direct access to each other’s containers. However, data sharing can be enabled. This is done via ["App Groups"](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW19 "Adding an App to an App Group") and the [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults) API. See this figure from [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW11 "An app extension’s container is distinct from its containing app’s container"): +Remember that app extensions and their containing apps do not have direct access to each other’s containers. However, data sharing can be enabled. This is done via ["App Groups"](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW19 "Adding an App to an App Group") and the [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults "NSUserDefaults") API. See this figure from [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW11 "An app extension’s container is distinct from its containing app’s container"): ![App Extensions Container Restrictions](Images/Chapters/0x06h/app_extensions_container_restrictions.png) @@ -1997,7 +1997,7 @@ The output is truncated for better readability. This time you see that `UIApplic ###### Opening a Link by Navigating to a Page and Letting Safari Open It -You can now test the same situation when clicking on a link contained on a page. Safari will identify and process the URL scheme and choose which action to execute. Opening this link "[https://telegram.me/fridadotre](https://telegram.me/fridadotre)" will trigger this behaviour. +You can now test the same situation when clicking on a link contained on a page. Safari will identify and process the URL scheme and choose which action to execute. Opening this link "" will trigger this behaviour. ![Open this page in "Telegram"?](Images/Chapters/0x06h/open_in_telegram_via_urlscheme.png) @@ -2080,7 +2080,7 @@ There you can observe the following: - The URL being opened is `tg://resolve?domain=fridadotre`. - It uses the `tg://` custom URL scheme from Telegram. -It is interesting to see that if you navigate again to "[https://telegram.me/fridadotre](https://telegram.me/fridadotre)", click on cancel and then click on the link offered by the page itself ("Open in the Telegram app"), instead of opening via custom URL scheme it will open via universal links. +It is interesting to see that if you navigate again to "", click on cancel and then click on the link offered by the page itself ("Open in the Telegram app"), instead of opening via custom URL scheme it will open via universal links. ![Open in the Telegram app](Images/Chapters/0x06h/open_in_telegram_via_universallink.png) @@ -2355,7 +2355,7 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "javascriptenabled" 392 0x0002f2d9 0x10002f2d9 21 22 (4.__TEXT.__objc_methname) ascii setJavaScriptEnabled: ``` -If user scripts were defined, they will continue running as the `javaScriptEnabled` property won't affect them. See [WKUserContentController](https://developer.apple.com/documentation/webkit/wkusercontentcontroller) and [WKUserScript](https://developer.apple.com/documentation/webkit/wkuserscript "WKUserScript") for more information on injecting user scripts to WKWebViews. +If user scripts were defined, they will continue running as the `javaScriptEnabled` property won't affect them. See [WKUserContentController](https://developer.apple.com/documentation/webkit/wkusercontentcontroller "WKUserContentController") and [WKUserScript](https://developer.apple.com/documentation/webkit/wkuserscript "WKUserScript") for more information on injecting user scripts to WKWebViews. ##### Testing for Mixed Content diff --git a/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md b/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md index 1a3970a837..c8afd8b6f0 100644 --- a/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md +++ b/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md @@ -6,7 +6,7 @@ Code signing your app assures users that the app has a known source and hasn't been modified since it was last signed. Before your app can integrate app services, be installed on a device, or be submitted to the App Store, it must be signed with a certificate issued by Apple. For more information on how to request certificates and code sign your apps, review the [App Distribution Guide.](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/Introduction/Introduction.html "App Distribution Guide") -You can retrieve the signing certificate information from the application's .app file with [codesign](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system. +You can retrieve the signing certificate information from the application's .app file with [codesign](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html "Code Signing Tasks"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system. After you get the application's .ipa file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be. From 5c512e0fc4f388ac13ac8dc038fcde59b69a9080 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sat, 27 Jul 2019 15:10:34 +0200 Subject: [PATCH 03/13] Update Document/0x05f-Testing-Local-Authentication.md Co-Authored-By: Jeroen Willemsen --- Document/0x05f-Testing-Local-Authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05f-Testing-Local-Authentication.md b/Document/0x05f-Testing-Local-Authentication.md index 2812a284dd..6d16ae2112 100644 --- a/Document/0x05f-Testing-Local-Authentication.md +++ b/Document/0x05f-Testing-Local-Authentication.md @@ -88,7 +88,7 @@ Patch the app or use runtime instrumentation to bypass fingerprint authenticatio #### Overview -Android Marshmallow (6.0) introduced public APIs for authenticating users via fingerprint. Access to the fingerprint hardware is provided through the [FingerprintManager class](https://developer.android.com/reference/android/hardware/fingerprint/ "FingerprintManager"). An app can request fingerprint authentication by instantiating a `FingerprintManager` object and calling its `authenticate()` method. The caller registers callback methods to handle possible outcomes of the authentication process (i.e. success, failure, or error). Note that this method doesn't constitute strong proof that fingerprint authentication has actually been performed - for example, the authentication step could be patched out by an attacker, or the "success" callback could be called using instrumentation. +Android Marshmallow (6.0) introduced public APIs for authenticating users via fingerprint. Access to the fingerprint hardware is provided through the [FingerprintManager class](https://developer.android.com/reference/android/hardware/fingerprint/ "FingerprintManager"). An app can request fingerprint authentication by instantiating a `FingerprintManager` object and calling its `authenticate` method. The caller registers callback methods to handle possible outcomes of the authentication process (i.e. success, failure, or error). Note that this method doesn't constitute strong proof that fingerprint authentication has actually been performed - for example, the authentication step could be patched out by an attacker, or the "success" callback could be called using instrumentation. Better security is achieved by using the fingerprint API in conjunction with the Android `KeyGenerator` class. With this method, a symmetric key is stored in the KeyStore and "unlocked" with the user's fingerprint. For example, to enable user access to a remote service, an AES key is created which encrypts the user PIN or authentication token. By calling `setUserAuthenticationRequired(true)` when creating the key, it is ensured that the user must re-authenticate to retrieve it. The encrypted authentication credentials can then be saved directly to regular storage on the the device (e.g. `SharedPreferences`). This design is a relatively safe way to ensure the user actually entered an authorized fingerprint. Note however that this setup requires the app to hold the symmetric key in memory during cryptographic operations, potentially exposing it to attackers that manage to access the app's memory during runtime. From 04faed4a942fb743caaef467fe7a27ced80a00c7 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sat, 27 Jul 2019 15:10:52 +0200 Subject: [PATCH 04/13] Update Document/0x05f-Testing-Local-Authentication.md Co-Authored-By: Jeroen Willemsen --- Document/0x05f-Testing-Local-Authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05f-Testing-Local-Authentication.md b/Document/0x05f-Testing-Local-Authentication.md index 6d16ae2112..de5762ce51 100644 --- a/Document/0x05f-Testing-Local-Authentication.md +++ b/Document/0x05f-Testing-Local-Authentication.md @@ -98,7 +98,7 @@ Note that there are quite some SDKs provided by vendors, which should provide bi #### Static Analysis -Begin by searching for `FingerprintManager.authenticate()` calls. The first parameter passed to this method should be a `CryptoObject` instance which is a [wrapper class for crypto objects](https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager.CryptoObject.html "FingerprintManager.CryptoObject") supported by FingerprintManager. Should the parameter be set to `null`, this means the fingerprint authorization is purely event-bound, likely creating a security issue. +Begin by searching for `FingerprintManager.authenticate` calls. The first parameter passed to this method should be a `CryptoObject` instance which is a [wrapper class for crypto objects](https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager.CryptoObject.html "FingerprintManager.CryptoObject") supported by FingerprintManager. Should the parameter be set to `null`, this means the fingerprint authorization is purely event-bound, likely creating a security issue. The creation of the key used to initialize the cipher wrapper can be traced back to the `CryptoObject`. Verify the key was both created using the `KeyGenerator` class in addition to `setUserAuthenticationRequired(true)` being called during creation of the `KeyGenParameterSpec` object (see code samples below). From 72e71ae47d879424da1918b8dae71d48f0a134f2 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sun, 28 Jul 2019 20:54:06 +0200 Subject: [PATCH 05/13] Update Document/0x06h-Testing-Platform-Interaction.md Co-Authored-By: Jeroen Willemsen --- Document/0x06h-Testing-Platform-Interaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x06h-Testing-Platform-Interaction.md b/Document/0x06h-Testing-Platform-Interaction.md index 6507e86bda..adf0a01a2c 100644 --- a/Document/0x06h-Testing-Platform-Interaction.md +++ b/Document/0x06h-Testing-Platform-Interaction.md @@ -1320,7 +1320,7 @@ Inspect the app extension's `Info.plist` file and search for `NSExtensionActivat ``` -Only the data types present here and not having "0" as `MaxCount` will be supported. However, more complex filtering is possible by using a so-called predicate string that will evaluate the UTIs given. Please refer to the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW8 "Declaring Supported Data Types for a Share or Action Extension") for more detailed information about this. +Only the data types present here and not having `0` as `MaxCount` will be supported. However, more complex filtering is possible by using a so-called predicate string that will evaluate the UTIs given. Please refer to the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW8 "Declaring Supported Data Types for a Share or Action Extension") for more detailed information about this. ###### Checking Data Sharing with the Containing App From 4f6b4f51b8a9ded9a2ecc80d44614fc19b1248f3 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sun, 28 Jul 2019 20:54:52 +0200 Subject: [PATCH 06/13] Update Document/0x05c-Reverse-Engineering-and-Tampering.md Co-Authored-By: Jeroen Willemsen --- Document/0x05c-Reverse-Engineering-and-Tampering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md index 08802415a7..5a9db0cbed 100644 --- a/Document/0x05c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x05c-Reverse-Engineering-and-Tampering.md @@ -582,7 +582,7 @@ main[1] locals flag = false ``` -You've now reached a call to `setCancelable` with the argument `false`. Set the variable to "true" with the `set` command and resume. +You've now reached a call to `setCancelable` with the argument `false`. Set the variable to `true` with the `set` command and resume. ```shell main[1] set flag = true From 2f1fa939cbd34d4160a0a8fe958ec79cdc25083e Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sun, 28 Jul 2019 20:55:10 +0200 Subject: [PATCH 07/13] Update Document/0x05h-Testing-Platform-Interaction.md Co-Authored-By: Jeroen Willemsen --- Document/0x05h-Testing-Platform-Interaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05h-Testing-Platform-Interaction.md b/Document/0x05h-Testing-Platform-Interaction.md index 8ab89c7468..cbe2ef7a27 100644 --- a/Document/0x05h-Testing-Platform-Interaction.md +++ b/Document/0x05h-Testing-Platform-Interaction.md @@ -394,7 +394,7 @@ With this vulnerability, an attacker can call fragments inside the target applic To prevent this vulnerability, a new method called `isValidFragment` was added in Android 4.4 KitKat (API Level 19). It allows developers to override this method and define the fragments that may be used in this context. -The default implementation returns "true" on versions older than Android 4.4 KitKat (API Level 19); it will throw an exception on later versions. +The default implementation returns `true` on versions older than Android 4.4 KitKat (API Level 19); it will throw an exception on later versions. #### Static Analysis From 83718c154c6240cc585d0e9bf7b038b04a96b9fa Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sun, 28 Jul 2019 20:55:30 +0200 Subject: [PATCH 08/13] Update Document/0x05h-Testing-Platform-Interaction.md Co-Authored-By: Jeroen Willemsen --- Document/0x05h-Testing-Platform-Interaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05h-Testing-Platform-Interaction.md b/Document/0x05h-Testing-Platform-Interaction.md index cbe2ef7a27..59f1f80868 100644 --- a/Document/0x05h-Testing-Platform-Interaction.md +++ b/Document/0x05h-Testing-Platform-Interaction.md @@ -987,7 +987,7 @@ Check the source code for WebView usage. The following [WebView settings](https: - `setAllowContentAccess`: Content URL access allows WebViews to load content from a content provider installed on the system, which is enabled by default . - `setAllowFileAccess`: Enables and disables file access within a WebView. File access is enabled by default. Note that this enables and disables [file system access](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess%28boolean%29 "File Access in WebView") only. Asset and resource access is unaffected and accessible via `file:///android_asset` and `file:///android_res`. -- `setAllowFileAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from other file scheme URLs. The default value is "true" for API level 15 (Ice Cream Sandwich) and below and "false" for API level 16 (Jelly Bean) and above. +- `setAllowFileAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from other file scheme URLs. The default value is `true` for API level 15 (Ice Cream Sandwich) and below and `false` for API level 16 (Jelly Bean) and above. - `setAllowUniversalAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from any origin. The default value is "true" for API level 15 (Ice Cream Sandwich) and below and "false" for API level 16 (Jelly Bean) and above. If one or more of the above methods is/are activated, you should determine whether the method(s) is/are really necessary for the app to work properly. From 601f412948b083ed20c6d5e3fc02f3908a8904c8 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sun, 28 Jul 2019 20:55:44 +0200 Subject: [PATCH 09/13] Update Document/0x05h-Testing-Platform-Interaction.md Co-Authored-By: Jeroen Willemsen --- Document/0x05h-Testing-Platform-Interaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05h-Testing-Platform-Interaction.md b/Document/0x05h-Testing-Platform-Interaction.md index 59f1f80868..ccab651d62 100644 --- a/Document/0x05h-Testing-Platform-Interaction.md +++ b/Document/0x05h-Testing-Platform-Interaction.md @@ -988,7 +988,7 @@ Check the source code for WebView usage. The following [WebView settings](https: - `setAllowContentAccess`: Content URL access allows WebViews to load content from a content provider installed on the system, which is enabled by default . - `setAllowFileAccess`: Enables and disables file access within a WebView. File access is enabled by default. Note that this enables and disables [file system access](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess%28boolean%29 "File Access in WebView") only. Asset and resource access is unaffected and accessible via `file:///android_asset` and `file:///android_res`. - `setAllowFileAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from other file scheme URLs. The default value is `true` for API level 15 (Ice Cream Sandwich) and below and `false` for API level 16 (Jelly Bean) and above. -- `setAllowUniversalAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from any origin. The default value is "true" for API level 15 (Ice Cream Sandwich) and below and "false" for API level 16 (Jelly Bean) and above. +- `setAllowUniversalAccessFromFileURLs`: Does or does not allow JavaScript running in the context of a file scheme URL to access content from any origin. The default value is `true` for API level 15 (Ice Cream Sandwich) and below and `false` for API level 16 (Jelly Bean) and above. If one or more of the above methods is/are activated, you should determine whether the method(s) is/are really necessary for the app to work properly. From d7cd3d8ef4de9a464468f66306334710904da4a9 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Mon, 29 Jul 2019 08:04:11 +0200 Subject: [PATCH 10/13] fixed more values --- Document/0x04h-Testing-Code-Quality.md | 2 +- Document/0x05a-Platform-Overview.md | 4 ++-- Document/0x05c-Reverse-Engineering-and-Tampering.md | 8 ++++---- Document/0x05d-Testing-Data-Storage.md | 2 +- Document/0x05f-Testing-Local-Authentication.md | 2 +- Document/0x05g-Testing-Network-Communication.md | 2 +- Document/0x05i-Testing-Code-Quality-and-Build-Settings.md | 4 ++-- Document/0x06c-Reverse-Engineering-and-Tampering.md | 4 ++-- Document/0x06d-Testing-Data-Storage.md | 4 ++-- Document/0x06h-Testing-Platform-Interaction.md | 8 ++++---- Document/0x06i-Testing-Code-Quality-and-Build-Settings.md | 6 +++--- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/Document/0x04h-Testing-Code-Quality.md b/Document/0x04h-Testing-Code-Quality.md index b0d3cb91f3..f595d178fb 100644 --- a/Document/0x04h-Testing-Code-Quality.md +++ b/Document/0x04h-Testing-Code-Quality.md @@ -41,7 +41,7 @@ This results in the following query: SELECT * FROM users WHERE username='1' OR '1' = '1' AND Password='1' OR '1' = '1' ``` -Because the condition `'1' = '1'` always evaluates as true, this query return all records in the database, causing the login function to return "true" even though no valid user account was entered. +Because the condition `'1' = '1'` always evaluates as true, this query return all records in the database, causing the login function to return `true` even though no valid user account was entered. Ostorlab exploited the sort parameter of [Yahoo's weather mobile application](https://blog.ostorlab.co/android-sql-contentProvider-sql-injections.html "Android, SQL and ContentProviders or Why SQL injections aren't dead yet ?") with adb using this SQL injection payload. diff --git a/Document/0x05a-Platform-Overview.md b/Document/0x05a-Platform-Overview.md index ed74764d2a..1bb7d7b6d7 100644 --- a/Document/0x05a-Platform-Overview.md +++ b/Document/0x05a-Platform-Overview.md @@ -451,7 +451,7 @@ The example below shows an AndroidManifest.xml sample requesting permission to r ###### Declaring Permissions -Apps can expose features and content to other apps installed on the system. To restrict access to its own components, it can either use any of Android’s [predefined permissions](https://developer.android.com/reference/android/Manifest.permission.html "predefined permissions") or define its own. A new permission is declared with the `` element. +Apps can expose features and content to other apps installed on the system. To restrict access to its own components, it can either use any of Android’s [predefined permissions](https://developer.android.com/reference/android/Manifest.permission.html "predefined permissions") or define its own. A new permission is declared with the `` element. The example below shows an app declaring a permission: ```xml @@ -485,7 +485,7 @@ Permissions can be enforced on *Activities*, *Services*, and *Broadcast Receiver - `android:writePermission`, `android:readPermission`: the developer can set separate permissions for reading or writing. - `android:permission`: general permission that will control reading and writing to the content provider. -- `android:grantUriPermissions`: "true" if the content provider can be accessed with a content URI (the access temporarily bypasses the restrictions of other permissions), and "false" otherwise. +- `android:grantUriPermissions`: `"true"` if the content provider can be accessed with a content URI (the access temporarily bypasses the restrictions of other permissions), and `"false"` otherwise. ### Signing and Publishing Process diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md index 5a9db0cbed..ef385df89a 100644 --- a/Document/0x05c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x05c-Reverse-Engineering-and-Tampering.md @@ -590,7 +590,7 @@ main[1] set flag = true main[1] resume ``` -Repeat this process, setting `flag` to "true" each time the breakpoint is reached, until the alert box is finally displayed (the breakpoint will be reached five or six times). The alert box should now be cancelable! Tap the screen next to the box and it will close without terminating the app. +Repeat this process, setting `flag` to `true` each time the breakpoint is reached, until the alert box is finally displayed (the breakpoint will be reached five or six times). The alert box should now be cancelable! Tap the screen next to the box and it will close without terminating the app. Now that the anti-tampering is out of the way, you're ready to extract the secret string! In the "static analysis" section, you saw that the string is decrypted with AES, then compared with the string input to the message box. The method `equals` of the `java.lang.String` class compares the string input with the secret string. Set a method breakpoint on `java.lang.String.equals`, enter an arbitrary text string in the edit field, and tap the "verify" button. Once the breakpoint is reached, you can read the method argument with the `locals` command. @@ -1096,7 +1096,7 @@ First, we'll look at some simple ways to modify and instrument mobile apps. *Tam Making small changes to the Android Manifest or bytecode is often the quickest way to fix small annoyances that prevent you from testing or reverse engineering an app. On Android, two issues in particular happen regularly: 1. You can't intercept HTTPS traffic with a proxy because the app employs SSL pinning. -2. You can't attach a debugger to the app because the `android:debuggable` flag is not set to "true" in the Android Manifest. +2. You can't attach a debugger to the app because the `android:debuggable` flag is not set to `"true"` in the Android Manifest. In most cases, both issues can be fixed by making minor changes to the app (aka. patching) and then re-signing and repackaging it. Apps that run additional integrity checks beyond default Android code-signing are an exception—in these cases, you have to patch the additional checks as well. @@ -1208,7 +1208,7 @@ In the Developer options, pick `Uncrackable1` as the debugging application and a Developer Options -Note: Even with `ro.debuggable` set to "1" in `default.prop`, an app won't show up in the "debug app" list unless the `android:debuggable` flag is set to "true" in the Android Manifest. +Note: Even with `ro.debuggable` set to "1" in `default.prop`, an app won't show up in the "debug app" list unless the `android:debuggable` flag is set to `"true"` in the Android Manifest. ##### Patching React Native applications @@ -1254,7 +1254,7 @@ public static boolean c() { } ``` -This method iterates through a list of directories and returns "true" (device rooted) if it finds the `su` binary in any of them. Checks like this are easy to deactivate all you have to do is replace the code with something that returns "false". Method hooking with an Xposed module is one way to do this (see "Android Basic Security Testing" for more details on Xposed installation and basics). +This method iterates through a list of directories and returns `true` (device rooted) if it finds the `su` binary in any of them. Checks like this are easy to deactivate all you have to do is replace the code with something that returns "false". Method hooking with an Xposed module is one way to do this (see "Android Basic Security Testing" for more details on Xposed installation and basics). The method `XposedHelpers.findAndHookMethod` allows you to override existing class methods. By inspecting the decompiled source code, you can find out that the method performing the check is `c`. This method is located in the class `com.example.a.b`. The following is an Xposed module that overrides the function so that it always returns false: diff --git a/Document/0x05d-Testing-Data-Storage.md b/Document/0x05d-Testing-Data-Storage.md index 59fc91cdd7..453396b36e 100644 --- a/Document/0x05d-Testing-Data-Storage.md +++ b/Document/0x05d-Testing-Data-Storage.md @@ -478,7 +478,7 @@ As part of Android's IPC mechanisms, content providers allow an app's stored dat The first step is to look at `AndroidManifest.xml` to detect content providers exposed by the app. You can identify content providers by the `` element. Complete the following steps: -- Determine whether the value of the export tag is "true" (`android:exported="true"`). Even if it is not, the tag will be set to "true" automatically if an `` has been defined for the tag. If the content is meant to be accessed only by the app itself, set `android:exported` to "false". If not, set the flag to "true" and define proper read/write permissions. +- Determine whether the value of the export tag (`android:exported`) is `"true"`. Even if it is not, the tag will be set to `"true"` automatically if an `` has been defined for the tag. If the content is meant to be accessed only by the app itself, set `android:exported` to `"false"`. If not, set the flag to `"true"` and define proper read/write permissions. - Determine whether the data is being protected by a permission tag (`android:permission`). Permission tags limit exposure to other apps. - Determine whether the `android:protectionLevel` attribute has the value `signature`. This setting indicates that the data is intended to be accessed only by apps from the same enterprise (i.e., signed with the same key). To make the data accessible to other apps, apply a security policy with the `` element and set a proper `android:protectionLevel`. If you use `android:permission`, other applications must declare corresponding `` elements in their manifests to interact with your content provider. You can use the `android:grantUriPermissions` attribute to grant more specific access to other apps; you can limit access with the `` element. diff --git a/Document/0x05f-Testing-Local-Authentication.md b/Document/0x05f-Testing-Local-Authentication.md index d0af85e849..52769ca3b6 100644 --- a/Document/0x05f-Testing-Local-Authentication.md +++ b/Document/0x05f-Testing-Local-Authentication.md @@ -248,7 +248,7 @@ byte[] signed = signature.sign(); ##### Additional Security Features -Android Nougat (API 24) adds the `setInvalidatedByBiometricEnrollment(boolean invalidateKey)` method to `KeyGenParameterSpec.Builder`. When `invalidateKey` value is set to "true" (the default), keys that are valid for fingerprint authentication are irreversibly invalidated when a new fingerprint is enrolled. This prevents an attacker from retrieving they key even if they are able to enroll an additional fingerprint. +Android Nougat (API 24) adds the `setInvalidatedByBiometricEnrollment(boolean invalidateKey)` method to `KeyGenParameterSpec.Builder`. When `invalidateKey` value is set to `true` (the default), keys that are valid for fingerprint authentication are irreversibly invalidated when a new fingerprint is enrolled. This prevents an attacker from retrieving they key even if they are able to enroll an additional fingerprint. Android Oreo (API 26) adds two additional error-codes: - `FINGERPRINT_ERROR_LOCKOUT_PERMANENT`: The user has tried too many times to unlock their device using the fingerprint reader. diff --git a/Document/0x05g-Testing-Network-Communication.md b/Document/0x05g-Testing-Network-Communication.md index c7a3390e79..e849406a7f 100644 --- a/Document/0x05g-Testing-Network-Communication.md +++ b/Document/0x05g-Testing-Network-Communication.md @@ -125,7 +125,7 @@ To customize their network security settings in a safe, declarative configuratio The Network Security Configuration can also be used to pin [declarative certificates](https://developer.android.com/training/articles/security-config.html#CertificatePinning "Certificate Pinning using Network Security Configuration") to specific domains. If an application uses this feature, two things should be checked to identify the defined configuration: -First, find the Network Security Configuration file in the Android application manifest via the "android:networkSecurityConfig" attribute on the application tag: +First, find the Network Security Configuration file in the Android application manifest via the `android:networkSecurityConfig` attribute on the application tag: ```xml diff --git a/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md b/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md index f084cf229e..9a00cfedf4 100644 --- a/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md +++ b/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md @@ -75,7 +75,7 @@ Static analysis should be used to verify the APK signature. #### Overview -The `android:debuggable` attribute in the [`Application` element](https://developer.android.com/guide/topics/manifest/application-element.html "Application element") that is defined in the Android manifest determines whether the app can be debugged or not. +The `android:debuggable` attribute in the [`Application` element](https://developer.android.com/guide/topics/manifest/application-element.html "Application element") that is defined in the Android manifest determines whether the app can be debugged or not. #### Static Analysis @@ -87,7 +87,7 @@ Check `AndroidManifest.xml` to determine whether the `android:debuggable` attrib ... ``` -For a release build, this attribute should always be set to "false" (the default value). +For a release build, this attribute should always be set to `"false"` (the default value). #### Dynamic Analysis diff --git a/Document/0x06c-Reverse-Engineering-and-Tampering.md b/Document/0x06c-Reverse-Engineering-and-Tampering.md index 9d6d55cbe1..24c5566842 100644 --- a/Document/0x06c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x06c-Reverse-Engineering-and-Tampering.md @@ -158,7 +158,7 @@ $ security find-identity -v Log into the Apple Developer portal to issue a new App ID, then issue and download the profile. An App ID is a two-part string: a Team ID supplied by Apple and a bundle ID search string that you can set to an arbitrary value, such as `com.example.myapp`. Note that you can use a single App ID to re-sign multiple apps. Make sure you create a *development* profile and not a *distribution* profile so that you can debug the app. -In the examples below, I use my signing identity, which is associated with my company's development team. I created the App ID "sg.vp.repackaged" and the provisioning profile "AwesomeRepackaging" for these examples. I ended up with the file `AwesomeRepackaging.mobileprovision`-replace this with your own filename in the shell commands below. +In the examples below, I use my signing identity, which is associated with my company's development team. I created the App ID "sg.vp.repackaged" and the provisioning profile "AwesomeRepackaging" for these examples. I ended up with the file `AwesomeRepackaging.mobileprovision`-replace this with your own filename in the shell commands below. **With a Regular iTunes Account:** @@ -188,7 +188,7 @@ $ cat entitlements.plist ``` -Note the application identifier, which is a combination of the Team ID (LRUD9L355Y) and Bundle ID (sg.vantagepoint.repackage). This provisioning profile is only valid for the app that has this App ID. The "get-task-allow" key is also important: when set to "true", other processes, such as the debugging server, are allowed to attach to the app (consequently, this would be set to "false" in a distribution profile). +Note the application identifier, which is a combination of the Team ID (LRUD9L355Y) and Bundle ID (sg.vantagepoint.repackage). This provisioning profile is only valid for the app that has this App ID. The `get-task-allow` key is also important: when set to `true`, other processes, such as the debugging server, are allowed to attach to the app (consequently, this would be set to `false` in a distribution profile). ##### Other Preparations diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 055909202a..ed8f2da550 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md @@ -430,7 +430,7 @@ Several options for simplifying keyboard input are available to users. These opt The [UITextInputTraits protocol](https://developer.apple.com/reference/uikit/uitextinputtraits "UITextInputTraits protocol") is used for keyboard caching. The UITextField, UITextView, and UISearchBar classes automatically support this protocol and it offers the following properties: - `var autocorrectionType: UITextAutocorrectionType` determines whether autocorrection is enabled during typing. When autocorrection is enabled, the text object tracks unknown words and suggests suitable replacements, replacing the typed text automatically unless the user overrides the replacement. The default value of this property is `UITextAutocorrectionTypeDefault`, which for most input methods enables autocorrection. -- `var secureTextEntry: BOOL` determines whether text copying and text caching are disabled and hides the text being entered for `UITextField`. The default value of this property is "NO". +- `var secureTextEntry: BOOL` determines whether text copying and text caching are disabled and hides the text being entered for `UITextField`. The default value of this property is `NO`. #### Static Analysis @@ -443,7 +443,7 @@ The [UITextInputTraits protocol](https://developer.apple.com/reference/uikit/uit - Open xib and storyboard files in the `Interface Builder` of Xcode and verify the states of `Secure Text Entry` and `Correction` in the `Attributes Inspector` for the appropriate object. -The application must prevent the caching of sensitive information entered into text fields. You can prevent caching by disabling it programmatically, using the `textObject.autocorrectionType = UITextAutocorrectionTypeNo` directive in the desired UITextFields, UITextViews, and UISearchBars. For data that should be masked, such as PINs and passwords, set `textObject.secureTextEntry` to "YES". +The application must prevent the caching of sensitive information entered into text fields. You can prevent caching by disabling it programmatically, using the `textObject.autocorrectionType = UITextAutocorrectionTypeNo` directive in the desired UITextFields, UITextViews, and UISearchBars. For data that should be masked, such as PINs and passwords, set `textObject.secureTextEntry` to `YES`. ```objc UITextField *textField = [ [ UITextField alloc ] initWithFrame: frame ]; diff --git a/Document/0x06h-Testing-Platform-Interaction.md b/Document/0x06h-Testing-Platform-Interaction.md index adf0a01a2c..a075919d0c 100644 --- a/Document/0x06h-Testing-Platform-Interaction.md +++ b/Document/0x06h-Testing-Platform-Interaction.md @@ -1619,7 +1619,7 @@ Before calling the `openURL:options:completionHandler:` method, apps can call [` ``` -`canOpenURL` will always return"NO" for undeclared schemes, whether or not an appropriate app is installed. However, this restriction only applies to `canOpenURL`, **the `openURL:options:completionHandler:` method will still open any URL scheme, even if the `LSApplicationQueriesSchemes` array was declared**, and return "YES" / "NO" depending on the result. +`canOpenURL` will always return `NO` for undeclared schemes, whether or not an appropriate app is installed. However, this restriction only applies to `canOpenURL`, **the `openURL:options:completionHandler:` method will still open any URL scheme, even if the `LSApplicationQueriesSchemes` array was declared**, and return `YES` / `NO` depending on the result. As an example, Telegram declares in its [`Info.plist`](https://github.com/peter-iakovlev/Telegram-iOS/blob/master/Telegram-iOS/Info.plist#L63 "Telegram's Info.plist Line 63") these Queries Schemes, among others: @@ -1938,7 +1938,7 @@ Now we know that: - It receives our URL as a parameter: `igoat://`. - We also can verify the source application: `com.apple.mobilesafari`. - We can also know from where it was called, as expected from `-[UIApplication _applicationOpenURLAction:payload:origin:]`. -- The method returns "0x1" which means "YES" ([the delegate successfully handled the request](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623112-application?language=objc#return-value "application:openURL:options: Return Value")). +- The method returns `0x1` which means `YES` ([the delegate successfully handled the request](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623112-application?language=objc#return-value "application:openURL:options: Return Value")). The call was successful and we see now that the iGoat app was open: @@ -2611,7 +2611,7 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString" 231 0x0002df6c 24 (4.__TEXT.__objc_methname) ascii loadHTMLString:baseURL: ``` -In a case like this, it is recommended to perform dynamic anaylsis to ensure that this is in fact being used and from which kind of WebView. The `baseURL` parameter here doesn't present an issue as it will be set to "null" but could be an issue if not set properly when using a `UIWebView`. See "Checking How WebViews are Loaded" for an example about this. +In a case like this, it is recommended to perform dynamic analysis to ensure that this is in fact being used and from which kind of WebView. The `baseURL` parameter here doesn't present an issue as it will be set to "null" but could be an issue if not set properly when using a `UIWebView`. See "Checking How WebViews are Loaded" for an example about this. In addition, you should also verify if the app is using the method [`loadFileURL:allowingReadAccessToURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1414973-loadfileurl?language=objc "WKWebView loadFileURL:allowingReadAccessToURL:"). Its first parameter is `URL` and contains the URL to be loaded in the WebView, its second parameter `allowingReadAccessToURL` may contain a single file or a directory. If containing a single file, that file will be available to the WebView. However, if it contains a directory, all files on that directory will be made available to the WebView. Therefore, it is worth inspecting this and in case it is a directory, verifying that no sensitive data can be found inside it. @@ -2709,7 +2709,7 @@ $ frida-trace -U "Where's My Browser?" 14190 ms baseURL: nil ``` -In this case, `baseURL` is set to `nil`, meaning that the effective origin is "null". You can obtain the effective origin by running `window.origin` from the JavaScript of the page (this app has an explotation helper that allows to write and run JavaScript, but you could also implement a MITM or simply use Frida to inject JavaScript, e.g. via `evaluateJavaScript:completionHandler` of `WKWebView`). +In this case, `baseURL` is set to `nil`, meaning that the effective origin is "null". You can obtain the effective origin by running `window.origin` from the JavaScript of the page (this app has an exploitation helper that allows to write and run JavaScript, but you could also implement a MITM or simply use Frida to inject JavaScript, e.g. via `evaluateJavaScript:completionHandler` of `WKWebView`). As an additional note regarding `UIWebView`s, if you retrieve the effective origin from a `UIWebView` where `baseURL` is also set to `nil` you will see that it is not set to "null", instead you'll obtain something similar to the following: diff --git a/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md b/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md index aa51996c04..b7fc92eaae 100644 --- a/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md +++ b/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md @@ -80,7 +80,7 @@ aarch64: file format mach-o-arm64 Gobjdump is part of [binutils](https://www.gnu.org/s/binutils/ "Binutils") and can be installed on macOS via Homebrew. -Make sure that debugging symbols are stripped when the application is being built for production. Stripping debugging symbols will reduce the size of the binary and increase the difficulty of reverse engineering. To strip debugging symbols, set `Strip Debug Symbols During Copy` to "YES" via the project's build settings. +Make sure that debugging symbols are stripped when the application is being built for production. Stripping debugging symbols will reduce the size of the binary and increase the difficulty of reverse engineering. To strip debugging symbols, set `Strip Debug Symbols During Copy` to `YES` via the project's build settings. A proper [Crash Reporter System](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/AnalyzingCrashReports/AnalyzingCrashReports.html "Crash Reporter System) is possible because the system doesn't require any symbols in the application binary. @@ -307,7 +307,7 @@ An `NSException` can either be raised by `raise` or thrown with `@throw`. Unless Bear in mind that using `NSException` comes with memory management pitfalls: you need to [clean up allocations](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/Exceptions/Tasks/RaisingExceptions.html#//apple_ref/doc/uid/20000058-BBCCFIBF "Raising exceptions") from the try block that are in the [finally block](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/Exceptions/Tasks/HandlingExceptions.html "Handling Exceptions"). Note that you can promote `NSException` objects to `NSError` by instantiating an `NSError` in the `@catch` block. **NSError** -`NSError` is used for all other types of [errors](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/ProgrammingWithObjectiveC/ErrorHandling/ErrorHandling.html "Dealing with Errors"). Some Cocoa framework APIs provide errors as objects in their failure callback in case something goes wrong; those that don't provide them pass a pointer to an `NSError` object by reference. It is a good practice to provide a `BOOL` return type to the method that takes a pointer to an `NSError` object to indicate success or failure. If there's a return type, make sure to return "nil" for errors. If "NO" or "nil" is returned, it allows you to inspect the error/reason for failure. +`NSError` is used for all other types of [errors](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/ProgrammingWithObjectiveC/ErrorHandling/ErrorHandling.html "Dealing with Errors"). Some Cocoa framework APIs provide errors as objects in their failure callback in case something goes wrong; those that don't provide them pass a pointer to an `NSError` object by reference. It is a good practice to provide a `BOOL` return type to the method that takes a pointer to an `NSError` object to indicate success or failure. If there's a return type, make sure to return `nil` for errors. If `NO` or `nil` is returned, it allows you to inspect the error/reason for failure. ##### Exception Handling in Swift @@ -461,7 +461,7 @@ Steps for enabling ACR protection for an iOS application: 1. In Xcode, select your target in the "Targets" section, then click the "Build Settings" tab to view the target's settings. 2. Make sure that "Objective-C Automatic Reference Counting" is set to its default value ("YES"). -See the [Technical Q&A QA1788 Building a Position Independent Executable]( https://developer.apple.com/library/mac/qa/qa1788/_index.html "Technical Q&A QA1788 Building a Position Independent Executable"). +See the [Technical Q&A QA1788 Building a Position Independent Executable](https://developer.apple.com/library/mac/qa/qa1788/_index.html "Technical Q&A QA1788 Building a Position Independent Executable"). ##### With otool From 2345675049bc42a0494120411d6dc3ff83990a95 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Mon, 29 Jul 2019 08:13:11 +0200 Subject: [PATCH 11/13] changes to the style guide --- style_guide.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/style_guide.md b/style_guide.md index 48b49e5083..b859df70d7 100644 --- a/style_guide.md +++ b/style_guide.md @@ -328,6 +328,9 @@ When they do not occur in a code block, place the following code-related keyword | port numbers || | binary names || |method/function arguments|| +|method/function argument or return values (e.g., `true`, `0`, `YES`)|| +| XML attributes (e.g., `get-task-allow` on iOS Plists, `"@string/app_name"` on Android Manifests)|| +| XML attribute values (e.g., `android:label` on Android Manifests)|| | property names || | object names || | API calls || From 005699db3137e83aa3300e7cbc86ab4622e2bf73 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Mon, 29 Jul 2019 21:57:59 +0200 Subject: [PATCH 12/13] corrected XXE definition; added XXE link where missing; bold corrected; CoreData corrected --- Document/0x04h-Testing-Code-Quality.md | 2 +- Document/0x05h-Testing-Platform-Interaction.md | 2 +- Document/0x06h-Testing-Platform-Interaction.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Document/0x04h-Testing-Code-Quality.md b/Document/0x04h-Testing-Code-Quality.md index f595d178fb..7adde5ebae 100644 --- a/Document/0x04h-Testing-Code-Quality.md +++ b/Document/0x04h-Testing-Code-Quality.md @@ -51,7 +51,7 @@ Another real-world instance of client-side SQL injection was discovered by Mark In a *XML injection* attack, the attacker injects XML meta-characters to structurally alter XML content. This can be used to either compromise the logic of an XML-based application or service, as well as possibly allow an attacker to exploit the operation of the XML parser processing the content. -A popular variant of this attack is [XML Entity Injection (XXE)](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing "XML Entity Injection (XXE)"). Here, an attacker injects an external entity definition containing an URI into the input XML. During parsing, the XML parser expands the attacker-defined entity by accessing the resource specified by the URI. The integrity of the parsing application ultimately determines capabilities afforded to the attacker, where the malicious user could do any (or all) of the following: access local files, trigger HTTP requests to arbitrary hosts and ports, launch a [cross-site request forgery (CSRF)](https://goo.gl/UknMCj "Cross-Site Request Forgery (CSRF)") attack, and cause a denial-of-service condition. The OWASP web testing guide contains the [following example for XXE](https://goo.gl/QGQkEX "Testing for XML Injection (OTG-INPVAL-008)"): +A popular variant of this attack is [XML eXternal Entity (XXE)](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing "XML eXternal Entity attack (XXE)"). Here, an attacker injects an external entity definition containing an URI into the input XML. During parsing, the XML parser expands the attacker-defined entity by accessing the resource specified by the URI. The integrity of the parsing application ultimately determines capabilities afforded to the attacker, where the malicious user could do any (or all) of the following: access local files, trigger HTTP requests to arbitrary hosts and ports, launch a [cross-site request forgery (CSRF)](https://goo.gl/UknMCj "Cross-Site Request Forgery (CSRF)") attack, and cause a denial-of-service condition. The OWASP web testing guide contains the [following example for XXE](https://goo.gl/QGQkEX "Testing for XML Injection (OTG-INPVAL-008)"): ```xml diff --git a/Document/0x05h-Testing-Platform-Interaction.md b/Document/0x05h-Testing-Platform-Interaction.md index ccab651d62..dadb07e76f 100644 --- a/Document/0x05h-Testing-Platform-Interaction.md +++ b/Document/0x05h-Testing-Platform-Interaction.md @@ -1171,7 +1171,7 @@ String json = gson.toJson(obj); ##### XML There are several ways to serialize the contents of an object to XML and back. Android comes with the `XmlPullParser` interface which allows for easily maintainable XML parsing. There are two implementations within Android: `KXmlParser` and `ExpatPullParser`. The [Android Developer Guide](https://developer.android.com/training/basics/network-ops/xml#java "Instantiate the parser") provides a great write-up on how to use them. Next, there are various alternatives, such as a `SAX` parser that comes with the Java runtime. For more information, see [a blogpost from ibm.com](https://www.ibm.com/developerworks/opensource/library/x-android/index.html "Working with XML on Android on IBM Developer"). -Similarly to JSON, XML has the issue of working mostly String based, which means that String-type secrets will be harder to remove from memory. XML data can be stored anywhere (database, files), but do need additional protection in case of secrets or information that should not be changed. See the data storage chapter for more details. As stated earlier: the true danger in XML lies in the XML eXternal Entity attack (XXE) as it might allow for reading external data sources that are still accessible within the application. +Similarly to JSON, XML has the issue of working mostly String based, which means that String-type secrets will be harder to remove from memory. XML data can be stored anywhere (database, files), but do need additional protection in case of secrets or information that should not be changed. See the data storage chapter for more details. As stated earlier: the true danger in XML lies in the [XML eXternal Entity (XXE)](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing "XML eXternal Entity attack (XXE)") attack as it might allow for reading external data sources that are still accessible within the application. ##### ORM diff --git a/Document/0x06h-Testing-Platform-Interaction.md b/Document/0x06h-Testing-Platform-Interaction.md index a075919d0c..cac1634c8e 100644 --- a/Document/0x06h-Testing-Platform-Interaction.md +++ b/Document/0x06h-Testing-Platform-Interaction.md @@ -3055,7 +3055,7 @@ In this first example, the `NSUserDefaults` are used, which is the primary *prop ``` -Note that `plist` files are not meant to store secret information**. They are designed to hold user preferences for an app. +Note that **`plist` files are not meant to store secret information**. They are designed to hold user preferences for an app. ##### XML @@ -3073,7 +3073,7 @@ Next to the libraries, you can make use of Apple's [`XMLParser` class](https://d When not using third party libraries, but Apple's `XMLParser`, be sure to let `shouldResolveExternalEntities` return `false`. -##### Object-Relational Mapping (Coredata and Realm) +##### Object-Relational Mapping (CoreData and Realm) There are various ORM-like solutions for iOS. The first one is [Realm](https://realm.io/docs/swift/latest/ "Realm"), which comes with its own storage engine. Realm has settings to encrypt the data as explained in [Realm's documentation](https://academy.realm.io/posts/tim-oliver-realm-cocoa-tutorial-on-encryption-with-realm/ "Encryption with Realm"). This allows for handling secure data. Note that the encryption is turned off by default. From 1f71bde770f197325f44cba0b07f57304fb86435 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Mon, 29 Jul 2019 22:08:52 +0200 Subject: [PATCH 13/13] fixed links, format issues and a cuple more typos --- Document/0x04h-Testing-Code-Quality.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Document/0x04h-Testing-Code-Quality.md b/Document/0x04h-Testing-Code-Quality.md index 7adde5ebae..956cdc8e09 100644 --- a/Document/0x04h-Testing-Code-Quality.md +++ b/Document/0x04h-Testing-Code-Quality.md @@ -95,9 +95,9 @@ We will cover details related to input sources and potentially vulnerable APIs f Cross-site scripting (XSS) issues allow attackers to inject client-side scripts into web pages viewed by users. This type of vulnerability is prevalent in web applications. When a user views the injected script in a browser, the attacker gains the ability to bypass the same origin policy, enabling a wide variety of exploits (e.g. stealing session cookies, logging key presses, performing arbitrary actions, etc.). -In the context of *native apps*, XSS risks are far less prevalent for the simple reason these kinds of applications do not rely on a web browser. However, apps using WebView components, such as ‘WKWebView’ or the deprecated 'UIWebView' on iOS and ‘WebView’ on Android, are potentially vulnerable to such attacks. +In the context of *native apps*, XSS risks are far less prevalent for the simple reason these kinds of applications do not rely on a web browser. However, apps using WebView components, such as `WKWebView` or the deprecated `UIWebView` on iOS and `WebView` on Android, are potentially vulnerable to such attacks. -An older but well-known example is the [local XSS issue in the Skype app for iOS, first identified by Phil Purviance]( https://superevr.com/blog/2011/xss-in-skype-for-ios). The Skype app failed to properly encode the name of the message sender, allowing an attacker to inject malicious JavaScript to be executed when a user views the message. In his proof-of-concept, Phil showed how to exploit the issue and steal a user's address book. +An older but well-known example is the [local XSS issue in the Skype app for iOS, first identified by Phil Purviance](https://superevr.com/blog/2011/xss-in-skype-for-ios "XSS in Skype for iOS"). The Skype app failed to properly encode the name of the message sender, allowing an attacker to inject malicious JavaScript to be executed when a user views the message. In his proof-of-concept, Phil showed how to exploit the issue and steal a user's address book. #### Static Analysis @@ -117,7 +117,7 @@ Kotlin webView.loadUrl("javascript:initialize($myNumber);") ``` -Another example of XSS issues determined by user input is public overriden methods. +Another example of XSS issues determined by user input is public overridden methods. Java @@ -158,7 +158,7 @@ Sergey Bobrov was able to take advantage of this in the following [HackerOne rep '' ``` -- 3rd party Intent in Java or kotlin: +- 3rd party Intent in Java or Kotlin: ```java Intent i = new Intent(); @@ -178,12 +178,11 @@ Sergey Bobrov was able to take advantage of this in the following [HackerOne rep view.context.startActivity(i) ``` -If WebView is used to display a remote website, the burden of escaping HTML shifts to the server side. If an XSS flaw exists on the web server, this can be used to execute script in the context of the WebView. As such, it is important to perform static analysis of the web application source code. +If a WebView is used to display a remote website, the burden of escaping HTML shifts to the server side. If an XSS flaw exists on the web server, this can be used to execute script in the context of the WebView. As such, it is important to perform static analysis of the web application source code. Verify that the following best practices have been followed: - No untrusted data is rendered in HTML, JavaScript or other interpreted contexts unless it is absolutely necessary. - - Appropriate encoding is applied to escape characters, such as HTML entity encoding. Note: escaping rules become complicated when HTML is nested within other code, for example, rendering a URL located inside a JavaScript block. Consider how data will be rendered in a response. For example, if data is rendered in a HTML context, six control characters that must be escaped: