DarkyAngel

Penetration Testing for iPhone Applications – Part 3

The first part of this article discussed iPhone application traffic analysis, and the second part covered privacy issues and property list data storage. This part takes an in-depth look at keychain data storage. Apple has designed the keychain with many security measures in place to protect the user's data; however, it is broken at every level. A complete understanding of the keychain, its security and its weaknesses will help penetration testers provide proper remediation suggestions during iOS application security assessments.

Local Data Storage

Keychain Storage:

The keychain is an encrypted container (128-bit AES) and a centralized SQLite database that holds identities and passwords for multiple applications and network services, with restricted access rights. On the iPhone, the keychain SQLite database is used to store small amounts of sensitive data such as usernames, passwords, encryption keys, certificates and private keys. In general, iOS applications store the user's credentials in the keychain to provide transparent authentication, so that the user is not prompted to log in every time. iOS applications use the keychain services library/API (the SecItemAdd, SecItemDelete, SecItemCopyMatching and SecItemUpdate functions) to read and write keychain data. Developers use the keychain services API to have the operating system store sensitive data securely on their behalf, instead of storing it in a property list file or a plaintext configuration file. On the iPhone, the keychain SQLite database file is located at /private/var/Keychains/keychain-2.db.

The keychain contains a number of keychain items, and each keychain item has encrypted data and a set of unencrypted attributes that describe it. The attributes associated with a keychain item depend on the keychain item class (kSecClass). In iOS, keychain items are classified into 5 classes: generic passwords (kSecClassGenericPassword), Internet passwords (kSecClassInternetPassword), certificates (kSecClassCertificate), keys (kSecClassKey) and digital identities (kSecClassIdentity, identity = certificate + key). In the iOS keychain, all keychain items are stored in 4 tables: genp, inet, cert and keys (shown in Figure 1). The genp table contains generic password keychain items, the inet table contains Internet password keychain items, and the cert and keys tables contain certificates, keys and digital identity keychain items.

(Figure 1)

Columns in the keychain tables are mapped to the corresponding keychain item class attributes.

Example:

The genp table columns shown in Figure 2 are mapped to the generic password keychain item class attributes as shown in Table 1.

(Figure 2)

[table=width: 500, class: grid]
[tr][td]Column[/td][td]Attribute[/td][td]Description[/td][/tr]
[tr][td]cdat[/td][td]kSecAttrCreationDate[/td][td]Item creation date in Unix epoch time format[/td][/tr]
[tr][td]mdat[/td][td]kSecAttrModificationDate[/td][td]Item modification date in Unix epoch time format[/td][/tr]
[tr][td]desc[/td][td]kSecAttrDescription[/td][td]User visible string that describes the item[/td][/tr]
[tr][td]icmt[/td][td]kSecAttrComment[/td][td]User editable comment for the item[/td][/tr]
[tr][td]crtr[/td][td]kSecAttrCreator[/td][td]Application created (4 char) code[/td][/tr]
[tr][td]type[/td][td]kSecAttrType[/td][td]Item type[/td][/tr]
[tr][td]scrp[/td][td]kSecAttrScriptCode[/td][td]String script code (such as encoding type)[/td][/tr]
[tr][td]labl[/td][td]kSecAttrLabel[/td][td]Label to be displayed to the user (print name)[/td][/tr]
[tr][td]alis[/td][td]kSecAttrAlias[/td][td]Item alias[/td][/tr]
[tr][td]invi[/td][td]kSecAttrIsInvisible[/td][td]Invisible[/td][/tr]
[tr][td]nega[/td][td]kSecAttrIsNegative[/td][td]Invalid item[/td][/tr]
[tr][td]cusi[/td][td]kSecAttrHasCustomIcon[/td][td]Existence of application specific icon (Boolean)[/td][/tr]
[tr][td]prot[/td][td]kSecProtectedDataItemAttr ?[/td][td]Item’s data is protected (Boolean)[/td][/tr]
[tr][td]acct[/td][td]kSecAttrAccount[/td][td]Account key (such as user id)[/td][/tr]
[tr][td]svce[/td][td]kSecAttrService[/td][td]Service name (such as Application identifier)[/td][/tr]
[tr][td]gena[/td][td]kSecAttrGeneric[/td][td]User defined attribute[/td][/tr]
[tr][td]data[/td][td]kSecValueData[/td][td]Actual data (such as password, crypto key…)[/td][/tr]
[tr][td]agrp[/td][td]kSecAttrAccessGroup[/td][td]Keychain access group[/td][/tr]
[tr][td]pdmn[/td][td]kSecAttrAccessible[/td][td]Access restrictions (Data protection classes)[/td][/tr]
[/table]

Attributes for all the keychain item classes are documented in the -Keychain Item

Original Article
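
The column-to-attribute mapping in Table 1 can be applied during an assessment to review the unencrypted attributes of generic password items and flag those stored under a weak data protection class. The following is an added example, not code from the original article: the sample rows are constructed, the function names are hypothetical, and the pdmn code list is an assumption drawn from the kSecAttrAccessible constants rather than from this page.

```python
import sqlite3

# genp column -> keychain attribute, as listed in Table 1 (subset)
GENP_ATTRS = {
    "labl": "kSecAttrLabel", "acct": "kSecAttrAccount",
    "svce": "kSecAttrService", "agrp": "kSecAttrAccessGroup",
    "pdmn": "kSecAttrAccessible",
}
# pdmn codes -> kSecAttrAccessible constants (not listed on the page)
PDMN = {
    "ak": "kSecAttrAccessibleWhenUnlocked",
    "ck": "kSecAttrAccessibleAfterFirstUnlock",
    "dk": "kSecAttrAccessibleAlways",
    "aku": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    "cku": "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    "dku": "kSecAttrAccessibleAlwaysThisDeviceOnly",
}
WEAK = {"dk", "dku"}  # item stays accessible while the device is locked

def build_sample_db():
    """Constructed stand-in for a copy of keychain-2.db (genp table only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE genp (labl, acct, svce, agrp, pdmn, data BLOB)")
    db.executemany("INSERT INTO genp VALUES (?, ?, ?, ?, ?, ?)", [
        ("login", "alice", "com.example.bank", "TEAMID0000.com.example.bank", "dk", b"\x00" * 16),
        ("token", "alice", "com.example.mail", "TEAMID0000.com.example.mail", "aku", b"\x00" * 16),
        ("legacy", "bob", "com.example.old", "TEAMID0000.com.example.old", None, b"\x00" * 16),
    ])
    return db

def audit_genp(db):
    """Map each genp row to attribute names and flag weak protection classes."""
    cols = ", ".join(GENP_ATTRS)  # the encrypted data column is never read
    items = []
    for row in db.execute(f"SELECT {cols} FROM genp ORDER BY rowid"):
        item = dict(zip(GENP_ATTRS.values(), row))
        code = item["kSecAttrAccessible"]
        item["kSecAttrAccessible"] = PDMN.get(code, f"unknown({code})")
        item["weak_protection_class"] = code in WEAK
        items.append(item)
    return items

if __name__ == "__main__":
    for item in audit_genp(build_sample_db()):
        print(item)
```

Items flagged with `weak_protection_class` are candidates for a remediation note recommending a stricter kSecAttrAccessible value.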
