Ali Mobile Security · 2015/10/23 11:01

Author: Xuan Xia

0x00 Overview


A man-in-the-middle attack (MITM attack) is a form of "indirect" intrusion: by some technical means the attacker places a computer under their control between two communicating hosts on the network path. That computer is the "man in the middle". Man-in-the-middle attacks can be used to steal information, tamper with it, or impersonate one of the parties.

Man-in-the-middle attacks on Android have been discussed at length. Here we look at man-in-the-middle attacks on iOS and at how iOS manages trusted certificates.

0x01 Man-in-the-middle Attack


Unless stated otherwise, the experimental environment throughout this article is:

iPhone 5 + iOS 8.1.2, jailbroken

1.1 Classifying man-in-the-middle attacks

By how hard they are to carry out on the iOS platform, man-in-the-middle attacks against an app fall into three levels:

1) Level 1: the app can be attacked without installing the attacker's certificate on the phone

2) Level 2: the app can be attacked only if the attacker's certificate is installed on the phone

3) Level 3: the app cannot be attacked even if the attacker's certificate is installed on the phone

We illustrate each of the three cases with one example: OWASP's iOS HTTPS man-in-the-middle demo app, slightly modified. Normally, the app starts as shown in Figure 1; tapping "Fetch Secret" requests data from the server and displays it, as shown in Figure 2.

Figure 1 Startup interface

Figure 2 Normal data acquisition

1.1.1 Man-in-the-middle without importing a certificate

In this build, the NSURLConnection object's delegate class implements only the connection:didReceiveAuthenticationChallenge: method, as shown in Figure 3.

Figure 3 Connection verification method

Set up Burp Suite and enable its proxy listener, as shown in Figure 4.

Figure 4 Burp Suite setup

On the phone, set the HTTP proxy to the address of the PC running Burp Suite, as shown in Figure 5.

Figure 5 Phone proxy settings

Run the app and tap "Fetch Secret". The app obtains the same data as in Figure 2, and Burp Suite intercepts all of the traffic, as shown in Figure 6: the man-in-the-middle attack succeeds.

Figure 6 Burp Suite intercepts the data

1.1.2 Man-in-the-middle possible once a certificate is imported

Modify the program so that the NSURLConnection object's delegate class implements the connection:willSendRequestForAuthenticationChallenge: method, as shown in Figure 7.

Figure 7 Connection verification method

All other settings are exactly as in section 1.1.1. The app detects that the connection is not trustworthy and stops fetching data, as shown in Figure 8; Burp Suite likewise fails to capture any data.

Figure 8 Failed to get data

Now install the Burp Suite certificate on the phone, as shown in Figure 9.

Figure 9 Installing the Burp certificate

Reopen the app and tap "Fetch Secret". The app obtains the data normally and Burp Suite intercepts all of it: the man-in-the-middle attack succeeds.

1.1.3 No man-in-the-middle even with an imported certificate

Modify the program further: bundle a public key certificate in the app, and change the connection:didReceiveAuthenticationChallenge: method so that it obtains the certificate the server presents during the connection and checks it against the bundled one, as shown in Figure 10. At the same time, comment out the connection:willSendRequestForAuthenticationChallenge: method, because, as the figure shows, when that method is implemented connection:didReceiveAuthenticationChallenge: is never invoked.

Figure 10 Connection verification method

All other settings are unchanged, and the Burp Suite certificate is still installed on the phone. Open the app and tap "Fetch Secret": the app cannot obtain the data, as shown in Figure 11, and Burp Suite cannot intercept anything. The man-in-the-middle attack fails.

Figure 11 Certificate error
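The three delegate variants described in sections 1.1.1 to 1.1.3, written out as an added example (this is not the code from the article's figures or from the OWASP demo app). It assumes the server's DER-encoded certificate is bundled in the app as "server.cer"; that file name, and the three class names, are assumptions. The Level 1 class is included only to show the insecure pattern, with a comment saying why it is insecure.

```objective-c
// Added example: NSURLConnection delegates matching the article's three levels.
// Assumes a DER-encoded server certificate bundled as "server.cer" (assumed name).
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Level 1: accepts every server certificate. This is the insecure pattern from
// section 1.1.1: serverTrust is never evaluated, so a proxy certificate that the
// device does not trust is accepted just the same.
@interface TrustAllDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation TrustAllDelegate
- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    // Insecure: no check at all before handing back a credential for the trust object.
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
         forAuthenticationChallenge:challenge];
}
@end

// Level 2: defers to the system, i.e. the certificates the device trusts
// (section 1.1.2). A certificate installed on the device is accepted, an unknown one is not.
@interface DeviceTrustDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation DeviceTrustDelegate
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}
@end

// Level 3: certificate pinning (section 1.1.3). The bundled certificate is the only
// anchor, and the leaf the server presents must be byte-identical to it.
@interface PinnedTrustDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation PinnedTrustDelegate
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;

    // Load the pinned certificate shipped inside the app bundle (assumed file name).
    NSString *pinPath = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *pinnedData = [NSData dataWithContentsOfFile:pinPath];
    SecCertificateRef pinnedCert = pinnedData
        ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)pinnedData) : NULL;

    BOOL accepted = NO;
    if (pinnedCert) {
        // Evaluate the chain against the pinned certificate only, not the device store,
        // so a certificate added to the phone (by a profile or otherwise) does not help.
        SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)@[ (__bridge id)pinnedCert ]);
        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus status = SecTrustEvaluate(serverTrust, &result);
        BOOL chainOK = (status == errSecSuccess) &&
                       (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

        // Also require the presented leaf to be exactly the pinned certificate.
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *leafData = leaf ? CFBridgingRelease(SecCertificateCopyData(leaf)) : nil;
        accepted = chainOK && [leafData isEqualToData:pinnedData];
        CFRelease(pinnedCert);
    }

    if (accepted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        // Anything else (wrong leaf, proxy certificate, missing pin file) ends the connection.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

Because the Level 3 delegate compares the whole leaf certificate byte for byte, every certificate renewal requires shipping a new app build, which is exactly the operational cost the next section discusses.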

1.1.4 Some suggestions

Generally speaking, it is recommended that the app trust the certificates trusted by the phone. Bundling a public key certificate in the app and strictly validating the connection against it is the safest option, but it brings many problems of its own, such as certificate renewal, certificate expiry and certificate revocation.

If the certificate in the client needs to be updated, a new client version has to be released, which is a long process. Suppose, for example, the certificate is stolen by attackers and must be revoked urgently: many users are not in the habit of updating the client promptly, so a large number of users would be left with network errors. For this reason, apps at level 3 are actually quite rare.

0x02 Trusted Certificate Management


While writing an iOS tool related to the previous chapter's step of importing trusted certificates into the phone, I stumbled on an interesting aspect of iOS certificate management. "Settings" -> "General" -> "Profiles" lets you view the list of certificates the device trusts. But is that really the list of certificates the device trusts?

2.1 A bizarre man-in-the-middle attack

Following the suggestion in the previous chapter, set the app's anti-MITM level to level 2, i.e. the app trusts all certificates trusted by the current device. To attack the app with Burp Suite, Burp's certificate would have to be installed on the device, and the device's trusted certificates are shown in Figure 12: there is only one employee certificate, used to connect to the intranet.

Figure 12 Certificate list

In this state Burp Suite should not be able to see the app's traffic. What actually happens? To stop the result being affected by the roughly 10-minute caching of HTTPS trust decisions in iOS, first restart the device or leave it idle for 10 minutes. Then start the app and let it communicate: the app obtains the same data as in Figure 2, and Burp Suite intercepts the same traffic as in Figure 6. What the hell is this...

2.2 TrustStore.sqlite3

In iOS there is an sqlite3 database file whose absolute path is:

"/private/var/Keychains/TrustStore.sqlite3"

This file holds the list of certificates the device actually trusts, and the list viewed under "Settings" -> "General" -> "Profiles" can be out of sync with it. By editing the sqlite3 file by hand, you can make the phone's real set of trusted certificates completely different from what Profiles shows. Xiao Sheng wrote a tool to manage this sqlite3 file and display what it stores, as shown in Figure 13.

Figure 13 Certificate list

Here, the certificate with ID 0 is the employee intranet certificate from Figure 12, and the certificate with ID 1 is the Burp Suite certificate, which does not appear in Profiles. That is what makes the man-in-the-middle attack possible.

Delete the certificate with ID 1 from the sqlite3 file, as shown in Figure 14, restart the device or leave it idle for 10 minutes, and then repeat the experiment of section 2.1.

Figure 14 Deleting the Burp certificate

Open the app and tap "Fetch Secret": the app shows an error, as shown in Figure 15.

Figure 15 Certificate error

If the Burp Suite certificate is instead inserted by hand into TrustStore.sqlite3, as shown in Figure 16, and the device is restarted or left idle for 10 minutes, repeating the experiment of section 2.1 shows the man-in-the-middle attack succeeding. None of the manual edits to TrustStore.sqlite3 in this article changes anything shown in "Profiles", which throughout shows only the single employee certificate.

Figure 16 Inserting a certificate

2.3 Man-in-the-middle attack with no visible certificate (jailbroken environment)

As sections 2.1 and 2.2 show, if an attacker gets at the file "/private/var/Keychains/TrustStore.sqlite3" on a jailbroken iPhone, for instance through a jailbreak plugin or some other underhanded means, and inserts an attacker-controlled certificate (the Burp Suite certificate, say), the attacker can carry out a man-in-the-middle attack at the victim's gateway without anyone knowing, because the victim sees nothing unusual when checking the trusted certificates under "Settings" -> "General" -> "Profiles". In other words, the victim's data can be stolen and tampered with without the certificate ever being displayed.

So on a jailbroken phone, the absence of strange certificates under "Settings" -> "General" -> "Profiles" is no reason to rest easy.

0x03 Summary


Section 0x01 summarised the man-in-the-middle techniques used against iOS apps and the corresponding defences; Xiao Sheng's view is that ordinary apps only need to trust the certificates trusted by the current device. As for the device's own list of trusted certificates, friends with jailbroken phones should check the "/private/var/Keychains/TrustStore.sqlite3" file for entries that are not shown in "Profiles", or where the two lists differ.
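The check recommended here and in section 2.2, as an added example (this is not Xiao Sheng's tool from Figure 13): a small command-line program for a jailbroken device that lists every certificate stored in TrustStore.sqlite3 with its SHA-1 and subject, so the list can be compared by hand with what Profiles displays. The table layout it reads (a tsettings table with sha1, subj, tset and data columns, where data holds the DER certificate) is the layout found on iOS 8-era devices and is an assumption, since the article does not describe the file's schema.

```objective-c
// Added example: enumerate the certificates the device actually trusts by reading
// TrustStore.sqlite3 directly. Assumes the tsettings(sha1, subj, tset, data) layout.
// Build on a Mac with: clang -fobjc-arc -framework Foundation -framework Security -lsqlite3 truststore.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <sqlite3.h>

static NSString *HexString(const void *bytes, int length) {
    NSMutableString *s = [NSMutableString stringWithCapacity:length * 2];
    const unsigned char *p = bytes;
    for (int i = 0; i < length; i++) [s appendFormat:@"%02x", p[i]];
    return s;
}

// Returns one dictionary {sha1, subject} per stored certificate, or nil if the
// database cannot be opened. The file is opened read-only so nothing is modified.
NSArray *ListTrustStoreCertificates(NSString *dbPath) {
    sqlite3 *db = NULL;
    if (sqlite3_open_v2(dbPath.fileSystemRepresentation, &db, SQLITE_OPEN_READONLY, NULL) != SQLITE_OK) {
        NSLog(@"cannot open %@: %s", dbPath, sqlite3_errmsg(db));
        sqlite3_close(db);
        return nil;
    }
    NSMutableArray *rows = [NSMutableArray array];
    sqlite3_stmt *stmt = NULL;
    const char *sql = "SELECT sha1, data FROM tsettings";  // assumed table and column names
    if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
        while (sqlite3_step(stmt) == SQLITE_ROW) {
            NSString *sha1 = HexString(sqlite3_column_blob(stmt, 0), sqlite3_column_bytes(stmt, 0));
            NSData *der = [NSData dataWithBytes:sqlite3_column_blob(stmt, 1)
                                         length:sqlite3_column_bytes(stmt, 1)];
            // Decode the DER blob with the Security framework to get a readable subject.
            NSString *subject = @"<not a parseable certificate>";
            SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
            if (cert) {
                subject = CFBridgingRelease(SecCertificateCopySubjectSummary(cert));
                CFRelease(cert);
            }
            [rows addObject:@{ @"sha1": sha1, @"subject": subject }];
        }
        sqlite3_finalize(stmt);
    } else {
        NSLog(@"query failed: %s", sqlite3_errmsg(db));
    }
    sqlite3_close(db);
    return rows;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Default to the path named in the article; a copy of the file can be passed instead.
        NSString *path = argc > 1 ? @(argv[1]) : @"/private/var/Keychains/TrustStore.sqlite3";
        NSArray *certs = ListTrustStoreCertificates(path);
        NSLog(@"%lu certificate(s) in %@", (unsigned long)certs.count, path);
        for (NSDictionary *c in certs) {
            NSLog(@"sha1=%@ subject=%@", c[@"sha1"], c[@"subject"]);
        }
        // Any entry printed here that Profiles does not show is trusted by the
        // device without being visible in Settings, which is the case from section 2.2.
    }
    return 0;
}
```

Running the program against a copy of the file pulled from the device works just as well as running it on the phone, and avoids touching the live database at all; a certificate appearing in this output but not under Profiles is the discrepancy the article warns about.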