
iOS Cryptography Monitoring

Cryptography is crucial to mobile application security, since many attacks assume a threat actor who has physical access to the device. Cryptography includes encryption/decryption, hashing, message authentication codes (MACs), signatures, and key derivation functions (KDFs).

When testing a mobile app, you need to identify the cryptographic algorithms and protocols that are in use and check them for weak or insecure configurations. This can be accomplished through source code review and dynamic analysis.

Weak Algorithms

The following algorithms are known to be weak or insecure:

  • DES / 3DES
  • RC2
  • RC4
  • Blowfish
  • MD4
  • MD5

Monitor Cryptography With Objection

Launch the mobile app, then run the following command:

objection -g 'App Name' explore

Then, set up the monitoring job:

ios monitor crypto

The output will be similar to this:

objection -g 'App Name' explore

Checking for a newer version of objection...
Using USB device `iPhone`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___|_|___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.11.0

Runtime Mobile Exploration
by: @leonjza from @sensepost

[tab] for command suggestions
com.example.app on (iPhone: 14.8) [usb] #
com.example.app on (iPhone: 14.8) [usb] # ios monitor crypto
(agent) Registering job 956086. Type: ios-crypto-monitor
com.example.app on (iPhone: 14.8) [usb] #

With the monitoring job running, log in to the mobile app and use it as a normal user would. Whenever the app calls a crypto function that is hooked, the job prints the details of that call (algorithm, operation, key material and data) to the terminal.

In some cases, the app may use a third-party cryptography package instead of the default Apple APIs. In these cases, you will need to determine which library is used and research the best way to monitor those methods. If the Objection monitoring job shows no entries at all, look for an alternate library: having no encryption or hashing in a mobile app is very unlikely.
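The following Frida script is an added example, not Objection's own code or any code from this page. It does the two things discussed above by hand: it hooks CommonCrypto's CCCrypt() (the same kind of hook the "ios monitor crypto" job installs), decodes the raw arguments and flags the weak ciphers from the list earlier on this page, and it lists loaded modules that look like a third-party crypto library, which is the first thing to check when the monitor stays silent. The CCAlgorithm, CCOperation and CCOptions values are taken from Apple's CommonCryptor.h; the module name libcommonCrypto.dylib, the third-party name patterns and the suggested frida command line are assumptions for this example. The helper functions are pure, so the classification logic can also be run and tested outside Frida on constructed sample calls.

```javascript
// Added example, not objection's own code: a small Frida script that does
// what "ios monitor crypto" does for CommonCrypto's CCCrypt(), flags the weak
// ciphers listed on this page, and lists loaded modules that look like a
// third-party crypto library. CCAlgorithm/CCOperation/CCOptions values come
// from Apple's CommonCryptor.h; the module name 'libcommonCrypto.dylib' and
// the third-party name patterns are assumptions for this example.
// Usage (assumed): frida -U -n "App Name" -l crypto-monitor.js

const CC_ALGORITHMS = {
  0: 'AES',      // kCCAlgorithmAES128
  1: 'DES',      // kCCAlgorithmDES
  2: '3DES',     // kCCAlgorithm3DES
  3: 'CAST',     // kCCAlgorithmCAST
  4: 'RC4',      // kCCAlgorithmRC4
  5: 'RC2',      // kCCAlgorithmRC2
  6: 'Blowfish', // kCCAlgorithmBlowfish
};
const CC_OPERATIONS = { 0: 'encrypt', 1: 'decrypt' }; // kCCEncrypt, kCCDecrypt
const kCCOptionPKCS7Padding = 0x0001;
const kCCOptionECBMode = 0x0002;

// Ciphers this page lists as weak or insecure. MD4/MD5 are hashes and go
// through CC_MD4()/CC_MD5(), not CCCrypt(), so they are not in this table.
const WEAK_CIPHERS = new Set(['DES', '3DES', 'RC2', 'RC4', 'Blowfish']);

// Turn the raw CCCrypt() arguments into a finding. op/alg/options/keyLength
// are the integers read from the hooked call (args[0], [1], [2] and [4]).
function classifyCCCrypt(op, alg, options, keyLength) {
  const algorithm = CC_ALGORITHMS[alg] || `unknown(${alg})`;
  const operation = CC_OPERATIONS[op] || `unknown(${op})`;
  const mode = (options & kCCOptionECBMode) ? 'ECB' : 'CBC';
  const padding = (options & kCCOptionPKCS7Padding) ? 'PKCS7' : 'none';
  let severity = 'OK';
  if (WEAK_CIPHERS.has(algorithm)) {
    severity = 'WEAK-CIPHER';   // the algorithm itself is on the weak list
  } else if (mode === 'ECB') {
    severity = 'WEAK-MODE';     // ECB leaks repeated plaintext blocks
  }
  return { operation, algorithm, mode, padding, keyBits: keyLength * 8, severity };
}

// One log line per call, in the spirit of objection's monitor output.
function formatFinding(f) {
  return `[${f.severity}] CCCrypt ${f.operation} ${f.algorithm}-${f.mode} ` +
         `key=${f.keyBits} bits padding=${f.padding}`;
}

// Given the names of the modules loaded in the process, return those that
// look like a non-Apple crypto library (the patterns are an assumption).
const THIRD_PARTY_PATTERNS = [/openssl/i, /boringssl/i, /libcrypto/i, /libssl/i,
                              /sodium/i, /tomcrypt/i, /CryptoSwift/i, /mbedtls/i];
function findThirdPartyCrypto(moduleNames) {
  return moduleNames.filter(n => THIRD_PARTY_PATTERNS.some(p => p.test(n)));
}

// Frida-only part: install the CCCrypt hook and report candidate libraries.
function install() {
  const lib = Process.findModuleByName('libcommonCrypto.dylib');
  const target = lib ? lib.findExportByName('CCCrypt') : null;
  if (target === null) {
    console.log('CCCrypt not found; the app may use a third-party library');
  } else {
    Interceptor.attach(target, {
      onEnter(args) {
        console.log(formatFinding(classifyCCCrypt(
          args[0].toInt32(), args[1].toInt32(), args[2].toInt32(), args[4].toInt32())));
      },
    });
  }
  const names = Process.enumerateModules().map(m => m.name);
  findThirdPartyCrypto(names).forEach(n => console.log(`[INFO] crypto library loaded: ${n}`));
}

if (typeof Interceptor !== 'undefined') {
  install();   // running inside Frida
} else {
  // Stand-alone run (plain Node): exercise the helpers on constructed calls.
  console.log(formatFinding(classifyCCCrypt(0, 1, 1, 8)));   // DES encrypt, 64-bit key
  console.log(formatFinding(classifyCCCrypt(1, 0, 3, 32)));  // AES decrypt in ECB mode
  console.log(findThirdPartyCrypto(
    ['UIKit', 'libcommonCrypto.dylib', 'libcrypto.1.1.dylib', 'CryptoSwift']));
}
```

The script only hooks CCCrypt(); the one-shot CC_MD5()/CC_MD4() hash functions and the CCCryptorCreate() family would need hooks of the same shape, and a result that shows no CCCrypt() calls but a match in the module list is the cue to move to that library's own API.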