Mobile app security
mobile APP security, a talk by 碳基体 (dani)
Who am I
Product security engineer, APP security
Web apps, browser games, mobile games (iOS & Android)
Topics
1. Main threats to mobile APPs
2. Mobile APP security management process
Main threats to mobile APPs: iOS
1. IPA cracking
2. IAP unlocking (in-app purchase)
3. Save-file modification
4. Memory modification
5. Packet modification
6. Jailbreak-detection bypass
7. Patching the Mach-O executable
IPA cracking: method 1
Method 1: defeat the DRM (digital rights management) by stripping the digital signature and removing the IPA's binding to the purchaser's Apple account, so that a program without a valid signature can run on the device. (Both of the conditions below require a jailbroken device.)
IPA cracking: method 1
Condition one: the device is jailbroken and rooted, and the device's signature check has been removed so that programs without a valid signature can run. Representative tool: AppSync for iOS 5.0+
How the tool works: it uses MobileSubstrate to hook the MISValidateSignatureAndCopyInfo function in libmis.dylib and bypass signature validation.
IPA cracking: method 1
Condition two: a decrypted Mach-O executable. Representative tools: Clutch, Crackulous
How the tools work: they dump the decrypted segment from memory. The App Store binary is FairPlay-encrypted on disk and is only decrypted by the loader once the app runs, so the tool launches the app, reads the decrypted range back out of the process, and writes it over the encrypted range in a copy of the file.
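An added example, not code from the talk: a small Python parser for the LC_ENCRYPTION_INFO load command, which is the on-disk marker that Clutch-style dumps flip. cryptid is 1 while the range [cryptoff, cryptoff+cryptsize) is still FairPlay-encrypted and 0 once the decrypted bytes have been written back, so this is the programmatic form of `otool -l Binary | grep -A4 LC_ENCRYPTION_INFO` that an analyst runs to confirm a dump succeeded. The images produced by build_sample and build_fat_sample are constructed here and are not real app binaries.

```python
"""Check whether a Mach-O executable is still FairPlay-encrypted.

Added example, not code from the talk. Walks the load commands of a thin
(or fat) little-endian Mach-O and reports the LC_ENCRYPTION_INFO(_64)
fields: cryptid == 1 means the image is still encrypted; 0 means it has
been decrypted (e.g. dumped by Clutch) or was never encrypted.
"""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # little-endian thin images
FAT_MAGIC = 0xCAFEBABE                              # big-endian fat header
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
MH_EXECUTE, CPU_TYPE_ARM64 = 0x2, 0x0100000C


def parse_thin(data: bytes) -> dict:
    """Return encryption info for one thin Mach-O image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image: magic=%#x" % magic)
    is64 = magic == MH_MAGIC_64
    header_size = 32 if is64 else 28                # mach_header_64 has an extra 'reserved' field
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    info = {"is64": is64, "encrypted": None}        # None: no LC_ENCRYPTION_INFO at all
    off, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        encrypted=cryptid != 0)
        off += cmdsize
    return info


def parse(data: bytes) -> list:
    """Handle fat binaries by parsing every architecture slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            entry = parse_thin(data[offset:offset + size])
            entry["cputype"] = cputype
            slices.append(entry)
        return slices
    return [parse_thin(data)]


def build_sample(cryptid: int) -> bytes:
    """Constructed minimal arm64 image: header + one LC_ENCRYPTION_INFO_64 (not a real app)."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1, len(cmd), 0, 0)
    return header + cmd


def build_fat_sample(cryptid: int) -> bytes:
    """Constructed fat wrapper holding one slice, to exercise the fat path."""
    thin = build_sample(cryptid)
    header = struct.pack(">II", FAT_MAGIC, 1)
    # the single slice begins right after the 8-byte fat header + one 20-byte fat_arch
    arch = struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 28, len(thin), 14)
    return header + arch + thin


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    for entry in parse(blob):
        print(entry)
```

Run it against the executable inside Payload/App.app/ of an IPA: an App Store copy reports cryptid 1, a successful Clutch dump reports cryptid 0 with the same cryptoff and cryptsize, and a binary that was never encrypted (development build, enterprise build) has the command with cryptid 0 or no command at all.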
IPA cracking: method 2
Method 2: representative tools: PP助手 (PP Assistant), 快用助手 (Kuaiyong Assistant)
How the tools work: they sync the purchase information of a legitimately bought copy onto the device so that the app passes the signature check. This path does not need a jailbreak.
IAP unlocking
What is IAP: paid game levels and game items, either built into the app or delivered by a server
IAP 解锁 -方法 1
方法 1:使用免费内购工具代表工具: IAP cracker, IAP Free, LocalIAPStore
工具原理:伪造交易状态,伪造收据
![Page 13: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/13.jpg)
13
IAP 解锁 -方法 1:IAPCracker
原理:在客户端将 transactionState 修改为 SKPaymentTransactionStatePurchased来欺骗应用程序下发购买内容
![Page 14: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/14.jpg)
14
IAP 解锁 -方法 1: IAP Free
![Page 15: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/15.jpg)
15
IAP 解锁 -方法 1: IAP Free
![Page 16: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/16.jpg)
16
IAP 解锁 -方法 1:LocalIAPStore
![Page 17: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/17.jpg)
17
IAP 解锁 -方法 2:MITM
原理:证书伪造, DNS 欺骗,模拟app store server 进行 Receipt 验证
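Methods 1 and 2 exploit the same weakness: the app lets the phone decide whether a purchase is real (method 1 forges the StoreKit transaction state or receipt on the device, method 2 forges the App Store server the device talks to). The countermeasure is to have the app ship the receipt to your own game server, which asks Apple's verifyReceipt endpoint over its own TLS connection and only then grants the item. The following is an added example, not code from the talk: the response fields it reads (status, receipt.bundle_id, receipt.in_app[].product_id and transaction_id, the 21007 sandbox status) are Apple's documented JSON for this endpoint, the sample responses GENUINE and FORGED are constructed, and ask_apple performs the real network call and is not exercised offline.

```python
"""Server-side In-App Purchase receipt verification (added example).

The game client sends the base64 receipt it got from StoreKit; the server
asks Apple and decides. A forged client-side transactionState, a fake
receipt, or a spoofed App Store server on the phone's network never
reaches this code path, because the trust decision is made here.
"""
import json
import urllib.request
from typing import Set, Tuple

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007   # sandbox receipt sent to the production endpoint


def ask_apple(receipt_b64: str, url: str = PRODUCTION_URL) -> dict:
    """POST the receipt to Apple from the server; TLS terminates here, not on the phone."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)
    if result.get("status") == STATUS_SANDBOX_RECEIPT and url == PRODUCTION_URL:
        return ask_apple(receipt_b64, SANDBOX_URL)     # Apple's documented fallback
    return result


def validate(result: dict, expected_bundle_id: str, product_id: str,
             redeemed: Set[str]) -> Tuple[bool, str]:
    """Decide whether Apple's answer `result` entitles the caller to `product_id`.

    `redeemed` is the server's persistent set of transaction_ids already
    granted, so a genuine receipt replayed from another account is refused.
    """
    if result.get("status") != STATUS_OK:
        return False, "apple rejected receipt: status=%s" % result.get("status")
    receipt = result.get("receipt") or {}
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "receipt is for another app: %s" % receipt.get("bundle_id")
    for item in receipt.get("in_app", []):
        if item.get("product_id") != product_id:
            continue
        tx = item.get("transaction_id")
        if not tx:
            return False, "purchase has no transaction_id"
        if tx in redeemed:
            return False, "transaction %s already redeemed (replay)" % tx
        redeemed.add(tx)
        return True, "granted %s for transaction %s" % (product_id, tx)
    return False, "receipt does not contain %s" % product_id


# Constructed sample responses; the shape follows Apple's verifyReceipt JSON.
GENUINE = {
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.game",
        "in_app": [{"product_id": "com.example.game.gems100",
                    "transaction_id": "1000000123456789",
                    "purchase_date_ms": "1400000000000"}],
    },
}
FORGED = {"status": 21003}     # Apple's answer for a receipt it cannot authenticate


def demo() -> list:
    redeemed: Set[str] = set()
    return [
        validate(GENUINE, "com.example.game", "com.example.game.gems100", redeemed)[0],  # True
        validate(GENUINE, "com.example.game", "com.example.game.gems100", redeemed)[0],  # False: replay
        validate(FORGED, "com.example.game", "com.example.game.gems100", redeemed)[0],   # False: forged
        validate(GENUINE, "com.example.other", "com.example.game.gems100", set())[0],    # False: wrong app
    ]


if __name__ == "__main__":
    print(demo())
```

The client's SKPaymentTransactionStatePurchased callback should only trigger the upload of the receipt; content is granted when this server function returns True. A receipt that LocalIAPStore or an impersonated App Store server produced never gets status 0 from Apple, and the redeemed set stops one genuine purchase being shared around.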
![Page 18: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/18.jpg)
18
IAP 解锁 -方法 2:MITM
![Page 19: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/19.jpg)
19
IAP 解锁 -方法 2:MITM
![Page 20: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/20.jpg)
20
IAP 解锁 -方法 2:MITM
![Page 21: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/21.jpg)
21
IAP 解锁 -方法 3: 存档替换
原理:通过文档替换或覆盖来解锁,我们知道应用购买前后安装包中的Documents 和 Library 目录发生的变化,就是解锁的内容。因此可以通过对比这两个目录的区别来完成 IAP内购破解
![Page 22: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/22.jpg)
22
IAP 解锁 -方法 3: 存档替换
返回
![Page 23: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/23.jpg)
23
存档修改
![Page 24: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/24.jpg)
24
存档修改- plist
![Page 25: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/25.jpg)
25
存档修改- sqlite3
![Page 26: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/26.jpg)
26
存档修改- json
![Page 27: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/27.jpg)
27
存档修改- base64
![Page 28: Mobile app security](https://reader031.vdocuments.site/reader031/viewer/2022020110/55756ca9d8b42a2e248b4dd3/html5/thumbnails/28.jpg)
28
存档修改-十六进制
返回
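A save file the app can read and write is one the user can read and write too, whichever of the formats above it uses, and method 3 of IAP unlocking copies a post-purchase save over a pre-purchase one. An added example, not code from the talk, of the usual mitigation for both: seal the save with an HMAC under a per-install key (on iOS generated once and kept in the Keychain; here a constructed constant), so an edited save or a save copied from another device fails verification. It uses plist as the container because that is the first format on the list. This raises the bar only: a patched binary (see the Mach-O patching threat) can skip the check, and server-held state remains the real fix.

```python
"""Tamper-evident save files (added example, not from the talk).

Outer plist: {"payload": <data>, "mac": <data>}. The payload is the real
save (itself a binary plist); the mac is HMAC-SHA256 over the payload
under a per-install key. Editing the payload, or dropping in a payload
sealed on another device, fails verification.
"""
import hashlib
import hmac
import plistlib
from typing import Optional

# Constructed key for the example. On a real device: os.urandom(32) at first
# launch, stored in the Keychain, never written into Documents or Library.
INSTALL_KEY = bytes(range(32))


def seal_save(state: dict, key: bytes) -> bytes:
    payload = plistlib.dumps(state, fmt=plistlib.FMT_BINARY)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return plistlib.dumps({"payload": payload, "mac": tag}, fmt=plistlib.FMT_BINARY)


def open_save(blob: bytes, key: bytes) -> Optional[dict]:
    """Return the save state, or None if the MAC does not verify."""
    try:
        outer = plistlib.loads(blob)
        payload, tag = outer["payload"], outer["mac"]
    except (plistlib.InvalidFileException, KeyError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):       # constant-time compare
        return None
    return plistlib.loads(payload)


def edit_like_a_cheater(blob: bytes, field: str, value) -> bytes:
    """What a plist editor on a jailbroken device does: change the inner value,
    re-serialize the payload, keep the old mac (the editor has no key)."""
    outer = plistlib.loads(blob)
    state = plistlib.loads(outer["payload"])
    state[field] = value
    outer["payload"] = plistlib.dumps(state, fmt=plistlib.FMT_BINARY)
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)


def demo() -> dict:
    other_device_key = bytes(32)   # a different install, hence a different key
    genuine = seal_save({"gold": 100, "unlocked_levels": [1, 2]}, INSTALL_KEY)
    cheated = edit_like_a_cheater(genuine, "gold", 999999)
    copied = seal_save({"gold": 100, "unlocked_levels": list(range(1, 51))}, other_device_key)
    return {
        "genuine": open_save(genuine, INSTALL_KEY),     # the original state
        "cheated": open_save(cheated, INSTALL_KEY),     # None: payload edited
        "copied": open_save(copied, INSTALL_KEY),       # None: sealed under another key
    }


if __name__ == "__main__":
    print(demo())
```

The same wrapping works for a json or sqlite3 save (MAC the whole file, or a row's serialized contents) and makes the base64 and hex-editing cases moot, since any byte change invalidates the tag. When open_save returns None the app should fall back to server-side state rather than silently accept the file.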
Memory modification
Packet modification
Jailbreak-detection bypass
Jailbreak detection method 1: check whether common jailbreak files exist
33
越狱检测绕过
越狱检测方法 2:检查 /etc/fstab 的大小该文件描述系统在启动时挂载文件系统和存储设备的详细信息,为了使得 /root 文件系统有读写权限,一般会修改该文件。虽然 app 不允许查看该文件的内容,但可以使用 stat 函数获得该文件的大小。在 iOS 5 上,未越狱的该文件大小未 80 字节,越狱的一般只有 65 字节
在安装了 xCon 的越狱设备上运行, result 的大小为 803705776 ;卸载 xCon 后在越狱设备上运行, result 的大小为 66
Jailbreak-detection bypass
Jailbreak detection method 3: check whether a specific path is a symbolic link
The iOS disk is normally split into two partitions: a small read-only system partition and a larger user partition. All pre-installed apps (the App Store, for example) live in /Applications on the system partition. On a jailbroken device, so that third-party software can be installed into that folder without consuming system-partition space, /Applications is replaced by a symbolic link into /var/stash/. The app can therefore call lstat on /Applications and check whether it is a directory or a symbolic link; a symbolic link means the device is jailbroken.
Jailbreak-detection bypass
Jailbreak detection method 4: check the dylibs (dynamic libraries) present in the process
Jailbreak-detection bypass
How the bypass works: hook the common jailbreak-detection methods:
fileExistsAtPath:
fileExistsAtPath:isDirectory:
filePermission:
fileSystemIsValid:
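The four detection methods and the hook-based bypass, as an added example that is not code from the talk. The checks are written in Python against a root prefix so they run against a constructed fake filesystem on any machine, but each maps one-to-one onto the iOS call named above: file existence (method 1), stat on /etc/fstab (method 2), lstat on /Applications (method 3) and the list of loaded images (method 4, which on iOS would come from _dyld_image_count and _dyld_get_image_name). The bypass swaps out os.path.exists, which is what a MobileSubstrate hook on fileExistsAtPath: does; note that it blinds only method 1, and the other checks keep working until they are hooked too, which is why tweaks like xCon hook the whole list. The jailbreak paths are commonly checked ones and are an assumption, not a list from the talk; the 80-byte fstab size is the iOS 5 figure from the slide.

```python
"""Jailbreak-detection checks and the hook-based bypass (added example).

All checks take a `root` prefix so the same code runs on a constructed
fake filesystem; on the device root would be "/".
"""
import os
import stat
import tempfile
from typing import Callable, Dict, Sequence

# Commonly checked jailbreak artefacts (assumed list, not from the talk).
JAILBREAK_FILES = (
    "Applications/Cydia.app",
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "bin/bash",
    "usr/sbin/sshd",
    "etc/apt",
)
FSTAB_STOCK_SIZE = 80   # iOS 5 stock /etc/fstab size (slide); jailbroken is typically 65


def check_files(root: str) -> bool:                       # method 1
    return any(os.path.exists(os.path.join(root, p)) for p in JAILBREAK_FILES)


def check_fstab_size(root: str) -> bool:                  # method 2
    try:
        return os.stat(os.path.join(root, "etc/fstab")).st_size != FSTAB_STOCK_SIZE
    except OSError:
        return False


def check_applications_symlink(root: str) -> bool:        # method 3
    try:
        return stat.S_ISLNK(os.lstat(os.path.join(root, "Applications")).st_mode)
    except OSError:
        return False


def check_loaded_dylibs(loaded: Sequence[str]) -> bool:   # method 4
    return any("MobileSubstrate" in path for path in loaded)


def jailbreak_report(root: str, loaded: Sequence[str] = ()) -> Dict[str, bool]:
    return {
        "files": check_files(root),
        "fstab": check_fstab_size(root),
        "symlink": check_applications_symlink(root),
        "dylib": check_loaded_dylibs(loaded),
    }


def run_with_hooked_exists(fn: Callable[[], Dict[str, bool]]) -> Dict[str, bool]:
    """Emulate the bypass: like a MobileSubstrate hook on
    -[NSFileManager fileExistsAtPath:], answer 'no' for any known jailbreak path."""
    real_exists = os.path.exists

    def fake_exists(path):
        return False if any(path.endswith(p) for p in JAILBREAK_FILES) else real_exists(path)

    os.path.exists = fake_exists
    try:
        return fn()
    finally:
        os.path.exists = real_exists


def make_fake_root(jailbroken: bool) -> str:
    """Constructed filesystem layout for the example."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "fstab"), "wb") as f:
        f.write(b"x" * (65 if jailbroken else FSTAB_STOCK_SIZE))
    if jailbroken:
        stash = os.path.join(root, "var", "stash", "Applications.abc123")
        os.makedirs(os.path.join(stash, "Cydia.app"))
        os.symlink(stash, os.path.join(root, "Applications"))   # /Applications -> /var/stash/...
    else:
        os.makedirs(os.path.join(root, "Applications", "AppStore.app"))
    return root


if __name__ == "__main__":
    jb = make_fake_root(True)
    print("jailbroken:", jailbreak_report(jb, ["/Library/MobileSubstrate/MobileSubstrate.dylib"]))
    print("with hook:", run_with_hooked_exists(lambda: jailbreak_report(jb)))
    print("stock:", jailbreak_report(make_fake_root(False)))
```

Two practical consequences follow from the hooked run: a detector should combine several independent checks rather than rely on fileExistsAtPath:, and since every check runs in the same process as the hook, the result is at best a signal to report to the server, never a decision the client should be trusted to enforce.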
Patching the Mach-O executable
• Starting from the cracked (decrypted by an IPA cracker) Mach-O executable, dynamic debugging and static disassembly recover the program's overall structure; the relevant functions (the store item-purchase function, the quest-reward function and so on) are then modified (what is usually called API hooking or malicious code injection) to unlock in-app purchases. Cheats of this type are usually shipped as game plugins and are generally built on the MobileSubstrate framework.
Patching the Mach-O executable
Tools
• otool
• class-dump
• cycript
• gdb
• IDA Pro
• theos
• MobileSubstrate
Main threats to mobile APPs: Android
1. APK repacking
2. Save-file modification
3. Memory modification
4. Packet modification
5. Other
APK repacking
Tools:
smali/baksmali
dex2jar/JD-GUI
apktool
otertool
APKTool_GUI
AndBug
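An added example, not from the talk, of why a repacked APK cannot keep the original developer's signature. Under the JAR (v1) scheme every file in the archive has a digest line in META-INF/MANIFEST.MF, which is in turn signed through CERT.SF and CERT.RSA; rebuilding classes.dex with apktool or smali/baksmali leaves those digests stale, so the attacker has to regenerate the manifest and re-sign with a key of their own, and an app that compares the certificate it is running under with the one it was built with catches the swap. The checker below verifies only the MANIFEST.MF digest layer (no CERT.RSA, no v2/v3 signing block), which is enough to show the mismatch; the archive it checks is constructed in build_apk and is not a real app.

```python
"""Report APK entries whose contents no longer match META-INF/MANIFEST.MF
(added example, not from the talk). Covers the JAR (v1) digest layer only."""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

DIGEST_ATTRS = {"SHA-256-Digest": hashlib.sha256, "SHA1-Digest": hashlib.sha1}


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Map entry name -> attributes for the per-file sections of MANIFEST.MF.
    Sections are blank-line separated; a line starting with one space
    continues the previous line (manifests wrap at 72 bytes)."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in lines + [""]:
        if line == "":
            if "Name" in current:          # the first (main) section has no Name
                entries[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return entries


def verify_v1_digests(apk: bytes) -> List[Tuple[str, str]]:
    """Return (entry, problem) pairs; an empty list means every file matches its digest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        entries = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in z.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                    # signature files and directories are not digested
            attrs = entries.get(name)
            if attrs is None:
                problems.append((name, "not covered by MANIFEST.MF"))
                continue
            data = z.read(name)
            for attr, algo in DIGEST_ATTRS.items():
                if attr in attrs:
                    if algo(data).digest() != base64.b64decode(attrs[attr]):
                        problems.append((name, attr + " mismatch"))
                    break
            else:
                problems.append((name, "no digest attribute"))
    return problems


def build_apk(files: Dict[str, bytes]) -> bytes:
    """Constructed minimal archive: the given files plus a MANIFEST.MF covering them."""
    manifest = "Manifest-Version: 1.0\nCreated-By: example\n\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        manifest += "Name: %s\nSHA1-Digest: %s\n\n" % (name, digest)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def repack(apk: bytes, name: str, new_data: bytes) -> bytes:
    """Mimic a naive repack: swap one entry, leave META-INF as it was."""
    src = zipfile.ZipFile(io.BytesIO(apk))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            dst.writestr(item.filename, new_data if item.filename == name else src.read(item.filename))
    return buf.getvalue()


SAMPLE = build_apk({"classes.dex": b"dex\n035\x00original code",
                    "AndroidManifest.xml": b"<manifest/>"})

if __name__ == "__main__":
    print(verify_v1_digests(SAMPLE))
    print(verify_v1_digests(repack(SAMPLE, "classes.dex", b"dex\n035\x00patched code")))
```

Pointed at a real APK (pass the file's bytes to verify_v1_digests), an unmodified store build reports nothing and an apktool rebuild that was not re-signed reports every changed entry. Once the attacker does re-sign, the digests are consistent again, and the only remaining tell is the signer certificate, which is why runtime self-checks compare the package's signing certificate hash against a value compiled into the app.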
Save-file modification
Tools: RE file manager (Root Explorer), X-plore file manager
• /data/data
• /sdcard/Android/data/
Memory modification
• Tools: 八门神器 (GameKiller) / 游戏金手指 (GameCIH) / GameGuardian (root required)
Packet modification
Other
1. Permission security
2. Component security
Mobile APP security management process