Message | Description |
---|---|
Automatic Reference Counting Check | Checks whether the application was compiled with Automatic Reference Counting (ARC). ARC is a compile-time memory management scheme: the compiler, rather than the developer, inserts the retain and release calls that maintain each object's reference count, eliminating a class of bugs in the object's memory life cycle (leaks, use-after-free and double release) that can become exploitable. Because the analysis happens at compile time there is no garbage collector or other runtime component to add overhead, so there is little downside to adopting it. ARC was introduced with iOS 5, but because the work is done by the compiler, apps that use it can still deploy to earlier iOS versions. Analysis Type: Static |
Address Space Layout Randomization Check | Checks whether the application binary was linked as a position-independent executable (the -PIE linker flag, recorded as MH_PIE in the Mach-O header). Address space layout randomization (ASLR), introduced in iOS 4.3, randomizes where an app's code and data are placed in memory each time it is loaded. Without PIE the main executable loads at a fixed address, leaving an attacker with stable addresses to reuse in a memory corruption exploit; with PIE, guessed addresses are far more likely to crash the application than to execute malicious code, and dumping the application's allocated memory becomes harder. Analysis Category: Code |
AFNetworking Detected | Checks whether the application bundles a version of the AFNetworking library whose networking code contains known vulnerabilities. Analysis Type: Dynamic |
App Transport Security | Introduced in iOS 9, App Transport Security (ATS) enforces secure connections between an app and its backend servers. It is on by default for apps linked against the iOS 9.0 SDK or later. With ATS enabled, connections made through the system URL-loading APIs must use HTTPS with TLS 1.2 or later, forward-secrecy cipher suites and SHA-256 certificate signatures; any attempt to connect over plaintext HTTP fails. There are two ways to configure it: (1) leave ATS globally enabled (the default when linking against the iOS 9.0 SDK or later) and, where a specific server cannot comply, relax the requirements for that host alone with an exception under the NSExceptionDomains key; (2) disable ATS globally by setting NSAllowsArbitraryLoads to YES, optionally using exceptions to re-enable the requirements for specific hosts. Option (2) removes the protection for every connection the app makes and should be treated as a finding unless every exception is justified. Analysis Category: Network |
Application Behaviors | The forensic data lists the potential behaviors observed while interacting with the application, with a brief description of each behavior, its potential use, and the architecture (Mach-O slice) in which it was detected. Analysis Type: Static |
ASL | Debug logs exist to help detect and correct application flaws, but they can also expose data. Apple System Logger (ASL) messages observed during dynamic analysis are presented as forensic data. These messages are written to the device's system log (for example /var/log/system.log) and can leak sensitive information that lets an attacker mount a more powerful attack. Analysis Type: Dynamic |
Background Modes | Most iOS apps neither have nor need background processes. Background modes must be declared, however, when an app plays audio, needs location updates and so on. The forensic data lists the background modes detected. Review every enabled background mode and disable any that is not required. Analysis Type: Static |
Cert | Any certificates used by the application are displayed as forensic data, including the key type, key size in bits, serial number, URL and common name of each certificate. Analysis Type: Dynamic |
Change Cipher Spec Check | Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the TLS/SSL handshake. When both endpoints run affected versions, a man-in-the-middle attacker can force the session to use weak keying material and then decrypt or modify the traffic. This is also referred to as the "CCS Injection" vulnerability; for additional details, refer to CVE-2014-0224. Analysis Category: Code |
Crypto Methods | CommonCrypto API calls are hooked during dynamic analysis. Detected methods are listed in the forensic data, with additional contextual data where applicable. Analysis Type: Dynamic |
Entitlements | Entitlements confer specific capabilities or security permissions on an iOS application. The forensic data shows each entitlement along with its associated value. Analysis Type: Static |
Frameworks | Detected frameworks: self-contained, reusable bundles of code and resources that can be imported into any number of apps and shared across iOS, tvOS, watchOS and macOS. They play the role that packages play in other ecosystems (e.g. node modules). Analysis Type: Dynamic |
GeoIP | Network communications are monitored while the application runs to geolocate the endpoints to which the application sends its data. Analysis Type: Dynamic |
Heartbleed Check | Checks whether the application is affected by Heartbleed (CVE-2014-0160). Heartbleed is a serious flaw in OpenSSL 1.0.1 through 1.0.1f with heartbeat support enabled: the "tls1_process_heartbeat" function does not validate the payload length claimed in a heartbeat request against the record actually received, so a peer can read beyond the buffer and retrieve up to 64 KB of process memory per request, potentially including credentials or private keys. Analysis Category: Code |
iOS Keychain | Highlights any activity in which the app calls the iOS Keychain, indicating when keychain items were created, deleted or queried. Analysis Type: Dynamic |
IPA Crypto Data Flows | CommonCrypto calls are analyzed to determine whether any sensitive data is protected with symmetric encryption, hash-based message authentication codes (HMAC) or message digests. Analysis Type: Dynamic |
IPA Dynamic Log | Analysis Type: Dynamic |
IPA Metadata | Informational details about the compiled binary observed during analysis, such as the supported app versions, flags set in the binary, bundle information, identified behaviors and important libraries. Many of these items are also analyzed separately in their own checks and results. Analysis Type: Static |
IPA Network Data Flows | CFURLConnection requests are analyzed to determine whether any sensitive data is transmitted over the network. Analysis Type: Dynamic |
IPA Sensitive Data Cert Validation | Related to the hostname verification issue, this check searches for sensitive data that could be intercepted on the network because of improper certificate validation and/or hostname verification. Sensitive data includes usernames, passwords, GPS coordinates, Wi-Fi MAC address, International Mobile Equipment Identity (IMEI), device serial number and phone number. Analysis Type: Dynamic |
IPA Sensitive Data HTTP AdID | Traffic is analyzed to determine whether the advertising identifier (AdID) is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP (Custom Values) | Traffic is analyzed to determine whether custom terms supplied by the tester are transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Device Information | Traffic is analyzed to determine whether device information is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Email | Traffic is analyzed to determine whether any email addresses are transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP First Name | Traffic is analyzed to determine whether the user's first name is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP GPS Latitude | Traffic is analyzed to determine whether the user's GPS latitude is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP GPS Longitude | Traffic is analyzed to determine whether the user's GPS longitude is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Idfv | Traffic is analyzed to determine whether the Identifier for Vendors (IDFV) is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Last Name | Traffic is analyzed to determine whether the user's last name is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Local WiFi MAC | Traffic is analyzed to determine whether the device's own Wi-Fi MAC address is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Password | Traffic is analyzed to determine whether the user's password is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Phone Number | Traffic is analyzed to determine whether the user's phone number is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Surrounding WiFi MAC | Traffic is analyzed to determine whether the MAC addresses of nearby Wi-Fi access points are transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Username | Traffic is analyzed to determine whether the username is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data HTTP ZIP Code | Traffic is analyzed to determine whether the user's ZIP code is transmitted in plaintext over the network. Analysis Type: Dynamic |
IPA Sensitive Data Keychain (Custom Values) | iOS Keychain entries are monitored and searched for custom terms supplied by the tester. Analysis Type: Dynamic |
IPA Sensitive Data Keychain Other | iOS Keychain entries are searched for values related to the instrumented test device (e.g. device ID, GPS coordinates). Analysis Type: Dynamic |
IPA Sensitive Data Keychain Password | iOS Keychain entries are monitored and searched for instances of the test account's password. Analysis Type: Dynamic |
IPA Sensitive Data Keychain Username | iOS Keychain entries are monitored and searched for instances of the test account's username. Analysis Type: Dynamic |
IPA Zip File in Transit Check | Determines whether ZIP files are exchanged by the application over plaintext HTTP. An archive fetched without transport protection can be replaced in transit, and if the receiving side extracts entries without validating their paths (names containing "../", absolute paths or symbolic links), a crafted archive can write files to arbitrary locations, which can lead to remote code execution. Analysis Type: Dynamic |
IPA Zip File in Transit Check Https | Determines whether ZIP files are exchanged by the application over HTTPS. Transport encryption prevents substitution in transit, but the same arbitrary-file-write risk applies if the archive's source is compromised or entry paths are not validated before extraction. Analysis Type: Dynamic |
Jailbreak Detection | Files and actions relating to jailbreak detection methods that were observed during dynamic analysis are listed in the forensic data. Analysis Type: Dynamic |
Leaked ASL Data AdID | ASL messages are analyzed for exposure of the advertising identifier (AdID). Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data (Custom Values) | ASL messages are analyzed for sensitive user or application data matching custom terms supplied by the tester. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Email | ASL messages are analyzed for exposure of the user's email address. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data First Name | ASL messages are analyzed for exposure of the user's first name. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data GPS Latitude | ASL messages are analyzed for exposure of the GPS latitude. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data GPS Longitude | ASL messages are analyzed for exposure of the GPS longitude. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Idfv | ASL messages are analyzed for exposure of the Identifier for Vendors (IDFV). Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Last Name | ASL messages are analyzed for exposure of the user's last name. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Local WiFi MAC | ASL messages are analyzed for exposure of the device's own Wi-Fi MAC address. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Name | ASL messages are analyzed for exposure of the user's name. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Password | ASL messages are analyzed for exposure of the user's password. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Phone Number | ASL messages are analyzed for exposure of the user's phone number. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Surrounding WiFi MAC | ASL messages are analyzed for exposure of the MAC addresses of nearby Wi-Fi access points. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Username | ASL messages are analyzed for exposure of the username. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data ZIP Code | ASL messages are analyzed for exposure of the user's ZIP code. Debug logs, which exist to detect and correct flaws in an application, can leak sensitive information that helps an attacker craft a more powerful attack. Analysis Type: Dynamic |
Network | An NSURLConnection object lets the developer load the contents of a URL by providing a URL request object. The forensic data highlights each of these connections with contextual details, including the type of NSURLConnection, the HTTP method, URL, body and status code. Analysis Type: Dynamic |
SQLite | Any interaction with SQLite databases is monitored while the application runs to determine how the application handles its data. Analysis Type: Dynamic |
Stack Smashing Protection Check | Checks whether the application was compiled with stack protection (the -fstack-protector family of compiler flags), which blocks exploitation of some stack buffer overflows. With stack smashing protection, a known value, or "canary", is placed on the stack between the local variables and the saved frame pointer, saved return address and function arguments. The canary is verified before the function returns; if it has been overwritten, the process aborts instead of returning through a corrupted address. The compiler applies protection selectively using a heuristic, typically to functions that declare character arrays, so not every function is protected. Analysis Category: Code |
Uses HTTP | Network requests are evaluated for unencrypted (HTTP) connections. Any detected endpoints are listed in the forensic data. Analysis Type: Static |
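The three compile-flag checks in the table (Automatic Reference Counting, Address Space Layout Randomization and Stack Smashing Protection) can be reproduced offline from the binary itself. The following Python is an added example written for this page, not the analysis product's own code: it reads the MH_PIE flag from each Mach-O header (handling universal binaries with several architecture slices) and looks for the imported symbols the other two checks depend on. The sample binaries are constructed inside the script from a header and a fake string table, so no device or real IPA is needed; the constants come from Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>`.

```python
import struct

# Mach-O constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit header, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit header, native / byte-swapped
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA        # universal ("fat") wrapper
MH_PIE = 0x200000                                    # main executable may load at a random address
MH_DYLDLINK, MH_TWOLEVEL = 0x4, 0x80                 # ordinary flags on any dyld-linked executable
CPU_TYPE_ARM64 = 0x0100000C

# Imported symbols whose presence is the evidence the two compile-flag checks look for.
STACK_CANARY_SYMBOLS = (b"___stack_chk_fail", b"___stack_chk_guard")
ARC_SYMBOLS = (b"_objc_release", b"_objc_storeStrong", b"_objc_retainAutoreleasedReturnValue")


def mach_o_slices(data):
    """Yield each Mach-O slice in the file; a thin binary is a single slice."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic in (FAT_MAGIC, FAT_CIGAM):
        (nfat_arch,) = struct.unpack_from(">I", data, 4)
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (always big-endian)
            _, _, offset, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            yield data[offset:offset + size]
    else:
        yield data


def check_slice(blob):
    """Return the three hardening verdicts for one Mach-O slice."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError("not a Mach-O slice")
    # mach_header and mach_header_64 share the first seven uint32 fields; flags is the seventh.
    flags = struct.unpack_from(endian + "7I", blob, 0)[6]
    return {
        "pie": bool(flags & MH_PIE),
        # Byte search stands in for `otool -I -v <binary> | grep ...`; a full implementation
        # would walk LC_SYMTAB and read the undefined symbols from the string table.
        "stack_canary": any(sym in blob for sym in STACK_CANARY_SYMBOLS),
        "arc": any(sym in blob for sym in ARC_SYMBOLS),
    }


def check_binary(data):
    """Run check_slice over every architecture slice of a thin or fat Mach-O file."""
    return [check_slice(s) for s in mach_o_slices(data)]


# --- constructed sample binaries: a header plus a fake string table, not real executables ---
def build_slice(flags, symbols):
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, flags, 0)
    return header + b"\x00" * 16 + b"\x00".join(symbols) + b"\x00"


def build_fat(slices):
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    arch_table, body, offset = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        arch_table += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return header + arch_table + body


HARDENED_SLICE = build_slice(MH_DYLDLINK | MH_TWOLEVEL | MH_PIE,
                             STACK_CANARY_SYMBOLS + ARC_SYMBOLS + (b"_printf",))
WEAK_SLICE = build_slice(MH_DYLDLINK | MH_TWOLEVEL, (b"_printf", b"_objc_msgSend"))
SAMPLE_FAT_BINARY = build_fat([HARDENED_SLICE, WEAK_SLICE])

if __name__ == "__main__":
    for arch, verdict in enumerate(check_binary(SAMPLE_FAT_BINARY)):
        print(f"slice {arch}: " + ", ".join(f"{k}={'yes' if v else 'NO'}" for k, v in verdict.items()))
```

Two caveats when reading the verdicts: the canary symbols are also absent when no function met the compiler's heuristic for protection, and a Swift binary manages its own objects through swift_retain/swift_release rather than the Objective-C runtime, so a missing `_objc_release` in such a binary is not a finding on its own.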
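The two ATS configurations described in the App Transport Security row live in the app's Info.plist under the NSAppTransportSecurity dictionary. As an added example (not code from the original page or the product), the Python below parses three constructed Info.plist fragments with the standard library and reports every setting that weakens ATS: the globally disabled case (option 2) next to a per-host exception (option 1) that lowers the minimum TLS version and drops forward secrecy for a placeholder legacy host. The bundle identifier and hostnames are placeholders; the plist keys are Apple's.

```python
import plistlib

WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def ats_findings(info_plist):
    """Report every setting under NSAppTransportSecurity that weakens ATS, as readable strings."""
    ats = info_plist.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads=YES disables ATS for every connection")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("global: NSAllowsArbitraryLoadsInWebContent=YES disables ATS inside web views")
    for host, exc in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = host + (" (and subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: plaintext HTTP permitted")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(f"{scope}: minimum TLS version lowered to {tls}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy not required")
    return findings


def audit_info_plist(plist_bytes):
    """Parse an Info.plist (XML or binary) and return its ATS findings; [] means the defaults apply."""
    return ats_findings(plistlib.loads(plist_bytes))


# Constructed Info.plist fragments (placeholder bundle identifier and hosts).
DEFAULT_ATS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
</dict>
</plist>
"""

# Option (2) from the table: ATS switched off for every connection.
DISABLED_ATS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Option (1) from the table: ATS stays on, one legacy host gets a scoped exception.
SCOPED_EXCEPTION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.1</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, plist in (("default", DEFAULT_ATS_PLIST), ("disabled", DISABLED_ATS_PLIST),
                         ("scoped", SCOPED_EXCEPTION_PLIST)):
        print(label, audit_info_plist(plist) or ["no ATS weakening found"])
```

The scoped exception is the form a reviewer can accept case by case; a global NSAllowsArbitraryLoads should be challenged, since it also silences the per-host checks for every server the app talks to.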
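The "IPA Sensitive Data HTTP …" rows and the "Leaked ASL Data …" rows apply one idea: seed the test account and device with known values, then search the captured plaintext traffic and the app's log lines for those values in the forms they usually take on the wire. This added example (written for this page, not the product's own code) does that over a constructed HTTP capture and constructed syslog-style ASL lines; the seed values, hostnames, process name and log format are placeholders.

```python
import base64
import hashlib
import re
import urllib.parse

# Values seeded into the instrumented test account and device before exercising the app.
# All constructed for this example; the names match the checks they feed.
SEEDS = {
    "Username": "qa_tester_01",
    "Password": "Sup3r-Secret!",
    "Email": "qa.tester@example.com",
    "Idfv": "2B3C4D5E-6F70-4A81-92A3-B4C5D6E7F809",
    "GPS Latitude": "37.3349",
    "GPS Longitude": "-122.0090",
    "Local WiFi MAC": "02:00:00:aa:bb:cc",
}


def encodings(value):
    """Forms a value commonly takes in a request or log line: raw, URL-encoded, base64 and hashed."""
    raw = value.encode()
    yield "plain", value
    yield "url-encoded", urllib.parse.quote(value, safe="")
    yield "base64", base64.b64encode(raw).decode()
    yield "md5", hashlib.md5(raw).hexdigest()
    yield "sha256", hashlib.sha256(raw).hexdigest()


def find_seeds(text, seeds=SEEDS):
    """Return (seed name, encoding) for each seed present in text; the first matching encoding wins."""
    hits = []
    for name, value in seeds.items():
        for enc, needle in encodings(value):
            if needle in text:
                hits.append((name, enc))
                break
    return hits


def scan_http(requests):
    """Emit one 'IPA Sensitive Data HTTP <name>' finding per seed found in a plaintext request."""
    findings = []
    for req in requests:
        if urllib.parse.urlsplit(req["url"]).scheme.lower() != "http":
            continue  # HTTPS traffic belongs to the data-flow checks, not the plaintext ones
        headers = "\n".join(f"{k}: {v}" for k, v in req.get("headers", {}).items())
        payload = "\n".join((req["url"], headers, req.get("body", "")))
        for name, enc in find_seeds(payload):
            findings.append(f"IPA Sensitive Data HTTP {name}: {enc} in {req['method']} {req['url']}")
    return findings


# syslog-style ASL line: "Mar 12 10:02:11 iPhone DemoBank[412] <Notice>: message"
ASL_LINE = re.compile(r"^\S+ +\d+ \S+ \S+ (?P<proc>[^\[]+)\[\d+\] <(?P<level>\w+)>: (?P<msg>.*)$")


def scan_asl(lines, process="DemoBank"):
    """Emit one 'Leaked ASL Data <name>' finding per seed found in the app's own log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ASL_LINE.match(line)
        if not m or m.group("proc") != process:
            continue  # other processes on a shared device are noise for this check
        for name, enc in find_seeds(m.group("msg")):
            findings.append(f"Leaked ASL Data {name}: {enc} in line {lineno}")
    return findings


# Constructed capture: a login over plaintext HTTP, an analytics beacon, and one HTTPS request.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://api.example.com/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=qa_tester_01&pass=Sup3r-Secret%21&lat=37.3349&lon=-122.0090"},
    {"method": "GET",
     "url": "http://cdn.example.com/track?id=" + base64.b64encode(SEEDS["Idfv"].encode()).decode(),
     "headers": {}, "body": ""},
    {"method": "POST", "url": "https://api.example.com/v1/profile",
     "headers": {"Authorization": "Bearer 0123"}, "body": '{"email": "qa.tester@example.com"}'},
]

# Constructed ASL lines; the third comes from another process and is ignored.
SAMPLE_ASL = [
    "Mar 12 10:02:11 iPhone DemoBank[412] <Notice>: login ok user=qa_tester_01 "
    "pw_sha256=" + hashlib.sha256(SEEDS["Password"].encode()).hexdigest(),
    "Mar 12 10:02:12 iPhone DemoBank[412] <Debug>: location update 37.3349,-122.0090",
    "Mar 12 10:02:13 iPhone locationd[64] <Notice>: client DemoBank registered 37.3349",
]

if __name__ == "__main__":
    for finding in scan_http(SAMPLE_REQUESTS) + scan_asl(SAMPLE_ASL):
        print(finding)
```

Only requests whose scheme is http count as plaintext findings, mirroring the split between the HTTP rows and the IPA Network Data Flows row; the HTTPS request still carries the email address and would appear there. `find_seeds` applies unchanged to dumped Keychain item values for the "IPA Sensitive Data Keychain …" rows. Exact matching keeps false positives low; add further encodings (JSON-escaped, hex, sha1) as the app under test requires.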
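For the two "IPA Zip File in Transit" rows, the question an analyst asks about an archive pulled from the capture is whether extracting it could write outside the destination directory. This added Python example (not from the original page or the product) inspects a constructed archive for the three entry types that make that possible: relative paths containing `..`, absolute paths, and symbolic-link entries. The destination path is a placeholder for an app-container cache directory. Python's own `ZipFile.extractall` strips such names itself, which is why the example inspects entries instead of extracting them; not every extraction library used in apps does the same.

```python
import io
import posixpath
import stat
import zipfile

# Placeholder for the directory an app would extract into (an app-container cache path).
DEFAULT_DEST = "/var/mobile/Containers/Data/Application/APPID/Library/Caches/update"


def unsafe_entries(zip_bytes, dest=DEFAULT_DEST):
    """Return names of entries that would land outside dest, or plant a symlink, if extracted naively."""
    dest = posixpath.normpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the name the way a naive extractor would: join, then collapse "..".
            target = posixpath.normpath(posixpath.join(dest, name))
            escapes = posixpath.isabs(name) or not (target == dest or target.startswith(dest + "/"))
            # The Unix mode sits in the high 16 bits of external_attr; a symlink written first
            # redirects later writes to wherever it points.
            is_symlink = stat.S_ISLNK(info.external_attr >> 16)
            if escapes or is_symlink:
                flagged.append(name)
    return flagged


def build_sample_zip(include_malicious=True):
    """Constructed archive: two benign assets plus, optionally, the three dangerous entry types."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/banner.png", b"\x89PNG constructed placeholder")
        zf.writestr("assets/strings.json", b'{"greeting": "hello"}')
        if include_malicious:
            zf.writestr("../../Preferences/evil.plist", b"<plist/>")   # relative traversal
            zf.writestr("/etc/hosts", b"127.0.0.1 api.example.com")     # absolute path
            link = zipfile.ZipInfo("assets/cache")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16          # symlink entry
            zf.writestr(link, b"../../../Documents")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for name in unsafe_entries(SAMPLE_ZIP):
        print("unsafe entry:", name)
```

Run against the archives observed in the capture, the output tells the reviewer whether the HTTP finding is a transport issue alone or whether the archive contents would already be dangerous from a trusted server, which is the distinction between the HTTP and HTTPS rows.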
Mobile Application Analysis: iOS
Publication Date – May 27, 2021