Platform

ios

MASVS v1 MSTG-CODE-9

MASVS v2 MASVS-CODE-4

Make Sure That Free Security Features Are Activated

Overview

Static Analysis

You can use otool to check the binary security features described above. All the features are enabled in these examples.

• PIE:

  $ unzip DamnVulnerableiOSApp.ipa
  $ cd Payload/DamnVulnerableIOSApp.app
  $ otool -hv DamnVulnerableIOSApp
  DamnVulnerableIOSApp (architecture armv7):
  Mach header
  magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
  MH_MAGIC ARM V7 0x00 EXECUTE 38 4292 NOUNDEFS DYLDLINK TWOLEVEL
  WEAK_DEFINES BINDS_TO_WEAK PIE
  DamnVulnerableIOSApp (architecture arm64):
  Mach header
  magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
  MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 38 4856 NOUNDEFS DYLDLINK TWOLEVEL
  WEAK_DEFINES BINDS_TO_WEAK PIE
  

  The output shows that the Mach-O flag for PIE is set. This check is applicable to all - Objective-C, Swift and hybrid apps but only to the main executable.

• Stack canary:

  $ otool -Iv DamnVulnerableIOSApp | grep stack
  0x0046040c 83177 ___stack_chk_fail
  0x0046100c 83521 _sigaltstack
  0x004fc010 83178 ___stack_chk_guard
  0x004fe5c8 83177 ___stack_chk_fail
  0x004fe8c8 83521 _sigaltstack
  0x00000001004b3fd8 83077 ___stack_chk_fail
  0x00000001004b4890 83414 _sigaltstack
  0x0000000100590cf0 83078 ___stack_chk_guard
  0x00000001005937f8 83077 ___stack_chk_fail
  0x0000000100593dc8 83414 _sigaltstack
  

  In the above output, the presence of __stack_chk_fail indicates that stack canaries are being used. This check is applicable to pure Objective-C and hybrid apps, but not necessarily to pure Swift apps (i.e. it is OK if it's shown as disabled because Swift is memory safe by design).

• ARC:

  $ otool -Iv DamnVulnerableIOSApp | grep release
  0x0045b7dc 83156 ___cxa_guard_release
  0x0045fd5c 83414 _objc_autorelease
  0x0045fd6c 83415 _objc_autoreleasePoolPop
  0x0045fd7c 83416 _objc_autoreleasePoolPush
  0x0045fd8c 83417 _objc_autoreleaseReturnValue
  0x0045ff0c 83441 _objc_release
  [SNIP]
  

  This check is applicable to all cases, including pure Swift apps where it's automatically enabled.

Dynamic Analysis

These checks can be performed dynamically using objection. Here's one example:

```bash com.yourcompany.PPClient on (iPhone: 13.2.3) [usb] # ios info binary Name Type Encrypted PIE ARC Canary Stack Exec RootSafe

Resources

Internal

• objection
• otool