Q&A: Adventures in iOS App Security ResearchPosted by Amy Schurr
What motivates people to participate in bug bounty programs to uncover security exploits and vulnerabilities in apps? Is it the sense of accomplishment, the feeling of community or the draw of recognition and prizes? For Dawn Isabel, it’s all of the above.
Isabel, a mobile security research engineer with NowSecure, has been an avid contributor to bug bounties over the years. She won Best Bug awards in 2019 from HackerOne and BugCrowd hackathons, has been chosen for Show and Tell at live events and landed in the hall of fame with companies such as Etsy. Oh, and she once bagged a $19,000 reward for a single bug.
Bringing well-rounded experience from IOActive, Hewlett Packard Enterprise, the University of Michigan and Ford Motor Company, Isabel joined our expert research team in late 2019. To shine a spotlight on some of her amazing work, we recently spoke about testing the security of iOS and Apple Watch apps, the bug bounty community, and the tools she uses most.
Q: Why did you join NowSecure?
A: I started out as a web developer and got into pen testing from there. I’ve bounced back and forth between 100% pen testing and roles where I was building infrastructure or tools. I’ve always enjoyed getting back to my development roots. Knowing about the company’s involvement in open source with Frida and Radare and that it has super smart, amazing developers and researchers was very appealing.
Q: What do you do as a mobile security research engineer?
A: Most of my time is spent improving and adding to our iOS dynamic analysis automation. There are a couple of aspects to that. One is creating tests that automate certain checks on an iOS device, and then there’s the more macro level automation of making sure that interactions between the device and our scripts run smoothly and efficiently. I spend a lot of time examining code, debugging and looking at logs. It’s a lot of fun and there’s never a dull moment.
Q: What are the challenges of manually testing iOS apps?
A: True manual testing gets very tedious. There are a lot of tools out there for doing small pieces of work, but every tool is a little different. You have to remember a million different command lines, flags and switches. And every time there’s a new version of iOS, things change enough to break everything. It can get repetitive and a lot less fun than you would think pen testing would be. Automation is crucial because you can automate the boring things away and focus on the fun stuff, the creative exploitation.
Q: Why might you need both jailed and unjailed testing of iOS?
A: Everyone’s go-to tends to be jailbroken devices because you have the most visibility and the least restrictions. But for every new version of iOS, we have to wait for a jailbreak and retool everything around it.
With jailed testing, you can support new versions of iOS as soon as they’re out. If you’re bleeding edge and you want the newest OS, jailed testing is the way to go. But you have a more limited vantage point to what’s going on inside the mobile app and don’t have visibility into information leaking outside the app that jailed testing gives you. There are arguments for being able to test your application both ways so that you can see the difference between the two.
Q: What are some of the drawbacks of testing iOS apps on emulators versus real devices?
A: With Android, you can create emulators and specify any device configuration, OS version and SDKs and deploy it on your desktop. The difference with iOS is that the official simulator traditionally runs on your laptop. It has different architecture and chipset and the applications are not compatible.
Simulators are great for development purposes and for learning about iOS security. But I’m reluctant to rely on a simulator for everyday testing and prefer having a physical device. I’d worry that app exploits tested on the simulator might not consistently and reliably transfer to a physical device. That may change as Apple unifies products to share the same architecture.
Q: How do you automate iOS app testing?
A: I prefer implementing my own versions of tools using Frida versus trying to glue a lot of disparate tools together. We use Frida extensively in our automation. While there’s a learning curve and it can be intimidating, once you get the hang of it and see how powerful it is, it’s hard to use anything else.
Using NowSecure Platform, you get hooked on the idea of being able to click a button and get all these things done for you automatically. I often start in the NowSecure Platform when I want a baseline view into an app. It’s extremely powerful and handles the grunt work.
Q: Why is it difficult to test Apple Watch apps?
A: Apple’s watchOS is very similar to iOS if you look at the internals of it; it’s a pared-down version. The big difference is the architecture; watchOS runs on a mix of 32-bit and 64-bit versions of the instruction set that modern iPhones and iPads use. The problem is watchOS apps from the App Store can only be decrypted on the Apple Watch itself, which complicates analysis. The other challenge is that Apple Watch devices have to be paired to phones, which introduces complexities in automating testing.
Q: What do you like about researching wearables?
A: Wearables are really fun and I was interested before I even got an Apple Watch. There was this thing called Ringly which was a pretty cocktail ring that you could program to buzz when you received a text message or phone call and your phone was out of the room. Since then, we’ve seen incredible uptick of smart watches, fitness trackers and health gadgets.
Once I began using an Apple Watch, I started to think about all the sensitive and private data on my phone and Watch and crafted a few jailbreaks. The end goal, ultimately, would be to put some automation around that to test Watch apps. We’re going to see more interesting targets on Watches versus iPhones and wearables are going to continue to be an interesting area of research.
Dawn Isabel shares her discoveries about watchOS jailbreaking with Nexient employees in early 2020. [Photo by David Luxford.]
Q: What tools do you use most frequently?
A: Definitely Frida. I also was introduced to Radare after taking the NowSecure Frida and Radare training at Black Hat 2019. Now it’s my go-to when I’m analyzing an application for the first time and looking for specific indicators of interesting vulnerabilities or paths to explore.
Q: How can a beginner get into mobile application security research?
A: Come at it with your own strengths in mind. If you already have a background in web security testing or API security testing, start by figuring out how to capture network traffic and then work backwards from there. What generates those requests? What’s the implication of changing some of them? If you modify a request, what else does it affect? And if you have a background in forensics, think about where data lands, if it’s cached, and where and how sensitive data is stored. If you already have a traditional background in reversing or static analysis, then start by looking at the application binary and deconstructing it and figuring out how all of the pieces work together.
While you can use a simulator or emulator, I recommend getting your hands on an inexpensive device. You can buy something on eBay for $50 that has a cracked screen which doesn’t matter as long it functions. Just make sure it’s cheap because there’s at least a 50% chance that you’ll break it at some point. Interacting with the device and muddling through how things work and how to break them is probably the best experience.
Q: What do you like best about participating in bug bounties?
A: One of my favorite things is the community. There’s so many people who want to teach, share information and collaborate. When you’re stuck, there are six people who will come over and help because that’s what they love to do. You can learn and absorb so much by being at in-person bug bounty events and talking with people. The other thing I enjoy is the collaborative learning that takes place. It’s a phenomenal experience.
Q: How have things changed now that events have gone virtual?
A: It’s definitely more of a challenge. With everyone at home, it’s hard to free yourself of distractions and get in the mode where you can focus and participate. I’m looking forward to when we can have in-person live events again and get together and see everyone.
Q: What have been some of your most interesting discoveries?
A: I wish I could tell you — I’m under so many NDAs that I’ve lost track. At a high level, the things that are most memorable and interesting to me are those cases where a lot of smaller bugs came together to form this giant, impactful bug. It takes some effort to connect the dots and by stringing them together, there’s a prize or pot of gold at the end of the rainbow.
Q: Speaking of prizes, what’s the largest bounty that you’ve collected?
A: The biggest single award that I’ve received was $19,000 for one bug. That was fun!
Q: Who outside of NowSecure do you collaborate most with?
A: A lot of the collaboration is with the bug bounty team that I’m on, which is called The Syndicate. We’ve done a few HackerOne events as a group and have different areas of expertise. I have done a few HackerOne panels, community day volunteer forums and the like with them that I’ve really enjoyed. I’ve also done some work with the Women’s Society of Cyberjutsu. It’s nice to give back and pull people up behind you whenever you can.
Q: How does NowSecure apply your learnings?
A: I keep an eye out for things that we can incorporate and automate. There have been a couple of things I found that I’ve folded back into instrumentation and created tests and checks around those specific items. The bug bounties end up being a testbed or playground for new ideas.
Q: As a parent of two girls, how do you approach digital privacy and security at home?
A: Only my teenager has her own device, which we held out on until about eighth grade. Otherwise, they share devices and those are locked down so we have to approve app purchases. We’ve disabled the web browser on tablets and the browser on my teen’s phone is restricted. If they need to look at something on the web, we have computers they can use that are in common areas of our homes. That’s worked pretty well for us.
Both of my kids have understood from a fairly young age that apps can collect data about you even if you’re not explicitly providing it. We have frequent conversations around digital privacy and security concepts, and now their friends even come to me for advice! Fortunately, we’re at a point where I can extend them a certain amount of trust. I don’t advocate monitoring everything they do because we live in an age where there’s already a lot of surveillance, and I don’t want to normalize that.
To hear from other expert NowSecure researchers including Sergi (Pancake) Àlvarez, Grant Douglas and Austin Emmitt, join the r2con 2020 virtual conference from Sept. 2 – 6 to experiment, hack, teach, discuss all things radare2 and code from the comfort of your own home. NowSecure CTO David Weinstein leads the globally distributed team of researchers and shares his take on mobile appsec in the Modern CTO podcast.