iGoat v2.0 (https://www.owasp.org/index.php/OWASP_iGoat_Project) is a program that demonstrates common iOS mobile application security weaknesses and their remediation. There are other resources that show the use of this tool. One example, https://www.owasp.org/index.php/Mobile_Top_10_2012-M1, is the OWASP Top 10 entry for Insecure Data Storage (which is the exercise we are going to do). The purpose of this post is to walk through all the steps needed to get iGoat set up "soup to nuts". There is nothing here that is too difficult, but there are a few pitfalls in making this work, so I thought it might be nice to provide some simple steps that take you from having nothing set up to being able to test the iGoat application for Local Data Storage weaknesses (and then be set up to work through the rest of the exercises included in iGoat). OK, here we go!

Install and Setup Software
Run the Local Data Storage Application
View the Insecure Data

Enter any user name and password of your choice into the application and click the login button. Now all we have to do is view the insecure local storage. Finding the virtual file system of the simulated device is not quite as straightforward as we might hope. My virtual device is located here:

/Users/mike/Library/Application Support/iPhone Simulator/6/1/Applications/A02E4E0C-AA84-4408-9006-7B85D25374C6

Yours should be in a similar location (/Users/your_name/etc). From here, /Documents/credentials.sqlite is where the file in question is located. Below I use strings to see that there is an issue (in this example I used the fantastic username/password combo of mike/test):
strings is nice, but in a larger application, this might be difficult to read. Here is a screenshot using SQLite Manager (a super cool Firefox add-on). Just open SQLite Manager and use it to open the credentials.sqlite file.
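The same check, automated, as an added example that is not part of the original post or the iGoat project: a Python script that walks an app container (such as the simulator path quoted above), opens every .sqlite file it finds, and reports text values stored under secret-looking column names. The column-name and digest heuristics and the creds(username, password) schema used in the demo are assumptions, since the real credentials.sqlite schema is not shown here.

```python
import os
import re
import sqlite3
import tempfile

# Heuristics (assumptions, not from iGoat): column names that usually hold a
# secret, and a value shape that suggests a digest rather than plaintext.
SECRET_COLUMN = re.compile(r"pass|pwd|secret|token|credential", re.IGNORECASE)
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,}$", re.IGNORECASE)

def find_plaintext_secrets(db_path):
    """Return (table, column, value) for non-empty, non-digest text in secret-looking columns."""
    findings = []
    conn = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
            columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in filter(SECRET_COLUMN.search, columns):
                for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                    if isinstance(value, str) and value and not HEX_DIGEST.match(value):
                        findings.append((table, col, value))
    finally:
        conn.close()
    return findings

def scan_app_container(container_dir):
    """Check every *.sqlite file under an app container; returns {file path: findings}."""
    results = {}
    for dirpath, _, filenames in os.walk(container_dir):
        for name in filenames:
            if name.endswith(".sqlite"):
                path = os.path.join(dirpath, name)
                hits = find_plaintext_secrets(path)
                if hits:
                    results[path] = hits
    return results

def demo():
    """Constructed stand-in for credentials.sqlite (schema assumed) holding mike/test."""
    with tempfile.TemporaryDirectory() as container:
        db = os.path.join(container, "Documents", "credentials.sqlite")
        os.makedirs(os.path.dirname(db))
        with sqlite3.connect(db) as conn:
            conn.execute("CREATE TABLE creds (username TEXT, password TEXT)")
            conn.execute("INSERT INTO creds VALUES (?, ?)", ("mike", "test"))
        conn.close()
        return [hit for hits in scan_app_container(container).values() for hit in hits]
```

Point scan_app_container at your own simulator application directory to run it against the real iGoat container; a password column that only ever holds digests produces no findings.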
So there you have it. You now have iGoat set up and have worked through an exercise! There are a number of additional exercises you can try in order to better understand mobile application security weaknesses and their remediation.

Bonus: Understand the Code behind the 'Remember Me' Slider

If you take a look at LocalDataStorageExcerciseController.m in Xcode you will see this code:

    if (credentialStorageSwitch.on) {
        [self storeCredentialsForUsername:username withPassword:password];
    }

This does exactly what you think it might: if the application has the 'Remember Me' slider set to ON, then the credentials are written to the SQLite database. If the slider is set to OFF, then the credentials are not written to local storage. Test it out, it works! Additionally, once you are examining the source code of iGoat, you can scroll down in the relevant file to see comments that explain a possible solution approach.
Wrap Up

iGoat is a great tool to help developers understand basic security concerns in iOS applications. The exercise that we used to demonstrate iGoat and make sure that it was set up maps to the OWASP Mobile Top Ten Mobile Risks M1 - Insecure Data Storage. I strongly encourage you to check out the rest of the OWASP Top Ten and also to try out the rest of the exercises in iGoat!
Very informative and useful. We at Endeavour however take a different approach to enterprise security. We have a framework-driven approach, which we call EnSURE (Endeavour, Secure, Unified and Reliable Enterprise), which addresses the security concerns of the mobile user with regard to data residing on the device, data during communication and authentication. More details can be seen at our website.