美文网首页iOS Developer程序员
针对某移动办公App的网络安全分析

针对某移动办公App的网络安全分析

作者: tomatobin | 来源:发表于2018-05-01 22:38 被阅读398次

    0 前言

    逆向的目标之一是评定App安全等级,找到存在的安全隐患,并以有效手段进行反破解。之前实现任意位置打卡的几种方法,都是修改实际的GPS位置信息,并没有从网络、代码层面进行深入的分析。乘着假期,将网络请求的流程梳理出来,看看能否从网络层,获取相关的请求、参数及加密方法。

    1 网络流程分析

    Charels抓包,网络请求走的都是HTTPS,没有可参考的价值。

    回归代码,结合头文件,网络请求用的AFNetworking。既然如此,直接Hook住AFHTTPSessionManager类中最常用的POST请求方法 - POST:parameters:progress:success:failure:,将url、参数打印出来:

    //Hook的class
    CHDeclareClass(AFHTTPSessionManager);
    
    // - (id)POST:(id)arg1 parameters:(id)arg2 progress:(id)arg3 success:(id)arg4 failure:(id)arg5
    CHMethod(5, void, AFHTTPSessionManager, POST, id, arg1, parameters, id, arg2, progress, id, arg3, success, id, arg4, failure, id, arg5)
    {
        NSLog(@"%s::%@\n %@", __func__, arg1, arg2);
        return CHSuper(5, AFHTTPSessionManager, POST, arg1, parameters,arg2, progress, arg3, success, arg4, failure, arg5);
    }
    
    __attribute__((constructor)) static void entry()
    {
        CHLoadLateClass(AFHTTPSessionManager);
        CHClassHook(5, AFHTTPSessionManager, POST, parameters, progress, success, failure);
    }
    
    

    1.1 登录请求分析

    接下来,打开App进行登录,看看发送了哪些内容。打印信息如下:

    https://app.xxxxtech.com/GetAndroidDataService.svc/LoginVerify
    {
        jsonData = 0e10de0e07c7f127d43b326cb30ceac2566b2dfabd8facbd431e7e31708ffaf8bb310fd0abd77570e10fa3a61c36aac11261b59889c0aa606b64cbde9f43d6814503211a0e0a2a55552646c393e8e9fa72ab0703685cf19308f9a16522d58e405874fa9956a40a99313b01cdb6d3eab702019d3a2eedd819b0a2fab032a8fff52258133eb42b828a80fd4d15df199f4ab83cd4a2df67a5fac0906694ede697abde35c29587de9ca894036f785f0c2d94164a363cb6e92c4a0072d21e1f8b9b0843b1c2af7c90d3c89117318ef8e1c86fa32f99ec9182d57b5191a8e10ad0d80e6ee8de8cb0a3398be971e5e261d77b93858ed103b91af91570a832a95f42ac658737739cd60f46920d21b1154158a0ecae8f8cb7dbcb2ac6c3894e51a290c033715f11bb9e3ce18cb48429f4e5ba69be4e7d17861b355d96ce64d8ac472fafcf04ed891f29a98fa276086fc4d57d10ca;
    }
    

    得到请求url 【https://app.xxxxtech.com/GetAndroidDataService.svc/LoginVerify

    参数是字典格式NSDictionary<NSString *, NSString *>的数据,key值为 jsonData,value值是一串很长的字符串,显然是加密过的。单从value的字符串形式来看,是由十六进制格式的字符组成的。可能是某种加密方式与MD5的结合,但如果进行了MD5,服务端是无法解析数据的;App和服务采用对称加密的方法最常用,AES/DES等,这里有可能先进行了对称加密,再将每个字符进行转换。如果能找到原始的请求参数、加密方法,整个网络请求层应该都可以破解掉了。

    1.2 请求回溯

    要找到原始的参数,就需要找到哪个类调用了POST方法。然后往前一步一步回溯,将每个步骤串起来,就可以倒推网络请求的流程。

    借助Hopper,搜索字符串POST:parameters:progress:success:failure:,发现ServiceUtil中的几个方法使用了:

    queryService:
    queryListService:
    updateArrayService:
    updateService:
    
    
    POST.png

    登录一般只是检验密码,hook住queryService,打印请求参数类型,确实有相应的输出:

    UserInfoModel
    

    进一步分析,queryService并没有被其他类直接调用,而是通过在RegisteredServicesMonitor函数内,注册xxxx_MOBILE_ServiceQuery的通知方法被动调用的。

    void -[ServiceUtil RegisteredServicesMonitor](void * self, void * _cmd) {
       ...
        r0 = [NSNotificationCenter defaultCenter];
        r0 = [r0 retain];
        stack[2032] = r0;
        _objc_msgSend(r0, *r0, self, @selector(queryService:), @"xxxx_MOBILE_ServiceQuery", 0x0);
        [stack[2032] release];
       ...
        return;
    }
    

    搜索通知xxxx_MOBILE_ServiceQuery,再根据[LoginViewController login]伪代码,将整个代码调用顺序串起来,最终发现参数通过DESUtil类进行加密:

    Login.png

    2 加密分析

    整个请求的流程清晰了,回过头来看UserInfoModel是如何转化为成十六进制字符串的。

    queryService的参数是在ServiceUtil类的函数dictionaryFormQueryData被转化了,具体过程分为两步:

    • 模型转字典

    先用UserInfoModel对象的convertToUpdateDictionary 方法(其中敏感信息FItemNumber、FPassword作了隐藏处理),将对象转化成字典结构

    {
        FAppVersion = "v4.0.2.Basics (51)";
        FItemNumber = *****;
        FMobileType = IOS;
        FModuleId = 2990;
        FOSVersion = "10.3.2";
        FPassword = "*****";
        FVerSion = 51;
    }
    
    • 字典转查询条件、并加密
      ObjectForDesAndReturnData函数内,将前面步骤的字典转化成加密的字符串,并组成新的字典,作为请求的参数
    {
        jsonData = 0e10de0e07c7f127d43b326cb30ceac25...
        }
    

    2.1 DES加密

    进入最终的加密函数 [DESUtil doCipher:key:context:],查看伪代码:

    void * +[DESUtil doCipher:key:context:](void * self, void * _cmd, void * arg2, void * arg3, unsigned int ret_addr) {
        r7 = (sp - 0x14) + 0xc;
        sp = sp - 0x1a4;
        var_20 = *___stack_chk_guard;
        objc_storeStrong(r7 - 0x2c, arg2);
        objc_storeStrong(r7 - 0x30, arg3);
        var_34 = ret_addr;
        var_3C = 0x0;
        if (var_34 == 0x1) {
                ...
        }
        else {
                r0 = [0x0 dataUsingEncoding:0x4, r0];
                r7 = r7;
                r0 = [r0 retain];
                var_C8 = r0;
                r1 = var_3C;
                var_3C = [r0 mutableCopy];
                [r1 release];
                [var_C8 release];
        }
        r0 = [0x0 dataUsingEncoding:0x4, r0];
        r7 = r7;
        r0 = [r0 retain];
        var_60 = [r0 mutableCopy];
        [r0 release];
        [var_60 setLength:0x8, r0];
        var_68 = [0x0 length] + 0x8 & 0xfffffff8;
        var_64 = malloc(var_68);
        __memset_chk();
        var_F0 = [objc_retainAutorelease(var_60) bytes];
        var_F8 = [var_60 length];
        *(r7 - 0x100) = [objc_retainAutorelease(var_60) bytes];
        objc_retainAutorelease(var_3C);
        *((r7 - 0x100) + 0xfffffffffffffffc) = _objc_msgSend;
        *((r7 - 0x100) + 0xfffffffffffffff8) = (*((r7 - 0x100) + 0xfffffffffffffffc))();
        *((r7 - 0x100) + 0xfffffffffffffff4) = _objc_msgSend;
        r2 = *((r7 - 0x100) + 0xfffffffffffffff4);
        *((r7 - 0x100) + 0xfffffffffffffff0) = (r2)(var_3C, @selector(length), r2, var_3C);
        *(var_34 + 0xffffffffffffffec) = 0x1;
        r12 = *(var_34 + 0xffffffffffffffec);
        *(var_34 + 0xffffffffffffffe8) = r7 - 0x6c;
        *(var_34 + 0xffffffffffffffe4) = var_64;
        var_70 = 0x0;
        *((r7 - 0x100) + 0xffffffffffffffe0) = CCCrypt(var_34, 0x1, r12, var_F0, var_F8, *(r7 - 0x100), *((r7 - 0x100) + 0xfffffffffffffff8), *((r7 - 0x100) + 0xfffffffffffffff0), *((r7 - 0x100) + 0xffffffffffffffe4), var_68, *((r7 - 0x100) + 0xffffffffffffffe8));
        if (var_34 == 0x1) {
               ...
        }
        else {
                *((r7 - 0x100) + 0xffffffffffffffc8) = _objc_msgSend;
                r0 = (*((r7 - 0x100) + 0xffffffffffffffc8))(@class(NSData), @selector(dataWithBytes:length:), var_64, 0x0);
                r7 = r7;
                var_74 = [r0 retain];
                free(var_64);
                *((r7 - 0x100) + 0xffffffffffffffc4) = _objc_msgSend;
                r2 = *((r7 - 0x100) + 0xffffffffffffffc4);
                (r2)(@class(NSMutableString), @selector(alloc), r2);
                *((r7 - 0x100) + 0xffffffffffffffc0) = @"";
                r3 = *((r7 - 0x100) + 0xffffffffffffffc0);
                *((r7 - 0x100) + 0xffffffffffffffbc) = _objc_msgSend;
                var_78 = (*((r7 - 0x100) + 0xffffffffffffffbc))();
                objc_retainAutorelease(var_74);
                *((r7 - 0x100) + 0xffffffffffffffb8) = _objc_msgSend;
                var_7C = (*((r7 - 0x100) + 0xffffffffffffffb8))();
                var_80 = 0x0;
                do {
                        *((r7 - 0x100) + 0xffffffffffffffb4) = _objc_msgSend;
                        r3 = *((r7 - 0x100) + 0xffffffffffffffb4);
                        *((r7 - 0x100) + 0xffffffffffffffb0) = var_80;
                        if (*((r7 - 0x100) + 0xffffffffffffffb0) >= (r3)(var_74, @selector(length), var_80, r3)) {
                            break;
                        }
                        s0 = *@"%x";
                        *((r7 - 0x100) + 0xffffffffffffffac) = @"%x";
                        *((r7 - 0x100) + 0xffffffffffffffa8) = _objc_msgSend;
                        r0 = (*((r7 - 0x100) + 0xffffffffffffffa8))(@class(NSString), @selector(stringWithFormat:), *((r7 - 0x100) + 0xffffffffffffffac), s0 & 0xff);
                        r7 = r7;
                        var_84 = [r0 retain];
                        *((r7 - 0x100) + 0xffffffffffffffa4) = _objc_msgSend;
                        r2 = *((r7 - 0x100) + 0xffffffffffffffa4);
                        if ((r2)(var_84, @selector(length), r2) == 0x1) {
                                r2 = *(("/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics" | 0x2c0000) + 0x4bd9c);
                                *((r7 - 0x100) + 0xffffffffffffffa0) = @"0%@";
                                *((r7 - 0x100) + 0xffffffffffffff9c) = _objc_msgSend;
                                r1 = r2;
                                r2 = *((r7 - 0x100) + 0xffffffffffffffa0);
                                r12 = *((r7 - 0x100) + 0xffffffffffffff9c);
                                *((r7 - 0x100) + 0xffffffffffffff98) = var_78;
                                r0 = (r12)(@class(NSString), r1, r2, var_84);
                                r0 = [r0 retain];
                                r3 = *((r7 - 0x100) + 0xffffffffffffff98);
                                *((r7 - 0x100) + 0xffffffffffffff94) = r0;
                                r0 = r3;
                                *((r7 - 0x100) + 0xffffffffffffff90) = _objc_msgSend;
                                r2 = *((r7 - 0x100) + 0xffffffffffffff94);
                                r3 = *((r7 - 0x100) + 0xffffffffffffff90);
                                r0 = (r3)(r0, @selector(stringByAppendingString:), r2, r3);
                                r7 = r7;
                                r0 = [r0 retain];
                                *((r7 - 0x100) + 0xffffffffffffff8c) = r0;
                                *((r7 - 0x100) + 0xffffffffffffff88) = _objc_msgSend;
                                r2 = *((r7 - 0x100) + 0xffffffffffffff88);
                                r1 = var_78;
                                var_78 = (r2)(r0, @selector(mutableCopy), r2, r0);
                                [r1 release];
                                r0 = *((r7 - 0x100) + 0xffffffffffffff8c);
                                [r0 release];
                                r0 = *((r7 - 0x100) + 0xffffffffffffff94);
                                [r0 release];
                        }
                        else {
                                *((r7 - 0x100) + 0xffffffffffffff84) = @"%@";
                                *((r7 - 0x100) + 0xffffffffffffff80) = _objc_msgSend;
                                r2 = *((r7 - 0x100) + 0xffffffffffffff84);
                                r12 = *((r7 - 0x100) + 0xffffffffffffff80);
                                *((r7 - 0x100) + 0xffffffffffffff7c) = var_78;
                                r0 = (r12)(@class(NSString), @selector(stringWithFormat:), r2, var_84);
                                r0 = [r0 retain];
                                r3 = *((r7 - 0x100) + 0xffffffffffffff7c);
                                *((r7 - 0x100) + 0xffffffffffffff78) = r0;
                                r0 = r3;
                                *((r7 - 0x100) + 0xffffffffffffff74) = _objc_msgSend;
                                r2 = *((r7 - 0x100) + 0xffffffffffffff78);
                                r3 = *((r7 - 0x100) + 0xffffffffffffff74);
                                r0 = (r3)(r0, @selector(stringByAppendingString:), r2, r3);
                                r7 = r7;
                                r0 = [r0 retain];
                                *((r7 - 0x100) + 0xffffffffffffff70) = r0;
                                *((r7 - 0x100) + 0xffffffffffffff6c) = _objc_msgSend;
                                r2 = *((r7 - 0x100) + 0xffffffffffffff6c);
                                r1 = var_78;
                                var_78 = (r2)(r0, @selector(mutableCopy), r2, r0);
                                [r1 release];
                                r0 = *((r7 - 0x100) + 0xffffffffffffff70);
                                [r0 release];
                                r0 = *((r7 - 0x100) + 0xffffffffffffff78);
                                [r0 release];
                        }
                        objc_storeStrong(r7 - 0x84, 0x0);
                        var_80 = var_80 + 0x1;
                } while (true);
                objc_storeStrong(r7 - 0x70, var_78);
                objc_storeStrong(r7 - 0x78, 0x0);
                objc_storeStrong(r7 - 0x74, 0x0);
        }
        *((r7 - 0x100) + 0xffffffffffffff68) = [var_70 retain];
        objc_storeStrong(r7 - 0x70, 0x0);
        objc_storeStrong(r7 - 0x60, 0x0);
        objc_storeStrong(r7 - 0x3c, 0x0);
        objc_storeStrong(r7 - 0x30, 0x0);
        objc_storeStrong(r7 - 0x2c, 0x0);
        r0 = *((r7 - 0x100) + 0xffffffffffffff68);
        r0 = [r0 autorelease];
        r1 = *___stack_chk_guard;
        *((r7 - 0x100) + 0xffffffffffffff64) = r0;
        if (r1 == var_20) {
                r0 = *((r7 - 0x100) + 0xffffffffffffff64);
        }
        else {
                r0 = __stack_chk_fail();
        }
        return r0;
    }
    

    代码很长,看起来很头疼,其实也没必要一行一行去看懂。利用CCCrypt的各个参数进行对比分析,大概的加密逻辑也是很容易推测出来的。

    CCCryptorStatus CCCrypt(
        CCOperation op,         /* kCCEncrypt, etc. */
        CCAlgorithm alg,        /* kCCAlgorithmAES128, etc. */
        CCOptions options,      /* kCCOptionPKCS7Padding, etc. */
        const void *key,
        size_t keyLength,
        const void *iv,         /* optional initialization vector */
        const void *dataIn,     /* optional per op and alg */
        size_t dataInLength,
        void *dataOut,          /* data RETURNED here */
        size_t dataOutAvailable,
        size_t *dataOutMoved)
    
    • op,操作类型,由变量var_34控制,即doCipher:key:context最后一个参数,为0时,进行加密操作
      enum { kCCEncrypt = 0, kCCDecrypt, };

    • alg,加密算法,伪代码为0x1,即kCCAlgorithmDES,为DES加密方式

    enum {
        kCCAlgorithmAES128 = 0,
        kCCAlgorithmAES = 0,
        kCCAlgorithmDES,
        kCCAlgorithm3DES,       
        kCCAlgorithmCAST,       
        kCCAlgorithmRC4,
        kCCAlgorithmRC2,   
        kCCAlgorithmBlowfish    
    };
    typedef uint32_t CCAlgorithm;
    
    • options,代码对应变量r12 = 0x1,对应枚举为kCCOptionPKCS7Padding
    *(var_34 + 0xffffffffffffffec) = 0x1;
    r12 = *(var_34 + 0xffffffffffffffec)
    
    • key,密钥,对应到doCipher:key:context的第2个参数,需要转化成char *型,在[DESUtil encode]中,可以找到相应的密钥02****5a(8位,属于敏感信息,中间4位隐藏处理),伪代码 对应 var_F0的值:
    [[DESUtil doCipher:r0 key:@"02****5a" context:stack[2033], stack[2034], stack[2035]] retain]
    
    
    var_F0 = [objc_retainAutorelease(var_60) bytes]
    
    • keyLength,密钥长度,伪代码var_F8 = [var_60 length]
    • iv,加密向量,代码对应(r7 - 0x100)的值,与var_F0一致
    *(r7 - 0x100) = [objc_retainAutorelease(var_60) bytes];
    
    • dataIn,需要加密的内容,即doCipher:key:context的1个参数
    • dataInLength,加密内容的长度
    • dataOut,加密后的内容
    • dataOutAvailable,加密后内容长度
    var_68 = [0x0 length] + 0x8 & 0xfffffff8;
    
    • dataOutMoved,输出值,不用关心

    至此,明确了函数使用DES加密方式,并且加密向量与密钥相同,继续住下分析。

    2.2 DES结果处理

    • 先将加密后的内容转化成NSData值:
    r0 = (*((r7 - 0x100) + 0xffffffffffffffc8))(@class(NSData), @selector(dataWithBytes:length:), var_64, 0x0)
    
    • 按字节读取NSData值,并转化成十六进制格式的字符串r2:
     r3 = *((r7 - 0x100) + 0xffffffffffffffb4);
     *((r7 - 0x100) + 0xffffffffffffffb0) = var_80;
     if (*((r7 - 0x100) + 0xffffffffffffffb0) >= (r3)(var_74, @selector(length), var_80, r3)) {
            break;
       }
      s0 = *@"%x";
      *((r7 - 0x100) + 0xffffffffffffffac) = @"%x";
      *((r7 - 0x100) + 0xffffffffffffffa8) = _objc_msgSend;
      r0 = (*((r7 - 0x100) + 0xffffffffffffffa8))(@class(NSString), @selector(stringWithFormat:), *((r7 - 0x100) + 0xffffffffffffffac), s0 & 0xff);
      r7 = r7;
      var_84 = [r0 retain];
      *((r7 - 0x100) + 0xffffffffffffffa4) = _objc_msgSend;
      r2 = *((r7 - 0x100) + 0xffffffffffffffa4);
    
    • 判断r2长度,如果长度为1,则在前面补0;这也是为什么在解密代码中,会有高16位、低16位判断的原因
    if ((r2)(var_84, @selector(length), r2) == 0x1) {
       r2 = *(("/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics" | 0x2c0000) + 0x4bd9c);
       *((r7 - 0x100) + 0xffffffffffffffa0) = @"0%@";
       *((r7 - 0x100) + 0xffffffffffffff9c) = _objc_msgSend;
       r1 = r2;
       r2 = *((r7 - 0x100) + 0xffffffffffffffa0);
       r12 = *((r7 - 0x100) + 0xffffffffffffff9c);
      ...
       r0 = *((r7 - 0x100) + 0xffffffffffffff94);
      [r0 release];
    }
    
    • 其实整个循环,就是将NSData的值按字节转化成十六进制格式的字符串:
      比如字符串“a”,经过上述DES加密后,得到的NSData值为<ed531e0b 195ec5b7>,转化成字符串后为 ed531e0b195ec5b7,即为最终加密的结果。而通常AES/DES加密后,会将结果直接转换成Base64。

    为了测试方便,在NSString增加了一个DES的类别,实现与伪代码相似的功能,具体见附录。

    3 ServiceUtil

    网络请求部分都在ServiceUtil里面,设置AFNetWorking参数、HTTP请求头等。

    3.1 请求头设置

    看伪代码,只是简单设置了AcceptUser-agentAccept-LanguageContent-TypeContent-Length这几个值,并没有做过多的校验,通过WEB模拟发送POST请求,应该也能通过。

    void -[ServiceUtil setRequestHead:len:](void * self, void * _cmd, void * arg2, void * arg3) {
        objc_storeStrong((sp - 0x54) + 0x40, arg2);
        objc_storeStrong((sp - 0x54) + 0x3c, arg3);
        [0x0 addValue:@"application/json" forHTTPHeaderField:@"Accept", stack[2027], stack[2028], stack[2029]];
        [0x0 addValue:@"Mozilla/5.0" forHTTPHeaderField:@"User-agent", stack[2027], stack[2028], stack[2029]];
        [0x0 addValue:@"ZH-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4" forHTTPHeaderField:@"Accept-Language", stack[2027], stack[2028], stack[2029]];
        [0x0 addValue:@"application/json" forHTTPHeaderField:@"Content-Type", stack[2027], stack[2028], r2];
        [0x0 addValue:0x0 forHTTPHeaderField:@"Content-Length", r1, @"Content-Length"];
        objc_storeStrong((sp - 0x54) + 0x3c, 0x0);
        objc_storeStrong((sp - 0x54) + 0x40, 0x0);
        return;
    }
    

    3.2 HTTP端口

    代码内部有一个HTTP的端口:http://app.xxxxtech.com:8080,结合登录url,可以推测,其他的请求都是用特定的功能字符串拼接起来的,用web模拟,发现8080端口也是有效的。
    http://app.xxxxtech.com:8080/GetAndroidDataService.svc/xxxx
    https://app.xxxxtech.com/GetAndroidDataService.svc/xxxx

    void * -[ServiceUtil http](void * self, void * _cmd) {
        stack[2043] = r4;
        r7 = (sp - 0x14) + 0xc;
        *((sp - 0x14) + 0xfffffffffffffffc) = r8;
        sp = (sp - 0x14) + 0xfffffffffffffffc - 0x40;
        stack[2042] = self;
        if (stack[2042]->_http == 0x0) {
                r0 = (*@"%@%@%@")(@class(NSString), @selector(stringWithFormat:), @"%@%@%@", @"http://", @"app.xxxxtech.com:8080", @"/");
                r0 = [r0 retain];
                stack[2034] = r0;
                r0 = (*r0)(@class(NSMutableString), @selector(stringWithFormat:), @"%@%@%@", stack[2034], @"GetAndroidDataService.svc", @"/");
    
        ...
        }
        r0 = stack[2042]->_http;
        r0 = loc_239340(r0, *0x31aa04);
        return r0;
    }
    

    4 安全检验

    登入App后,试了其他几个请求,发现请求参数、请求头并没有登录返回的FToken信息,难道登录只是进入App的壳子,后续的请求根本不需要检验?找一个接口一试究竟。

    查询打卡时间的接口,参数只有工号是可变的:

    https://app.xxxxtech.com/GetAndroidDataService.svc/GetCheckStatusData
    
    {
      "FOSVersion" : "10.3.2",
      "FMobileType" : "IOS",
      "FAppVersion" : "v4.0.2.Basics (51)",
      "FModuleId" : "3093",
      "FItemNumber" : "*****"
    }
    

    FItemNumber修改为其他的5位数,并对参数加密,得到请求参数(敏感信息隐藏处理):

    {"jsonData":"0e10de0e07c7f12758af1e31ffdea690c040bb8ecab59985f118ebfbb6d0500cafaa48ff3194a97be6eb6053ec6c6206db03e151be4b528d78db3becbcb1629fc29d0e049cff1a27e5584d684d8b78e7a925a47801cd1511d6a98c7b1c33debbe446eed7fe7674987e52e6b64bd3f73fb9ebfb7a986b5c16537..."}
    

    使用web发送请求,可以得到正常返回:

        "FID": "",
        "IsSuccess": true,
        "Result": "{\"FStatus\":0,\"FAttendId\":0,\"FCheckInTime\":\"**:**\",\"FCheckOutTime\":\"22:04\"}",
        "ResultCode": 200
    }
    

    再试其他接口,也是可以直接通过的,可见除了登录协议外,其他协议都没有做安全性校验。

    5 总结

    虽然App是内部用的,但有几点还是可以再提高一下的:

    增加请求头、安全检验
    增加DES加密的复杂度
    关闭8080端口
    关键几处函数进行代码混淆,反正不需要AppStore审核

    附录:加解密代码

    #import "NSString+DES.h"
    #import <CommonCrypto/CommonDigest.h>
    #import <CommonCrypto/CommonCryptor.h>
    
    @implementation NSString (DES)
    
    - (NSData *)jm_hexStringConvertToBytesData
    {
        //异常字符串
        if (self.length % 2 != 0) {
            return nil;
        }
        
        Byte bytes[1024*3] = {0};
        int bytesIndex = 0;
        
        for(int i = 0; i < [self length]; i++)
        {
            int int_char;  /// 两位16进制数转化后的10进制数
            
            unichar hex_charUpper = [self characterAtIndex:i]; ///两位16进制数中的第一位(高位*16)
            int int_charUpper;
            if(hex_charUpper >= '0' && hex_charUpper <='9') {
                int_charUpper = (hex_charUpper - 48 ) * 16;   // 0 的Ascll - 48
            } else if(hex_charUpper >= 'A' && hex_charUpper <= 'F') {
                int_charUpper = (hex_charUpper - 55 ) * 16; /// A 的Ascll - 65
            } else {
                int_charUpper = (hex_charUpper - 87 ) * 16; // a 的Ascll - 97
            }
            
            i++;
            
            unichar hex_charLower = [self characterAtIndex:i]; ///两位16进制数中的第二位(低位)
            int int_charLower;
            if(hex_charLower >= '0' && hex_charLower <= '9') {
                int_charLower = (hex_charLower - 48); /// 0 的Ascll - 48
            } else if(hex_charUpper >= 'A' && hex_charUpper <='F') {
                int_charLower = (hex_charLower - 55); ///  A 的Ascll - 65
            } else {
                int_charLower = hex_charLower - 87; /// a 的Ascll - 97
            }
            
            int_char = int_charUpper + int_charLower;
            bytes[bytesIndex] = int_char;  ///将转化后的数放入Byte数组里
            bytesIndex++;
        }
        
        NSUInteger dataLength = self.length / 2;
        NSData *data = [[NSData alloc] initWithBytes:bytes length:dataLength];
        return data;
    }
    
    - (NSString *)jm_urlDecode {
        NSString *decodedString = [self stringByRemovingPercentEncoding];
        return decodedString;
    }
    
    - (NSString *)jm_urlEncode {
        NSString *encodedString = [self stringByAddingPercentEncodingWithAllowedCharacters:[NSCharacterSet characterSetWithCharactersInString:@"!*'();:@&=+$,/?%#[]"]];
        return encodedString;
    }
    
    - (NSString *)jm_encryptUseDESByKey:(NSString *)key iv:(NSString *)iv
    {
        NSString *ciphertext;
        NSString *encode = [self jm_urlEncode];
    //    NSLog(@"%s encode::%@", __func__, encode);
        
        NSData *data = [encode dataUsingEncoding:NSUTF8StringEncoding];
        NSUInteger dataLength = data.length;
        NSUInteger bufferLength = 1024;
        unsigned char buffer[bufferLength];
        memset(buffer, 0, sizeof(char));
        
        size_t numBytesEncrypted = 0;
    
        CCCryptorStatus cryptStatus = CCCrypt(kCCEncrypt,
                                              kCCAlgorithmDES,
                                              kCCOptionPKCS7Padding,
                                              [key UTF8String],
                                              kCCKeySizeDES,
                                              [iv UTF8String] , //iv向量
                                              [data bytes],
                                              dataLength,
                                              buffer,
                                              bufferLength,
                                              &numBytesEncrypted);
        if (cryptStatus == kCCSuccess) {
            NSData *data = [NSData dataWithBytes:buffer length:(NSUInteger)numBytesEncrypted];
            //NSLog(@"%s buffer::%s", __func__, buffer);
            //NSLog(@"%s data::%@", __func__, data);
        
            ciphertext = @"";
            for (int index = 0; index < data.length; index++) {
                char byte;
                [data getBytes:&byte range:NSMakeRange(index, 1)];
                NSString *text = [NSString stringWithFormat:@"%x", byte&0xff];
                
                //不足两位,前面补0
                if([text length] == 1) {
                    text = [NSString stringWithFormat:@"0%@", text];
                }
                
                ciphertext = [ciphertext stringByAppendingString:text];
            }
        }
        
        NSLog(@"%s encryptText::%@", __func__, ciphertext);
        return ciphertext;
    }
    
    - (NSString *)jm_decryptUseDesByKey:(NSString *)key iv:(NSString *)iv
    {
        NSString *decryptText;
        
        NSData *encryptData = [self jm_hexStringConvertToBytesData];
        const char *textBytes = [encryptData bytes];
        
        NSUInteger dataLength = encryptData.length;
        NSUInteger bufferLength = dataLength + 0x8 & 0xfffffff8;
        unsigned char buffer[bufferLength];
        memset(buffer, 0, sizeof(char));
    
        size_t numBytesEncrypted = 0;
        
        //将encryptText转化为bytes
        CCCryptorStatus decryptStatus = CCCrypt(kCCDecrypt,
                                                kCCAlgorithmDES,
                                                kCCOptionPKCS7Padding,
                                                [key UTF8String],
                                                kCCKeySizeDES,
                                                [iv UTF8String] , //iv向量
                                                textBytes,
                                                dataLength,
                                                buffer,
                                                bufferLength,
                                                &numBytesEncrypted);
        if (decryptStatus == kCCSuccess ) {
            
            NSLog(@"%s buffer::%s", __func__, buffer);
            NSData *data = [NSData dataWithBytes:buffer length:(NSUInteger)numBytesEncrypted];
            
            NSLog(@"%s data::%@", __func__, data);
            
            decryptText = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSLog(@"%s decryptText::%@", __func__, decryptText);
            
            decryptText = [decryptText jm_urlDecode];
            NSLog(@"%s decodeUrl::%@", __func__, decryptText);
            
        }
        
        return decryptText;
    }
    @end
    

    相关文章

      网友评论

        本文标题:针对某移动办公App的网络安全分析

        本文链接:https://www.haomeiwen.com/subject/mmwfrftx.html