[MSTG-CODE-9] Update iOS Binary Protection Checks #1925

Merged
merged 10 commits into from Oct 13, 2021
38 changes: 29 additions & 9 deletions Document/0x06i-Testing-Code-Quality-and-Build-Settings.md
Expand Up @@ -613,31 +613,35 @@ There are various well written explanations which can help with taking care of m
Although Xcode enables all binary security features by default, it may be relevant to verify this for an old application or to check for the misconfiguration of compilation options. The following features are applicable:

- **ARC** - Automatic Reference Counting - A memory management feature that adds retain and release messages when required
- **Stack Canary** - Helps prevent buffer overflow attacks by means of having a small integer right before the return pointer. A buffer overflow attack often overwrites a region of memory in order to overwrite the return pointer and take over the process-control. In that case, the canary gets overwritten as well. Therefore, the value of the canary is always checked to make sure it has not changed before a routine uses the return pointer on the stack.
- **PIE** - Position Independent Executable - enables full ASLR for binary
- **Stack Canary** - Stack-smashing protection - Helps prevent buffer overflow attacks by means of having a small integer right before the return pointer. A buffer overflow attack often overwrites a region of memory in order to overwrite the return pointer and take over the process-control. In that case, the canary gets overwritten as well. Therefore, the value of the canary is always checked to make sure it has not changed before a routine uses the return pointer on the stack.
- **PIE** - Position Independent Executable - enables full ASLR for the executable binary (not applicable for libraries).

Tests to detect the presence of these protection mechanisms heavily depend on the language used for developing the application. For example, existing techniques for detecting the presence of stack canaries do not work for pure Swift apps. For more details, please check the online article "[On iOS Binary Protections](https://sensepost.com/blog/2021/on-ios-binary-protections/ "On iOS Binary Protection")".

### Static Analysis

#### Xcode Project Settings

- Stack-smashing protection
##### Stack Canary protection

Steps for enabling Stack-smashing protection in an iOS application:
Steps for enabling stack canary protection in an iOS application:

1. In Xcode, select your target in the "Targets" section, then click the "Build Settings" tab to view the target's settings.
2. Make sure that the "-fstack-protector-all" option is selected in the "Other C Flags" section.
3. Make sure that Position Independent Executables (PIE) support is enabled.

##### PIE protection

Steps for building an iOS application as PIE:

1. In Xcode, select your target in the "Targets" section, then click the "Build Settings" tab to view the target's settings.
2. Set the iOS Deployment Target to iOS 4.3 or later.
3. Make sure that "Generate Position-Dependent Code" is set to its default value ("NO").
4. Make sure that "Don't Create Position Independent Executables" is set to its default value ("NO").

- ARC protection
##### ARC protection

Steps for enabling ACR protection for an iOS application:
ARC is automatically enabled for Swift apps by the `swiftc` compiler. However, for Objective-C apps you'll have ensure that it's enabled by following these steps:

1. In Xcode, select your target in the "Targets" section, then click the "Build Settings" tab to view the target's settings.
2. Make sure that "Objective-C Automatic Reference Counting" is set to its default value ("YES").
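Review bot: step 3 under "Stack Canary protection" ("Make sure that Position Independent Executables (PIE) support is enabled.") is a PIE setting, not a stack-canary one, and the new "PIE protection" subsection directly below already covers it, so drop it here to keep the two procedures independent. The new ARC sentence "for Objective-C apps you'll have ensure that it's enabled" is also missing "to" ("you'll have to ensure"). Finally, since "-fstack-protector-all" is set under "Other C Flags", it is worth adding that the flag only reaches C/Objective-C compilation units and not Swift sources, which is consistent with the paragraph above saying canary detection does not apply to pure Swift apps.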
Expand Down Expand Up @@ -666,7 +670,9 @@ Below are procedures for checking the binary security features described above.
WEAK_DEFINES BINDS_TO_WEAK PIE
```

- stack canary:
The output shows that the Mach-O flag for `PIE` is set. This check is applicable to all - Objective-C, Swift and hybrid apps but only to the main executable.

- Stack canary:

```bash
$ otool -Iv DamnVulnerableIOSApp | grep stack
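Review bot: the sentence "This check is applicable to all - Objective-C, Swift and hybrid apps but only to the main executable." reads awkwardly with the bare dash; suggest "This check applies to all app types (Objective-C, Swift and hybrid), but only to the main executable, since PIE is a flag in the Mach-O header of an executable and dynamic libraries are position independent regardless." That also ties the sentence back to the "(not applicable for libraries)" wording added to the feature list above.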
Expand All @@ -682,7 +688,9 @@ Below are procedures for checking the binary security features described above.
0x0000000100593dc8 83414 _sigaltstack
```

- Automatic Reference Counting:
In the above output, the presence of `__stack_chk_fail` indicates that stack canaries are being used. This check is applicable to pure Objective-C and hybrid apps, but not necessarily to pure Swift apps (i.e. it is OK if it's shown as disabled because Swift is memory safe by design).

- ARC:

```bash
$ otool -Iv DamnVulnerableIOSApp | grep release
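Review bot: `grep stack` over the `otool -Iv` output matches unrelated symbols, as the `_sigaltstack` line kept in the excerpt shows, so the new interpretation sentence should tell the reader to look specifically for `__stack_chk_fail` (and `__stack_chk_guard`); grepping for `stack_chk` instead of `stack` would remove the noise. Also, the parenthetical "it is OK if it's shown as disabled because Swift is memory safe by design" gives a different reason than the paragraph earlier in the file, which says the existing detection techniques do not work for pure Swift apps. Keep the two consistent: say that the absence of `__stack_chk_fail` in a pure Swift binary is not a finding by itself, rather than that canaries are unnecessary, since Swift code can still call into C and use the unsafe pointer APIs.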
Expand All @@ -695,9 +703,21 @@ Below are procedures for checking the binary security features described above.
[SNIP]
```

This check is applicable to all cases, including pure Swift apps where it's automatically enabled.

### Dynamic Analysis

Dynamic analysis is not applicable for finding security features offered by the toolchain.
These checks can be performed dynamically using [objection](0x08-Testing-Tools.md#objection). Here's one example:

```bash
com.yourcompany.PPClient on (iPhone: 13.2.3) [usb] # ios info binary
Name Type Encrypted PIE ARC Canary Stack Exec RootSafe
-------------------- ------- ----------- ----- ----- -------- ------------ ----------
PayPal execute True True True True False False
CardinalMobile dylib False False True True False False
FraudForce dylib False False True True False False
...
```

## References

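Review bot: the objection table is left uninterpreted; add a sentence after the block mapping the `PIE`, `ARC` and `Canary` columns to the three static checks above and pointing out that the two dylibs show `PIE` as `False`, which is expected given the "not applicable for libraries" note in the feature list, whereas `False` for the main executable would be a finding. The `Stack Exec` and `RootSafe` columns are not explained anywhere in the section; either say what they report or trim them from the example so the reader is not left guessing. Minor: "Here's one example:" could name the command (`ios info binary`) in the prose rather than only inside the fence.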