eightbit
What Is This Presentation About?
• Quick and dirty intro to runtime hacking on iOS
• Help people get up to speed quickly
• Hopefully practical
• Focussed on third-party apps
What It’s Not
• No data security
• No transport security
• Not touching on remediation/protection
• For more comprehensive presentations on iOS pen testing or how to secure apps go to eightbit.io/presentations
Outline
• Objective-C Basics
• Setting Up The Environment
• Mapping Out the Application
• Dumping and Modifying Variables
• Manipulating Functions at Runtime
• Swift Considerations
Objective-C
• Native iOS applications are written in Objective-C
• Objective-C is a superset of C
• Objective-C is basically C with Smalltalk-style messaging and object syntax
Syntax
// Sending the message “method” to the object pointed to by the pointer obj
[obj method: argument1: argument2];
Important Takeaways
• Understand basic OO principles
• Rudimentary understanding of MVC
• Basic Objective-C
• How to call methods (embrace the square bracket!)
• How to read and write variables
Requirements
• Jailbroken device
• openssh (via Cydia)
• class-dump-z (http://code.google.com/p/networkpx/wiki/class_dump_z)
• cycript (http://www.cycript.org/debs/ or Cydia)
• gdb (via Cydia) or lldb with debugserver (http://iphonedevwiki.net/index.php/Debugserver)
• CydiaSubstrate (via Cydia)
• Clutch (https://github.com/KJCracks/Clutch)
• For a slightly outdated guide on setting up the environment see eightbit.io/post/64319534191/how-to-set-up-an-ios-pen-testing-environment
Mapping Out The Application
• The most important part
• Objective-C apps store a bunch of useful runtime information in the executable
• This information provides great insight into how an application functions (and thus is useful for finding bugs)
Decrypting Binaries
• Apps downloaded from the App Store are protected with Apple’s FairPlay DRM
• Certain portions of the binary are encrypted
• Need to decrypt these portions before we can analyse the binary
Decrypting Binaries
• Can do it manually by extracting the encrypted portion after the loader decrypts it and then patching the decrypted portion back into the binary
• Plenty of tools to automate this for you
• dumpdecrypted
• Clutch and Rasticrac
Decrypting Binaries
• Not going to demonstrate this as there are plenty of guides on the web and it’s not very interesting
• NOTE: Piracy is not cool
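The first thing the dumping tools above do is check whether the binary is still encrypted at all. As an added example (not from the slides), this C routine walks the Mach-O load commands for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reads cryptid, which says whether the image is still FairPlay-encrypted and which file range is covered. Constants and layouts follow Apple's loader.h; the sample image is constructed inline and a little-endian host is assumed.

```c
#include <stdint.h>
#include <string.h>
#define MH_MAGIC    0xfeedfaceu   /* thin 32-bit Mach-O, little-endian */
#define MH_MAGIC_64 0xfeedfacfu   /* thin 64-bit Mach-O, little-endian */
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2Cu

/* cryptoff/cryptsize: FairPlay-protected file range; cryptid: 0 = decrypted, 1 = encrypted */
struct crypt_info { int found; uint32_t cryptoff, cryptsize, cryptid; };
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Walk the load commands of a thin Mach-O image held in memory and fill *out.
 * Returns 0 on success, -1 if the buffer is not Mach-O or is truncated/malformed. */
int macho_crypt_info(const uint8_t *buf, size_t len, struct crypt_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 28) return -1;
    uint32_t magic = rd32(buf);
    size_t off = magic == MH_MAGIC_64 ? 32 : magic == MH_MAGIC ? 28 : 0;
    if (off == 0) return -1;                              /* fat binaries not handled here */
    uint32_t ncmds = rd32(buf + 16), sizeofcmds = rd32(buf + 20);
    if (len < off || sizeofcmds > len - off) return -1;   /* load commands run past the buffer */
    size_t end = off + sizeofcmds;
    for (uint32_t i = 0; i < ncmds && end - off >= 8; i++) {
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8 || cmdsize > end - off) return -1;   /* bogus cmdsize */
        if ((cmd == LC_ENCRYPTION_INFO && cmdsize >= 20) ||
            (cmd == LC_ENCRYPTION_INFO_64 && cmdsize >= 24)) {
            out->found = 1;
            out->cryptoff = rd32(buf + off + 8);
            out->cryptsize = rd32(buf + off + 12);
            out->cryptid = rd32(buf + off + 16);
        }
        off += cmdsize;
    }
    return 0;
}

/* Constructed sample (not a real app): 64-bit header plus a single
 * LC_ENCRYPTION_INFO_64 command covering 0x4000..0xC000. Returns image size. */
size_t build_sample(uint8_t *buf, uint32_t cryptid)
{
    memset(buf, 0, 56);
    wr32(buf, MH_MAGIC_64); wr32(buf + 16, 1); wr32(buf + 20, 24);   /* ncmds, sizeofcmds */
    wr32(buf + 32, LC_ENCRYPTION_INFO_64); wr32(buf + 36, 24);       /* cmd, cmdsize */
    wr32(buf + 40, 0x4000); wr32(buf + 44, 0x8000); wr32(buf + 48, cryptid);
    return 56;
}
```

A cryptid of 0 on an App Store binary means it has already been dumped; a missing command means it was never FairPlay-protected (for example, a developer build).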
Obtaining a Class Dump
• Using the excellent class-dump-z tool you can extract all of the runtime information stored in the binary into what is essentially the equivalent of an Objective-C header file
• class-dump-z -aAkRzb [BINARY]
Other Options
• Disassemblers such as IDA or Hopper
• Great for lower level insight
• Swift binaries
• otool
• weak_class_dump.cy (https://github.com/limneos/weak_classdump)
Retrieving Sensitive Information
• Very easy to retrieve sensitive information at runtime including:
• Credentials
• Encryption keys
• PII
• Sensitive business data
Quick and Dirty Approach
• Review the class dump (grep ftw)
• pin, password, passcode, pinlock, key, aes, account, credentials, creditCard, username, address, phone, session, token
• Hook into the running application with Cycript and retrieve the information
Cycript
• Ridiculous name (pronounced script)
• Even more ridiculous premise
• “programming language designed to blend the barrier between Objective-C and JavaScript”
• Really great tool for interrogating and manipulating the runtime of an app
Manipulating the Runtime
• Objective-C can observe and modify its own behaviour at runtime
• Can call methods directly, modify functions and even create your own classes and methods
• This has obvious security implications
What can you do?
• Break security checks
• Jailbreak checks
• Debug prevention
• Certificate validation
• Bypass authentication
• Subvert business logic
• Get the highest possible score in Flappy Bird
Quick and Dirty Approach
• Review the class dump
• Look for sensitive functions
• Identify simple logic
• Hook into the running application with Cycript and call or modify the functions
Persistence
• Using Cycript to modify behaviour at runtime obviously will not persist when the application is terminated
• For a POC on, say, a pen-test or a bug report it’s usually not a problem
• However there may be instances where you want the modification to be persistent
Why persistence?
• Security checks hindering testing
• Jailbreak prevention
• Anti-debug protection
• Transport security controls (e.g. cert pinning)
• Development of tools
• For a jailbreak or actual malware
How?
• Inject a library into every new process via the DYLD_INSERT_LIBRARIES environment variable
#chmod +r hook.dylib
#launchctl setenv DYLD_INSERT_LIBRARIES /var/root/hook.dylib
CydiaSubstrate + Theos
• CydiaSubstrate simplifies hooking with a global injected dylib
• Can just install from Cydia
• Theos is a port of the build tools to other platforms
• So you don’t have to be an Apple fanboy to build hooks
• Focus on the logic of the hook
• Also available on iOS
• http://iphonedevwiki.net/index.php/Theos/Setup
What is Swift?
• Compiled language created by Apple
• Released publicly in 2014 at WWDC
• Intended to replace Objective-C eventually
Characteristics
• Uses the same runtime
• Binary compatibility with Objective-C
• No message passing :(
Issues with Swift Apps
• Runtime manipulation limited for pure Swift apps (i.e. a Swift-only runtime)
• Harder to analyse
• No class dump
• Name mangling
Assessing Swift Apps
• Can still do some runtime manipulation with the Objective-C bridge enabled
• Realistically, until we get Swift-only frameworks all apps will have this
• Can still do limited hooking with MobileSubstrate
• Disassemblers for analysing Swift binaries
• Hopper scripts to demangle Swift names (https://github.com/Januzellij/hopperscripts)