Scribd
Upload
169 views

IOS Application Security Part 4 - Runtime Analysis Using Cycript (Yahoo Weather App)

A tutorial for Runtime Analysis Using Cycript (Yahoo Weather App). This manaul could be used for penetration test on iOS mobile application using CyCript. The example of the mobile application in this tutorial is "Yahoo Weather" mobile application. The tutorial shows how to hook an application process and how to directly call a page and process of the application.

Uploaded by

MelodySong
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
169 views

IOS Application Security Part 4 - Runtime Analysis Using Cycript (Yahoo Weather App)

A tutorial for Runtime Analysis Using Cycript (Yahoo Weather App). This manaul could be used for penetration test on iOS mobile application using CyCript. The example of the mobile application in this tutorial is "Yahoo Weather" mobile application. The tutorial shows how to hook an application process and how to directly call a page and process of the application.

Uploaded by

MelodySong
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

INFOSEC INSTITUTE

TOPICS

INTENSE SCHOOL

CONTRIBUTORS

JOB BOARD

CAREERS

CERTIFICATION TRACKER

CONTENT ARCHIVES
PHISH.IO

IOS APPLICATION SECURITY - PART 4

iOS Application
Security Part 4
Runtime Analysis Using
Cycript (Yahoo Weather
App)
JUMP TO

SELECT POST SECTION

14

Tweet

Share

submit

reddit

12
Like

Introduction
In the previous article, we learnt about
the runtime capabilities of an IOS App
written in Objective-C which uses the
Cocoa framework. In this article, we will
look at how we can use a very essential
tool named Cycript to analyze and
modify the runtime of an IOS
application. In this article, we will be
performing our analysis on the Yahoo
Weather IOS app.
http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

1/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

Cycript
Cycript is a javascript interpreter which
also understands Objective-C syntax,
meaning we can write either Objective-C
or javascript or even both in a particular
command. It can also hook into a
running process and help us to modify a
lot of the things in the application during
runtime. As far as its application to IOS
application is concerned, here are some
of the advantages of using Cycript.
1. We can hook into a running
process and find the names of all
classes being used, i.e the view
controllers, the internal and third
party libraries being used and even
the name of the Application
delegate.
2. For a particular class, i.e View
Controller, App delegate or any
other class, we can also find the
names of all the methods being
used.
3. We can also find the names of all
the instance variable and their
values at any particular time
during the runtime of an
application.
4. We can modify the values of the
instance variable during runtime.
5. We can perform Method Swizzling,
i.e replace the code of a particular
method with some other
implementation.
6. We can call any method in the
application during runtime
without it being in the actual code
of the application .
http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

2/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

Installing Cycript
To install Cycript on your device, you
must download the latest version from
their official download page. Make sure
to download the latest version.

Once they have been downloaded on


your system, upload them to your device
using sftp.

Then use the dpkg command to install


cycript on your device.

Then use the cycript command to check


and see if everything is working.

Runtime modification with Cycript


http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

3/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

In this article, we will be performing all


our tests on the Yahoo Weather app. Its
a very neat app with an elegant UI that
provides information about the weather
of different places.
Once the Yahoo Weather has been
installed, run it and make sure the app is
the foreground. This is because once the
app is in the background , it is in the
paused state and you cant do much
with it. Once the app is run, you can
directly hook into the running process by
finding the PID of the weather app and
then using the cycript -p command to
hook into the process.

If the hooking is successful, you will be


provided with a Cycript interpreter. Now
we are all set. You can get the instance
of the application by using the
Objective-C syntax [UIApplication

sharedApplication].

You can also define variables using the


Cycript interpreter as shown in the figure
below. In this case, i am defining a
variable a for [UIApplication

sharedApplication]. Note that the L.H.S


of this command is Javascript whereas
the R.H.S is Objective-C syntax. This is the
beauty of Cycript.

http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

4/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

Cycript, by default has this variable


which makes it easy to refer to the
application instance.

To find the delegate class of this


application, we can use the command

[UIApplication
sharedApplication].delegate. But since
we already defined a variable a as the
application instance, we can use the
following command as shown in the
figure below.

Hence, we now now that the delegate


class name is YWAppDelegate. So the
delegate files are defined as
YWAppDelegate.h and
YWAppDelegate.m. Now, lets try and call
some methods in the app while it is
running. A quick look at the application
gives this kind of a picture.

http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

5/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

As you can see, the status bar of the app


is hidden. We can call a method in the
application to unhide the status bar.
Also, please make sure always that the
app is in the foreground while you are
performing runtime analysis on the
application.

And here is how the app looks now

http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

6/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

As you can see, the status bar is now


visible. Lets try and see if we can modify
the badge count of this particular
application. A badge count is the
number shown on the top-right of an
application icon image. It usually refers
to the amount of push notification
received for the application. In mail apps,
it can also refer to the amount of unread
mails. In Yahoo Weather app, there is no
concept of push notifications and hence
there is no count shown on the top-right
of its app icon. The thing is that the
application badge number can be set
locally in the app through a simple
function call as well as remotely through
a push notification from the server. Lets
try and see if we can set the badge count
for the app. Here is the Objective-C
method that we can need to call. In this
case i am setting the badge count to 999
http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

7/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

And now if we go back to the home


screen, we see the badge count in the
app.

Perfect !!
Lets now investigate more and see what
more we can find out about the app. In
order to find out the current view
controller of the app, we must first find
out the keyWindow property. A
keyWindow is the window which is
currently accepting user interaction
(touch events) from the user. If you want
to find out all the windows in an app,
here is how you do it. Note that a
window is of the class type UIWindow.

http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

8/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

Now, in order to find out the keyWindow


at a particular time in the app, here is
how you do it.

Now, the root view controller for this


window is found out by using the
rootViewController property of the
keyWindow. The root view controller
property for this window is responsible
for displaying the content in the window.

As you can see, the name of the


rootViewController class is
YahooSlidingViewController. From the
name, it is pretty clear that this class is
the slider used in the app as shown in
the figure below.

http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

9/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

Hence, this class basically acts as a


facade over all the other view controllers.
This means that whenever a menu item
is chosen in the menu as shown in the
figure above, the
YahooSlidingViewController is the class
responsible for displaying the
appropriate view controller.
Conclusion
In this article, we looked at how we can
install Cycript into a jailbroken device,
hook into a running process and find out
the information about the properties of
the application. We also looked at how
we can call functions ourselves which are
executed inside the sandbox of the
application. In the next article, we will
look at how we can find out all the
methods of a given class and modify its
implementation. We will also look at
http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

10/14

9/28/2015

iOSApplicationSecurityPart4RuntimeAnalysisUsingCycript(YahooWeatherApp)InfoSecResources

how we can modify the values of


instance variables of a particular class.
References:
Cycript
http://www.cycript.org/
Cycript tricks
http://iphonedevwiki.net/index.php/Cycript_Tricks

PREV: IOS A

NEXT: IOS A

Prateek Gianchandani, a recent IIT


graduate, has interests in the field of
Penetration Testing, Web Application
Security and Intrusion Detection. He is
AUTHOR

Prateek
Gianchandani

currently a researcher for InfoSec


Institute. In the past he has worked for
security-based startups. You can contact
him at [email protected]
and on twitter @prateekg147 or you can
visit his personal website at
highaltitudehacks.com

http://resources.infosecinstitute.com/iosapplicationsecuritypart4runtimeanalysisusingcycriptyahooweatherapp/

11/14

You might also like