iOS Runtime Hacking
Crash Course
Michael Gianarakis
CrikeyCon 2015
#whoami
@mgianarakis
Managing Consultant at SpiderLabs
Application Security
What Is This Presentation About?
• Quick and dirty intro to runtime hacking on iOS
• Help people get up to speed quickly
• Hopefully practical
• Focussed on third-party apps
What It’s Not
• No data security
• No transport security
• Not touching on remediation/protection
• For more comprehensive presentations on iOS pen testing or how to secure apps go to eightbit.io/presentations
Outline
• Objective-C Basics
• Setting Up The Environment
• Mapping Out the Application
• Dumping and Modifying Variables
• Manipulating Functions at Runtime
• Swift Considerations
Objective-C Basics
Objective-C
• Native iOS applications have traditionally been written in Objective-C (Swift is covered at the end)
• Objective-C is a strict superset of C
• Objective-C is basically C with Smalltalk-style messaging and object syntax
Syntax
// Sending the message (selector) method:: to the object that the pointer obj points to, with two arguments
[obj method:argument1 :argument2];
Important Takeaways
• Understand basic OO principles
• Rudimentary understanding of MVC
• Basic Objective-C
• How to call methods (embrace the square bracket!)
• How to read and write variables
Setting Up The Environment
Requirements
• Jailbroken device
• openssh (via Cydia)
• class-dump-z (http://code.google.com/p/networkpx/wiki/class_dump_z)
• cycript (http://www.cycript.org/debs/ or Cydia)
• gdb (via Cydia) or lldb's debugserver (http://iphonedevwiki.net/index.php/Debugserver)
• CydiaSubstrate (via Cydia)
• Clutch (https://github.com/KJCracks/Clutch)
• For a slightly outdated guide on setting up the environment see eightbit.io/post/64319534191/how-to-set-up-an-ios-pen-testing-environment
Mapping Out The Application
Mapping Out The Application
• The most important part
• Objective-C apps store a bunch of useful runtime information (class, method and ivar names and type encodings) in the executable
• This information provides great insight into how an application functions (and thus is useful for finding bugs)
Decrypting Binaries
• Apps downloaded from the App Store are protected with Apple's FairPlay DRM
• Certain portions of the binary (the encrypted segment described by LC_ENCRYPTION_INFO) are encrypted
• Need to decrypt these portions before we can analyse the binary
Decrypting Binaries
• Can do it manually by dumping the encrypted portion from memory after the loader decrypts it and then patching the decrypted portion back into a copy of the binary on disk
• Plenty of tools to automate this for you
• dumpdecrypted
• Clutch and Rasticrac
Decrypting Binaries
• Not going to demonstrate this as there are plenty of guides on the web and it's not very interesting
• NOTE: Piracy is not cool
Obtaining a Class Dump
• Using the excellent class-dump-z tool you can extract all of the runtime information stored in the binary into what is essentially the equivalent of an Objective-C header file
• class-dump-z -aAkRzb [BINARY]
• Run it against the decrypted binary; on an encrypted one the Objective-C metadata is unreadable
Example: Evernote
Other Options
• Disassemblers such as IDA or Hopper
• Great for lower level insight
• Swift binaries
• otool
• weak_class_dump.cy (https://github.com/limneos/weak_classdump)
Dumping and Modifying Variables
Retrieving Sensitive Information
• Very easy to retrieve sensitive information at runtime including:
• Credentials
• Encryption keys
• PII
• Sensitive business data
Quick and Dirty Approach
• Review the class dump (grep ftw)
• pin, password, passcode, pinlock, key, aes, account, credentials, creditCard, username, address, phone, session, token
• Hook into the running application with Cycript and retrieve the information
Cycript
• Ridiculous name (pronounced script)
• Even more ridiculous premise
• "programming language designed to blend the barrier between Objective-C and JavaScript"
• Really great tool for interrogating and manipulating the runtime of an app
Example: Retrieving A User's PIN
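The PIN demo on this slide was live, so nothing of it survives in the transcript. The program below is an added example (not the presenter's code) that shows what Cycript does for you under the hood, using the Objective-C runtime API directly: a keyword-filtered dump of a live object's ivars (the grep step from the previous slide applied to the running app), then reading and overwriting a private ivar through KVC, which is the same thing as Cycript's obj->_pin. PinLockViewController, its ivars and the PIN value are constructed stand-ins for what you would spot in a class dump; in a real app you would locate the instance with Cycript's choose(ClassName) or by walking from the app delegate.

```objective-c
// dump.m - build with: clang -fobjc-arc -framework Foundation dump.m -o dump
// (add -arch arm64 -isysroot $(xcrun --sdk iphoneos --show-sdk-path) for a device build)
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Constructed stand-in for a class found by grepping a class dump for "pin".
// It is not from any real app.
@interface PinLockViewController : NSObject {
    NSString   *_pin;            // the secret we are after
    NSUInteger  _failedAttempts;
    BOOL        _locked;
}
- (BOOL)validatePin:(NSString *)candidate;
@end

@implementation PinLockViewController
- (instancetype)init {
    if ((self = [super init])) { _pin = @"4321"; _failedAttempts = 2; _locked = YES; }
    return self;
}
- (BOOL)validatePin:(NSString *)candidate {
    if ([candidate isEqualToString:_pin]) { _locked = NO; return YES; }
    _failedAttempts++;
    return NO;
}
@end

// Print every ivar of obj (walking the class hierarchy up to, but excluding, NSObject)
// whose name contains one of the keywords, with its type encoding and current value.
// This is the view Cycript gives you with "*obj", filtered the way you would filter a
// class dump with grep. A nil keyword list prints everything.
static void dumpIvars(id obj, NSArray<NSString *> *keywords) {
    for (Class cls = object_getClass(obj); cls && cls != [NSObject class]; cls = class_getSuperclass(cls)) {
        unsigned int count = 0;
        Ivar *ivars = class_copyIvarList(cls, &count);
        for (unsigned int i = 0; i < count; i++) {
            NSString *name = @(ivar_getName(ivars[i]));
            BOOL wanted = (keywords == nil);
            for (NSString *k in keywords) {
                if ([name rangeOfString:k options:NSCaseInsensitiveSearch].location != NSNotFound) { wanted = YES; break; }
            }
            if (!wanted) continue;

            const char *enc  = ivar_getTypeEncoding(ivars[i]);
            const char *base = (const char *)(__bridge void *)obj + ivar_getOffset(ivars[i]);
            switch (enc[0]) {
                case '@': // object: the runtime hands it back as an id
                    NSLog(@"%s.%@ (%s) = %@", class_getName(cls), name, enc, object_getIvar(obj, ivars[i]));
                    break;
                case 'B': case 'c': // BOOL is 'B' on arm64 and 'c' (signed char) on 32-bit
                    NSLog(@"%s.%@ (%s) = %d", class_getName(cls), name, enc, *(const char *)base);
                    break;
                case 'Q': case 'q': // NSUInteger/NSInteger on 64-bit
                    NSLog(@"%s.%@ (%s) = %lld", class_getName(cls), name, enc, *(const long long *)base);
                    break;
                case 'L': case 'l': case 'I': case 'i':
                    NSLog(@"%s.%@ (%s) = %ld", class_getName(cls), name, enc, (long)*(const int *)base);
                    break;
                default: // structs, raw pointers, etc.: show where it lives so you can read it by hand
                    NSLog(@"%s.%@ (%s) at %p", class_getName(cls), name, enc, base);
            }
        }
        free(ivars);
    }
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        PinLockViewController *vc = [[PinLockViewController alloc] init];

        // 1. Grep-style triage of the live object.
        dumpIvars(vc, @[@"pin", @"password", @"key", @"token", @"locked"]);

        // 2. Read the secret without any accessor. KVC falls back to the "_pin" ivar
        //    (accessInstanceVariablesDirectly is YES by default), exactly like vc->_pin in Cycript.
        NSString *pin = [vc valueForKey:@"pin"];
        NSLog(@"recovered PIN: %@", pin);

        // 3. Write state the app never meant you to touch, then prove it took effect.
        [vc setValue:@NO forKey:@"locked"];
        [vc setValue:@"0000" forKey:@"pin"];
        NSLog(@"validatePin:0000 -> %d", [vc validatePin:@"0000"]);
        dumpIvars(vc, nil);
    }
    return 0;
}
```

The same ivar walk is what you would drop into an injected dylib once you have a handle on the object. Two things to watch: the type-encoding switch only covers the common scalar and object cases (anything else is printed as an address for manual inspection), and reading an ivar by raw offset is only safe while the object is alive, so do it on the thread that owns it or from a hook on one of its own methods.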
Manipulating Functions at Runtime
Manipulating the Runtime
• Objective-C can observe and modify its own behaviour at runtime
• Can call methods directly, modify functions and even create your own classes and methods
• This has obvious security implications
What can you do?
• Break security checks
• Jailbreak checks
• Debug prevention
• Certificate validation
• Bypass authentication
• Subvert business logic
• Get the highest possible score in Flappy Bird
Quick and Dirty Approach
• Review the class dump
• Look for security-relevant methods
• Identify simple logic (e.g. a method returning a BOOL that gates a check)
• Hook into the running application with Cycript and call or modify the methods
Example: Authentication Bypass
Example: Jailbreak Detection
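Both bypass demos were live Cycript sessions. The program below is an added example, not the presenter's code, that performs the same two moves against the runtime directly: it lists a class's methods from the live runtime (what the class dump shows statically), calls a private success-path method by name to skip authentication, and then replaces the implementation of a jailbreak check with a block that logs the real answer and returns NO. LoginController, JailbreakDetector, their method names and the hard-coded credentials are constructed stand-ins; in Cycript the equivalent of the second move is reassigning the class's message table entry for the selector.

```objective-c
// bypass.m - build with: clang -fobjc-arc -framework Foundation bypass.m -o bypass
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <objc/message.h>

// Constructed stand-ins for classes you would find in a class dump. Not from a real app.
@interface JailbreakDetector : NSObject
- (BOOL)isJailbroken;
@end
@implementation JailbreakDetector
- (BOOL)isJailbroken {
    // A typical naive check: look for an artefact a jailbreak leaves behind.
    return [[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"];
}
@end

@interface LoginController : NSObject
@property (nonatomic) BOOL authenticated;
- (void)loginWithUsername:(NSString *)user password:(NSString *)pass;
@end
@implementation LoginController
// "Private" methods: absent from the header, but the class dump lists them anyway.
- (void)loginSucceeded { self.authenticated = YES; NSLog(@"[app] welcome"); }
- (void)loginFailedWithReason:(NSString *)why { NSLog(@"[app] login failed: %@", why); }
- (void)loginWithUsername:(NSString *)user password:(NSString *)pass {
    if ([user isEqualToString:@"admin"] && [pass isEqualToString:@"hunter2"]) [self loginSucceeded];
    else [self loginFailedWithReason:@"bad credentials"];
}
@end

// What the class dump tells you statically, read from the live runtime instead.
static void listMethods(Class cls) {
    unsigned int count = 0;
    Method *methods = class_copyMethodList(cls, &count);
    for (unsigned int i = 0; i < count; i++)
        NSLog(@"-[%s %s] %s", class_getName(cls),
              sel_getName(method_getName(methods[i])), method_getTypeEncoding(methods[i]));
    free(methods);
}

// Replace -[cls sel] with a block and hand back the original IMP so the hook can still
// call it. The block takes self but no _cmd (imp_implementationWithBlock's convention).
static IMP replaceMethod(Class cls, SEL sel, id block) {
    Method m = class_getInstanceMethod(cls, sel);
    return method_setImplementation(m, imp_implementationWithBlock(block));
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        listMethods([LoginController class]);

        // Authentication bypass: call the success path directly, no password involved.
        // The selector is built from the name as it appears in the class dump.
        LoginController *login = [[LoginController alloc] init];
        SEL successSel = sel_registerName("loginSucceeded");
        ((void (*)(id, SEL))objc_msgSend)(login, successSel);
        NSLog(@"authenticated = %d", login.authenticated);

        // Jailbreak-detection bypass: swap the IMP, log what the app would have seen, lie to it.
        JailbreakDetector *jb = [[JailbreakDetector alloc] init];
        NSLog(@"before hook: isJailbroken = %d", [jb isJailbroken]);
        __block IMP original = NULL;
        original = replaceMethod([JailbreakDetector class], @selector(isJailbroken), ^BOOL(id self_) {
            BOOL real = ((BOOL (*)(id, SEL))original)(self_, @selector(isJailbroken));
            NSLog(@"[hook] isJailbroken really returned %d, telling the app NO", real);
            return NO;
        });
        NSLog(@"after hook: isJailbroken = %d", [jb isJailbroken]);
    }
    return 0;
}
```

Calling the original IMP inside the replacement is deliberate: logging the genuine result tells you whether the check actually fired, which is the evidence you want in a report. Also note that replacing the IMP affects every instance of the class for the life of the process, whereas the KVC write in the earlier example touched one object only.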
Phonegap/Cordova
Persistence
• Using Cycript to modify the behaviour at runtime obviously will not persist when the application is terminated
• For a POC on say a pen-test or a bug report it's usually not a problem
• However there may be instances where you want the modification to be persistent
Why persistence?
• Security checks hindering testing
• Jailbreak prevention
• Anti-debug protection
• Transport security controls (e.g. cert pinning)
• Development of tools
• For a jailbreak or actual malware
How?
• Inject a library into every new process via the DYLD_INSERT_LIBRARIES environment variable, set on launchd so that every process it subsequently spawns (SpringBoard and the apps) inherits it
• The dylib must be readable by the mobile user that apps run as, hence the chmod
# chmod +r hook.dylib
# launchctl setenv DYLD_INSERT_LIBRARIES /var/root/hook.dylib
CydiaSubstrate + Theos
• CydiaSubstrate simplifies hooking with a global injected dylib (your tweak dylib goes in /Library/MobileSubstrate/DynamicLibraries with a plist filter saying which bundles to load into)
• Can just install from Cydia
• Theos is a build system for Substrate tweaks that runs on macOS, Linux and iOS itself
• So you don't have to be an Apple fanboy to build hooks
• Focus on the logic of the hook
• Also available on iOS
• http://iphonedevwiki.net/index.php/Theos/Setup
Example: Hooking
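The hooking demo on this slide was live, and the deck's hook.dylib from the DYLD_INSERT_LIBRARIES slide is not reproduced. The library below is an added example, written for this page rather than taken from the presentation, of what that injected dylib can look like when the target is a file-system based jailbreak check: it uses dyld interposing (the __DATA,__interpose section, which dyld honours for libraries loaded through DYLD_INSERT_LIBRARIES) to rebind the app's calls to stat, access and fopen, hides a list of jailbreak artefacts, and logs each check as it fires. The path list is a constructed starting point, and the install commands assume a device reachable as "device" and a hook location of /usr/lib/hook.dylib; adjust both. Under CydiaSubstrate the same three hooks are MSHookFunction() calls and the Objective-C-level hooks from the previous example become MSHookMessageEx() (or %hook blocks in Theos's Logos syntax).

```objective-c
// hook.m - a library to inject with DYLD_INSERT_LIBRARIES (added example, not the deck's hook.dylib).
//
// Build (assumes the iOS SDK is installed; adjust -arch for the device):
//   clang -arch arm64 -isysroot $(xcrun --sdk iphoneos --show-sdk-path) \
//         -dynamiclib -fobjc-arc -framework Foundation -o hook.dylib hook.m
//   (then sign the dylib with ldid/codesign as your jailbreak requires)
// Install on the device (hostname and path are assumptions):
//   scp hook.dylib root@device:/usr/lib/hook.dylib
//   ssh root@device 'chmod +r /usr/lib/hook.dylib; launchctl setenv DYLD_INSERT_LIBRARIES /usr/lib/hook.dylib'
// Apps launched after that inherit the variable; relaunch the target app to pick it up.
#import <Foundation/Foundation.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>

// Paths a naive jailbreak check looks for. Constructed list: extend it with the
// strings you see in the app's class dump or disassembly.
static const char *const kHiddenPaths[] = {
    "/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash", "/usr/sbin/sshd", "/etc/apt", "/private/var/lib/apt", NULL,
};

static int isHidden(const char *path) {
    if (!path) return 0;
    for (const char *const *p = kHiddenPaths; *p; p++)
        if (strcmp(path, *p) == 0) return 1;
    return 0;
}

// Replacements. They must keep the original signatures exactly. Calls to the real
// functions from inside this image are not rebound, so there is no recursion.
static int hooked_stat(const char *path, struct stat *sb) {
    if (isHidden(path)) { NSLog(@"[hook] stat(%s) -> hidden", path); errno = ENOENT; return -1; }
    return stat(path, sb);
}
static int hooked_access(const char *path, int mode) {
    if (isHidden(path)) { NSLog(@"[hook] access(%s) -> hidden", path); errno = ENOENT; return -1; }
    return access(path, mode);
}
static FILE *hooked_fopen(const char *path, const char *mode) {
    if (isHidden(path)) { NSLog(@"[hook] fopen(%s) -> hidden", path); errno = ENOENT; return NULL; }
    return fopen(path, mode);
}

// dyld interposing: each tuple in the __interpose section tells dyld to rebind calls to
// `original` made from other images (the app calling into libsystem) to `replacement`.
// This mechanism is only applied to libraries loaded via DYLD_INSERT_LIBRARIES.
#define INTERPOSE(replacement, original)                                              \
    __attribute__((used, section("__DATA,__interpose")))                               \
    static const struct { const void *replacement; const void *original; }             \
    _interpose_##original = { (const void *)(unsigned long)&replacement,               \
                              (const void *)(unsigned long)&original }

INTERPOSE(hooked_stat, stat);
INTERPOSE(hooked_access, access);
INTERPOSE(hooked_fopen, fopen);

// Runs when the library is loaded, before the app's own initializers, so it is also
// the place to install Objective-C method hooks by class name (objc_getClass works here).
__attribute__((constructor)) static void hook_init(void) {
    NSLog(@"[hook] loaded into %@", [[NSProcessInfo processInfo] processName]);
}
```

Two caveats a tester should keep in mind. Interposing only catches calls that cross an image boundary into libsystem; a check that inlines its own syscall stub, or that looks for the artefact some other way (forking, writing outside the sandbox, checking for a Cydia URL scheme), is untouched and needs a hook on the app's own method instead. And because launchctl setenv injects the library into every process launchd starts, a crash in your hook takes down SpringBoard along with the target, so keep the hook minimal and remove the variable (launchctl unsetenv DYLD_INSERT_LIBRARIES) when you are done.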
Swift Considerations
What is Swift?
• Compiled language created by Apple
• Released publicly in 2014 at WWDC
• Intended to replace Objective-C eventually
Characteristics
• Runs on top of the Objective-C runtime on Apple platforms; classes that inherit from NSObject (or are marked @objc) are fully visible to it
• Binary compatibility with Objective-C (can call into and be called from it)
• No message passing for pure Swift methods: they are dispatched statically or through vtables unless marked @objc or dynamic :(
Issues with Swift Apps
• Runtime manipulation limited for pure Swift apps (i.e. a Swift-only runtime)
• Harder to analyse
• No class dump (class-dump-z only understands Objective-C metadata)
• Name mangling (swift-demangle from the Xcode toolchain can undo it)
Assessing Swift Apps
• Can still do some runtime manipulation with the Objective-C bridge enabled
• Realistically, until Apple ships Swift-only frameworks, every app that touches UIKit or Foundation will have this
• Can still do limited hooking with MobileSubstrate (on methods exposed to Objective-C)
• Disassemblers for analysing Swift binaries
• Hopper scripts to demangle Swift names (https://github.com/Januzellij/hopperscripts)
Questions?
