iOS Runtime Hacking Crash Course
Michael Gianarakis
CrikeyCon 2015
#whoami
@mgianarakis
Managing Consultant at SpiderLabs
Application Security
What Is This Presentation About?
• Quick and dirty intro to runtime hacking on iOS
• Help people get up to speed quickly
• Hopefully practical
• Focussed on third-party apps
What It’s Not
• No data security
• No transport security
• Not touching on remediation/protection
• For more comprehensive presentations on iOS pen testing or how to secure apps go to eightbit.io/presentations
Outline
• Objective-C Basics
• Setting Up The Environment
• Mapping Out the Application
• Dumping and Modifying Variables
• Manipulating Functions at Runtime
• Swift Considerations
Objective-C Basics
Objective-C
• Native iOS applications are written in Objective-C
• Objective-C is a superset of C
• Objective-C is basically C with Smalltalk-style messaging and object syntax
Syntax
// Sending the message "method" to the object pointed to by the pointer obj
// (two arguments; the selector of this message is method::)
[obj method:argument1 :argument2];
Important Takeaways
• Understand basic OO principles
• Rudimentary understanding of MVC
• Basic Objective-C
• How to call methods (embrace the square bracket!)
• How to read and write variables
Setting Up The Environment
Requirements
• Jailbroken device
• openssh (via Cydia)
• class-dump-z (http://code.google.com/p/networkpx/wiki/class_dump_z)
• cycript (http://www.cycript.org/debs/ or Cydia)
• gdb (via Cydia) or lldb debugserver (http://iphonedevwiki.net/index.php/Debugserver)
• CydiaSubstrate (via Cydia)
• Clutch (https://github.com/KJCracks/Clutch)
• For a slightly outdated guide on setting up the environment see eightbit.io/post/64319534191/how-to-set-up-an-ios-pen-testing-environment
Mapping Out The Application
Mapping Out The Application
• The most important part
• Objective-C apps store a bunch of useful runtime information in the executable
• This information provides great insight into how an application functions (and thus is useful for finding bugs)
Decrypting Binaries
• Apps downloaded from the App Store are protected with Apple’s FairPlay DRM
• Certain portions of the binary are encrypted
• Need to decrypt these portions before we can analyse the binary
Decrypting Binaries
• Can do it manually by extracting the encrypted portion after the loader decrypts it and then patching the decrypted portion back into the binary
• Plenty of tools to automate this for you
• dumpdecrypted
• Clutch and Rasticrac
Decrypting Binaries
• Not going to demonstrate this as there are plenty of guides on the web and it’s not very interesting
• NOTE: Piracy is not cool
Obtaining a Class Dump
• Using the excellent class-dump-z tool you can extract all of the runtime information stored in the binary in what is essentially the equivalent of an Objective-C header file
• class-dump-z -aAkRzb [BINARY]
Example: Evernote
Other Options
• Disassemblers such as IDA or Hopper
• Great for lower level insight
• Swift binaries
• otool
• weak_class_dump.cy (https://github.com/limneos/weak_classdump)
Dumping and Modifying Variables
Retrieving Sensitive Information
• Very easy to retrieve sensitive information at runtime including:
• Credentials
• Encryption keys
• PII
• Sensitive business data
Quick and Dirty Approach
• Review the class dump (grep ftw)
• pin, password, passcode, pinlock, key, aes, account, credentials, creditCard, username, address, phone, session, token
• Hook into the running application with Cycript and retrieve the information
Cycript
• Ridiculous name (pronounced script)
• Even more ridiculous premise
• “programming language designed to blend the barrier between Objective-C and JavaScript”
• Really great tool for interrogating and manipulating the runtime of an app
Example: Retrieving A User’s PIN
Manipulating Functions at Runtime
Manipulating the Runtime
• Objective-C can observe and modify its own behaviour at runtime
• Can call methods directly, modify functions and even create your own classes and methods
• This has obvious security implications
What can you do?
• Break security checks
• Jailbreak checks
• Debug prevention
• Certificate validation
• Bypass authentication
• Subvert business logic
• Get the highest possible score in Flappy Bird
Quick and Dirty Approach
• Review the class dump
• Look for sensitive functions
• Identify simple logic
• Hook into the running application with Cycript and call or modify the functions
Example: Authentication Bypass
Example: Jailbreak Detection
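The keyword pass from the two "Quick and Dirty Approach" slides, as an added example that is not part of the original deck: a POSIX shell script that runs the slides' keyword list over a class-dump-z header and reports each hit with its enclosing class, plus a second pattern for security-check method names (the CHECK_KEYWORDS list and all class names are my own; the class dump it reads is constructed sample input, not output from any real app).

```shell
#!/bin/sh
# Added example, not from the slides: automate the "grep ftw" pass over a
# class-dump-z header. The class dump below is constructed sample input
# standing in for the output of: class-dump-z -aAkRzb [BINARY]

# Keyword list taken from the slides (matched case-insensitively).
DATA_KEYWORDS='pin|password|passcode|pinlock|key|aes|account|credentials|creditCard|username|address|phone|session|token'
# Assumed extra list: names that usually mark security checks a reviewer
# should look at (the slides list these checks as hooking targets).
CHECK_KEYWORDS='jailbr|debug|pinning|authenticat'

# Write a small constructed class dump to the file given as $1.
write_sample_dump() {
  cat > "$1" <<'EOF'
@interface LoginViewController : UIViewController {
    UITextField *_usernameField;
    UITextField *_passwordField;
}
- (void)loginButtonTapped:(id)sender;
- (BOOL)validatePIN:(NSString *)pin;
@end

@interface SettingsViewController : UIViewController
- (void)toggleDarkMode:(id)sender;
@end

@interface SessionManager : NSObject {
    NSString *_sessionToken;
    NSData *_aesKey;
}
+ (id)sharedManager;
- (BOOL)isJailbroken;
- (void)setAuthenticated:(BOOL)flag;
@end
EOF
}

# triage_dump FILE PATTERN
# Prints "Class<TAB>declaration" for every ivar or method line whose text
# matches PATTERN; the enclosing @interface line supplies the class name.
triage_dump() {
  awk -v pat="$2" '
    /^@interface/ { cls = $2; next }
    /^@end/       { cls = ""; next }
    tolower($0) ~ tolower(pat) { print cls "\t" $0 }
  ' "$1"
}

# count_hits FILE PATTERN: number of matching declarations (handy for thresholds).
count_hits() {
  triage_dump "$1" "$2" | awk 'END { print NR }'
}

dump=$(mktemp)
write_sample_dump "$dump"
echo "== Sensitive data candidates =="
triage_dump "$dump" "$DATA_KEYWORDS"
echo "== Security-check methods =="
triage_dump "$dump" "$CHECK_KEYWORDS"
rm -f "$dump"
```

Point the functions at a real class-dump-z header to get the same class-qualified listing for an app under review.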
Phonegap/Cordova
Persistence
• Using Cycript to modify the behaviour at runtime obviously will not persist when the application is terminated
• For a POC on say a pen-test or a bug report it’s usually not a problem
• However there may be instances where you want the modification to be persistent
Why persistence?
• Security checks hindering testing
• Jailbreak prevention
• Anti-debug protection
• Transport security controls (e.g. cert pinning)
• Development of tools
• For a jailbreak or actual malware
How?
• Inject a library into every new process via the DYLD_INSERT_LIBRARIES environment variable
# chmod +r hook.dylib
# launchctl setenv DYLD_INSERT_LIBRARIES /var/root/hook.dylib
CydiaSubstrate + Theos
• CydiaSubstrate simplifies hooking with a global injected dylib
• Can just install from Cydia
• Theos is a port of the build tools to other platforms
• So you don’t have to be an Apple fanboy to build hooks
• Focus on the logic of the hook
• Also available on iOS
• http://iphonedevwiki.net/index.php/Theos/Setup
Example: Hooking
Swift Considerations
What is Swift?
• Compiled language created by Apple
• Released publicly in 2014 at WWDC
• Intended to replace Objective-C eventually
Characteristics
• Uses the same runtime
• Binary compatibility with Objective-C
• No message passing :(
Issues with Swift Apps
• Runtime manipulation limited for pure Swift apps (i.e. a Swift-only runtime)
• Harder to analyse
• No class dump
• Name mangling
Assessing Swift Apps
• Can still do some runtime manipulation with the Objective-C bridge enabled
• Realistically until we get Swift only frameworks all apps will have this
• Can still do limited hooking with MobileSubstrate
• Disassemblers for analysing Swift binaries
• Hopper scripts to demangle Swift names (https://github.com/Januzellij/hopperscripts)
Questions?