Dynamic analysis of iOS apps w/o Jailbreak Egor Saltykov Web & Mobile pentester Digital Security

Post on 05-Jun-2020

TRANSCRIPT

Page 1: Dynamic analysis of iOS apps w/o Jailbreak · 2018-04-23 · Dynamic analysis of iOS apps w/o Jailbreak Download old ver. .ipa file • Run any mitm-proxy tool (Charles/Burp/any..)

Dynamic analysis of iOS apps w/o Jailbreak

Egor Saltykov Web & Mobile pentester Digital Security

Page 2:

© 2002—2017, Digital Security

whoami

• Digital Security

• Web & mobile pentester

• BugBounty

Digital Security Research

• Apple / Safari XSS (CVE-2017-7038)

• Cure53 / DOMPurify Safari XSS

Page 3:

Agenda

• Types of application analysis

• Superuser privileges on mobile

• Graybox pentest

• Jailbreak free iOS app analysis

Page 4:

App analysis

Page 5:

App analysis

• A huge number of mobile devices

• More private information inside them

• Proprietary mobile OS, so it is unclear how it works internally

Page 6:

App analysis: static vs. dynamic

Page 7:

App analysis

Criterion                  Static analysis             Dynamic analysis
Code vs. data              Problem                     No problem
Code coverage              Large (but not complete)    One execution path at a time
Information about values   None                        All values observable
Self-modifying code        Problem                     No problem
Runtime vulnerabilities    Not found                   Found
Unused code                Analysed                    Not analysed
Automated scanning         Yes                         No
Programming language       Not all supported           Any

Page 8:

but

Page 9:

Dynamic analysis ❤ root/jb

Page 10:

Dynamic analysis ❤ root

• Android: rooting is a one-button hack

• Works on each version

• Some vendors ship built-in root (e.g. old Meizu, Xiaomi)

Page 12:

Dynamic analysis ❤ jb

• iOS: difficult to hack

• Each system update increases the difficulty

• Tools have to be rewritten frequently for each new iOS

Page 13:

Root/JB for Pentest

Page 14:

Root for Pentest

• Too many devices

• Too many iOS versions

• Difficult to keep up with fresh versions

Page 15:

<any>box: white, gray, black

Criterion      White box       Gray box                        Black box
Input point    Yes             Yes                             Yes
Output point   Yes             Yes                             Yes
Source code    Full source     Our lib or snippet injection    No source disclosure

Page 16:

Customer's developer can:

• Inject our lines of code (GitHub: /bang590/JSPatch)

• Inject our library

• Build a special test version (SSL-pinning-free version)

Page 17:

How to start dynamic analysis of an iOS app w/o Jailbreak?

Page 18:

Preparations

• Xcode

• iOS Developer account (paid is better)

• Non-jailbroken iOS device

• Decrypted .ipa

• Framework for injection


Step: 0

Page 19:

How to change a binary for iOS w/o Jailbreak and start researching it?

• Download the .ipa file from device/store

• Decrypt and extract data from the .ipa

• Change/inject code into the binary

• Repack the .ipa

• Resign the binary

• Upload to the device

• ???

• Magic

Page 20:

Download .ipa file from store/device

• From the iTunes Store: just download

• From iFunBox (even TestFlight builds, iOS≤8.3)

• Downgrade .ipa files via iTunes by forging the download request

• Online (risky): ipastore.me


Step: 1

Page 21:

Download an old version of the .ipa file

• Run any MITM proxy tool (Charles/Burp/any..)

• Run iTunes and download the app

• Intercept the request and change the version value in the request's XML (shown on the slide)

• Enjoy the old version


Useful links: Malware wellbeing on iOS; Lifehacker video manual

Step: 1.3

Page 22:

Extract data from the .ipa: get a decrypted .ipa

• From a jailbroken device: GitHub: /stefanesser/dumpdecrypted, GitHub: /KJCracks/Clutch, GitHub: /easonoutlook/Rasticrac

• From iphonecake.com

• From 4pda.ru


Step: 2-3

Page 23:

Inject or modify data and repack the .ipa

• GitHub: /jamie72/IPAPatch (reveal / cycript)

• GitHub: /vtky/resign (any framework / frida)


Step: 4
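The two steps above, getting a decrypted binary out of the .ipa (step 2-3) and injecting code into it (step 4, what IPAPatch/resign do with a framework or Frida gadget), as an added worked example. This is not the speaker's code nor any listed tool's. It opens the .ipa as a zip, finds the main executable through Info.plist, reads LC_ENCRYPTION_INFO_64 to tell whether the App Store FairPlay wrapper is still in place (cryptid != 0, so patching would be pointless), and appends an LC_LOAD_DYLIB load command pointing at the dylib to inject, the same trick insert_dylib uses. Assumptions, all made up for the example: a thin little-endian arm64 Mach-O (fat binaries must be thinned first), the Demo.app sample bundle, and the path @executable_path/Frameworks/FridaGadget.dylib.

```python
"""Added example (not the speaker's code nor any listed tool's): find the main binary in an .ipa,
check whether it is still FairPlay-encrypted, and add an LC_LOAD_DYLIB so the app loads an
injected dylib (e.g. a Frida gadget) at launch. Assumes a thin little-endian arm64 Mach-O."""
import io, plistlib, struct, zipfile

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64, LC_LOAD_DYLIB = 0x19, 0x0C
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
# mach_header_64: magic cputype cpusubtype filetype ncmds sizeofcmds flags reserved
HEADER_64 = struct.Struct("<IiiIIIII")

def load_commands(data):
    """Yield (cmd, offset, cmdsize) for every load command of a thin 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = HEADER_64.unpack_from(data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit not handled)")
    off = HEADER_64.size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, off, cmdsize
        off += cmdsize

def is_encrypted(data):
    """True while the App Store FairPlay wrapper is present (cryptid != 0); a dumped
    binary has cryptid 0 and a developer build has no LC_ENCRYPTION_INFO at all."""
    for cmd, off, _ in load_commands(data):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<III", data, off + 8)[2] != 0  # cryptoff, cryptsize, cryptid
    return False

def first_section_offset(data):
    """Lowest file offset of any section: load commands may only grow up to here."""
    lowest = len(data)
    for cmd, off, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for i in range(nsects):  # section_64 is 80 bytes, its 'offset' field sits at +48
                sect_off = struct.unpack_from("<I", data, off + 72 + i * 80 + 48)[0]
                if sect_off:
                    lowest = min(lowest, sect_off)
    return lowest

def insert_load_dylib(data, dylib_path):
    """Copy of the binary with one extra LC_LOAD_DYLIB (what insert_dylib does). The command
    goes into the zero padding after the existing load commands; re-sign afterwards."""
    if is_encrypted(data):
        raise ValueError("binary is still encrypted: decrypt it before patching")
    hdr = list(HEADER_64.unpack_from(data, 0))
    end = HEADER_64.size + hdr[5]
    name = dylib_path.encode() + b"\0"
    cmdsize = (24 + len(name) + 7) & ~7  # load commands are 8-byte aligned
    if end + cmdsize > first_section_offset(data) or any(data[end:end + cmdsize]):
        raise ValueError("not enough free padding after the load commands")
    # dylib_command: cmd, cmdsize, name offset, timestamp, current_version, compat_version
    new_cmd = struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
    hdr[4] += 1         # ncmds
    hdr[5] += cmdsize   # sizeofcmds
    out = bytearray(data)
    out[:HEADER_64.size] = HEADER_64.pack(*hdr)
    out[end:end + cmdsize] = new_cmd + name.ljust(cmdsize - 24, b"\0")
    return bytes(out)

def linked_dylibs(data):
    """Paths of all LC_LOAD_DYLIB commands, to verify the injection."""
    names = []
    for cmd, off, cmdsize in load_commands(data):
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            names.append(data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
    return names

def main_executable(ipa_bytes):
    """Locate Payload/<App>.app/<CFBundleExecutable> inside an .ipa (a plain zip)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist = next(n for n in z.namelist() if n.count("/") == 2 and n.endswith(".app/Info.plist"))
        exe = plist.rsplit("/", 1)[0] + "/" + plistlib.loads(z.read(plist))["CFBundleExecutable"]
        return exe, z.read(exe)

def build_sample_binary(cryptid):
    """Constructed stand-in for an app binary: one __TEXT segment with a section at 0x1000
    plus LC_ENCRYPTION_INFO_64; real binaries carry many more load commands."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT", 0, 0x2000, 0, 0x2000, 5, 5, 1, 0)
    seg += struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x1000, 0x100, 0x1000, 4, 0, 0, 0, 0, 0, 0)
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x1000, 0x1000, cryptid, 0)
    cmds = seg + enc  # header: CPU_TYPE_ARM64 = 0x0100000C, MH_EXECUTE = 2
    header = HEADER_64.pack(MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return (header + cmds).ljust(0x2000, b"\0")

def build_sample_ipa(cryptid):
    """Constructed .ipa with the bundle layout of an App Store download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleExecutable": "Demo"}))
        z.writestr("Payload/Demo.app/Demo", build_sample_binary(cryptid))
    return buf.getvalue()

if __name__ == "__main__":
    path, binary = main_executable(build_sample_ipa(cryptid=0))
    print(path, "encrypted:", is_encrypted(binary))
    patched = insert_load_dylib(binary, "@executable_path/Frameworks/FridaGadget.dylib")
    print("now links:", linked_dylibs(patched))
```

Run as a script it pushes the constructed sample through the flow. On a real app the same checks apply: if is_encrypted() says yes, go back to step 2-3 and dump the binary on a jailbroken device first; after the patch, the dylib has to be copied into the .app bundle at the path named in the new command, and the whole bundle goes through the resign step (step 5), because the modified header no longer matches the old code signature.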

Page 24:

What can I put inside the .ipa?

Answer: whatever you want!

Page 25:

Frida

• frida.re

• GitHub: /frida/frida

• Portable, scalable, scriptable

• Injects JS into a process

• Can inject hooks into a process as it starts

• Calling understand


Useful links: ZeroNights'15 workshop; Frida; Objection; Awesome Frida (examples)

Page 26:

Cycript

• www.cycript.org

• GitHub: /nowsecure/frida-cycript

• Injects into a process and lets you manipulate the runtime from an interactive console

• Supports Objective-C and JS


Useful links: Manual; Cycript @ 360|iDev 2013

Page 27:

Reveal

• revealapp.com

• UI design inspection

• Supports even Apple TV and Apple Watch

• More for UI/UX debugging

Page 28:

CydiaSubstrate

• cydiasubstrate.com

• apt.saurik.com/debs/mobilesubstrate_0.9.6301_iphoneos-arm.deb

• Modifies apps w/o source code

• Provides an API for runtime manipulation

• Functioning depends on the iOS version

Page 29:

Resign the .ipa

• GitHub: /nowsecure/node-applesign

• GitHub: /DanTheMan827/ios-app-signer

• Xcode w/dev account


Step: 5

Page 30:

Upload the .ipa to the iOS device

• Xcode (free Developer Account)

• Impactor (any Apple ID)

• iFunBox (iOS≤8.3)

• JB: GitHub: /autopear/ipainstaller


Step: 6

Page 31:

Exec own code

Press “X” to Hack

• Write your code & exec it on the iOS device

• Connect to the device and control your app


Step: pwn

Page 33:

One-slide schema

Page 34:

Demo

Page 35:

Thank you! Questions?

[email protected]

@ansjdnakjdnajkd


Digital Security in Moscow: (495) 223-07-86 Digital Security in Saint Petersburg: (812) 703-15-47