hooking101 - deeper on ios island
Hooking 101
Deeper on iOS Island
Alex Soler
@as0ler
30/03/2016
Barcelona Cybersecurity
3
Mobile Security is….
4
Dynamic Analysis is…
Runtime Instrumentation.
Runtime Manipulation.
Know what is done, when it is done.
5
iOS Runtime
6
iOS Runtime
Current Execution point
…
Person *somePerson = [[Person alloc] init];
[somePerson saySomething];
…
Person implementation
@implementation Person
- (void) saySomething {
    NSLog(@"Say Hello");
}
@end
7
OnEnter: implementation
@implementation
- (void) onEnter_saySomething
{
}
@end
iOS Runtime
Current Execution point
…
Person *somePerson = [[Person alloc] init];
[somePerson saySomething];
…
Person implementation
@implementation Person
- (void) saySomething {
    NSLog(@"Say Hello");
}
@end
OnLeave: implementation
@implementation
- (void) onLeave_saySomething
{
}
@end
8
Frida
What is Frida?
- Dynamic instrumentation toolkit
- Debug live processes
- Scriptable
  - Execute your own debug scripts inside another process
- Multi-platform
  - Windows, Mac, Linux, iOS, Android, QNX
- Open Source
- More info @ http://www.frida.re
9
Frida
Basic Usage
- Scripting (Python / JavaScript)
- Frida-trace
- FridaCLI
- Frida-ps
- Frida-discover
10
Keychain
Key-Value store
/private/var/Keychains/keychain-2.db
11
Keychain
OSStatus SecItemDelete ( CFDictionaryRef query );
OSStatus SecItemUpdate ( CFDictionaryRef query, CFDictionaryRef attributesToUpdate );
OSStatus SecItemAdd ( CFDictionaryRef attributes, CFTypeRef _Nullable *result );
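Added example (not from the original slides): a Frida script that applies the onEnter/onLeave pattern from the earlier slides to SecItemAdd and reports the accessibility class each new keychain item is stored with, without reading the item's secret data. The helper names, the short attribute strings (pdmn, svce, acct and the class codes) and the availability of Frida's ObjC bridge in the script runtime are assumptions of this example.

```javascript
// Added example. String values stored under kSecAttrAccessible ("pdmn").
const ACCESSIBLE = {
  ak:   { name: 'WhenUnlocked',                   weak: false },
  aku:  { name: 'WhenUnlockedThisDeviceOnly',     weak: false },
  akpu: { name: 'WhenPasscodeSetThisDeviceOnly',  weak: false },
  ck:   { name: 'AfterFirstUnlock',               weak: false },
  cku:  { name: 'AfterFirstUnlockThisDeviceOnly', weak: false },
  dk:   { name: 'Always',                         weak: true },
  dku:  { name: 'AlwaysThisDeviceOnly',           weak: true },
};

// Pure helper (hypothetical name): classify the attributes of one SecItemAdd call.
function auditKeychainAdd(attrs) {
  const code = attrs.pdmn || 'ak'; // unset: keychain default is WhenUnlocked
  // Unrecognized codes are flagged as weak so that a human reviews them.
  const cls = ACCESSIBLE[code] || { name: 'unknown(' + code + ')', weak: true };
  return {
    service: attrs.svce || null,    // kSecAttrService
    account: attrs.acct || null,    // kSecAttrAccount
    accessible: cls.name,
    weak: cls.weak,
    deviceOnly: code.endsWith('u'), // item is not migrated to other devices
  };
}

// Frida side: runs only inside a Frida script runtime with the ObjC bridge.
function installHook() {
  const addr = Module.getGlobalExportByName
    ? Module.getGlobalExportByName('SecItemAdd')   // newer Frida
    : Module.findExportByName(null, 'SecItemAdd'); // older Frida
  Interceptor.attach(addr, {
    onEnter(args) {
      const dict = new ObjC.Object(args[0]); // CFDictionaryRef attributes
      const attrs = {};
      for (const key of ['pdmn', 'svce', 'acct']) {
        const value = dict.objectForKey_(key);
        if (value !== null) attrs[key] = value.toString();
      }
      this.finding = auditKeychainAdd(attrs); // kSecValueData is never read
    },
    onLeave(retval) {
      this.finding.status = retval.toInt32(); // OSStatus, 0 is errSecSuccess
      console.log(JSON.stringify(this.finding));
    },
  });
}
if (typeof Interceptor !== 'undefined' && typeof ObjC !== 'undefined' && ObjC.available) {
  installHook();
}
```

Items reported with weak set to true use an Always class, which leaves them readable while the device is locked.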
12
Files
Files on iOS are protected by Data Protection Classes
- (BOOL)createFileAtPath:(NSString *)path contents:(NSData *)contents attributes:(NSDictionary<NSString *, id> *)attributes
13
Jailbreak detection
Some apps don’t like jailbroken devices
14
Thank you for your attention
Questions?