Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond The 'Cript: Practical iOS Reverse Engineering

Michael Allen
September 26, 2016
Research
0
450

Beyond The 'Cript: Practical iOS Reverse Engineering

Today there is an app for almost everything. But all apps come with security vulnerabilities, many of which have been relatively easy to find with the help of increasingly available frameworks. So developers are now generally better about hardening apps against the most common issues using jailbreak detection and best practices, and many of the known “low hanging” security issues are resident less frequently.

But there are still vulnerabilities not as well known that can only be found with a deeper knowledge of iOS and its underlying assembly code. The aim of this talk is to provide a bridge between the mundane methodologies and vulnerabilities that are easy to find, and a new approach for identifying vulnerabilities that require assembly knowledge to discover.

The talk will include fundamentals of reversing, a primer on iOS architecture, binary patching, reversing MACH-0 binaries, and conclude with real-world examples involving bypassing jailbreak detection routines.

Michael Allen

September 26, 2016
Tweet

More Decks by Michael Allen

See All by Michael Allen
Beyond The 'Cript: Practical iOS Reverse Engineering (Lascon Edition)
_dark_knight_
0
530
OWASP Lightning Talk: Beyond The 'Cript: Practical iOS Reverse Engineering
_dark_knight_
1
170

Other Decks in Research

See All in Research
Julia Tokyo #11 トーク: 「Juliaで歩く自動微分」
abap34
2
1.3k
Rの機械学習フレームワークの紹介〜tidymodelsを中心に〜 / machine_learning_with_r2024
s_uryu
0
230
DeepCrysTet: A Deep Learning Approach Using Tetrahedral Mesh for Predicting Properties of Crystalline Materials
tsurubee
0
380
方策の長期性能に対する 効率的なオフライン評価・学習 (Long-term Off-Policy Evaluation and Learning)
usaito
PRO
2
190
Refactoring Mining - The key to unlock software evolution
tsantalis
0
280
[Human-AI Decision Making勉強会] 説明の更新はユーザにどのような影響をもたらすか
okoso
1
210
機械学習と数理最適化の融合-文脈付き確率的最短路を例として-
mickey_kubo
2
460
Webスケールデータセットに対する実用的なポイズニング手法 / Poisoning Web-Scale Training Datasets is Practical
nttcom
0
120
2024-01-23-az
sofievl
1
780
一般化ランダムフォレストの理論と統計的因果推論への応用
tomoshige_n
10
1.8k
10-ot-generic-bio.pdf
gpeyre
0
140
眠眠ガチャ:ガチャを活用した睡眠意欲向上アプリの開発 / EC71inui
yumulab
1
160

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
7
3.4k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
14
1.5k
How STYLIGHT went responsive
nonsquared
92
4.8k
Making Projects Easy
brettharned
109
5.5k
Building Adaptive Systems
keathley
32
1.9k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
The MySQL Ecosystem @ GitHub 2015
samlambert
244
12k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Ruby is Unlike a Banana
tanoku
96
10k
A designer walks into a library…
pauljervisheath
201
23k
Making the Leap to Tech Lead
cromwellryan
125
8.5k
Typedesign – Prime Four
hannesfritz
36
2.1k

Transcript

  1. IOActive, Inc. Copyright ©2016. All Rights Reserved. Beyond The ‘Cript:

    Practical iOS Reverse Engineering Michael Allen (@_dark_knight_) Security Consultant

  2. IOActive, Inc. Copyright ©2016. All Rights Reserved. Why This Talk?

    •  Apps more hardened against common attacks •  Bridge the gap •  Deeper understanding of what happens under the hood •  Foundation for additional research

  3. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 –  Usual results –  “New” approach •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Mach-O Binary Format •  Mach Tasks •  ARM(32/64) •  Objective-C •  Swift •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion

  4. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion

  5. IOActive, Inc. Copyright ©2016. All Rights Reserved. Building A General

    Toolkit •  Jailbroken Device •  File System •  Network •  Instrumentation •  Automating Common Tasks •  Essentials

  6. IOActive, Inc. Copyright ©2016. All Rights Reserved. Jailbroken Device • 

    Removing software restrictions imposed by iOS, through the use of software exploits •  Recommend dedicated device for testing •  Latest jailbreak –  Pangu (iOS 9.2 – 9.3.3 64-bit devices only)

  7. IOActive, Inc. Copyright ©2016. All Rights Reserved. Jailbroken Device (contd.)

    •  Tethered •  Does not persist across reboots •  Requires computer to start device •  Untethered •  Persists on device across reboots •  Semi-tethered •  Requires computer to start into jailbroken state •  Rebooting or starting device without assistance possible. But boots into non-jailbroken state

  8. IOActive, Inc. Copyright ©2016. All Rights Reserved. Jailbroken Device (ProTip)

    •  Change default root password from alpine •  Access device over usb using usbmuxd –  sudo python tcprelay.py -t 22:22 •  Generate ssh keys –  ssh-keygen -t rsa -f ~/.ssh/ironman -N "” •  Copy public key to device –  ssh-copy-id -i ~/.ssh/ironman.pub root@localhost •  Create an alias on (~/.ssh/config)

  9. IOActive, Inc. Copyright ©2016. All Rights Reserved. File System: Moving

    Files •  iFunbox •  iExplorer •  Sftp

  10. IOActive, Inc. Copyright ©2016. All Rights Reserved. Network: BurpSuite Pro

    Intercepting Proxy

  11. IOActive, Inc. Copyright ©2016. All Rights Reserved. Network: SSL Kill

    Switch 2 •  “Disables SSL certificate validation - including certificate pinning - within iOS Apps.”

  12. IOActive, Inc. Copyright ©2016. All Rights Reserved. Instrumentation: Cycript • 

    Injects into target process •  Interactive console •  Objective-C and Javascript syntax •  Supported Architectures(iOS, Mac OS X) •  NowSecure fork where runtime powered by Frida* (Cycript on steroids)

  13. IOActive, Inc. Copyright ©2016. All Rights Reserved. Instrumentation: Cycript (contd.)

  14. IOActive, Inc. Copyright ©2016. All Rights Reserved. Instrumentation: Frida • 

    Injects Google’s V8 engine into target process •  Javascript executed with full access to memory •  Function hooking •  Access to native methods •  Inject into starting process •  Multiple architectures (Windows, Mac, Linux, iOS and Android)

  15. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  Method tracing

    Instrumentation: Frida (contd.)

  16. IOActive, Inc. Copyright ©2016. All Rights Reserved. Automating Common Tasks

    •  Idb Tool - http://www.idbtool.com/ •  Snoop-IT - http://repo.nesolabs.de/ •  iRet - https://www.veracode.com/blog/2014/03/introducing-the-ios-reverse-engineering-toolkit •  IntroSpy - https://github.com/iSECPartners/Introspy-iOS •  AppMon - https://dpnishant.github.io/appmon/ •  Needle - https://github.com/mwrlabs/needle •  Varying levels of support

  17. IOActive, Inc. Copyright ©2016. All Rights Reserved. Automating Common Tasks:

    Idb Tool •  Idb Tool •  “idb is a tool to simplify some common tasks for iOS app security assessments and research.” •  Provides general app info •  URL Handler •  Keychain dumping •  Pasteboard •  Logging

  18. IOActive, Inc. Copyright ©2016. All Rights Reserved. Automating Common Tasks:

    Idb Tool (contd.)

  19. IOActive, Inc. Copyright ©2016. All Rights Reserved. Essentials: Command Line

    Utilities •  Command Line –  BigBoss Recommended Tools (Cydia) –  Erica Utilities (Cydia) –  Jonathan Levin compiled a number of commonly used binaries for iOS

  20. IOActive, Inc. Copyright ©2016. All Rights Reserved. Essentials: iOSBinpack (Jonathan

    Levin) •  Listing of available tools

  21. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion

  22. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Sniffing On A Remote Virtual Interface

  23. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Sniffing On A Remote Virtual Interface (contd.)

  24. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Insecure Storage •  Property list files (.plist) •  SQLite databases •  Keychain •  Snapshots •  Cache

  25. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Property

    Lists (.plist) •  Stores serialized objects •  Key value pairs •  Maybe compacted to bplist (binary plist) –  cat filename.plist | plutil -convert xml1 - -o -

  26. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Client-Side

    Data Stores •  Often see SQLite being used for client-side storage •  Lightweight client-side database •  Query using SQL

  27. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Fun

    Fact About SQLite Data Stores •  Delete doesn’t do what you think •  Deleted data added to free list •  Free records not overwritten until more space required •  End result is data may not be overwritten for a while •  May be recovered with SQLite-parser

  28. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Dumping

    The Keychain •  SQLite database stored in /var/Keychains

  29. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Snapshots

  30. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Inspecting

    The Cache •  Caches directory similar function to that of a web browser’s cache •  Aimed at improving performance •  May store web cache content

  31. IOActive, Inc. Copyright ©2016. All Rights Reserved. Insecure Storage: Dumping

    Binary Cookies •  Created by URL loading system or webview •  Stored on local file system in binary format.

  32. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Inter-process Communication •  Application registers custom URL scheme •  Invoked when scheme called

  33. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Inter-process Communication •  Suggest using lsdtrip to identify URL’s •  Use publicurls | privateurls option

  34. IOActive, Inc. Copyright ©2016. All Rights Reserved. Inter-process Communication (Side

    Note) •  Malicious app could register your URL scheme •  [[UIApplication sharedApplication] openURL:myURL]; •  Universal Links introduced in iOS 9 •  Kills the openURL problem •  Developer specifies what URL’s will be processed by app (association file) •  Communication over HTTPS •  No more enumerating apps via can canOpenURL method

  35. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Attack Vectors:

    Injection Attacks •  UIWebViews •  File-Handling Routine •  XML

  36. IOActive, Inc. Copyright ©2016. All Rights Reserved. Summary: Usual Results

    •  Issues relating to Local Storage –  Keep in mind most of these attacks requires the device to be unlocked •  Unsecured API’s (via Burpsuite Pro) •  Some hard-coded secrets maybe (typically run strings against binary) •  The truth however is that most of these bugs closed –  Binary protections are now standard –  Data Protection API’s (keychain etc) –  Universal links introduced with iOS 9 address IPC loophole –  …...

  37. IOActive, Inc. Copyright ©2016. All Rights Reserved. Additionally What Happens

    When? •  The common tools fail? •  Your Google Fu returns nothing? •  There are custom security protections in place •  You want to extend an existing tool? •  You want start investigating deeply hidden logic bugs –  Crypto functions etc •  Move beyond 3rd party applications

  38. IOActive, Inc. Copyright ©2016. All Rights Reserved. Towards A “New”

    Approach •  At this point we need to take a different approach one that involves Reverse Engineering and leverages knowledge of : •  iOS internals •  ARM(32/64) Assembly •  Deep dive into Objective-C/Swift •  ….... •  Let’s improve our toolkit •  And expand our knowledge base

  39. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion

  40. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit •  IDA Pro •  Hopper •  LLDB •  Jtool •  Procexp •  GNU Project Debugger (gdb) •  Apple CC Tools

  41. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: IDA Pro

  42. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: Hopper

  43. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: lldb •  Debugging an application binary with lldb •  iOS Device 1.  debugserver -x backboard ip:port </path/to/executable> •  MAC Host 1.  lldb 2.  process connect connect://<remote_host>:<port> 3.  image list –o –f (ASLR)

  44. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: lldb (contd.)

  45. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  Breakpoint =

    offset1 + offset2 •  Or just use the symbols J The Reverse Engineer’s Toolkit: lldb ASLR (contd.) 1 2

  46. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: jtool •  otool type functionality with way more options •  MACH-O analysis (atos, dyldinfo, nm, strings etc) •  Multi-platform (OS X, iOS, Linux) •  ARM64 disassembler

  47. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: jtool (contd.)

  48. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: jtool (bonus)

  49. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: procexp •  Getting task related info •  Display threads, mach ports, dump core (memory image) etc..

  50. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: gdb •  Use source from http://cydia.radare.org •  No support for arm64 architectures

  51. IOActive, Inc. Copyright ©2016. All Rights Reserved. The Reverse Engineer’s

    Toolkit: filemon •  Tracing file system activity with FSEvents

  52. IOActive, Inc. Copyright ©2016. All Rights Reserved. Apple’s CC Tools

    •  otool •  MACH-O Binary Swiss army knife •  nm •  Displays symbol table •  lipo •  Architectures embedded in binary •  Codesign •  Binary signing

  53. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion

  54. IOActive, Inc. Copyright ©2016. All Rights Reserved. Reverse Engineering iOS

    Applications (Under The Hood) •  Mach-O Binary Format •  Mach Tasks •  ARM(32/64) •  Objective-C •  Swift

  55. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O Binary Format

  56. IOActive, Inc. Copyright ©2016. All Rights Reserved. Application Binary Version

    Location < iOS 8 /var/mobile/Application/<app bundle id> iOS 8 + §  /var/mobile/Containers/Bundle/Application/<app bundle id> §  App binary, nibs, Code Signature §  /var/mobile/Containers/Data/Application/<app bundle id> §  Documents, Library, tmp folder iOS 9.3.x §  /var/containers/Bundle/Application/<app bundle id> §  App binary

  57. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O Binary • 

    Header – Identifies file type, architecture etc •  Load Commands – Details layout and linkage specifications •  Data – Code

  58. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Header <mach-o/loader.h>

  59. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Flags • 

    PIE: Commonly checked flag during an assessment. •  ASLR for executable types

  60. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Load Commands

    (Kernel) •  LC_SEGMENT[_64] main load command –  Memory regions with same r/w/x protection <mach-o/loader.h>

  61. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: SEGMENTS • 

    __PAGEZERO(NULL pointer trap, all access permissions revoked ) •  _TEXT(program code) •  _DATA (readable/writeable program data) •  _LINKEDIT (symbol and other tables used by linker) •  _RESTRICT (see dyld.cpp, will not load DYLD_INSERT_LIBRARIES) •  Optional sections

  62. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Common Segments

    and Sections

  63. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Viewing Segments

    and Sections

  64. IOActive, Inc. Copyright ©2016. All Rights Reserved. MachOView (GUI)

  65. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach-O: Load Commands

    (dyld) •  Kernel hands off to DYLD(dynamic linker) •  Uses dynamic linker specified in LC_LOAD_DYLINKER •  Loads each LC_LOAD_DYLIB •  Resolves symbols •  Interposing (method switching) •  add __interpose section to __DATA SEGMENT •  Force library loading with DYLD_INSERT_LIBRARIES •  code with __attribute(constructor) auto runs

  66. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks

  67. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks • 

    At this point binary mapped into memory •  Process on other systems •  Port (IPC Endpoint) •  Own the port, own the task •  Mach Trap task_for_pid() •  Requires jailbreak tfp0 patch for kernel(PID0) •  processor_set_tasks() •  Any task port in system

  68. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Interacting with the task •  Get the task port •  Read/write memory with mach_vm* api’s •  Inject your own shellcode •  Left to your imagination

  69. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Owning The Port * mach_vm_region returns information about a memory region in a given address space.

  70. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Dumping Memory •  Write your own code and call appropriate mach_vm* api’s •  Use procexp <pid> regions

  71. IOActive, Inc. Copyright ©2016. All Rights Reserved. Mach Tasks –

    Dumping Memory •  Read using lldb (memory read –outfile <outfile> –count <size> <address>)

  72. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM Assembly

  73. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM32 - Registers

    Register Purpose R0 – R12 General purpose registers R13 Stack pointer R14 Link register. Holds return address during a function call. R15 Program counter (PC) CPSR Information on current execution state (Endianness bit, Thumb bit, Mode bit)

  74. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM32 – Function

    Calling Convention •  Functions are invoked via a B, BX, BL, BLX Register Purpose r0-r3 §  First four function parameters. §  Other arguments passed on stack r0 Stores return value

  75. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM32 – Basic

    Loading Instructions Register Purpose LDR Loads a word. Ex. LDR R3, [R0] Loads the word value at R0 into R3 STR Stores a word. Ex. STR R3, [R4] Takes the value in R3 and stores at memory address R4 •  Arm is a load/store architecture •  Data must be loaded into registers before they can be used

  76. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM64 - Registers

    Register Purpose x0-x28 General purpose registers (64 bit) w0-w30 General purpose registers (32 bit) x29 Frame pointer x30 Link register (return address) SP Stack pointer PC Program counter

  77. IOActive, Inc. Copyright ©2016. All Rights Reserved. ARM64 – Function

    Calling Convention Register Purpose x0-x7 Arguments/return values x9-x15 Local variables x19-x29 Callee-saved registers

  78. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C

  79. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C •  objc_msgSend

    •  Equivalent of calling functions in C •  id objc_msgSend(id self, SEL op,…) •  receiver(id self) •  selector(SEL op) •  Receiver is a pointer to class message is intended for •  Selector is the method to handle message

  80. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C (contd.)

  81. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C (contd.) x0

    – receiver x1 – selector x2 – argument objc_msgSend – func call -v –d objc retrieves info on classes, methods etc *ARM64

  82. IOActive, Inc. Copyright ©2016. All Rights Reserved. Objective-C: Method Swizzling

    Under The Hood •  objc_method struct holds information about method of a class [/usr/include/objc/ runtime.h] •  Hooking Frameworks [/Library/Frameworks/CydiaSubstrate.framework] Member Description method_name Method name method_types Accepted parameters method_imp Pointer to implementation Swizzling just changes implementation using underlying C functions: •  class_replaceMethod •  method_exchangeImplementations •  method_setImplementation CydiaSubstrate: •  MSHookMessageEx •  MSHookFunction

  83. IOActive, Inc. Copyright ©2016. All Rights Reserved. CydiaSubstrate Method Swizzling

  84. IOActive, Inc. Copyright ©2016. All Rights Reserved. SWIFT

  85. IOActive, Inc. Copyright ©2016. All Rights Reserved. Swift •  Introduced

    with iOS 8 •  Still uses traditional message passing for Swift classes that inherit from Objective-C classes •  Swift classes may use •  Direct function calls •  Vtables •  C++ like mangled function names •  Method Swizzling if subclass of NSObject

  86. IOActive, Inc. Copyright ©2016. All Rights Reserved. Swift: Mangled Function

    Names Swift Objective-C

  87. IOActive, Inc. Copyright ©2016. All Rights Reserved. Swift: Mangled Function

    Names •  __TFC9jailbreak14ViewController12btnFileCheckfS0_FPSs9AnyObject_T_ –  __T Swift Symbol –  F indicates function –  C indicates it is a function belonging to a class –  9jailbreak module name prefixed with length –  14ViewController class name prefixed with length –  12btnFileCheck function name prefixed with length –  S0_FPSs no clue ?? J –  f function attribute –  9AnyObject function parameter –  T_ return type

  88. IOActive, Inc. Copyright ©2016. All Rights Reserved. Swift: demangle Tool

    •  See also hopper-swift-demangle plugin

  89. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion

  90. IOActive, Inc. Copyright ©2016. All Rights Reserved. Disclaimer •  We

    will discuss binary patching next •  Yeah but I could do this with ? •  Yes there are several other options: •  xCon •  tsProtector •  Officer •  Tools discussed earlier(remember CydiaSubstrate hooking with MSHookFunction) •  What happens when you can’t? •  Get comfortable reading/modifying ARM assembly •  Start with simple examples

  91. IOActive, Inc. Copyright ©2016. All Rights Reserved. But First A

    Note On Patching 101 •  Replace instruction with NOP •  No Operation •  Change conditional instructions to unconditional ones •  BNE, BEQ, BLT….changes to just B etc •  Update the register that determines branch taken •  reg write <register> •  p $<reg> = <value> •  Remove SEGMENT •  __RESETRICT

  92. IOActive, Inc. Copyright ©2016. All Rights Reserved. Identifying and bypassing

    Simple Jailbreak Detection Routines •  Known file paths •  Inline functions •  Sandbox integrity •  Anti-debugging •  P_TRACED •  PT_DENY_ATTACH

  93. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Known File Paths

  94. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Known File Paths (contd.) Patch here

  95. IOActive, Inc. Copyright ©2016. All Rights Reserved. Ticketmaster Case Study:

    Known File Paths

  96. IOActive, Inc. Copyright ©2016. All Rights Reserved. Write 0 Ticketmaster

    Case Study: Known File Paths (contd.)

  97. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Inline Functions

  98. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Inline Functions (contd.) Note no more bl _isJailbroken

  99. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Inline Functions (contd.) Patch here

  100. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Sandbox Integrity with fork()

  101. IOActive, Inc. Copyright ©2016. All Rights Reserved. Common Jailbreak Detection

    Routines: Sandbox Integrity Patch here

  102. IOActive, Inc. Copyright ©2016. All Rights Reserved. Anti-Debugging: P_TRACED

  103. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  P_TRACED defined

    in /sys/proc.h Anti-Debugging: P_TRACED (contd.)

  104. IOActive, Inc. Copyright ©2016. All Rights Reserved. Patch here Anti-Debugging:

    P_TRACED (contd.)

  105. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  Setting w10

    to 0 is enough to bypass the check Anti-Debugging: PTRACED (contd.) Just change the register value

  106. IOActive, Inc. Copyright ©2016. All Rights Reserved. Anti-Debugging: PT_DENY_ATTACH

  107. IOActive, Inc. Copyright ©2016. All Rights Reserved. •  Defined in

    /bsd/sys/ptrace.h Anti-Debugging: PT_DENY_ATTACH (contd.)

  108. IOActive, Inc. Copyright ©2016. All Rights Reserved. Anti-Debugging: PT_DENY_ATTACH (contd.)

    0x1f = 31 Patch here

  109. IOActive, Inc. Copyright ©2016. All Rights Reserved. Simple Jailbreak Detection

    Routine Bypass: Swift

  110. IOActive, Inc. Copyright ©2016. All Rights Reserved. Simple Jailbreak Detection

    Routine Bypass: Swift (contd.)

  111. IOActive, Inc. Copyright ©2016. All Rights Reserved. Simple Jailbreak Detection

    Routine Bypass: Swift (contd.) jailbreak function call return value in w0 patch cmp w0, #1

  112. IOActive, Inc. Copyright ©2016. All Rights Reserved. Outline/Agenda •  Building

    A General Toolkit •  iOS Application Assessment 101 •  The Reverse Engineer’s Toolkit •  Reverse Engineering iOS Applications •  Identifying and bypassing Simple Jailbreak Detection Routines •  Conclusion

  113. IOActive, Inc. Copyright ©2016. All Rights Reserved. Conclusion •  Common

    bugs being closed •  A “new” approach and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protections, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!

  114. IOActive, Inc. Copyright ©2016. All Rights Reserved. References •  Books:

    •  Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin) •  The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. ) •  Hacking and Securing iOS Applications (Jonathan Zdziarski) •  iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel) •  Blogs and Tools: •  processor_set_tasks() - http://newosxbook.com/articles/PST2.html •  procexp – http://newosxbook.com/tools/procexp.html •  iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html •  jtool - http://newosxbook.com/tools/jtool.html •  filemon - http://newosxbook.com/tools/filemon.html •  AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html •  Frida - http://www.frida.re/ •  Cycript - http://www.cycript.org/ •  iFunBox - http://www.i-funbox.com/ •  SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch •  BurpSuite - https://portswigger.net/burp/ •  IDA - https://www.hex-rays.com/products/ida/ •  Hopper - https://www.hopperapp.com/ •  Idb - http://www.idbtool.com/ •  PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers •  ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html •  SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser •  SQLite Deletion - http://www.zdziarski.com/blog/?p=6143 •  lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL