Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP Lightning Talk: Beyond The 'Cript: Practical iOS Reverse Engineering

Michael Allen
October 15, 2016

OWASP Lightning Talk: Beyond The 'Cript: Practical iOS Reverse Engineering

Michael Allen

October 15, 2016
Tweet

More Decks by Michael Allen

Other Decks in Research

Transcript

  1. Agenda So usually when we test an iOS Applica4on we

    use a combina4on of the following tools….
  2. Typical Toolkit •  Command line u4li4es –  BigBoss Recommended Tools

    (Cydia) –  Erica U4li4es (Cydia) –  iOSBinPack * •  Jonathan Levin compiled a number of commonly used binaries for iOS •  Automated toolkits –  Idb Tool, Snoop-IT, iRET, Introspy, Appmon *, Needle * –  Varying levels of support
  3. Common Approach •  Examine local storage –  Caches –  Binary

    Cookies –  Sqlite databases –  Plists –  NSLog –  Snapshots
  4. Common Approach •  Basic binary analysis –  Sta4c •  strings,

    ASLR w/ PIE flag, Encryp4on, ARC, Stack Canaries –  Dynamic •  lldb, gdb, cycript, frida –  Just scratching the surface •  Memory Forensics •  Injec4on A[acks (SQLi – Local SQLite databases, UIWebViews, XML etc)
  5. Usual Results •  Issues rela4ng to Local Storage –  Most

    require device to be unlocked •  Unsecured API’s •  Hard-coded secrets •  The truth however is that most of these bugs closed –  Binary protec4ons are now standard –  Data Protec4on API’s –  Universal links introduced with iOS 9 address IPC loophole –  etc ….. •  Some4mes we may come up short because of several other reasons…
  6. When It All Fails? •  When the tools fail? • 

    Or your Google Fu returns nothing ? •  Custom security protec4ons in place •  Extending an exis4ng tool? •  Finding deeply hidden Logic bugs –  Crypto func4ons etc •  iOS System bugs
  7. Towards A New Approach •  At this point we need

    a “new” approach one that involves Reverse Engineering and leverages knowledge of •  iOS internals •  ARM(32/64) Assembly •  Deep dive into Objec4ve-C/Swij •  …..... •  Our first step is to improve our toolkit •  And expand our knowledge base
  8. Reverse Engineer’s Toolkit •  IDA Pro •  Hopper •  jtool

    •  LLDB •  GNU Project Debugger (gdb) •  Apple CC Tools (nm, lipo, otool, codesign)
  9. Expanding The Knowledge Base •  Mach-O Binary –  SEGMENTS/Sec4ons of

    Interest •  TEXT, DATA, LINKEDIT …. •  Dynamic Linker(DYLD) •  Interposing (method swizzling) •  Force loading libraries
  10. Expanding The Knowledge Base •  Mach Tasks –  Owning and

    interac4ng with tasks •  task_for_pid, processor_set_tasks •  Inter Process Communica4on(IPC) –  Mach Ports, Mach Messages, XPC •  ARM Assembly (32/64) •  Behind the scenes with Objec4ve-C and SWIFT •  Lot more details but limited 4me see full talk here –  h"ps://www.youtube.com/watch?v=4WHEQA3GG9k&feature=youtu.be –  h"ps://speakerdeck.com/_dark_knight_/beyond-the-cript-pracIcal-ios-reverse- engineering
  11. iOS Reversing •  Let’s look at Reverse Engineering and what

    is possible •  Common jailbreak detec4on – does root par44on have read/write permissions ? •  How can we make this green? •  Mul4ple op4ons available •  Binary patching •  But first some recon
  12. iOS Reversing •  Dump the binary (facilitated by DYLD and

    DYLD_INSERT_LIBRARIES environment variable) •  _RESTRICT SEGMENT blocks this (view SEGMENTS w/ jtool –l and patch if necessary)
  13. iOS Reversing •  Is it a FAT binary? We may

    need to thin it •  Or specify ARCH with jtool •  ARCH=arm64 jtool <op4ons> <binary>
  14. iOS Reversing •  Any interes4ng strings? •  Dump cstring secIon

    (same as running strings) •  Knowledge of SEGMENTS and sec4ons important
  15. iOS Reversing •  Disassemble method to determine how logic implemented

    •  How can I bypass it? Patch here staQs func call
  16. Conclusion •  Common bugs being closed •  A “new” approach

    and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protec4ons, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!