OWASP Lightning Talk: Beyond The 'Cript: Practical iOS Reverse Engineering

Transcript

1. Beyond The ‘Cript: Prac4cal iOS Reverse Engineering Michael Allen (@_dark_knight_)

2. Agenda So usually when we test an iOS Applica4on we

   use a combina4on of the following tools….

3. Typical Toolkit •  Jailbroken device •  Burpsuite Pro •  Cycript

   •  Frida

4. Typical Toolkit •  Command line u4li4es –  BigBoss Recommended Tools

   (Cydia) –  Erica U4li4es (Cydia) –  iOSBinPack * •  Jonathan Levin compiled a number of commonly used binaries for iOS •  Automated toolkits –  Idb Tool, Snoop-IT, iRET, Introspy, Appmon *, Needle * –  Varying levels of support

5. Common Approach And the common tests we perform are along

   the lines of….

6. Common Approach •  Examine local storage –  Caches –  Binary

   Cookies –  Sqlite databases –  Plists –  NSLog –  Snapshots

7. Common Approach •  Basic binary analysis –  Sta4c •  strings,

   ASLR w/ PIE flag, Encryp4on, ARC, Stack Canaries –  Dynamic •  lldb, gdb, cycript, frida –  Just scratching the surface •  Memory Forensics •  Injec4on A[acks (SQLi – Local SQLite databases, UIWebViews, XML etc)

8. Usual Results These tests typically result in findings that include…..

9. Usual Results •  Issues rela4ng to Local Storage –  Most

   require device to be unlocked •  Unsecured API’s •  Hard-coded secrets •  The truth however is that most of these bugs closed –  Binary protec4ons are now standard –  Data Protec4on API’s –  Universal links introduced with iOS 9 address IPC loophole –  etc ….. •  Some4mes we may come up short because of several other reasons…

10. When It All Fails? •  When the tools fail? • 

    Or your Google Fu returns nothing ? •  Custom security protec4ons in place •  Extending an exis4ng tool? •  Finding deeply hidden Logic bugs –  Crypto func4ons etc •  iOS System bugs

11. Towards A New Approach •  At this point we need

    a “new” approach one that involves Reverse Engineering and leverages knowledge of •  iOS internals •  ARM(32/64) Assembly •  Deep dive into Objec4ve-C/Swij •  …..... •  Our first step is to improve our toolkit •  And expand our knowledge base

12. Reverse Engineer’s Toolkit •  IDA Pro •  Hopper •  jtool

    •  LLDB •  GNU Project Debugger (gdb) •  Apple CC Tools (nm, lipo, otool, codesign)

13. Expanding The Knowledge Base •  Mach-O Binary –  SEGMENTS/Sec4ons of

    Interest •  TEXT, DATA, LINKEDIT …. •  Dynamic Linker(DYLD) •  Interposing (method swizzling) •  Force loading libraries

14. Expanding The Knowledge Base •  Mach Tasks –  Owning and

    interac4ng with tasks •  task_for_pid, processor_set_tasks •  Inter Process Communica4on(IPC) –  Mach Ports, Mach Messages, XPC •  ARM Assembly (32/64) •  Behind the scenes with Objec4ve-C and SWIFT •  Lot more details but limited 4me see full talk here –  h"ps://www.youtube.com/watch?v=4WHEQA3GG9k&feature=youtu.be –  h"ps://speakerdeck.com/_dark_knight_/beyond-the-cript-pracIcal-ios-reverse- engineering

15. iOS Reversing •  Let’s look at Reverse Engineering and what

    is possible •  Common jailbreak detec4on – does root par44on have read/write permissions ? •  How can we make this green? •  Mul4ple op4ons available •  Binary patching •  But first some recon

16. iOS Reversing •  Dump the binary (facilitated by DYLD and

    DYLD_INSERT_LIBRARIES environment variable) •  _RESTRICT SEGMENT blocks this (view SEGMENTS w/ jtool –l and patch if necessary)

17. iOS Reversing •  Is it a FAT binary? We may

    need to thin it •  Or specify ARCH with jtool •  ARCH=arm64 jtool <op4ons> <binary>

18. iOS Reversing •  Dump the symbols along with dylib’s to

    which they belong

19. iOS Reversing •  Any interes4ng strings? •  Dump cstring secIon

    (same as running strings) •  Knowledge of SEGMENTS and sec4ons important

20. iOS Reversing •  What are the classes, instance methods etc?

21. iOS Reversing •  Disassemble method to determine how logic implemented

    •  How can I bypass it? Patch here staQs func call

22. iOS Reversing •  Patch register w8 Patch here

23. iOS Reversing •  Ajer patch:

24. Conclusion •  Common bugs being closed •  A “new” approach

    and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protec4ons, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!