"Securing macOS app in practice" by Dmytro Tretiakov
The talk covers:
- Mach-O header short review
- reverse engineering and tools in a nutshell
- objective-c runtime
- code obfuscation tips & tricks
- C functions & structs
- how to hide your licensing check
- other possible ways to check bundle integrity

This talk was given at CocoaHeads Kyiv #11, which took place on March 04, 2017.

CocoaHeads Ukraine

March 13, 2017

Transcript

  1. Securing macOS app in practice
     Dmytro Tretiakov, Software Developer at MacPaw
  2. Products to practice on
     • CleanMyMac
     • DevMate
     • SETAPP
  3. Agenda
     • Describing a problem
     • Mach-O file short review
     • Reverse engineering and tools in a nutshell
     • Objective-C runtime
     • Code obfuscation in practice
     • C functions and structures
     • Other tips & tricks in practice
  4. Describing a problem
  5. Describing a problem
     • We have a cool desktop application and users love it :)
  6. Describing a problem
     • We have a cool desktop application and users love it :)
     • We want to sell licenses for it and make money for creating more cool applications
  7. Describing a problem
     • We have a cool desktop application and users love it :)
     • We want to sell licenses for it and make money for creating more cool applications
     • Another application (macOS / iOS) has a brand new algorithm for doing something
  8. Describing a problem
     • The Mac App Store version has receipt validation according to Apple’s documentation
  9. Describing a problem
     • The Mac App Store version has receipt validation according to Apple’s documentation
     • The site version has a trial, licensing and validation mechanism for it
 10. Describing a problem
     • The Mac App Store version has receipt validation according to Apple’s documentation
     • The site version has a trial, licensing and validation mechanism for it
     • Both versions have a code signature
 11. Describing a problem
     BUT…
 12. Describing a problem
     • You’ve found a cracked copy of your app on a torrent tracker
     • A competing app starts using the same algorithm you’ve created
 13. What to do with it?
     • Every application can be cracked
     • The more time you spend on securing the app, the more time it takes an attacker to crack it
     • To build better code protection you should become an attacker
 14. Mach-O file short review
 15. Mach-O file short review
     • Mach-O is a file format for executables used by macOS, iOS and other systems based on the Mach kernel
 16. Mach-O file short review
     • Mach-O is a file format for executables used by macOS, iOS and other systems based on the Mach kernel
     • It’s a binary stream of bytes grouped in meaningful data chunks
 17. Mach-O file short review
     • Mach-O is a file format for executables used by macOS, iOS and other systems based on the Mach kernel
     • It’s a binary stream of bytes grouped in meaningful data chunks
     • It consists of a header, load commands and data
 18. Mach-O file short review
     • Contains all info about its Objective-C class and method names, used constant strings, linked libraries and frameworks, etc.
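As an added example (not from the talk), the header-then-load-commands layout described on slides 15-18 can be walked with a few dozen lines of C. The struct layouts and constants below are the public ones from Apple's <mach-o/loader.h>, redeclared so the code also builds where that header is absent; the image it walks is a hand-built sample, not a real binary, and the bounds checks are the part a defender actually wants when parsing untrusted files.

```c
/* Added example, not from the talk: a minimal, bounds-checked walker over a
 * 64-bit Mach-O header and its load commands. Structs and constants mirror
 * Apple's <mach-o/loader.h>; the image is a constructed sample. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64       0xfeedfacfu  /* 64-bit Mach-O, host byte order */
#define MH_EXECUTE        0x2u
#define CPU_TYPE_X86_64   0x01000007u
#define LC_SEGMENT_64     0x19u
#define LC_LOAD_DYLIB     0x0cu
#define LC_CODE_SIGNATURE 0x1du

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags, reserved;
};
struct load_command { uint32_t cmd, cmdsize; };

/* Walk the load commands that follow the header, checking each one against
 * the buffer and against the header's sizeofcmds. Returns the number of
 * commands visited, or -1 if the image is malformed. If want_cmd is seen,
 * *found is set to 1 (0 otherwise). */
int walk_load_commands(const uint8_t *buf, size_t len, uint32_t want_cmd, int *found)
{
    struct mach_header_64 hdr;
    struct load_command lc;
    size_t off, end;
    uint32_t i;

    if (found) *found = 0;
    if (len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);                 /* copy: buf may be unaligned */
    if (hdr.magic != MH_MAGIC_64) return -1;
    if (hdr.sizeofcmds > len - sizeof hdr) return -1;
    off = sizeof hdr;
    end = off + hdr.sizeofcmds;
    for (i = 0; i < hdr.ncmds; i++) {
        if (end - off < sizeof lc) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        /* 64-bit commands are 8-byte multiples and must fit the declared area */
        if (lc.cmdsize < sizeof lc || lc.cmdsize % 8 != 0 || lc.cmdsize > end - off) return -1;
        if (lc.cmd == want_cmd && found) *found = 1;
        off += lc.cmdsize;
    }
    return (int)i;
}

/* Build a constructed sample: header plus two load commands whose bodies are
 * zero padding (a real LC_SEGMENT_64 is 72 bytes). Returns the image length. */
size_t build_sample_image(uint8_t *out, size_t cap)
{
    struct mach_header_64 hdr = { MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE, 2, 40, 0, 0 };
    struct load_command seg   = { LC_SEGMENT_64, 16 };
    struct load_command dylib = { LC_LOAD_DYLIB, 24 };
    size_t n = sizeof hdr + hdr.sizeofcmds;

    if (cap < n) return 0;
    memset(out, 0, n);
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, &seg, sizeof seg);
    memcpy(out + sizeof hdr + seg.cmdsize, &dylib, sizeof dylib);
    return n;
}

int main(void)
{
    uint8_t img[128];
    int has_sig = 0;
    size_t n = build_sample_image(img, sizeof img);
    int ncmds = walk_load_commands(img, n, LC_CODE_SIGNATURE, &has_sig);
    printf("%d load commands, LC_CODE_SIGNATURE present: %s\n", ncmds, has_sig ? "yes" : "no");
    return ncmds < 0;
}
```

On a real file you would read the bytes from disk (or use otool -l / MachOView, as the tools slide suggests) and look for LC_LOAD_DYLIB entries to see which libraries and frameworks the binary links, and for LC_CODE_SIGNATURE to see whether a signature blob is present at all.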
 19. Reverse engineering in a nutshell
 20. Reverse engineering in a nutshell
     • Software reverse engineering involves reversing a program's machine code back into the source code that it was written in, using program language statements.
 21. Reverse engineering in a nutshell
     You need
     • Basic knowledge of asm for better understanding
 22. Reverse engineering in a nutshell
     You need
     • Basic knowledge of asm for better understanding
     • A reversing toolkit that contains a disassembler and a debugger
 23. Reverse engineering in a nutshell
     You need
     • Basic knowledge of asm for better understanding
     • A reversing toolkit that contains a disassembler and a debugger
     • Articles about reverse engineering
       ‣ http://reverse.put.as/
       ‣ https://papers.put.as/
 24. Reverse engineering in a nutshell
     You need
     • Basic knowledge of asm for better understanding
     • A reversing toolkit that contains a disassembler and a debugger
     • Articles about reverse engineering
     • Forums with fellows that can help you
       ‣ https://forum.reverse4you.org
 25. Tools
     • Hopper Disassembler (Trial + $ 99.00)
 26. Tools
     • IDA Pro (Trial + $ 2,350.00)
 27. Tools
     System
     • otool — a system command line utility for Mach-O files
     • lldb/gdb — a system debugger
     Open source
     • MachOView — a Mach-O file GUI viewer
     • class-dump — a command line utility for getting all info about classes and protocols used in binary files
     • Hex Fiend — a hex editor
     Free
     • 0xEd — a hex editor
 28. Objective-C runtime
     Q: Why do we need to know about this?
     A: An attacker can use this to crack your application and you can use it to hide licensing.
 29. Objective-C runtime
     Main features
 30. Objective-C runtime
     Main features
     • All classes are dynamically created
       objc_allocateClassPair, objc_registerClassPair, class_addProtocol, class_addIvar, class_addProperty, …
 31. Objective-C runtime
     Main features
     • Method swizzling
       class_getClassMethod, class_getInstanceMethod, class_replaceMethod, class_addMethod, class_getMethodImplementation, method_exchangeImplementations, …
 32. Objective-C runtime
     Main features
     • Storing a hidden value
       objc_setAssociatedObject, objc_getAssociatedObject
 33. Objective-C runtime
     Main features
     • Direct messaging
       objc_msgSend, objc_msgSend_stret
 34. Objective-C runtime
     Not to do
 35. Objective-C runtime
     Better to do
 36. Code obfuscation
     Main aspects
     • Mangles class/protocol, method, function and variable names
     • Better to obfuscate code for each build
     • Problems to know about:
       ✓ Debug and crash report hell
       ✓ KVC
       ✓ Using properties via getter/setter (is…, set…)
       ✓ Xib file compatibility
       ✓ Method inheritance
 37. Code obfuscation
     In practice
 38. Code obfuscation
     In practice
     • Using macros
 39. Code obfuscation
     In practice
     • Result in Hopper Disassembler v4
 40. Code obfuscation
     In practice
     • Open source obfuscators
       ‣ https://github.com/Polidea/ios-class-guard
       ‣ https://github.com/FutureWorkshops/Objc-Obfuscator
     • Your own obfuscator
 41. Code obfuscation
     In practice
     • Mark elements for obfuscating
 42. Code obfuscation
     In practice
     • Use a script phase before compiling
 43. Code obfuscation
     In practice
     • Update #import sections with the obfuscated file: #import "Licensing+Obfuscated.h"
     • Add $(DERIVED_FILE_DIR) to header search paths
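Slides 38-43 describe the macro approach: a generated header full of `#define originalName mangledName` lines, regenerated by a script phase so the names differ per build. The generator below is an added example written for this page; it is not the author's tool and not either of the linked obfuscators. The list of marked names and the seed are constructed; in a real script phase the seed would come from the build number or a random value, and the output would be redirected to "$DERIVED_FILE_DIR/Licensing+Obfuscated.h".

```c
/* Added example, not the talk's own tooling: generate a
 * "Licensing+Obfuscated.h" style header that renames marked selectors and
 * functions through #define before compilation. Names and seed below are
 * constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a over the name, mixed with a per-build seed so the mangled names
 * change from build to build ("better to obfuscate code for each build").
 * Each step is a bijection on h, so two different seeds never collide for
 * the same name. */
static uint32_t fnv1a_seeded(const char *s, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

/* Produce a valid C/Objective-C identifier such as "_o3fa91c07" into out.
 * Returns out, or NULL if cap is too small. */
char *obfuscated_name(const char *name, uint32_t seed, char *out, size_t cap)
{
    if (cap < 11) return NULL;                     /* "_o" + 8 hex digits + NUL */
    snprintf(out, cap, "_o%08x", fnv1a_seeded(name, seed));
    return out;
}

/* Format one "#define original mangled" line. Returns characters written, -1 on error. */
int format_define_line(const char *name, uint32_t seed, char *out, size_t cap)
{
    char mangled[16];
    if (!obfuscated_name(name, seed, mangled, sizeof mangled)) return -1;
    return snprintf(out, cap, "#define %s %s\n", name, mangled);
}

/* Write a complete header for the given names to fp. Returns 0 on success. */
int write_obfuscated_header(FILE *fp, const char *const *names, size_t n, uint32_t seed)
{
    char line[256];
    size_t i;
    fputs("/* generated: do not edit, do not commit */\n#pragma once\n", fp);
    for (i = 0; i < n; i++) {
        if (format_define_line(names[i], seed, line, sizeof line) < 0) return -1;
        fputs(line, fp);
    }
    return 0;
}

int main(void)
{
    /* Constructed list of marked elements (slide 41: "mark elements for obfuscating"). */
    static const char *const marked[] = { "validateLicense", "licenseKey", "isTrialExpired", "setActivated" };
    uint32_t seed = 20170304u;   /* constructed; use the build number in practice */
    return write_obfuscated_header(stdout, marked, sizeof marked / sizeof marked[0], seed) ? 1 : 0;
}
```

Because the rename happens at the preprocessor level, anything that refers to the name as a string at runtime (KVC key paths, selectors built with NSSelectorFromString, xib outlets and actions) will no longer match, which is exactly the "problems to know about" list on slide 36. Keep the per-build mapping alongside the dSYM so crash reports can be translated back.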
 44. C functions and structures
     Main aspects
     • Have no names in disassembled code (if there are no debug symbols)
     • Hard to swizzle the implementation (no legal ways)
     • A lot of Foundation API has a counterpart in CoreFoundation (CFString, CFArray, CFDictionary, …)
     • Inline functions: static __attribute__((always_inline)) void Foo() {…};
     • Function-constructors: static __attribute__((constructor)) void Foo() {…};
 45. C functions and structures
     In practice
     • Structures for storing variables
     • Function-constructor for preparing
     • Inline functions for checking
 46. C functions and structures
     In practice
 47. C functions and structures
     In practice
     • Result in Hopper Disassembler v4
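Slide 45's three-part pattern (a structure for state, a constructor function to prepare it, inline functions to check) and slide 63's advice to chain checks so each step uses data prepared by the previous one are shown together in this added example. It is not the talk's code: the license blob layout (8 bytes of product id plus a 4-byte tag), the key seed and the product id are all constructed for illustration, and `make_sample_license` stands in for whatever the vendor-side generator would do.

```c
/* Added example, not the talk's code: state in a static struct, a
 * constructor that prepares it before main(), and always_inline checks
 * chained so the second consumes what the first computed. Blob layout,
 * seed and product id are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LIC_ID_LEN   8    /* constructed layout: 8-byte id ... */
#define LIC_BLOB_LEN 12   /* ... followed by a 4-byte tag       */

/* All checking state lives here: no Objective-C class, so nothing for
 * class-dump to list and no selector to swizzle. */
struct lic_state {
    uint32_t key;        /* derived once, before main() runs */
    uint32_t observed;   /* written by check 1, read by check 2 */
    int      prepared;
};
static struct lic_state g_lic;

static __attribute__((always_inline)) inline uint32_t fnv1a(const uint8_t *p, size_t n, uint32_t h)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Runs at load time, before main(): derive the key the checks need. */
static __attribute__((constructor)) void lic_prepare(void)
{
    static const uint8_t seed[4] = { 0x42, 0x13, 0x37, 0x9a };  /* constructed */
    g_lic.key = fnv1a(seed, sizeof seed, 2166136261u);
    g_lic.prepared = 1;
}

/* Check 1: tag the id field with the key and stash the result. Inlined at
 * every call site, so there is no single function to patch or break on. */
static __attribute__((always_inline)) inline int lic_check_id(const uint8_t *blob)
{
    if (!g_lic.prepared) return 0;
    g_lic.observed = fnv1a(blob, LIC_ID_LEN, g_lic.key);
    return 1;
}

/* Check 2: compare the stored tag with what check 1 prepared. */
static __attribute__((always_inline)) inline int lic_check_tag(const uint8_t *blob)
{
    uint32_t stored;
    memcpy(&stored, blob + LIC_ID_LEN, sizeof stored);
    return stored == g_lic.observed;
}

int license_valid(const uint8_t *blob)
{
    return lic_check_id(blob) && lic_check_tag(blob);
}

/* Stand-in for the vendor-side generator for this constructed layout. */
void make_sample_license(const char *product_id, uint8_t *blob)
{
    uint32_t tag;
    memcpy(blob, product_id, LIC_ID_LEN);
    tag = fnv1a(blob, LIC_ID_LEN, g_lic.key);
    memcpy(blob + LIC_ID_LEN, &tag, sizeof tag);
}

int main(void)
{
    uint8_t blob[LIC_BLOB_LEN];
    make_sample_license("MACAPP01", blob);
    printf("license valid: %d\n", license_valid(blob));
    blob[2] ^= 0x01;                          /* tamper with the id field */
    printf("after tampering: %d\n", license_valid(blob));
    return 0;
}
```

In a shipping build the two inline checks would be dropped into several core code paths rather than wrapped in one `license_valid` entry point, which is the "not in one place" advice on slide 63; the constant seed here would also be replaced by something not stored as a plain literal, which is what the next slides on constant strings address.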
 48. Other tips & tricks in practice
     Get rid of constant strings used in securing
 49. Other tips & tricks in practice
     Get rid of constant strings used in securing
 50. Other tips & tricks in practice
     Get rid of constant strings used in securing
     • Result in Hopper Disassembler v4
 51. Other tips & tricks in practice
     Using system API indirectly
 52. Other tips & tricks in practice
     Using system API indirectly
     • Direct usage of system API is visible in the disassembler
 53. Other tips & tricks in practice
     Using system API indirectly
     • Use function pointers to system API instead
 54. Other tips & tricks in practice
     Using system API indirectly
     • Result in Hopper Disassembler v4
 55. Other tips & tricks in practice
     Hide getting function pointers to system API
 56. Other tips & tricks in practice
     Hide getting function pointers to system API
 57. Other tips & tricks in practice
     Hide getting function pointers to system API
     • dlopen — load and link a dynamic library or bundle
     • dlsym — get the address of a symbol
 58. Other tips & tricks in practice
     Hide getting function pointers to system API
 59. Other tips & tricks in practice
     Hide getting function pointers to system API
     • Result in Hopper Disassembler v4
 60. Other tips & tricks in practice
     Hide Objective-C system API usage
 61. Other tips & tricks in practice
     Hide Objective-C system API usage
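Slides 48-50 (no constant strings in the securing code) and slides 51-59 (reach system API through function pointers obtained with dlopen/dlsym rather than a direct call) fit naturally in one added example, since the symbol name passed to dlsym is itself a string that should not sit in the binary. This is example code written for this page, not the author's; the XOR key is constructed and the encoded bytes are simply "strlen" XORed with that key, computed offline so the plaintext never appears in the source or the binary. dlopen(NULL) is used for the handle because it works the same way on macOS and Linux; a macOS build could equally dlopen a specific system library.

```c
/* Added example, not the talk's code: keep a system function's name out of
 * the string table and call it through a pointer from dlopen/dlsym. The key
 * and encoded bytes are constructed ("strlen" ^ 0x5A, computed offline). */
#include <dlfcn.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HIDDEN_KEY 0x5Au   /* constructed; a real build would vary it per release */

/* "strlen" XORed with HIDDEN_KEY, byte by byte. Only these bytes reach the binary. */
static const uint8_t k_hidden_strlen[] = { 0x29, 0x2E, 0x28, 0x36, 0x3F, 0x34 };

/* XOR is its own inverse, so one routine both encodes (offline) and decodes. */
static void hidden_xor(const uint8_t *in, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ HIDDEN_KEY;
}

/* Decode an encoded name into a NUL-terminated buffer. Returns 1 on success,
 * 0 if the buffer cannot hold the name plus its terminator. */
int decode_hidden_name(const uint8_t *enc, size_t n, char *out, size_t cap)
{
    if (n + 1 > cap) return 0;
    hidden_xor(enc, n, (uint8_t *)out);
    out[n] = '\0';
    return 1;
}

/* Resolve a symbol by its hidden name through the process's own handle.
 * dlopen(NULL) returns the main program, whose lookup scope includes the
 * libraries it links (libSystem on macOS, libc on Linux). Returns NULL if
 * the name is not found. */
void *resolve_hidden(const uint8_t *enc, size_t n)
{
    char name[64];
    void *self, *sym;
    if (!decode_hidden_name(enc, n, name, sizeof name)) return NULL;
    self = dlopen(NULL, RTLD_LAZY);
    sym = self ? dlsym(self, name) : NULL;
    memset(name, 0, sizeof name);   /* scrub the plaintext name from the stack */
    return sym;
}

typedef size_t (*strlen_fn)(const char *);

/* Call strlen with no direct reference to it anywhere in this file, so the
 * disassembler shows a dlsym call with a computed argument, not "strlen". */
size_t hidden_strlen(const char *s)
{
    strlen_fn fn = (strlen_fn)resolve_hidden(k_hidden_strlen, sizeof k_hidden_strlen);
    return fn ? fn(s) : (size_t)-1;
}

int main(void)
{
    char name[16];
    decode_hidden_name(k_hidden_strlen, sizeof k_hidden_strlen, name, sizeof name);
    printf("decoded name: %s, hidden_strlen(\"CocoaHeads\") = %zu\n",
           name, hidden_strlen("CocoaHeads"));
    return 0;
}
```

The encoded bytes and the dlsym call are still in the binary, so this raises the effort of static analysis rather than removing it, which matches the talk's framing that every application can be cracked. The same property cuts the other way for a defender reviewing third-party binaries: dlsym calls whose name argument is computed rather than a literal are a reasonable thing to flag for closer inspection.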
 62. Other tips & tricks in practice
     Swift
     • No macros
     • Hard to obfuscate
     • Use pure Swift classes and structs
     • ABI not stable
     • SWIFT_REFLECTION_METADATA_LEVEL = none
 63. Other tips & tricks in practice
     Last but not least
     • Add the security check in more than one place
     • Add it to all core functionality of the application
     • You can use a chain of checking functions where each next function uses prepared data from the previous ones
     • For each release slightly modify the validation code so it is never the same
     • Do not move checking logic to a framework or dynamic library, use a static library instead
 64. Other tips & tricks in practice
     Last but not least
     • Do not forget to remove debug symbols!
       ✓ COPY_PHASE_STRIP = YES
       ✓ STRIP_INSTALLED_PRODUCT = YES
       ✓ STRIP_STYLE = all
       ✓ DEPLOYMENT_POSTPROCESSING = YES
 65. Summary
     • Every application can be cracked
     • Become an attacker to think as an attacker
     • Don’t use Objective-C classes and methods
     • Obfuscate Objective-C code if you still need it
     • Use inline C functions and structures
     • Replace constant strings with dynamic strings
     • Use system API indirectly
     • Add checks to all your core functionality
     • Always strip debug symbols in release builds
 66. Thank You!
     Contact me: dimaty@macpaw.com