Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Securing macOS app in practice" by Dmytro Tret...

"Securing macOS app in practice" by Dmytro Tretiakov

The talk contents is:
- Mach-O header short review
- reverse engineering and tools in a nutshell
- objective-c runtime
- code obfuscation tips & tricks
- C functions & structs
- how to hide your licensing check
- other possible ways to check bundle integrity

This talk was made for CocoaHeads Kyiv #11 which took place March 04 2017.

CocoaHeads Ukraine

March 13, 2017
Tweet

More Decks by CocoaHeads Ukraine

Other Decks in Programming

Transcript

  1. • Describing a problem • Mach-O file short review •

    Reverse engineering and tools in a nutshell • Objective-C runtime • Code obfuscation in practice • C functions and structures • Other tips & tricks in practice Agenda
  2. Describing a problem • We have a cool desktop application

    and users love it :) • We want to sell licenses for it and make money for creating more cool applications
  3. Describing a problem • We have a cool desktop application

    and users love it :) • We want to sell licenses for it and make money for creating more cool applications • Another application (macOS / iOS) has brand new algorithm for doing something
  4. Describing a problem • Mac App Store version has a

    receipt validation according to Apple’s documentation
  5. Describing a problem • Mac App Store version has a

    receipt validation according to Apple’s documentation • Site version has trial, licensing and validation mechanism for it
  6. Describing a problem • Mac App Store version has a

    receipt validation according to Apple’s documentation • Site version has trial, licensing and validation mechanism for it • Both versions have code signature
  7. Describing a problem • You’ve found a cracked copy of

    your app on the torrent-tracker • A concurrent app starts using the same algorithm you’ve created
  8. What to do with it? • Every application can be

    cracked • The more time you spend on app securing, the more time it takes an attacker to crack it • To make a better code protection you should become an attacker
  9. Mach-O file short review • Mach-O is a file format

    for executables used by macOS, iOS and other systems based on Mach kernel
  10. Mach-O file short review • Mach-O is a file format

    for executables used by macOS, iOS and other systems based on Mach kernel • It’s a binary stream of bytes grouped in meaningful data chunks
  11. Mach-O file short review • Mach-O is a file format

    for executables used by macOS, iOS and other systems based on Mach kernel • It’s a binary stream of bytes grouped in meaningful data chunks • It consists of a header, load commands and data
  12. Mach-O file short review • Contains all info about its

    Objective-C classes and methods names, used constant strings, linked libraries and frameworks, etc.
  13. • Software reverse engineering involves reversing a program's machine code

    back into the source code that it was written in, using program language statements. Reverse engineering in a nutshell
  14. • Basic knowledge of asm for better understanding • Reversing

    toolkit that contains a disassembler and a debugger Reverse engineering in a nutshell You need
  15. • Basic knowledge of asm for better understanding • Reversing

    toolkit that contains a disassembler and a debugger • Articles about reverse engineering Reverse engineering in a nutshell You need ‣ http://reverse.put.as/ ‣ https://papers.put.as/
  16. • Basic knowledge of asm for better understanding • Reversing

    toolkit that contains a disassembler and a debugger • Articles about reverse engineering • Forums with fellows that can help you Reverse engineering in a nutshell You need ‣ https://forum.reverse4you.org
  17. Tools System • otool — a system command line utility

    for Mach-O files • lldb/gdb — a system debugger Open source • MachOView — a Mach-O files GUI viewer • class-dump — a command line utility for getting all info about classes and protocols used in binary files • Hex Fiend — a hex editor Free • 0xEd — a hex editor
  18. Q: Why do we need to know about this? A:

    An attacker can use this to crack your application and you can use it to hide licensing. Objective-C runtime
  19. Objective-C runtime Main features • All classes are dynamically created

    objc_allocateClassPair objc_registerClassPair class_addProtocol class_addIvar class_addProperty …
  20. Objective-C runtime Main features • Method swizzling class_getClassMethod class_getInstanceMethod class_replaceMethod

    class_addMethod class_getMethodImplementation method_exchangeImplementations …
  21. Code obfuscation Main aspects • Mangles class/protocol, method, function, variable

    names • Better to obfuscate code for each build • Problems to know about: ✓ Debug and crash report hell ✓ KVC ✓ Use property via getter/setter (is…, set…) ✓ Xib file compatibility ✓ Method inheritance
  22. Code obfuscation In practice • Open source obfuscator ‣ https://github.com/Polidea/ios-class-guard

    ‣ https://github.com/FutureWorkshops/Objc-Obfuscator • Your own obfuscaror
  23. Code obfuscation In practice • Update #import sections with obfuscated

    file #import “Licensing+Obfuscated.h” • Add $(DERIVED_FILE_DIR) to header search paths
  24. C functions and structures Main aspects • Have no names

    in disassembled code (if there’s no debug symbols) • Hard to swizzle implementation (no legal ways) • A lot of Foundation API has counterpart in CoreFoundation (CFString, CFArray, CFDictionary, …) • Inline functions static __attribute__((always_inline)) void Foo() {…}; • Functions-constructors static __attribute__((constructor)) void Foo() {…};
  25. C functions and structures In practice • Sctructures for storing

    variables • Function-constructor for preparing • Inline functions for checking
  26. Other tips & tricks in practice Get rid of constant

    strings used in securing • Result in Hopper Disassembler v4
  27. • Direct usage of system API is visible in the

    disassembler Using system API indirectly Other tips & tricks in practice
  28. Other tips & tricks in practice • Use func pointers

    to system API instead Using system API indirectly
  29. Hide getting func pointers to system API Other tips &

    tricks in practice • dlopen — load and link a dynamic library or bundle • dlsym — get address of a symbol
  30. Other tips & tricks in practice Hide getting func pointers

    to system API • Result in Hopper Disassembler v4
  31. Other tips & tricks in practice Swift • No macros

    • Hard to obfuscate • Use pure Swift classes and struct • ABI not stable • SWIFT_REFLECTION_METADATA_LEVEL = none
  32. Other tips & tricks in practice Last but not least

    • Add security check not in one place • Add it to all core functionality of the application • You can use chain of checking functions where each next function uses prepared data from previous ones • For each release slightly modify the validation code so it is never the same. • Do not move checking logic to framework or dynamic library, use static library instead
  33. Other tips & tricks in practice Last but not least

    • Do not forget tot remove debug symbols! ✓ COPY_PHASE_STRIP = YES ✓ STRIP_INSTALLED_PRODUCT = YES ✓ STRIP_STYLE = all ✓ DEPLOYMENT_POSTPROCESSING = YES
  34. Summary • Every application can be cracked • Become an

    attacker to think as an attacker • Don’t use Objective-C classes and methods • Obfuscate Objective-C code if you still need it • Use inline C functions and structures • Replace constant strings with dynamic strings • Use system API indirectly • Add checks to all your core functionality • Always strip debug symbols in release builds