
"Securing macOS app in practice" by Dmytro Tretiakov


The talk covers:
- Mach-O header short review
- reverse engineering and tools in a nutshell
- objective-c runtime
- code obfuscation tips & tricks
- C functions & structs
- how to hide your licensing check
- other possible ways to check bundle integrity

This talk was made for CocoaHeads Kyiv #11 which took place March 04 2017.

CocoaHeads Ukraine

March 13, 2017

Transcript

  1. Agenda
     • Describing a problem
     • Mach-O file short review
     • Reverse engineering and tools in a nutshell
     • Objective-C runtime
     • Code obfuscation in practice
     • C functions and structures
     • Other tips & tricks in practice
  2. Describing a problem
     • We have a cool desktop application and users love it :)
     • We want to sell licenses for it and make money for creating more cool applications
  3. Describing a problem
     • We have a cool desktop application and users love it :)
     • We want to sell licenses for it and make money for creating more cool applications
     • Another application (macOS / iOS) has a brand new algorithm for doing something
  4. Describing a problem
     • The Mac App Store version has receipt validation according to Apple's documentation
  5. Describing a problem
     • The Mac App Store version has receipt validation according to Apple's documentation
     • The site version has a trial, licensing and validation mechanism for it
  6. Describing a problem
     • The Mac App Store version has receipt validation according to Apple's documentation
     • The site version has a trial, licensing and validation mechanism for it
     • Both versions have a code signature
  7. Describing a problem
     • You've found a cracked copy of your app on a torrent tracker
     • A competing app starts using the same algorithm you've created
  8. What to do with it?
     • Every application can be cracked
     • The more time you spend on securing the app, the more time it takes an attacker to crack it
     • To build better code protection you should become an attacker yourself
  9. Mach-O file short review
     • Mach-O is the file format for executables used by macOS, iOS and other systems based on the Mach kernel
  10. Mach-O file short review
     • Mach-O is the file format for executables used by macOS, iOS and other systems based on the Mach kernel
     • It is a binary stream of bytes grouped into meaningful data chunks
  11. Mach-O file short review
     • Mach-O is the file format for executables used by macOS, iOS and other systems based on the Mach kernel
     • It is a binary stream of bytes grouped into meaningful data chunks
     • It consists of a header, load commands and data
  12. Mach-O file short review
     • It contains all the information about the binary: the names of its Objective-C classes and methods, the constant strings it uses, the linked libraries and frameworks, etc.
  13. Reverse engineering in a nutshell
     • Software reverse engineering means turning a program's machine code back into source code, expressed in programming language statements, that describes what it does
  14. Reverse engineering in a nutshell: you need
     • Basic knowledge of asm for better understanding
     • A reversing toolkit that contains a disassembler and a debugger
  15. Reverse engineering in a nutshell: you need
     • Basic knowledge of asm for better understanding
     • A reversing toolkit that contains a disassembler and a debugger
     • Articles about reverse engineering
       ‣ http://reverse.put.as/
       ‣ https://papers.put.as/
  16. Reverse engineering in a nutshell: you need
     • Basic knowledge of asm for better understanding
     • A reversing toolkit that contains a disassembler and a debugger
     • Articles about reverse engineering
     • Forums with fellows that can help you
       ‣ https://forum.reverse4you.org
  17. Tools
     System
     • otool — a system command line utility for Mach-O files
     • lldb/gdb — a system debugger
     Open source
     • MachOView — a GUI viewer for Mach-O files
     • class-dump — a command line utility that extracts all information about the classes and protocols used in a binary
     • Hex Fiend — a hex editor
     Free
     • 0xEd — a hex editor
  18. Objective-C runtime
     Q: Why do we need to know about this?
     A: An attacker can use it to crack your application, and you can use it to hide licensing.
  19. Objective-C runtime: main features
     • All classes are created dynamically
       objc_allocateClassPair, objc_registerClassPair, class_addProtocol, class_addIvar, class_addProperty, …
  20. Objective-C runtime: main features
     • Method swizzling
       class_getClassMethod, class_getInstanceMethod, class_replaceMethod, class_addMethod, class_getMethodImplementation, method_exchangeImplementations, …
  21. Code obfuscation: main aspects
     • Mangles class/protocol, method, function and variable names
     • Better to obfuscate the code anew for each build
     • Problems to know about:
       ✓ Debug and crash report hell
       ✓ KVC
       ✓ Properties accessed via getter/setter (is…, set…)
       ✓ Xib file compatibility
       ✓ Method inheritance
  22. Code obfuscation: in practice
     • Open source obfuscators
       ‣ https://github.com/Polidea/ios-class-guard
       ‣ https://github.com/FutureWorkshops/Objc-Obfuscator
     • Your own obfuscator
  23. Code obfuscation: in practice
     • Update the #import sections with the obfuscated file: #import "Licensing+Obfuscated.h"
     • Add $(DERIVED_FILE_DIR) to the header search paths
  24. C functions and structures: main aspects
     • They have no names in disassembled code (if there are no debug symbols)
     • Their implementation is hard to swizzle (there are no legal ways)
     • A lot of the Foundation API has a counterpart in CoreFoundation (CFString, CFArray, CFDictionary, …)
     • Inline functions: static __attribute__((always_inline)) void Foo() {…};
     • Function constructors: static __attribute__((constructor)) void Foo() {…};
  25. C functions and structures: in practice
     • Structures for storing variables
     • A function constructor for preparing
     • Inline functions for checking
  26. Other tips & tricks in practice: get rid of constant strings used in securing
     • Result in Hopper Disassembler v4
  27. Other tips & tricks in practice: using system API indirectly
     • Direct usage of system API is visible in the disassembler
  28. Other tips & tricks in practice: using system API indirectly
     • Use function pointers to the system API instead
  29. Other tips & tricks in practice: hide getting function pointers to system API
     • dlopen — load and link a dynamic library or bundle
     • dlsym — get the address of a symbol
  30. Other tips & tricks in practice: hide getting function pointers to system API
     • Result in Hopper Disassembler v4
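The following is an added example in plain C, not code from the talk, that combines slides 26 to 30: the name of the system function is stored as XOR-encoded bytes and decoded only at call time, so it never appears in the __cstring section or in `strings` output, and the function is reached through a pointer obtained with dlopen/dlsym rather than through a direct import. The mask value 0x5c and the choice of strlen as the resolved function are constructed for the example.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mask and encoded symbol name, constructed for this example.
 * The bytes below are "strlen" XOR 0x5c: the plain name is never a literal
 * in the binary, so it does not land in __cstring or in `strings` output. */
static const uint8_t k_mask = 0x5c;
static const uint8_t k_sym[] = { 0x2f, 0x28, 0x2e, 0x30, 0x39, 0x32 };

/* Decode the symbol name into a caller-provided buffer of n + 1 bytes. */
static void decode_name(const uint8_t *enc, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(enc[i] ^ k_mask);
    out[n] = '\0';
}

typedef size_t (*strlen_fn_t)(const char *);

/* Resolve the function at runtime. The binary's import table then lists
 * dlopen/dlsym, not the API that is actually used by the check. */
static strlen_fn_t resolve_strlen(void)
{
    char name[sizeof k_sym + 1];
    decode_name(k_sym, sizeof k_sym, name);

    /* dlopen(NULL) gives a handle for the main program's global symbol
     * scope, which includes the system libraries already loaded. */
    void *handle = dlopen(NULL, RTLD_LAZY);
    if (handle == NULL)
        return NULL;

    strlen_fn_t fn = (strlen_fn_t)dlsym(handle, name);
    memset(name, 0, sizeof name);   /* do not leave the decoded name around */
    dlclose(handle);
    return fn;
}

/* The wrapper the rest of the program calls instead of strlen() directly;
 * the pointer is resolved once and cached. */
size_t indirect_strlen(const char *s)
{
    static strlen_fn_t fn = NULL;
    if (fn == NULL)
        fn = resolve_strlen();
    return fn != NULL ? fn(s) : 0;
}

int main(void)
{
    const char *sample = "license-check";   /* constructed input */
    printf("length via indirect call: %zu\n", indirect_strlen(sample));
    return 0;
}
```

Build it with `cc -O2 example.c` (older glibc also needs `-ldl`). To confirm the effect, run `strings` on the result and `nm -u` (or `otool -I` on macOS) and note that neither the literal name nor an undefined strlen symbol appears, while dlopen and dlsym do. This only raises the bar: the decode loop and the dlsym call are still visible to anyone stepping through the code in a debugger.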
  31. Other tips & tricks in practice: Swift
     • No macros
     • Hard to obfuscate
     • Use pure Swift classes and structs
     • ABI not stable
     • SWIFT_REFLECTION_METADATA_LEVEL = none
  32. Other tips & tricks in practice: last but not least
     • Do not put the security check in just one place
     • Add it to all core functionality of the application
     • You can use a chain of checking functions where each next function uses data prepared by the previous ones
     • For each release slightly modify the validation code so it is never the same
     • Do not move the checking logic to a framework or dynamic library; use a static library instead
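An added example in plain C, not code from the talk, that puts slides 24, 25 and 32 together: a struct holds the licensing state, a function constructor prepares it before main() runs, and two always_inline functions form a chain in which the second stage consumes the first stage's output. The key material, the seed constant and the FNV-1a hash are constructed stand-ins for a real validation scheme.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Licensing state lives in a plain C struct, not an Objective-C object:
 * there is no class or selector name for class-dump to list, and once
 * symbols are stripped the field names are gone as well. */
typedef struct {
    uint32_t seed;       /* per-process value set by the constructor */
    uint32_t expected;   /* hash of the key material, masked with seed */
    bool     prepared;   /* whether the constructor has run */
} lic_state_t;

static lic_state_t g_lic;

/* Constructed sample key material ("LIC-1234"); a real product would derive
 * this from its own licensing scheme. */
static const uint8_t k_material[] = { 0x4c, 0x49, 0x43, 0x2d, 0x31, 0x32, 0x33, 0x34 };

/* Small non-cryptographic hash (FNV-1a), a toy stand-in for real validation. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Function constructor: runs when the image is loaded, before main(), so
 * the state is prepared before any check can be reached. */
static __attribute__((constructor)) void lic_prepare(void)
{
    g_lic.seed = 0x5a5a5a5au;
    g_lic.expected = fnv1a(k_material, sizeof k_material) ^ g_lic.seed;
    g_lic.prepared = true;
}

/* Stage 1 of the chain. always_inline copies the body into every caller,
 * so there is no single function to patch or set a breakpoint on. */
static inline __attribute__((always_inline)) uint32_t lic_stage1(const lic_state_t *s)
{
    return s->prepared ? (s->expected ^ s->seed) : 0u;
}

/* Stage 2 recomputes the hash from the supplied key and compares it with
 * stage 1's output: a stage 1 forced to return some fixed value still fails
 * unless that value happens to be the right one. */
static inline __attribute__((always_inline)) bool lic_stage2(uint32_t h, const uint8_t *key, size_t n)
{
    return h != 0u && h == fnv1a(key, n);
}

/* Called from each core feature rather than from one central place. */
bool feature_allowed(const uint8_t *key, size_t n)
{
    return lic_stage2(lic_stage1(&g_lic), key, n);
}

bool lic_state_prepared(void)
{
    return g_lic.prepared;
}

int main(void)
{
    const uint8_t wrong[] = { 0x58, 0x58, 0x58, 0x58 };   /* constructed bad key */
    printf("prepared=%d good=%d bad=%d\n",
           lic_state_prepared(),
           feature_allowed(k_material, sizeof k_material),
           feature_allowed(wrong, sizeof wrong));
    return 0;
}
```

Compile with `cc -O2 -Wall example.c` and inspect the output with `otool -tV` or Hopper: feature_allowed carries the bodies of both stages inline and lic_prepare shows up only through the constructor section, with no symbol names once the strip settings from the next slide are applied.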
  33. Other tips & tricks in practice: last but not least
     • Do not forget to remove debug symbols!
       ✓ COPY_PHASE_STRIP = YES
       ✓ STRIP_INSTALLED_PRODUCT = YES
       ✓ STRIP_STYLE = all
       ✓ DEPLOYMENT_POSTPROCESSING = YES
  34. Summary
     • Every application can be cracked
     • Become an attacker to think like an attacker
     • Don't use Objective-C classes and methods
     • Obfuscate Objective-C code if you still need it
     • Use inline C functions and structures
     • Replace constant strings with dynamic strings
     • Use system API indirectly
     • Add checks to all your core functionality
     • Always strip debug symbols in release builds