
"Securing macOS app in practice" by Dmytro Tretiakov


The talk covers:
- Mach-O header short review
- reverse engineering and tools in a nutshell
- objective-c runtime
- code obfuscation tips & tricks
- C functions & structs
- how to hide your licensing check
- other possible ways to check bundle integrity

This talk was prepared for CocoaHeads Kyiv #11, which took place on March 04, 2017.


CocoaHeads Ukraine

March 13, 2017


Transcript

  1. Securing macOS app in practice. Dmytro Tretiakov, Software Developer at MacPaw
  2. Products to practice on: CleanMyMac, DevMate, SETAPP
  3. Agenda • Describing a problem • Mach-O file short review • Reverse engineering and tools in a nutshell • Objective-C runtime • Code obfuscation in practice • C functions and structures • Other tips & tricks in practice
  4. Describing a problem
  5. Describing a problem • We have a cool desktop application and users love it :)
  6. Describing a problem • We have a cool desktop application and users love it :) • We want to sell licenses for it and make money for creating more cool applications
  7. Describing a problem • We have a cool desktop application and users love it :) • We want to sell licenses for it and make money for creating more cool applications • Another application (macOS / iOS) has a brand new algorithm for doing something
  8. Describing a problem • The Mac App Store version has receipt validation according to Apple’s documentation
  9. Describing a problem • The Mac App Store version has receipt validation according to Apple’s documentation • The website version has a trial, licensing and validation mechanism
  10. Describing a problem • The Mac App Store version has receipt validation according to Apple’s documentation • The website version has a trial, licensing and validation mechanism • Both versions have a code signature
  11. Describing a problem. BUT…
  12. Describing a problem • You’ve found a cracked copy of your app on a torrent tracker • A competing app starts using the same algorithm you’ve created
  13. What to do with it? • Every application can be cracked • The more time you spend on securing the app, the more time it takes an attacker to crack it • To build better code protection you should become an attacker
  14. Mach-O file short review
  15. Mach-O file short review • Mach-O is a file format for executables used by macOS, iOS and other systems based on the Mach kernel
  16. Mach-O file short review • Mach-O is a file format for executables used by macOS, iOS and other systems based on the Mach kernel • It’s a binary stream of bytes grouped in meaningful data chunks
  17. Mach-O file short review • Mach-O is a file format for executables used by macOS, iOS and other systems based on the Mach kernel • It’s a binary stream of bytes grouped in meaningful data chunks • It consists of a header, load commands and data
  18. Mach-O file short review • Contains all info about its Objective-C classes and method names, used constant strings, linked libraries and frameworks, etc.
  19. Reverse engineering in a nutshell
  20. Reverse engineering in a nutshell • Software reverse engineering involves reversing a program's machine code back into the source code that it was written in, using program language statements.
  21. Reverse engineering in a nutshell. You need: • Basic knowledge of asm for better understanding
  22. Reverse engineering in a nutshell. You need: • Basic knowledge of asm for better understanding • A reversing toolkit that contains a disassembler and a debugger
  23. Reverse engineering in a nutshell. You need: • Basic knowledge of asm for better understanding • A reversing toolkit that contains a disassembler and a debugger • Articles about reverse engineering ‣ http://reverse.put.as/ ‣ https://papers.put.as/
  24. Reverse engineering in a nutshell. You need: • Basic knowledge of asm for better understanding • A reversing toolkit that contains a disassembler and a debugger • Articles about reverse engineering • Forums with fellows who can help you ‣ https://forum.reverse4you.org
  25. Tools • Hopper Disassembler (Trial + $ 99.00)
  26. Tools • IDA Pro (Trial + $ 2,350.00)
  27. Tools. System: • otool — a system command line utility for Mach-O files • lldb/gdb — a system debugger. Open source: • MachOView — a Mach-O file GUI viewer • class-dump — a command line utility for getting all info about classes and protocols used in binary files • Hex Fiend — a hex editor. Free: • 0xEd — a hex editor
  28. Objective-C runtime. Q: Why do we need to know about this? A: An attacker can use this to crack your application, and you can use it to hide licensing.
  29. Objective-C runtime. Main features
  30. Objective-C runtime. Main features • All classes are dynamically created: objc_allocateClassPair, objc_registerClassPair, class_addProtocol, class_addIvar, class_addProperty, …
  31. Objective-C runtime. Main features • Method swizzling: class_getClassMethod, class_getInstanceMethod, class_replaceMethod, class_addMethod, class_getMethodImplementation, method_exchangeImplementations, …
  32. Objective-C runtime. Main features • Storing a hidden value: objc_setAssociatedObject, objc_getAssociatedObject
  33. Objective-C runtime. Main features • Direct messaging: objc_msgSend, objc_msgSend_stret
  34. Objective-C runtime. Not to do
  35. Objective-C runtime. Better to do
  36. Code obfuscation. Main aspects • Mangles class/protocol, method, function and variable names • Better to obfuscate code for each build • Problems to know about: ✓ Debug and crash report hell ✓ KVC ✓ Use of properties via getter/setter (is…, set…) ✓ Xib file compatibility ✓ Method inheritance
  37. Code obfuscation. In practice
  38. Code obfuscation. In practice • Using macros
  39. Code obfuscation. In practice • Result in Hopper Disassembler v4
  40. Code obfuscation. In practice • Open source obfuscators ‣ https://github.com/Polidea/ios-class-guard ‣ https://github.com/FutureWorkshops/Objc-Obfuscator • Your own obfuscator
  41. Code obfuscation. In practice • Mark elements for obfuscating
  42. Code obfuscation. In practice • Use a script phase before compiling
  43. Code obfuscation. In practice • Update #import sections with the obfuscated file: #import “Licensing+Obfuscated.h” • Add $(DERIVED_FILE_DIR) to header search paths
  44. C functions and structures. Main aspects • Have no names in disassembled code (if there are no debug symbols) • Hard to swizzle the implementation (no legal ways) • A lot of Foundation API has a counterpart in CoreFoundation (CFString, CFArray, CFDictionary, …) • Inline functions: static __attribute__((always_inline)) void Foo() {…}; • Constructor functions: static __attribute__((constructor)) void Foo() {…};
  45. C functions and structures. In practice • Structures for storing variables • A constructor function for preparing • Inline functions for checking
  46. C functions and structures. In practice
  47. C functions and structures. In practice • Result in Hopper Disassembler v4
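The three bullets on slide 45 (structures for storing variables, a constructor function for preparing, inline functions for checking) put together as an added C example; this is not code from the talk or from any MacPaw product. The `license_state_t` struct, its field names, the seed value and the digit-sum key rule are all constructed for illustration, and the "chain of checking functions where each next function uses prepared data from previous ones" from the later slides is what the three stages demonstrate:

```c
#include <stdbool.h>
#include <stdint.h>

// Licensing state kept in a plain C struct rather than Objective-C ivars or
// properties, so nothing about it shows up in class-dump output.
typedef struct {
    uint32_t seed;      // filled in before main() by the constructor below
    uint32_t salt;      // derived from seed; consumed by the key check
    bool     prepared;  // set once the constructor has run
} license_state_t;

static license_state_t g_license;

// Stage 1: prepare.  __attribute__((constructor)) makes the loader run this
// before main(), so no code path has to call a visibly named "init" routine.
// The seed is a constructed sample value.
static __attribute__((constructor)) void prepare_license_state(void)
{
    g_license.seed     = 0x5EEDU;
    g_license.salt     = g_license.seed % 10U;   // 0x5EED = 24301, so salt == 1
    g_license.prepared = true;
}

// Stage 2: consistency check.  always_inline means every call site receives
// its own copy of this body instead of one named function to find and patch.
static inline __attribute__((always_inline))
bool license_state_consistent(const license_state_t *s)
{
    return s->prepared && s->salt == s->seed % 10U;
}

// Stage 3: the key check.  It consumes the salt prepared by stage 1 and refuses
// to run if stage 2 fails.  The key rule is a constructed toy: the digits of the
// key plus the salt must sum to a multiple of ten.  A real product would verify
// a signature or keyed MAC here; the chaining is what this example shows.
static inline __attribute__((always_inline))
bool license_key_valid(const license_state_t *s, const char *key)
{
    if (!license_state_consistent(s)) return false;
    uint32_t sum = s->salt;
    for (const char *p = key; *p != '\0'; p++) {
        if (*p >= '0' && *p <= '9') sum += (uint32_t)(*p - '0');
        else if (*p != '-') return false;            // only digits and dashes allowed
    }
    return sum % 10U == 0;
}

// Entry points that core features would call; each one gets the inlined
// check bodies, so the check exists in as many places as it is used.
bool check_global_license(const char *key)
{
    return license_key_valid(&g_license, key);
}

bool check_license_with_state(const license_state_t *s, const char *key)
{
    return license_key_valid(s, key);
}
```

With the constructed seed, `4821-7395` is a valid key (digit sum 39 + salt 1 = 40) and `4821-7390` is not. Because stage 3 reads the salt that stage 1 produced, a state whose constructor never ran, or whose salt was altered, fails the key check even with a correct key; that dependency between stages is the point of the chain. Note that `always_inline` duplicates the check at every call site but does not hide the struct itself, which still lives in the data segment.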
  48. Other tips & tricks in practice. Get rid of constant strings used in securing
  49. Other tips & tricks in practice. Get rid of constant strings used in securing
  50. Other tips & tricks in practice. Get rid of constant strings used in securing • Result in Hopper Disassembler v4
  51. Other tips & tricks in practice. Using system API indirectly
  52. Other tips & tricks in practice. Using system API indirectly • Direct usage of system API is visible in the disassembler
  53. Other tips & tricks in practice. Using system API indirectly • Use function pointers to system API instead
  54. Other tips & tricks in practice. Using system API indirectly • Result in Hopper Disassembler v4
  55. Other tips & tricks in practice. Hide getting function pointers to system API
  56. Other tips & tricks in practice. Hide getting function pointers to system API
  57. Other tips & tricks in practice. Hide getting function pointers to system API • dlopen — load and link a dynamic library or bundle • dlsym — get the address of a symbol
  58. Other tips & tricks in practice. Hide getting function pointers to system API
  59. Other tips & tricks in practice. Hide getting function pointers to system API • Result in Hopper Disassembler v4
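Slides 48 through 59 describe two related techniques: replacing the constant strings used by the checks with strings built at run time, and reaching system API through function pointers obtained with dlopen/dlsym rather than through direct calls. This added C example (not code from the talk or from MacPaw) combines both: the symbol name is stored only as XOR-encoded bytes, decoded into a stack buffer, and passed to `dlsym`. The key byte `0x5A`, the `ENC` macro, the helper names and the choice of `strlen` as the resolved symbol are all assumptions made for the example; it relies only on `dlopen(NULL, RTLD_NOW)` returning a handle to the program's global scope, which holds on macOS and Linux:

```c
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>

// XOR key for the encoded names (constructed for this example).
#define NAME_KEY 0x5A

// The same key in a volatile variable: reading it at run time keeps the
// compiler from folding the decode loop and re-emitting the plaintext.
static volatile unsigned char g_name_key = NAME_KEY;

// ENC() is evaluated at build time, so the binary holds the XORed bytes and
// `strings` or the Hopper string view never shows "strlen".
#define ENC(c) ((unsigned char)((c) ^ NAME_KEY))
static const unsigned char kEncStrlen[] = {
    ENC('s'), ENC('t'), ENC('r'), ENC('l'), ENC('e'), ENC('n')
};

// Decode an encoded name into the caller's buffer, NUL-terminated.
// Returns NULL when the buffer cannot hold the name plus terminator.
static char *decode_name(const unsigned char *enc, size_t len,
                         char *out, size_t out_len)
{
    if (len + 1 > out_len) return NULL;
    for (size_t i = 0; i < len; i++) out[i] = (char)(enc[i] ^ g_name_key);
    out[len] = '\0';
    return out;
}

// Resolve a symbol at run time through dlopen/dlsym.  dlopen(NULL) yields a
// handle to the main program's global scope, which includes the system C
// library, so no direct call to the API and no import-table entry for it
// appears in the binary.
static void *resolve_symbol(const unsigned char *enc, size_t len)
{
    char name[32];
    if (!decode_name(enc, len, name, sizeof name)) return NULL;
    void *handle = dlopen(NULL, RTLD_NOW);
    if (!handle) return NULL;
    return dlsym(handle, name);
}

typedef size_t (*strlen_fn)(const char *);

// A check that uses the system API only through the resolved pointer.
// Returns (size_t)-1 when resolution fails so the caller can treat that as
// a failed check rather than a success.
size_t indirect_strlen(const char *s)
{
    strlen_fn fn = (strlen_fn)resolve_symbol(kEncStrlen, sizeof kEncStrlen);
    return fn ? fn(s) : (size_t)-1;
}
```

Two caveats a practitioner should keep in mind. The encoded bytes and the decode routine are still in the binary, so this raises the effort of static inspection (string dumps, import tables, cross-references) rather than providing any cryptographic protection. And `dlsym` itself remains an import, so the measure is most useful in combination with the other tips on these slides, not on its own.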
  60. Other tips & tricks in practice. Hide Objective-C system API usage
  61. Other tips & tricks in practice. Hide Objective-C system API usage
  62. Other tips & tricks in practice. Swift • No macros • Hard to obfuscate • Use pure Swift classes and structs • ABI not stable • SWIFT_REFLECTION_METADATA_LEVEL = none
  63. Other tips & tricks in practice. Last but not least • Don’t put the security check in only one place • Add it to all core functionality of the application • You can use a chain of checking functions where each next function uses prepared data from the previous ones • For each release slightly modify the validation code so it is never the same • Do not move checking logic to a framework or dynamic library; use a static library instead
  64. Other tips & tricks in practice. Last but not least • Do not forget to remove debug symbols! ✓ COPY_PHASE_STRIP = YES ✓ STRIP_INSTALLED_PRODUCT = YES ✓ STRIP_STYLE = all ✓ DEPLOYMENT_POSTPROCESSING = YES
  65. Summary • Every application can be cracked • Become an attacker to think as an attacker • Don’t use Objective-C classes and methods • Obfuscate Objective-C code if you still need it • Use inline C functions and structures • Replace constant strings with dynamic strings • Use system API indirectly • Add checks to all your core functionality • Always strip debug symbols in release builds
  66. Thank You! Contact me: dimaty@macpaw.com