Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reverse Engineering iOS Apps

Conrad Kramer
August 20, 2015
Programming
11
250k

Reverse Engineering iOS Apps

Talk given at Swift Language User Group in SF on 20 August 2015

If you've ever needed to know how another piece of code works, or if you've ever been at the mercy of someone else's bugs – you can always look at the source code... unless you don't have it. I'll be giving an introduction to the art of reverse engineering on iOS and OS X, including Swift apps. I'll be cover sniffing network traffic as well as static and dynamic analysis, with tools like Charles, cycript, IDA, Hopper and class-dump.

Conrad Kramer

August 20, 2015
Tweet

More Decks by Conrad Kramer

See All by Conrad Kramer
How (not) to write an iOS SDK
conradev
1
43k
Memory Use in Extensions
conradev
2
410

Other Decks in Programming

See All in Programming
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
ゆるい個人開発のススメ
kuroppe1819
10
970
Git Rebase
bkuhlmann
11
1.6k
try! Swift Tokyo 2024のLT枠に採択されたプロポーザルを出すときに考えていたこと
ski
0
350
Snowflakeで眠ったデータを起こそう!
estie
0
110
Git Lint
bkuhlmann
4
750
Site Reliability Engineering for GMO
pyama86
7
1k
GitHub Copilotのススメ
marcy731
0
190
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
160
PostmanでAPIの動作確認が楽になった話
h455h1
0
160
雑に思考を整理する技術と効能
konifar
58
28k
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
360

Featured

See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Code Reviewing Like a Champion
maltzj
513
39k
Designing with Data
zakiwarfel
95
4.8k
BBQ
matthewcrist
80
8.8k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Code Review Best Practice
trishagee
54
15k
Principles of Awesome APIs and How to Build Them.
keavy
120
16k
4 Signs Your Business is Dying
shpigford
175
21k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Docker and Python
trallard
33
2.7k

Transcript

  1. Reverse Engineering iOS Apps with Swi' Conrad Kramer @conradev

  2. Reverse Engineering Analyzing out how something works by examining the

    final product.

  3. Opera&ng the tools Knowing what to look for

  4. Frame the ques,on Why does this bug occur? What component

    do they use in their UI? What does the app's REST API look like?

  5. Test Subject: Ly# (Wri%en en)rely in Swy.)

  6. Ques%ons What does Ly,'s REST API look like? How does

    Ly*'s URL scheme work?

  7. What is in the Ly, app? • Metadata • Assets

    • Executable (Encrypted) • Lots of frameworks (Encrypted)

  8. What can we work with? • When it is running

    • Network traffic • Injec6ng code • When it isn't running • Inspec6ng the binaries

  9. Inspect Network Traffic using Charles charlesproxy.com

  10. HTTP(S) Proxy Performs SSL man-in-the-middle Pre$y prints JSON, YAML, XML,

    Mul8part, Form encoding, etc.

  11. Inject Code using cycript (jailbreak required for third party apps)

    cycript.org

  12. Cycript JavaScript/Objec/ve-C hybrid Interact with the app using the REPL,

    live: var application = [UIApplication sharedApplication]; [application openURL:[NSURL URLWithString:@"https://google.com"]];

  13. Decrypt The Executable with dumpdecrypted (jailbreak required) bit.ly/dumpd

  14. Analyze The Executable using IDA Pro bit.ly/idatrial

  15. Swi$ vs. Objec.ve-C Swi$ assembly is more verbose Swi$ class

    informa/on is harder to extract

  16. Looking at -applica.on:openURL: _TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FC So5NSURLSb Mangled symbol name

  17. Looking at -applica.on:openURL: _TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FC So5NSURLSb • _T -> Swi( symbol

    • F -> Func3on • 4Lyft -> Module name • A lot more informa3on (see Mike Ash's Friday Q&A)

  18. Looking at -applica.on:openURL: var url = NSURL(string: "lyft://") var manager

    : Lyft.DeepLinkManager = ... manager.handleOpenURL(url)

  19. Think like the developer

  20. Looking at Ly+.DeepLinkManager • DeepLinkRequest • DeepLinkable • DeepLinkToRide •

    DeepLinkToHelp • DeepLinkToSe6ngs • DeepLinkToDriveMode • etc.

  21. Looking at Ly+.DeepLinkManager lyft://action?paramter=value

  22. Looking at Ly+.DeepLinkToRide lyft://ridetype ?id=lyft_line &pickup[latitude]=0 &pickup[longitude]=0 &destination[latitude]=0 &destination[longitude]=0

  23. Thanks!