data in memory
- Finding a particular memory location is not trivial*
- Introduced in iOS 4.3
* The evasi0n jailbreak uses ARM exception vector layout information to map the memory layout
General conditions
be signed by Apple
- Each app has a unique ID and directory
- The 'Sandbox' restricts the app from accessing almost everything
- Apps cannot access data from other apps*
- Low-level 'attacks' are reduced by the 'sandbox'*
Keychain
with 4 tables: genp, inet, cert, keys
- The keychain API performs IPC calls to securityd, which handles database access
- Access control is based on the application id
- New: applications with the same keychain access group entitlement can access/share keychain items
- A simple "WHERE agrp = %s" clause is appended to the SQL statements
Keychain item accessibility attributes (kSecAttrAccessible values):

kSecAttrAccessibleWhenUnlocked                    Keychain item is accessible only after the device is unlocked
kSecAttrAccessibleAfterFirstUnlock                Keychain item is accessible only after the first unlock of the device, until reboot
kSecAttrAccessibleAlways                          Keychain item is accessible even when the device is locked
kSecAttrAccessibleWhenUnlockedThisDeviceOnly      Keychain item is accessible only after the device is unlocked, and the item cannot be migrated between devices
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly  Keychain item is accessible after the first unlock of the device, and the item cannot be migrated between devices
kSecAttrAccessibleAlwaysThisDeviceOnly            Keychain item is accessible even when the device is locked, and the item cannot be migrated between devices

The ThisDeviceOnly variants are bound to the device's key and are not restored from a backup onto another device. kSecAttrAccessibleAlways is the weakest class: an item stored with it is readable from a locked device, so it should only be chosen for data that really must be available in the background.
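The following is an added example, not code from the slides: it stores a secret with an explicit accessibility class and an access group, then reads it back. The service name, account name and access group string are assumptions for illustration; the access group must also appear in the app's keychain-access-groups entitlement, which is what lets a second app with the same entitlement see the same row through securityd's agrp filter.

```objc
// Added example, not from the original slides. Service, account and access
// group are assumed names; the access group must match the app's
// keychain-access-groups entitlement.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString * const kService     = @"com.example.app";           // assumed
static NSString * const kAccount     = @"session-token";             // assumed
static NSString * const kAccessGroup = @"TEAMID.com.example.shared"; // assumed

// Store (or replace) a secret. WhenUnlocked keeps it unreadable while the
// device is locked; ThisDeviceOnly keeps it out of backups restored elsewhere.
OSStatus storeSecret(NSData *secret) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:           (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:     kService,
        (__bridge id)kSecAttrAccount:     kAccount,
        (__bridge id)kSecAttrAccessGroup: kAccessGroup
    };
    // SecItemAdd fails with errSecDuplicateItem and does NOT change the
    // accessibility class of an existing item, so delete the old row first.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Read it back. Any app whose entitlements list kAccessGroup gets the same
// row; securityd restricts the query to that agrp, so other apps see nothing.
NSData *loadSecret(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:           (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:     kService,
        (__bridge id)kSecAttrAccount:     kAccount,
        (__bridge id)kSecAttrAccessGroup: kAccessGroup,
        (__bridge id)kSecReturnData:      @YES,
        (__bridge id)kSecMatchLimit:      (__bridge id)kSecMatchLimitOne
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        // errSecItemNotFound, or errSecInteractionNotAllowed when the item's
        // accessibility class forbids reading it in the current lock state.
        return nil;
    }
    return (__bridge_transfer NSData *)result;
}
```

The delete-before-add step matters in practice: an item first written with kSecAttrAccessibleAlways keeps that class on later SecItemAdd calls, so tightening the constant in source does nothing for users who already have the old row.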
Setting a data protection class on a file from code (the start of the first statement was cut off in the source; <FILE> is the path of the file to protect):

NSDictionary *attrs = [NSDictionary dictionaryWithObject:NSFileProtectionComplete
                                                  forKey:NSFileProtectionKey];
// setAttributes:ofItemAtPath:error: is an NSFileManager method
BOOL success = [[NSFileManager defaultManager] setAttributes:attrs
                                               ofItemAtPath:<FILE>
                                                      error:nil];

It's also possible with Entitlements.plist (the com.apple.developer.default-data-protection entitlement sets the default protection class for every file the app creates).
Linked frameworks and libraries (otool -L style output, truncated in the source):

(compatibility version 1.0.0, curre
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2
/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compat version 499.0.0)
/usr/lib/libxml2.2.dylib (compatibility version 10.0.0, current version 10.8.0)
/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, curren
/System/Library/Frameworks//CoreData.framework/CoreData (compatibility version 1.0.0, c
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current ver
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 227.0.0)
/usr/lib/libSystem.dylib (compatibility version 1.0.0, current version 125.0.0)
Symbol table of the binary (nm output; the "- 01 0000 FUN" entries are STABS debug symbols that survive because the binary was not stripped):

t -[WABaseProfileHeader nicknameLabel]
00040980 - 01 0000   FUN -[WABaseProfileHeader nicknameLabel]
00040360 t -[WABaseProfileHeader onClanButtonTap:]
00040360 - 01 0000   FUN -[WABaseProfileHeader onClanButtonTap:]
000402d0 t -[WABaseProfileHeader onCompareButtonTap:]
000402d0 - 01 0000   FUN -[WABaseProfileHeader onCompareButtonTap:]
00040610 t -[WABaseProfileHeader roleLabel]
00040610 - 01 0000   FUN -[WABaseProfileHeader roleLabel]

*Xcode does not strip symbols by default [5]
Note that stripping only removes these symbol-table entries; Objective-C class and method names are still stored in the runtime metadata sections (the runtime needs them to dispatch messages), so tools like class-dump recover them from a stripped binary as well.
MobileSubstrate
- De facto framework for developing iOS (Android!) extensions
- MobileLoader dynamically loads code into a running iOS process using the DYLD_INSERT_LIBRARIES environment variable; the libraries live in /Library/MobileSubstrate/DynamicLibraries/
- Hook functions: MSHookFunction(CFShow, replaced_CFShow, &original_CFShow);
*Use the theos tool for convenience [7]
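An added example of a MobileSubstrate tweak, not code from the slides or from MobileSubstrate itself. It completes the CFShow hook shown above and adds an Objective-C method hook; the target bundle identifier, the class SecurityChecks and its isJailbroken selector are hypothetical stand-ins for a client-side check inside some app, which is the kind of restriction such a tweak bypasses.

```objc
// Added example, not from the original slides. com.example.targetapp,
// SecurityChecks and -isJailbroken are hypothetical names.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <substrate.h>

// ---- C function hook: log every CFShow call, then call the original ----
static void (*original_CFShow)(CFTypeRef obj);

static void replaced_CFShow(CFTypeRef obj) {
    NSLog(@"[tweak] CFShow(%@)", obj);
    original_CFShow(obj);
}

// ---- Objective-C method hook: make a jailbreak check always answer NO ----
// Hooked methods are plain C functions taking (self, _cmd, args...).
static BOOL (*original_isJailbroken)(id self, SEL _cmd);

static BOOL replaced_isJailbroken(id self, SEL _cmd) {
    BOOL real = original_isJailbroken(self, _cmd);
    NSLog(@"[tweak] -[%@ isJailbroken] returned %d, forcing NO", [self class], real);
    return NO;
}

// Runs when MobileLoader injects this dylib (via DYLD_INSERT_LIBRARIES),
// before the process reaches main().
__attribute__((constructor))
static void tweak_init(void) {
    @autoreleasepool {
        // The filter plist next to the dylib limits which processes get it;
        // checking the bundle identifier here is cheap insurance against
        // hooking CFShow in every process on the device.
        NSString *bundleID = [[NSBundle mainBundle] bundleIdentifier];
        if (![bundleID isEqualToString:@"com.example.targetapp"]) { // assumed target
            return;
        }

        MSHookFunction((void *)CFShow, (void *)replaced_CFShow, (void **)&original_CFShow);

        Class checks = objc_getClass("SecurityChecks"); // hypothetical class
        if (checks) {
            MSHookMessageEx(checks, @selector(isJailbroken),
                            (IMP)replaced_isJailbroken, (IMP *)&original_isJailbroken);
        }
    }
}
```

Installed as /Library/MobileSubstrate/DynamicLibraries/Tweak.dylib together with Tweak.plist whose Filter/Bundles array names the target bundle identifier, MobileLoader injects it on the next launch of that app. The defensive lesson is the mirror image: any check that runs inside the app process, including a jailbreak check, can be rewritten this way, so it raises the bar rather than enforcing anything.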
- Discover encryption vulnerabilities
- Bypass client-side restrictions
- Execute hidden functionality
- Dump copyrighted data
- Many, many other not-so-obvious things
Protect yourself
for additional obfuscation
- Verify In-App purchases
- Do not save significant info in plists/plain text
- Encrypt your app's resources (artwork, sound, etc.)
- Check if the phone is jailbroken (and act accordingly)
- Turn off NSLog :)
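An added example for the last two points, not code from the slides: an NSLog macro that compiles to nothing outside DEBUG builds, and a jailbreak heuristic combining a file check, a sandbox-escape probe and the cydia:// URL scheme. The probe path is an assumption; all three signals can be hidden or hooked by a tweak, so the result is a signal to act on (for example, refusing to cache credentials), not proof.

```objc
// Added example, not from the original slides. The probe path is assumed.
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>
#include <stdio.h>
#include <unistd.h>

// Debug logging compiles out of release builds, so neither the format
// strings nor the call sites reach the shipped binary.
#ifdef DEBUG
#define DLog(fmt, ...) NSLog((@"%s " fmt), __PRETTY_FUNCTION__, ##__VA_ARGS__)
#else
#define DLog(...) do {} while (0)
#endif

static BOOL deviceLooksJailbroken(void) {
#if TARGET_IPHONE_SIMULATOR
    return NO; // the simulator has all of these paths; do not false-positive
#else
    // 1. Files that only exist after a jailbreak
    const char *paths[] = {
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
    };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        if (access(paths[i], F_OK) == 0) {
            DLog(@"found %s", paths[i]);
            return YES;
        }
    }

    // 2. Sandbox escape: writing outside the app container must fail on a
    //    stock device, so a successful write means the sandbox is gone.
    const char *probe = "/private/jailbreak_probe.txt"; // assumed scratch path
    FILE *f = fopen(probe, "w");
    if (f) {
        fclose(f);
        unlink(probe);
        DLog(@"wrote outside the sandbox");
        return YES;
    }

    // 3. A handler for the cydia:// scheme is registered
    NSURL *cydia = [NSURL URLWithString:@"cydia://package/com.example.package"];
    if ([[UIApplication sharedApplication] canOpenURL:cydia]) {
        DLog(@"cydia:// handler present");
        return YES;
    }
    return NO;
#endif
}
```

DEBUG must be defined only in the debug configuration's preprocessor settings for the macro to do its job. Since iOS 9, canOpenURL returns NO for schemes not declared under LSApplicationQueriesSchemes in Info.plist, so the third check needs "cydia" listed there to keep working on newer systems.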