Reverse Engineering iOS apps. Lessons learned.

Transcript

1. Reverse Engineering iOS apps UIKonf 2014 Max Bazaliy

2. @CocoaHeadsUA iSecurityKit @mbazaliy github.com/mbazaliy

3. Security audit Competitor analysis Solution advantages Why?

4. It’s fun!

5. Analysis

6. Traffic sniffing Module call tracing I/O activity System Code Disasm\

   Decompiling Debugging Resource reversing
7. None

8. Binary file Image files Interface files Property list files CoreData

   model files App files

9. Compressed pngcrush appcrush.rb artwork extractor Image f iles

10. NIBs Storyboards nib dec nib_patch Interface files

11. *.mom momdec CoreData

12. Binary

13. otool class-dump MachOView Hopper cycript Reveal Tools

14. Mach-O binary

15. 32 bit (ARMv6,ARMv7) 0xFEEDFACE 64 bit (ARM64) 0xFEEDFACF Universal binaries

    (FAT) 0xCAFEBABE Mach-O header

16. __TEXT -> code and read only data __objc sections-> data

    used by runtime

17. __message_refs __cls_refs __symbols __module_info __class __meta_class __instance_vars __inst_meth __cls_meth __cat_cls_meth

    __protocol_ext __cat_inst_meth

18. __message_refs __cls_refs __symbols __module_info __class __meta_class __instance_vars __inst_meth __cls_meth __cat_cls_meth

    __protocol_ext __cat_inst_meth

19. class-dump-z

20. @interface  RRSubscription  :  NSObject   {        

     NSString  *_subscriptionID;        unsigned  int  _period;          float  _price;          NSDate  *_creationDate;   }     +  (id)arrayOfSubscriptionsWithJSONArray:(id)arg1;   +  (id)subscriptionWithDictionary:(id)arg1;     @property(readonly,  nonatomic)  NSDate  *creationDate;   @property(readonly,  nonatomic)  float  price;   @property(readonly,  nonatomic)  unsigned  int  period;  

21. Binary is encrypted

22. otool -arch all –Vl MyApp | grep -A5 LC_ENCRYP!

23. evasi0n.com

24. > address (cryptoff + cryptsize) size (base address + cryptoff

    + cryptsize)! > gdb dump memory decrypted.bin 0x3000 0xD23000 ! > Address space layout randomization! > 0x1000 -> 0x5000! > decrypted.bin -> binary! > patch header!
25. None

26. Rasticrac Clutch dumpdecrypted

27. Binary analysis Debugger attach ASLR bypass Binary dump Patch cryptid

    Clutch Rasticrac

28. Binary analysis

29. Disassembler Debugger Decompiler Hopper IDA Disassembler Debugger + objc_helper +

    Hex-Rays
30. None

31. id objc_msgSend(id self, SEL op, ...) 80% of calls

32. application: didFinishLaunchingWithOptions: Hopper Disassembler

33. Control flow graph Hopper Disassembler

34. Decompilation Hopper Disassembler

35. ! Method names Strings Constants

36. Dump headers Modify ivars Instantiate objects Invoking methods Swizzling methods

    cycript

37. cy# UIApp @"<UIApplication: 0x14632f70>" cy# function tryPrintIvars(a){ var x={}; for(i

    in *a){ try{ x[i] = (*a)[i]; } catch(e){} } return x;} cy# UIApp.keyWindow.subviews[0].nextResponder.topViewController @"<UINavigationController: 0x14596530>" cy# UIApp.keyWindow.subviews[0].nextResponder.topViewController. viewControllers[0] @"<JailbreakDetectionVC: 0x15a5ad10>" cy# JailbreakDetectionVC.messages['isJailbroken'] = function () { return NO }; {} cy# [[[UIView alloc] init] autorelease] @"<UIView: 0x14d71bb0; frame = (0 0; 0 0); layer = <CALayer: 0x14d702b0>>"

38. Runtime inspection Modify layer Dynamically loaded Reveal

39. Foursquare.app

40. idb iNalyzer Snoop-it Introspy iRET Special tools

41. None

42. Best practices Compile with PIE No credentials in plists Disable

    NSLog Use NSFileProtection

43. Best practices Sensitive - keychain View snapshots Cache.db URL Schemes

    Secure coding guide

44. No Objective-C Integrity checks SSL pinning Obfuscation What next ?

45. None

46. Public key Certificate SSL pinning

47. - (void)URLSession:(NSURLSession *)session didReceiveChallenge: (NSURLAuthenticationChallenge *)challenge completionHandler:(void (^) (NSURLSessionAuthChallengeDisposition, NSURLCredential

    *))completionHandler{! ""…! ""NSData *localCertificateData = [NSData dataWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"MyCert” ofType: @"crt"]];! "CFDataRef remoteCertificateData = SecCertificateCopyData(remoteVersionOfServerCertificate);! ""BOOL certificatesAreTheSame =! " [localCertificateData isEqualToData: remoteCertificateData];! ""NSURLCredential* cred = [NSURLCredential credentialForTrust: serverTrust];! ""if (certificatesAreTheSame) {! ""completionHandler(NSURLSessionAuthChallengeUseCredential,cred); " "}! ""else { " " completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace,nil);! ""}!

48. - (AFSecurityPolicy*) googleSecurityPolicy {! NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"google"

    ofType:@"cer"];! NSData *certData = [NSData dataWithContentsOfFile:cerPath];! AFSecurityPolicy *securityPolicy = [[AFSecurityPolicy alloc] init];! [securityPolicy setAllowInvalidCertificates:NO];! [securityPolicy setPinnedCertificates:@[certData]];! [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];! return securityPolicy; }! ! - (void)googleRequest {! AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager]; ! [manager setSecurityPolicy:[self googleSecurityPolicy]];! [manager GET:@"www.google.com" parameters:nil success:^(AFHTTPRequestOperation *operation, NSDictionary* responseObject) { ! } failure:^(AFHTTPRequestOperation *operation, NSError *error) {! }];! }!

49. Use functions Strip symbols Use #define inline ((always_inline)) Method obfuscation

50. #define isJailbroken() gbrlp()! static inline int () gbrlp{! …! }!

51. XORs Decoding tables Don’t use one key Strings obfuscation

52. ! ! #define PTRACE_STRING @"<mlbD3Z1”! NSString *scInfoString = decodeString(PTRACE_STRING);! !

    ! NSData *encryptedData =! [RNEncryptor encryptData:data " " " " withSettings:kRNCryptorAES256Settings " " " " " password:@"passw0rd” " " " " " " error:&error];! ! NSData *decryptedData =! [RNDecryptor decryptData:data " " " " withSettings:kRNCryptorAES256Settings " " " " " password:@"passw0rd” " " " " " " error:&error];! !

53. Deny attach Constructor tricks Change values Anti debugger tricks

54. static int checkGDB() __attribute__((always_inline))! {! size_t size = sizeof(struct kinfo_proc);!

    struct kinfo_proc info;! memset(&info, 0, sizeof(struct kinfo_proc));! ! int ret, name[4];! name[0] = CTL_KERN;! name[1] = KERN_PROC;! name[2] = KERN_PROC_PID;! name[3] = getpid();! ! if ((ret = (sysctl(name, 4, &info, &size, NULL, 0))))! return ret;! return (info.kp_proc.p_flag & P_TRACED) ? 1 : 0;! }!

55. #import <dlfcn.h>! #import <sys/types.h>! ! #define PT_DENY_ATTACH 31! ! typedef

    int (*ptrace_ptr_t)! (int _request, pid_t _pid, caddr_t _addr, int _data);! ! void *handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);! ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(handle, [ptraceString UTF8String]);! ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);! dlclose(handle);! !

56. SYSCALL

57. syscall(26, 31, 0, 0, 0); ! ptrace PT_DENY_ATTACH

58. + (PurchaseManager *)sharedManager {! ! if (isDebugged())! return nil;! !

    static PurchaseManager *sharedPurchaseManager = nil;! static dispatch_once_t onceToken;! " dispatch_once(&onceToken, ^{! sharedPurchaseManager = [[self alloc] init];! });! "! return sharedPurchaseManager ;! }!

59. Is encrypted Is patched SC_Info iTunesMetadata overdrive tricks Integrity checks

60. None

61. const struct mach_header *header =! (struct mach_header *)dlinfo.dli_fbase;! struct load_command

    *cmd = (struct load_command *) (header + 1);! for (uint32_t i = 0; cmd != NULL && i < header->ncmds; i++) {! if (cmd->cmd == LC_ENCRYPTION_INFO) {! struct encryption_info_command *crypt_cmd =! "" " " (struct encryption_info_command *)cmd;! if (crypt_cmd->cryptid < 1)! return NO;! else! return YES;! }!

62. const char * originalSignature = "5f9b18edc3666be3de79134a40deea5b";! const struct mach_header *

    header;! Dl_info dlinfo;! ! uint32_t * textSectionAddr = (uint32_t *)section->addr;! uint32_t textSectionSize = section->size;! uint32_t * vmaddr = &segment->vmaddr;! ! char * textSectionPtr = (char *)((int)header + (int)textSectionAddr - " " " " " " " " " " " " " " " "(int)vmaddr);! ! unsigned char digest[CC_MD5_DIGEST_LENGTH];! char signature[2 * CC_MD5_DIGEST_LENGTH];! CC_MD5(textSectionPtr, textSectionSize, digest);! ! for (int i = 0; i < sizeof(digest); i++)! "" "sprintf(signature + (2 * i), "%02x", digest[i]);! return strcmp(originalSignature, signature) == 0;!

63. BOOL isDirectory = NO;! ! NSString *directoryPath = [[[NSBundle mainBundle]

    bundlePath] stringByAppendingPathComponent:@"SC_Info/"];! ! BOOL directoryExists = [[NSFileManager defaultManager] fileExistsAtPath:directoryPath isDirectory:&isDirectory];! ! BOOL contentSeemsValid = ([[[NSFileManager defaultManager] contentsOfDirectoryAtPath:directoryPath error:NULL] count] == 2);

64. NSString *scInfoString = @"SC_Info/";! NSString *appleIDString = @"appleId";! NSString *appleIDMailAddress

    = @"max@bazaliy.com";! NSString *metadataString = @"iTunesMetadata.plist";! NSString *downloadInfoKeyString = @"com.apple.iTunesStore.downloadInfo";! NSString *accountInfoString = @"accountInfo";! ! NSDictionary *iTunesMetadata = [NSDictionary dictionaryWithContentsOfFile:[rootDirectoryPath stringByAppendingPathComponent:metadataString]];! NSString *appleID = [iTunesMetadata objectForKey:appleIDString];! NSDictionary *accountInfo = [[iTunesMetadata objectForKey:downloadInfoKeyString] objectForKey:accountInfoString];! BOOL isValidAppleID = (appleID.length > 0 && [appleID rangeOfString:appleIDMailAddress options:NSCaseInsensitiveSearch].location == NSNotFound);! BOOL isValidDownloadInfo = (accountInfo.count > 0);}!
65. None

66. BOOL dyLibFound = NO;! NSArray *directoryFiles = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:

    [[NSBundle mainBundle] bundlePath] error:NULL];! ! for (NSString *filename in directoryFiles) {! if ([[filename pathExtension] caseInsensitiveCompare:@"dylib"] == NSOrderedSame) {! dyLibFound = YES;! break;! }! }!

67. Class hooksClass = objc_getClass("hooks");! Class descriptorsClass = objc_getClass("descriptors");! SEL allocWithZoneSelector

    = sel_registerName("allocWithZone:");! ! if (hooksClass != NULL) {! "Method method = ! " class_getClassMethod(hooksClass, allocWithZoneSelector);! " method_setImplementation(method, (IMP)nilImplementation);! }! ! if (descriptorsClass != NULL) {! Method method = ! class_getClassMethod(descriptorsClass, allocWithZoneSelector);! method_setImplementation(method, (IMP)nilImplementation);! }!

68. Terminate app Run in demo mode Change behavior What next?

69. None

70. Path check URL check File access Root check Process check

    Jailbreak detection

71. ! NSError *error;! NSString *jailTest = @"Jailbreak time!";! [jailTest writeToFile:@"/private/

    test_jail.txt" atomically:YES encoding:NSUTF8StringEncoding error:&error];! if(error==nil) {! …! }!

72. int result = fork();! "if (!result)! exit(0); ! if (result

    >= 0)! return isJail;! return noJail;! ! ! if (system(0)) ! ...! }!

73. NSURL *FakeURL = [NSURL URLWithString:! @"cydia://package/com.fake.package"];! ! if ([[UIApplication sharedApplication]

    canOpenURL:FakeURL])! return isJail;! else! return noJail;

74. NSArray *jailbrokenPaths = @[@"/Applications/Cydia.app",! @"/Applications/RockApp.app",! @"/Applications/Icy.app",! @"/usr/sbin/sshd",! @"/usr/bin/sshd",! @"/private/var/lib/apt",! @"/private/var/lib/cydia",!

    @"/usr/libexec/sftp-server”,! @"/private/var/stash"];! ! for (NSString *string in jailbrokenPaths)! if ([[NSFileManager defaultManager] " " " " "fileExistsAtPath:string]) {! …! }!

75. ! ! NSArray *processes = [self runningProcesses];! ! for (NSDictionary

    * dict in processes) {! NSString *process = dict[@"ProcessName"];! if ([process isEqualToString:@"MobileCydia"]) " " "{! ...! }! !

76. iMAS Encrypted Core Data Security checks Passcode check Memory security

77. LLVM Obfuscator Instructions substitution Control Flow flattening Bogus Control Flow

    Functions merging

78. LLVM Obfuscator Instructions substitution Control Flow flattening Bogus Control Flow

    Functions merging

79. Cracking time = Protection time

80. None

81. @mbazaliy