intro | immediate reaction “Maybe it’s more interesting to analyse than Unflod.dylib!” But: original download link for the IPA was not working anymore :( Solution: start from the beginning, aka find original blog post linked with the case
osx | machook 64 bits binary only use libimobiledevice to detect when an iOS device is plugged-in com.apple.afc ProductVersion SerialNumber list of installed Apps
osx | machook starts com.apple.afc2 if worked (jailbroken device ) copy [OSX]/usr/local/machook/sfbase.dylib [iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib download signed IPA and push it as well using com.apple.mobile.installation_proxy URL stored in SQLite DB: foundation Enterprise cert means that first execution will bring validation pop-up code not encrypted as not from AppStore globalupdate : loop to check for updates
iOS | sfbase.dylib not signed MobileSubstrate to hook [UIWindow sendEvent] in MobileStorageMounter MobileSafari MobilePhone MobileSMS Preferences also checks for updates
iOS | sfbase.dylib if event is applicationWillResignActive, kill applications What??? Maybe I don’t have the latest version also, dead code to query URL and hide it retrieve some files SMS.db AddressBook.sqlitedb UDID post to saveinfo.php
conclusion | maybe not that “new era” did not look at the signed binary for the moment possibilities too limited except if privileges escalation is possible… hooking methods but does not use it targeted at Chinese market but logs in english still some nice functionalities update functionality OSX —> iOS, but already seen in the wild
milkmix
herumi
mhidaka
_kensh
yellowshippo
kentosuzuki
masakamayama
koudaiii
takatsunobuhiro
mottox2
bengo4com
emgsilva
senkin13
bryan
addyosmani
pauljervisheath
samanthasiow
lemiorhan
reverentgeek
aleyda
smashingmag
brettharned
lauravandoore
iamctodd
eitanlees