Slide 1

Beyond The ‘Cript: Practical iOS Reverse Engineering
Michael Allen (@_dark_knight_), Security Consultant
IOActive, Inc. Copyright ©2016. All Rights Reserved.

Slide 2

Why This Talk?
•  Apps more hardened against common attacks
•  Bridge the gap
•  Deeper understanding of what happens under the hood
•  Foundation for additional research

Slide 3

Outline/Agenda
•  Building A General Toolkit
•  iOS Application Assessment 101
   –  Usual results
   –  “New” approach
•  The Reverse Engineer’s Toolkit
•  Reverse Engineering iOS Applications
   –  Mach-O Binary Format
   –  Mach Tasks
   –  ARM(32/64)
   –  Objective-C
   –  Swift
•  Identifying and bypassing Simple Jailbreak Detection Routines
•  Conclusion

Slide 4

Outline/Agenda
•  Building A General Toolkit
•  iOS Application Assessment 101
•  The Reverse Engineer’s Toolkit
•  Reverse Engineering iOS Applications
•  Identifying and bypassing Simple Jailbreak Detection Routines
•  Conclusion

Slide 5

Building A General Toolkit
•  Jailbroken Device
•  File System
•  Network
•  Instrumentation
•  Automating Common Tasks
•  Essentials

Slide 6

Jailbroken Device
•  Removing software restrictions imposed by iOS, through the use of software exploits
•  Recommend a dedicated device for testing
•  Latest jailbreak
   –  Pangu (iOS 9.2 – 9.3.3, 64-bit devices only)

Slide 7

Jailbroken Device (contd.)
•  Tethered
   –  Does not persist across reboots
   –  Requires a computer to start the device
•  Untethered
   –  Persists on the device across reboots
•  Semi-tethered
   –  Requires a computer to start into the jailbroken state
   –  Rebooting or starting the device without assistance is possible, but it boots into a non-jailbroken state

Slide 8

Jailbroken Device (ProTip)
•  Change the default root password (alpine)
•  Access the device over USB using usbmuxd
   –  sudo python tcprelay.py -t 22:22
•  Generate SSH keys
   –  ssh-keygen -t rsa -f ~/.ssh/ironman -N ""
•  Copy the public key to the device
   –  ssh-copy-id -i ~/.ssh/ironman.pub root@localhost
•  Create an alias in ~/.ssh/config

Slide 9

File System: Moving Files
•  iFunbox
•  iExplorer
•  SFTP

Slide 10

Network: BurpSuite Pro Intercepting Proxy

Slide 11

Network: SSL Kill Switch 2
•  “Disables SSL certificate validation - including certificate pinning - within iOS Apps.”

Slide 12

Instrumentation: Cycript
•  Injects into the target process
•  Interactive console
•  Objective-C and JavaScript syntax
•  Supported platforms (iOS, Mac OS X)
•  NowSecure fork where the runtime is powered by Frida (Cycript on steroids)

Slide 13

Instrumentation: Cycript (contd.)

Slide 14

Instrumentation: Frida
•  Injects Google’s V8 engine into the target process
•  JavaScript executed with full access to memory
•  Function hooking
•  Access to native methods
•  Inject into a starting process
•  Multiple platforms (Windows, Mac, Linux, iOS and Android)

Slide 15

Instrumentation: Frida (contd.)
•  Method tracing

Slide 16

Automating Common Tasks
•  Idb Tool - http://www.idbtool.com/
•  Snoop-IT - http://repo.nesolabs.de/
•  iRet - https://www.veracode.com/blog/2014/03/introducing-the-ios-reverse-engineering-toolkit
•  IntroSpy - https://github.com/iSECPartners/Introspy-iOS
•  AppMon - https://dpnishant.github.io/appmon/
•  Needle - https://github.com/mwrlabs/needle
•  Varying levels of support

Slide 17

Automating Common Tasks: Idb Tool
•  “idb is a tool to simplify some common tasks for iOS app security assessments and research.”
•  Provides general app info
•  URL handler
•  Keychain dumping
•  Pasteboard
•  Logging

Slide 18

Automating Common Tasks: Idb Tool (contd.)

Slide 19

Essentials: Command Line Utilities
•  Command Line
   –  BigBoss Recommended Tools (Cydia)
   –  Erica Utilities (Cydia)
   –  Jonathan Levin compiled a number of commonly used binaries for iOS

Slide 20

Essentials: iOSBinpack (Jonathan Levin)
•  Listing of available tools

Slide 21

Outline/Agenda
•  Building A General Toolkit
•  iOS Application Assessment 101
•  The Reverse Engineer’s Toolkit
•  Reverse Engineering iOS Applications
•  Identifying and bypassing Simple Jailbreak Detection Routines
•  Conclusion

Slide 22

Common Attack Vectors: Sniffing On A Remote Virtual Interface

Slide 23

Common Attack Vectors: Sniffing On A Remote Virtual Interface (contd.)

Slide 24

Common Attack Vectors: Insecure Storage
•  Property list files (.plist)
•  SQLite databases
•  Keychain
•  Snapshots
•  Cache

Slide 25

Insecure Storage: Property Lists (.plist)
•  Stores serialized objects
•  Key/value pairs
•  May be compacted to bplist (binary plist)
   –  cat filename.plist | plutil -convert xml1 - -o -

Slide 26

Insecure Storage: Client-Side Data Stores
•  Often see SQLite being used for client-side storage
•  Lightweight client-side database
•  Queried using SQL

Slide 27

Insecure Storage: Fun Fact About SQLite Data Stores
•  Delete doesn’t do what you think
•  Deleted data is added to the free list
•  Free records are not overwritten until more space is required
•  End result: data may not be overwritten for a while
•  May be recovered with SQLite-parser
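The free-list behaviour described above, as an added example (not from the original deck): a throwaway SQLite store receives a constructed token, the row is deleted, and the raw file is scanned for the token bytes; the same routine shows the mitigation, PRAGMA secure_delete, with VACUUM as a second option. Table, column and token value are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for a session token or credential.
SECRET = b"session-token-CONSTRUCTED-0123456789"


def leftover_after_delete(secure_delete=False, vacuum=False):
    """Insert SECRET into a throwaway SQLite store, DELETE it, then scan the
    raw database file. Returns True if the secret bytes survive on disk, i.e.
    a free-list parser such as SQLite-parser could still recover them."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # secure_delete is OFF in a stock SQLite build unless compiled with
        # SQLITE_SECURE_DELETE; set it explicitly so the result is deterministic.
        con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE creds (id INTEGER PRIMARY KEY, token BLOB)")
        # Filler rows on both sides keep the secret's page populated, so the
        # DELETE frees a single cell rather than triggering a page merge.
        filler = [(b"filler-" + bytes([65 + i % 26]) * 40,) for i in range(100)]
        con.executemany("INSERT INTO creds (token) VALUES (?)", filler)
        con.execute("INSERT INTO creds (token) VALUES (?)", (SECRET,))
        con.executemany("INSERT INTO creds (token) VALUES (?)", filler)
        con.commit()

        # The DELETE only unlinks the cell; with secure_delete OFF its bytes
        # stay in the page until SQLite needs the space again.
        con.execute("DELETE FROM creds WHERE token = ?", (SECRET,))
        con.commit()
        if vacuum:
            # Rebuilds the file, so freed cells and pages are not carried over.
            con.execute("VACUUM")
        con.close()

        with open(path, "rb") as fh:
            return SECRET in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete=OFF, secret still on disk:", leftover_after_delete())
    print("secure_delete=ON,  secret still on disk:", leftover_after_delete(secure_delete=True))
```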

Slide 28

Insecure Storage: Dumping The Keychain
•  SQLite database stored in /var/Keychains

Slide 29

Insecure Storage: Snapshots

Slide 30

Insecure Storage: Inspecting The Cache
•  The Caches directory serves a similar function to a web browser’s cache
•  Aimed at improving performance
•  May store web cache content

Slide 31

Insecure Storage: Dumping Binary Cookies
•  Created by the URL loading system or a webview
•  Stored on the local file system in binary format

Slide 32

Common Attack Vectors: Inter-process Communication
•  Application registers a custom URL scheme
•  Invoked when the scheme is called

Slide 33

Common Attack Vectors: Inter-process Communication (contd.)
•  Suggest using lsdtrip to identify URLs
•  Use the publicurls | privateurls option

Slide 34

Inter-process Communication (Side Note)
•  A malicious app could register your URL scheme
   –  [[UIApplication sharedApplication] openURL:myURL];
•  Universal Links introduced in iOS 9
   –  Kills the openURL problem
   –  Developer specifies which URLs will be processed by the app (association file)
   –  Communication over HTTPS
   –  No more enumerating apps via the canOpenURL method

Slide 35

Common Attack Vectors: Injection Attacks
•  UIWebViews
•  File-handling routines
•  XML

Slide 36

Summary: Usual Results
•  Issues relating to local storage
   –  Keep in mind most of these attacks require the device to be unlocked
•  Unsecured APIs (via Burp Suite Pro)
•  Maybe some hard-coded secrets (typically found by running strings against the binary)
•  The truth, however, is that most of these bugs have been closed
   –  Binary protections are now standard
   –  Data Protection APIs (keychain etc.)
   –  Universal Links introduced with iOS 9 address the IPC loophole
   –  …

Slide 37

Additionally, What Happens When?
•  The common tools fail?
•  Your Google Fu returns nothing?
•  There are custom security protections in place?
•  You want to extend an existing tool?
•  You want to start investigating deeply hidden logic bugs?
   –  Crypto functions etc.
•  You want to move beyond 3rd party applications?

Slide 38

Towards A “New” Approach
•  At this point we need to take a different approach, one that involves reverse engineering and leverages knowledge of:
   –  iOS internals
   –  ARM(32/64) assembly
   –  Deep dive into Objective-C/Swift
   –  …
•  Let’s improve our toolkit
•  And expand our knowledge base

Slide 39

Outline/Agenda
•  Building A General Toolkit
•  iOS Application Assessment 101
•  The Reverse Engineer’s Toolkit
•  Reverse Engineering iOS Applications
•  Identifying and bypassing Simple Jailbreak Detection Routines
•  Conclusion

Slide 40

The Reverse Engineer’s Toolkit
•  IDA Pro
•  Hopper
•  LLDB
•  Jtool
•  Procexp
•  GNU Project Debugger (gdb)
•  Apple CC Tools

Slide 41

The Reverse Engineer’s Toolkit: IDA Pro

Slide 42

The Reverse Engineer’s Toolkit: Hopper

Slide 43

The Reverse Engineer’s Toolkit: lldb
•  Debugging an application binary with lldb
•  iOS device
   1.  debugserver -x backboard ip:port
•  Mac host
   1.  lldb
   2.  process connect connect://ip:port
   3.  image list -o -f (ASLR)

Slide 44

The Reverse Engineer’s Toolkit: lldb (contd.)

Slide 45

The Reverse Engineer’s Toolkit: lldb ASLR (contd.)
•  Breakpoint = offset1 + offset2
•  Or just use the symbols

Slide 46

The Reverse Engineer’s Toolkit: jtool
•  otool-type functionality with way more options
•  Mach-O analysis (atos, dyldinfo, nm, strings etc.)
•  Multi-platform (OS X, iOS, Linux)
•  ARM64 disassembler

Slide 47

The Reverse Engineer’s Toolkit: jtool (contd.)

Slide 48

The Reverse Engineer’s Toolkit: jtool (bonus)

Slide 49

The Reverse Engineer’s Toolkit: procexp
•  Getting task-related info
•  Display threads, Mach ports, dump core (memory image) etc.

Slide 50

The Reverse Engineer’s Toolkit: gdb
•  Use source from http://cydia.radare.org
•  No support for arm64 architectures

Slide 51

The Reverse Engineer’s Toolkit: filemon
•  Tracing file system activity with FSEvents

Slide 52

Apple’s CC Tools
•  otool
   –  Mach-O binary Swiss army knife
•  nm
   –  Displays symbol table
•  lipo
   –  Architectures embedded in binary
•  codesign
   –  Binary signing

Slide 53

Outline/Agenda
•  Building A General Toolkit
•  iOS Application Assessment 101
•  The Reverse Engineer’s Toolkit
•  Reverse Engineering iOS Applications
•  Identifying and bypassing Simple Jailbreak Detection Routines
•  Conclusion

Slide 54

Reverse Engineering iOS Applications (Under The Hood)
•  Mach-O Binary Format
•  Mach Tasks
•  ARM(32/64)
•  Objective-C
•  Swift

Slide 55

Mach-O Binary Format

Slide 56

Application Binary
Version / Location:
•  < iOS 8
   –  /var/mobile/Application/
•  iOS 8+
   –  /var/mobile/Containers/Bundle/Application/ (app binary, nibs, code signature)
   –  /var/mobile/Containers/Data/Application/ (Documents, Library, tmp folder)
•  iOS 9.3.x
   –  /var/containers/Bundle/Application/ (app binary)

Slide 57

Mach-O Binary
•  Header – identifies file type, architecture etc.
•  Load Commands – detail layout and linkage specifications
•  Data – code

Slide 58

Mach-O: Header

Slide 59

Mach-O: Flags
•  PIE: commonly checked flag during an assessment
   –  ASLR for executable types

Slide 60

Mach-O: Load Commands (Kernel)
•  LC_SEGMENT[_64] is the main load command
   –  Memory regions with the same r/w/x protection

Slide 61

Mach-O: Segments
•  __PAGEZERO (NULL pointer trap, all access permissions revoked)
•  __TEXT (program code)
•  __DATA (readable/writable program data)
•  __LINKEDIT (symbol and other tables used by the linker)
•  __RESTRICT (see dyld.cpp; will not load DYLD_INSERT_LIBRARIES)
•  Optional sections
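A header and load-command walk of the kind MachOView, otool and jtool perform, written as an added Python example (not from the original deck) for the header, flags, LC_SEGMENT_64 and segment slides: it reads mach_header_64, iterates the LC_SEGMENT_64 commands, reports each segment's r/w/x protection and answers the two header questions an assessor asks, whether MH_PIE is set and whether a __RESTRICT segment is present. Assumed: a thin little-endian 64-bit file, not a fat/universal binary; the sample image is constructed in build_sample (header and segment commands only, no code), and the constants are the documented values from mach-o/loader.h.

```python
import struct

# Constants from <mach-o/loader.h>.
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
MH_PIE = 0x200000          # the flag otool -hv / jtool report as PIE
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000C
VM_PROT = {1: "r", 2: "w", 4: "x"}
HEADER_FMT, SEG_FMT = "<8I", "<II16sQQQQiiII"   # mach_header_64, segment_command_64


def prot_string(prot):
    """Render a vm_prot_t bitmask as otool-style r/w/x letters."""
    return "".join(letter if prot & bit else "-" for bit, letter in VM_PROT.items())


def parse_macho64(blob):
    """Parse a little-endian 64-bit Mach-O header and its LC_SEGMENT_64 commands.
    Returns the header flags, the PIE / __RESTRICT verdicts and the segment list."""
    (magic, cputype, _subtype, filetype, ncmds, _sizeofcmds, flags,
     _reserved) = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (magic 0x%x)" % magic)
    segments, off = [], struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_SEGMENT_64:
            (_, _, name, vmaddr, vmsize, _fileoff, _filesize, _maxprot,
             initprot, nsects, _segflags) = struct.unpack_from(SEG_FMT, blob, off)
            segments.append({"name": name.rstrip(b"\0").decode(),
                             "vmaddr": vmaddr, "vmsize": vmsize,
                             "initprot": prot_string(initprot), "nsects": nsects})
        off += cmdsize     # every load command carries its own size
    return {
        "cputype": cputype, "filetype": filetype, "flags": flags,
        # PIE is only meaningful for MH_EXECUTE; dylibs are always relocatable.
        "pie": filetype == MH_EXECUTE and bool(flags & MH_PIE),
        # __RESTRICT is what dyld checks before honouring DYLD_INSERT_LIBRARIES.
        "restrict": any(s["name"] == "__RESTRICT" for s in segments),
        "segments": segments,
    }


def build_sample(pie=True, with_restrict=False):
    """Constructed header-only Mach-O image (no code or data) used as sample input."""
    segs = [(b"__PAGEZERO", 0x0, 0x100000000, 0x0, 0x0, 0, 0),
            (b"__TEXT", 0x100000000, 0x4000, 0x0, 0x4000, 5, 5),
            (b"__DATA", 0x100004000, 0x4000, 0x4000, 0x4000, 3, 3),
            (b"__LINKEDIT", 0x100008000, 0x4000, 0x8000, 0x4000, 1, 1)]
    if with_restrict:
        segs.append((b"__RESTRICT", 0x10000C000, 0x4000, 0xC000, 0x0, 1, 1))
    cmds = b"".join(
        struct.pack(SEG_FMT, LC_SEGMENT_64, struct.calcsize(SEG_FMT),
                    name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, 0, 0)
        for name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot in segs)
    flags = 0x85 | (MH_PIE if pie else 0)   # NOUNDEFS | DYLDLINK | TWOLEVEL [| PIE]
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         len(segs), len(cmds), flags, 0)
    return header + cmds


if __name__ == "__main__":
    info = parse_macho64(build_sample(pie=False, with_restrict=True))
    print("flags=0x%x PIE=%s __RESTRICT=%s" % (info["flags"], info["pie"], info["restrict"]))
    for seg in info["segments"]:
        print("  %-12s %016x %8x %s" % (seg["name"], seg["vmaddr"], seg["vmsize"], seg["initprot"]))
```

Point parse_macho64 at the bytes of a real thin arm64 binary (for a fat file, slice out the arm64 member first) and compare the output with otool -hv and otool -l.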

Slide 62

Mach-O: Common Segments and Sections

Slide 63

Mach-O: Viewing Segments and Sections

Slide 64

MachOView (GUI)

Slide 65

Mach-O: Load Commands (dyld)
•  Kernel hands off to dyld (the dynamic linker)
   –  Uses the dynamic linker specified in LC_LOAD_DYLINKER
   –  Loads each LC_LOAD_DYLIB
   –  Resolves symbols
•  Interposing (method switching)
   –  Add an __interpose section to the __DATA segment
•  Force library loading with DYLD_INSERT_LIBRARIES
   –  Code with __attribute__((constructor)) runs automatically

Slide 66

Mach Tasks

Slide 67

Mach Tasks
•  At this point the binary is mapped into memory
•  The equivalent of a process on other systems
•  Port (IPC endpoint)
   –  Own the port, own the task
•  Mach trap task_for_pid()
   –  Requires the jailbreak tfp0 patch for the kernel task (PID 0)
•  processor_set_tasks()
   –  Any task port in the system

Slide 68

Mach Tasks – Interacting with the task
•  Get the task port
•  Read/write memory with the mach_vm* APIs
•  Inject your own shellcode
•  Left to your imagination

Slide 69

Mach Tasks – Owning The Port
* mach_vm_region returns information about a memory region in a given address space.

Slide 70

Mach Tasks – Dumping Memory
•  Write your own code and call the appropriate mach_vm* APIs
•  Use procexp regions

Slide 71

Mach Tasks – Dumping Memory
•  Read using lldb (memory read --outfile --count)

Slide 72

ARM Assembly

Slide 73

ARM32 - Registers
Register   Purpose
R0-R12     General purpose registers
R13        Stack pointer
R14        Link register. Holds the return address during a function call.
R15        Program counter (PC)
CPSR       Information on current execution state (Endianness bit, Thumb bit, Mode bits)

Slide 74

ARM32 – Function Calling Convention
•  Functions are invoked via B, BX, BL, BLX
Register   Purpose
r0-r3      First four function parameters; other arguments are passed on the stack
r0         Stores the return value

Slide 75

ARM32 – Basic Loading Instructions
•  ARM is a load/store architecture
•  Data must be loaded into registers before it can be used
Instruction   Purpose
LDR           Loads a word. Ex. LDR R3, [R0] loads the word at the address in R0 into R3
STR           Stores a word. Ex. STR R3, [R4] takes the value in R3 and stores it at the memory address in R4

Slide 76

ARM64 - Registers
Register   Purpose
x0-x28     General purpose registers (64 bit)
w0-w30     General purpose registers (32 bit)
x29        Frame pointer
x30        Link register (return address)
SP         Stack pointer
PC         Program counter

Slide 77

ARM64 – Function Calling Convention
Register   Purpose
x0-x7      Arguments/return values
x9-x15     Local variables
x19-x29    Callee-saved registers

Slide 78

Objective-C

Slide 79

Objective-C
•  objc_msgSend
   –  Equivalent of calling functions in C
   –  id objc_msgSend(id self, SEL op, …)
   –  receiver (id self)
   –  selector (SEL op)
•  The receiver is a pointer to the class the message is intended for
•  The selector is the method to handle the message

Slide 80

Objective-C (contd.)

Slide 81

Objective-C (contd.)
•  x0: receiver
•  x1: selector
•  x2: argument
•  objc_msgSend: function call
•  -v -d objc retrieves info on classes, methods etc.
*ARM64

Slide 82

Objective-C: Method Swizzling Under The Hood
•  objc_method struct holds information about a method of a class [/usr/include/objc/runtime.h]
•  Hooking frameworks [/Library/Frameworks/CydiaSubstrate.framework]
Member         Description
method_name    Method name
method_types   Accepted parameters
method_imp     Pointer to implementation
Swizzling just changes the implementation using the underlying C functions:
•  class_replaceMethod
•  method_exchangeImplementations
•  method_setImplementation
CydiaSubstrate:
•  MSHookMessageEx
•  MSHookFunction

Slide 83

CydiaSubstrate Method Swizzling

Slide 84

Swift

Slide 85

Swift
•  Introduced with iOS 8
•  Still uses traditional message passing for Swift classes that inherit from Objective-C classes
•  Swift classes may use
   –  Direct function calls
   –  Vtables
   –  C++-like mangled function names
•  Method swizzling if subclass of NSObject

Slide 86

Swift: Mangled Function Names
(comparison: Swift vs. Objective-C)

Slide 87

Swift: Mangled Function Names
•  __TFC9jailbreak14ViewController12btnFileCheckfS0_FPSs9AnyObject_T_
   –  __T: Swift symbol
   –  F: indicates a function
   –  C: indicates it is a function belonging to a class
   –  9jailbreak: module name prefixed with its length
   –  14ViewController: class name prefixed with its length
   –  12btnFileCheck: function name prefixed with its length
   –  S0_FPSs: no clue ??
   –  f: function attribute
   –  9AnyObject: function parameter
   –  T_: return type

Slide 88

Swift: demangle Tool
•  See also the hopper-swift-demangle plugin

Slide 89

Outline/Agenda
•  Building A General Toolkit
•  iOS Application Assessment 101
•  The Reverse Engineer’s Toolkit
•  Reverse Engineering iOS Applications
•  Identifying and bypassing Simple Jailbreak Detection Routines
•  Conclusion

Slide 90

Disclaimer
•  We will discuss binary patching next
•  Yeah, but I could do this with ?
•  Yes, there are several other options:
   –  xCon
   –  tsProtector
   –  Officer
   –  Tools discussed earlier (remember CydiaSubstrate hooking with MSHookFunction)
•  What happens when you can’t?
   –  Get comfortable reading/modifying ARM assembly
   –  Start with simple examples

Slide 91

But First A Note On Patching 101
•  Replace instruction with NOP
   –  No Operation
•  Change conditional instructions to unconditional ones
   –  BNE, BEQ, BLT… changes to just B etc.
•  Update the register that determines the branch taken
   –  reg write
   –  p $ =
•  Remove segment
   –  __RESTRICT

Slide 92

Identifying and bypassing Simple Jailbreak Detection Routines
•  Known file paths
•  Inline functions
•  Sandbox integrity
•  Anti-debugging
   –  P_TRACED
   –  PT_DENY_ATTACH

Slide 93

Common Jailbreak Detection Routines: Known File Paths

Slide 94

Common Jailbreak Detection Routines: Known File Paths (contd.)
Patch here

Slide 95

Ticketmaster Case Study: Known File Paths

Slide 96

Ticketmaster Case Study: Known File Paths (contd.)
Write 0

Slide 97

Common Jailbreak Detection Routines: Inline Functions

Slide 98

Common Jailbreak Detection Routines: Inline Functions (contd.)
Note: no more bl _isJailbroken

Slide 99

Common Jailbreak Detection Routines: Inline Functions (contd.)
Patch here

Slide 100

Common Jailbreak Detection Routines: Sandbox Integrity with fork()

Slide 101

Common Jailbreak Detection Routines: Sandbox Integrity
Patch here

Slide 102

Anti-Debugging: P_TRACED

Slide 103

Anti-Debugging: P_TRACED (contd.)
•  P_TRACED defined in /sys/proc.h

Slide 104

Anti-Debugging: P_TRACED (contd.)
Patch here

Slide 105

Anti-Debugging: P_TRACED (contd.)
•  Setting w10 to 0 is enough to bypass the check
•  Just change the register value

Slide 106

Anti-Debugging: PT_DENY_ATTACH

Slide 107

Anti-Debugging: PT_DENY_ATTACH (contd.)
•  Defined in /bsd/sys/ptrace.h

Slide 108

Anti-Debugging: PT_DENY_ATTACH (contd.)
0x1f = 31
Patch here

Slide 109

Simple Jailbreak Detection Routine Bypass: Swift

Slide 110

Simple Jailbreak Detection Routine Bypass: Swift (contd.)

Slide 111

Simple Jailbreak Detection Routine Bypass: Swift (contd.)
•  jailbreak function call
•  return value in w0
•  patch cmp w0, #1

Slide 112

Outline/Agenda
•  Building A General Toolkit
•  iOS Application Assessment 101
•  The Reverse Engineer’s Toolkit
•  Reverse Engineering iOS Applications
•  Identifying and bypassing Simple Jailbreak Detection Routines
•  Conclusion

Slide 113

Conclusion
•  Common bugs are being closed
•  A “new” approach and a break from the norm is required for in-depth assessments
•  Assembly knowledge is a MUST for reverse engineering
   –  Low-level assembly allows you to bypass many security protections, discover hidden gems and then some
•  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research
•  Disassemblers are your friends (IDA, Hopper, Jtool …)
•  Add the reverse engineering skillset to your arsenal!!!

Slide 114

References
•  Books:
   –  Mac OS X and iOS Internals: To the Apple’s Core (Jonathan Levin)
   –  The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al.)
   –  Hacking and Securing iOS Applications (Jonathan Zdziarski)
   –  iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel)
•  Blogs and Tools:
   –  processor_set_tasks() - http://newosxbook.com/articles/PST2.html
   –  procexp - http://newosxbook.com/tools/procexp.html
   –  iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html
   –  jtool - http://newosxbook.com/tools/jtool.html
   –  filemon - http://newosxbook.com/tools/filemon.html
   –  AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html
   –  Frida - http://www.frida.re/
   –  Cycript - http://www.cycript.org/
   –  iFunBox - http://www.i-funbox.com/
   –  SSL Kill Switch - https://github.com/iSECPartners/ios-ssl-kill-switch
   –  BurpSuite - https://portswigger.net/burp/
   –  IDA - https://www.hex-rays.com/products/ida/
   –  Hopper - https://www.hopperapp.com/
   –  Idb - http://www.idbtool.com/
   –  PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers
   –  ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html
   –  SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
   –  SQLite Deletion - http://www.zdziarski.com/blog/?p=6143
   –  lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL