Slide 1

Reverse Engineering iOS Apps with Swift
Conrad Kramer @conradev

Slide 2

Reverse Engineering
Figuring out how something works by examining the final product.

Slide 3

Operating the tools
Knowing what to look for

Slide 4

Frame the question
Why does this bug occur?
What component do they use in their UI?
What does the app's REST API look like?

Slide 5

Test Subject: Lyft
(Written entirely in Swift.)

Slide 6

Questions
What does Lyft's REST API look like?
How does Lyft's URL scheme work?

Slide 7

What is in the Lyft app?
• Metadata
• Assets
• Executable (Encrypted)
• Lots of frameworks (Encrypted)

Slide 8

What can we work with?
• When it is running
  • Network traffic
  • Injecting code
• When it isn't running
  • Inspecting the binaries

Slide 9

Inspect Network Traffic
using Charles
charlesproxy.com

Slide 10

HTTP(S) Proxy
Performs SSL man-in-the-middle
Pretty prints JSON, YAML, XML, Multipart, Form encoding, etc.

Slide 11

Inject Code
using cycript
(jailbreak required for third party apps)
cycript.org

Slide 12

Cycript
JavaScript/Objective-C hybrid
Interact with the app using the REPL, live:

var application = [UIApplication sharedApplication];
[application openURL:[NSURL URLWithString:@"https://google.com"]];

Slide 13

Decrypt The Executable
with dumpdecrypted
(jailbreak required)
bit.ly/dumpd

Slide 14

Analyze The Executable
using IDA Pro
bit.ly/idatrial

Slide 15

Swift vs. Objective-C
Swift assembly is more verbose
Swift class information is harder to extract

Slide 16

Looking at -application:openURL:
_TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FCSo5NSURLSb
Mangled symbol name

Slide 17

Looking at -application:openURL:
_TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FCSo5NSURLSb
• _T -> Swift symbol
• F -> Function
• 4Lyft -> Module name
• A lot more information (see Mike Ash's Friday Q&A)

Slide 18

Looking at -application:openURL:

var url = NSURL(string: "lyft://")
var manager : Lyft.DeepLinkManager = ...
manager.handleOpenURL(url)

Slide 19

Think like the developer

Slide 20

Looking at Lyft.DeepLinkManager
• DeepLinkRequest
• DeepLinkable
• DeepLinkToRide
• DeepLinkToHelp
• DeepLinkToSettings
• DeepLinkToDriveMode
• etc.

Slide 21

Looking at Lyft.DeepLinkManager
lyft://action?parameter=value

Slide 22

Looking at Lyft.DeepLinkToRide
lyft://ridetype
  ?id=lyft_line
  &pickup[latitude]=0
  &pickup[longitude]=0
  &destination[latitude]=0
  &destination[longitude]=0

Slide 23

Thanks!