Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pim Stolk - Jailbreak & Crypto and why you should care.

Swift Usergroup Netherlands
November 28, 2017
Programming
1
54

Pim Stolk - Jailbreak & Crypto and why you should care.

This was presented at the Swift Usergroup Netherlands. Would you like to speak/present? Visit https://swift.amsterdam for more information.

A quick deepdive into iOS jailbraking and crypto. Pim will guide us through the simple steps of jailbreaking a device and shows us why you should care as a developer, where are all your secrets located and how you should protect them. Also if time permits he will perform a live demo of jailbreaking an device.
Pim Stolk (https://twitter.com/stolkcc) mobile enthusiast since forever. He works at ING on mobile innovations and is shaping the future of payments.

Swift Usergroup Netherlands

November 28, 2017
Tweet

More Decks by Swift Usergroup Netherlands

See All by Swift Usergroup Netherlands
Joannis Orleandos - Vapor 3
swiftugnl
0
69
Alex Tan Qui - Blockchains & serverside Swift
swiftugnl
0
33
Jeroen Willemsen - To pin or not to pin
swiftugnl
1
91
Oleksii Dykan - Secure Coding guidlines
swiftugnl
1
180
Joannis Orlandos - Asynchronous programming in Swift
swiftugnl
0
68
Samuel Goodwin - Core Data Performance
swiftugnl
0
28
Donny Wals - JSON and Swift, Still A Better Love Story Than Twilight
swiftugnl
0
28
Erwin Zwart - Writing future proof Swift
swiftugnl
0
25
Sidney de Koning - Swift 4 Strings
swiftugnl
0
29

Other Decks in Programming

See All in Programming
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
250
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
230
CQRS/ES avec Symfony, c’est (trop) bien !
jeremyfreeagent
1
630
Build with AI 2024 Seoul - 제로부터 시작하는 Flutter with Gemini 생활 - 박제창
itsmedreamwalker
0
200
チーム力を高めるスクラム実践法:カンバン公開と課題攻略について - ニフティのスクラムトーク Vol. 2 - NIFTY Tech Talk #18
niftycorp
PRO
1
110
Git Rebase
bkuhlmann
11
1.6k
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
500
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
入門 AWS Amplify Gen2 / Introduction to AWS Amplify Gen2
genkiogasawara
1
320
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
22
15k
Ruby Pattern Matching
bkuhlmann
0
920
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
39
18k

Featured

See All Featured
KATA
mclloyd
14
12k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
GraphQLとの向き合い方2022年版
quramy
31
12k
The Pragmatic Product Professional
lauravandoore
24
5.8k
Building Flexible Design Systems
yeseniaperezcruz
318
37k
Scaling GitHub
holman
457
140k
We Have a Design System, Now What?
morganepeng
42
6.7k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Adopting Sorbet at Scale
ufuk
67
8.6k
Fireside Chat
paigeccino
20
2.6k

Transcript

  1. Jailbreak and why should youcare Pim Stolk @stolkcc

  2. “I feel like jailbreak's basically dead at this point” Comex

  3. Jailbreak and why should still you care

  4. None
  5. None
  6. None

  7. “It’s much easier to build something with security in mind

    from the start than to build something and then try to tack some security onto it.”
  8. None

  9. 192.168.25.200 f0:99:bf:6e:a1:72 Apple, Inc. 192.168.25.211 04:4b:ed:13:2c:b3 Apple, Inc. 192.168.25.253 2c:33:61:2a:f7:1f

    Apple, Inc. 192.168.25.255 00:cd:fe:e7:23:d8 Apple, Inc. 192.168.26.32 48:43:7c:34:46:ae Apple, Inc. 192.168.26.57 b8:44:d9:c5:4c:11 Apple, Inc. 192.168.26.62 70:70:0d:ef:0a:83 Apple, Inc. 192.168.26.70 ac:29:3a:09:ce:2b Apple, Inc. 192.168.26.80 d0:c5:f3:47:bd:43 Apple, Inc. 192.168.26.87 54:72:4f:76:31:81 Apple, Inc. 192.168.26.88 60:f4:45:0c:66:b4 Apple, Inc. 192.168.26.103 f0:99:bf:38:c7:67 Apple, Inc. 192.168.26.126 68:fb:7e:8b:bc:6d Apple, Inc. 192.168.26.128 cc:29:f5:1b:e5:7f Apple, Inc. 192.168.26.129 78:31:c1:b8:63:b6 Apple, Inc. 192.168.26.147 a8:66:7f:3b:15:d7 Apple, Inc. 192.168.26.159 28:a0:2b:d7:16:a5 Apple, Inc. 192.168.26.165 40:4d:7f:9c:43:ac Apple, Inc. 192.168.26.194 e0:c7:67:74:6d:f9 Apple, Inc. 192.168.26.197 70:ec:e4:ca:a9:32 Apple, Inc. 192.168.26.203 a4:31:35:eb:32:5c Apple, Inc. 192.168.26.207 d4:f4:6f:b1:38:86 Apple, Inc. 192.168.26.213 c8:e0:eb:c1:73:1b Apple, Inc. 192.168.26.215 54:4e:90:ac:c8:00 Apple, Inc. 192.168.26.226 70:14:a6:28:45:ea Apple, Inc. 192.168.26.243 74:1b:b2:60:a6:36 Apple, Inc. 192.168.27.10 64:9a:be:d6:88:d4 Apple, Inc.

  10. Apple Samsung Sony Intel HUAWEI Others

  11. Apple Samsung Sony Intel HUAWEI Others

  12. None
  13. None

  14. Jailed Jailbroken

  15. None
  16. None
  17. None

  18. The basics • How to Jailbreak • SSH into a

    device • Bigboss tools • Data in sqlfiles / NSUserDefaults / PLists

  19. The basics • How to Jailbreak
 Yalu, Saïgon • SSH

    into a device
 Install SSH Daemon trough Cydia • Bigboss tools
 All the cool unix tools apple “forgot” • Data in sqlfiles / NSUserDefaults / PLists
  20. None
  21. None
  22. None

  23. Keychain dumper Even though keychain is one of the most

    secure places to store information, consider adding an extra layer of encryption before saving data in the application to make the job for the attacker more difficult. See the Siri implementation for more details.

  24. Generic Password ---------------- Service: Account: com.fb.nl.sav.padding Entitlement Group: ED83ZJR6DX.nl.ing.keychain.whatsapp Label:

    Generic Field: com.fb.nl.sav.padding Keychain Data: (null) Generic Password ---------------- Service: Account: com.fb.nl.sav.profileid Entitlement Group: ED83ZJR6DX.nl.ing.keychain.whatsapp Label: Generic Field: com.fb.nl.sav.profileid Keychain Data: 5E9AECAE-CF45-4159-8626-26936691B94F Generic Password ---------------- Service: Account: B1287934-2DC0-4D71-8416-3F741BB8CB18 Entitlement Group: ED83ZJR6DX.nl.fb.keychain.whatsapp Label: Generic Field: com.teams.mmf.uuid.unencryptediPhone7,2 Keychain Data:

  25. Clutch Used to decrypt iOS applications . https://github.com/KJCracks/ Clutch/releases

  26. SSL Kill Switch 2 Certificate pinning can be bypassed by

    hooking into some low level methods during runtime. https://github.com/nabla-c0d3/ssl-kill-switch2
  27. None
  28. None

  29. "No source code?"

  30. "No source code? No problem"

  31. None
  32. None
  33. None

  34. Hopper / IDA Pro Disassembler, the reverse engineering tool that

    lets you disassemble, decompile and debug your applications.
  35. None
  36. None
  37. None
  38. None
  39. None

  40. Cycript Allows developers to explore and modify running applications

  41. • Runs on the device • Connects to PID or

    App name • Understand Javascript and OBJC • Also works on Swift but its difficult

  42. iPhone:/ root# /private/var/root/cycript -p 1660 cy# UIApp #"<UIApplication: 0x1446112d0>"

  43. cy# UIApp.delegate #"<AppDelegate: 0x14461d680>" cy# AppDelegate.messages cy# UIApp.keyWindow.rootViewController.topViewController #"<GroupAccountsViewController: 0x1446dc530>"

  44. cy# LocalProtectedStorage.prototype.isRegistered = function() { return true;} cy#

  45. So?

  46. You still need access to a device?

  47. while true do PIDS=$(ps aux | awk '/Whatsapp.app/ { print

    $2}' | wc -w) if [ "$PIDS" != "1" ]; then PID=$(ps aux | awk '/Whatsapp.app/ { print $2}' | awk '{print $1; exit}') echo 'Found' /usr/bin/test/cycript -p Whatsapp /usr/bin/test/inject break fi done test.sh

  48. while true do PIDS=$(ps aux | awk '/Whatsapp.app/ { print

    $2}' | wc -w) if [ "$PIDS" != "1" ]; then PID=$(ps aux | awk '/Whatsapp.app/ { print $2}' | awk '{print $1; exit}') echo 'Found' /usr/bin/test/cycript -p Whatsapp /usr/bin/test/inject break fi done test.sh

  49. [[[[UIAlertView alloc] initWithTitle:@“Credit Card Number" message:@“Please enter your credit card

    number:” delegate:nil cancelButtonTitle:@"Ok" otherButtonTitles:nil] autorelease] show] Inject

  50. Test.tar.gz ├── System │ └── Library │ └── LaunchDaemons │

    └── com.myApp.test.plist └── usr └── bin ├── test │ ├── Cycript.ios │ │ └── Cycript.framework │ │ ├── Cycript │ ├── cycript │ └── inject └── test.sh

  51. Free WIFI

  52. Prevent?

  53. func isJailbroken() -> Bool { if let urlScheme = NSURL(string:

    "cydia://home"), UIApplication.sharedApplication().canOpenURL(urlScheme) { return true } return false }
  54. None

  55. • It is better to rename the method to something

    that doesn’t look important. • Something like +(BOOL)isDefaultColour • Yeah i know, we do ignore the coding guidelines, but in this case, the guidelines are something that gives everything away. • After analyzing the class-dump output of the application, the hacker is most likely to ignore this method. • He can always reverse engineer this method to see what’s going on inside, so this method is also not foolproof. 


  56. Jailbreak detection • /Library/MobileSubstrate/MobileSubstrate.dylib • /bin/bash • Write to: "/private/jailbreak.txt"

  57. inline void preventDebugger () __attribute__((always_inline)); void preventDebugger() { ptrace_ptr_t ptrace_ptr

    = dlsym(RTLD_SELF, "ptrace"); ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0); }” Jailbreak detection

  58. But its okay….

  59. Think about your data

  60. 
 Encrypt your data…

  61. None

  62. Thank you…