iOS Runtime Hacking Crash Course Michael Gianarakis CrikeyCon 2015

iOS Runtime Hacking Crash Course

Michael Gianarakis CrikeyCon 2015

#whoami

@mgianarakis

Managing Consultant at SpiderLabs

Application Security

What Is This Presentation About?

• Quick and dirty intro to runtime hacking on iOS

• Help people get up to speed quickly

• Hopefully practical

• Focussed on third-party apps

What It’s Not

• No data security

• No transport security

• Not touching on remediation/protection

• For more comprehensive presentations on iOS pen testing or how to secure apps go to eightbit.io/presentations

Outline

• Objective-C Basics

• Setting Up The Environment

• Mapping Out the Application

• Dumping and Modifying Variables

• Manipulating Functions at Runtime

• Swift Considerations

Objective-C Basics

Objective-C

• Native iOS applications are written in Objective-C

• Objective-C is a superset of C

• Objective-C is basically C with Smalltalk-style messaging and object syntax

Syntax

// Sending the message "method::" (two arguments) to the object pointed to by obj

[obj method: argument1: argument2];

Important Takeaways

• Understand basic OO principles

• Rudimentary understanding of MVC

• Basic Objective-C

• How to call methods (embrace the square bracket!)

• How to read and write variables

Setting Up The Environment

Requirements

• Jailbroken device

• openssh (via Cydia)

• class-dump-z (http://code.google.com/p/networkpx/wiki/class_dump_z)

• cycript (http://www.cycript.org/debs/ or Cydia)

• gdb (via Cydia) or lldb debugserver (http://iphonedevwiki.net/index.php/Debugserver)

• CydiaSubstrate (via Cydia)

• Clutch (https://github.com/KJCracks/Clutch)

• For a slightly outdated guide on setting up the environment see eightbit.io/post/64319534191/how-to-set-up-an-ios-pen-testing-environment

Mapping Out The Application

Mapping Out The Application

• The most important part

• Objective-C apps store a bunch of useful runtime information in the executable

• This information provides great insight into how an application functions (and thus is useful for finding bugs)

Decrypting Binaries

• Apps downloaded from the App Store are protected with Apple’s FairPlay DRM

• Certain portions of the binary are encrypted

• Need to decrypt these portions before we can analyse the binary

Decrypting Binaries

• Can do it manually by extracting the encrypted portion after the loader decrypts it and then patching the decrypted portion into the binary

• Plenty of tools to automate this for you

• dumpdecrypted

• Clutch and Rasticrac

Decrypting Binaries

• Not going to demonstrate this as there are plenty of guides on the web and it’s not very interesting

• NOTE: Piracy is not cool

Obtaining a Class Dump

• Using the excellent class-dump-z tool you can extract all of the runtime information stored in the binary into what is essentially the equivalent of an Objective-C header file

• class-dump-z -aAkRzb [BINARY]

Example: Evernote

Other Options

• Disassemblers such as IDA or Hopper

• Great for lower level insight

• Swift binaries

• otool

• weak_class_dump.cy (https://github.com/limneos/weak_classdump)

Dumping and Modifying Variables

Retrieving Sensitive Information

• Very easy to retrieve sensitive information at runtime including:

• Credentials

• Encryption keys

• PII

• Sensitive business data

Quick and Dirty Approach

• Review the class dump (grep ftw)

• pin, password, passcode, pinlock, key, aes, account, credentials, creditCard, username, address, phone, session, token

• Hook into the running application with Cycript and retrieve the information

Cycript

• Ridiculous name (pronounced script)

• Even more ridiculous premise

• “programming language designed to blend the barrier between Objective-C and JavaScript”

• Really great tool for interrogating and manipulating the runtime of an app

Example: Retrieving A User’s PIN

Manipulating Functions at Runtime

Manipulating the Runtime

• Objective-C can observe and modify its own behaviour at runtime

• Can call methods directly, modify functions and even create your own classes and methods

• This has obvious security implications
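An added example, not from the slides and not the code of Cycript, class-dump-z or CydiaSubstrate: an Objective-C program using Apple's public objc/runtime.h API to show the mechanism those tools build on (listing a class's ivars and methods, reading an ivar directly, and replacing a method implementation). PinStore, its pin property and validatePin: are constructed stand-ins for a third-party app's class; it builds on macOS with clang -framework Foundation -fobjc-arc demo.m.

```objective-c
// Added example using the public Objective-C runtime API; PinStore is a
// constructed stand-in for a class found in a third-party app's class dump.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
@interface PinStore : NSObject
@property (nonatomic, copy) NSString *pin;   // backed by the ivar _pin
- (BOOL)validatePin:(NSString *)candidate;
@end
@implementation PinStore
- (BOOL)validatePin:(NSString *)candidate { return [candidate isEqualToString:self.pin]; }
@end

// Mapping out: list the ivars and methods the binary carries for a class,
// the same metadata class-dump-z turns into a header file.
static void dumpClass(Class cls) {
    unsigned int n = 0;
    Ivar *ivars = class_copyIvarList(cls, &n);
    for (unsigned int i = 0; i < n; i++)
        NSLog(@"ivar   %s %s", ivar_getTypeEncoding(ivars[i]), ivar_getName(ivars[i]));
    free(ivars);
    Method *methods = class_copyMethodList(cls, &n);
    for (unsigned int i = 0; i < n; i++)
        NSLog(@"method -[%s %s]", class_getName(cls), sel_getName(method_getName(methods[i])));
    free(methods);
}

// Manipulating functions: swap in a replacement IMP and keep the original,
// which is what a Substrate hook (MSHookMessageEx / Logos %orig) does.
static IMP originalValidate;
static BOOL hookedValidate(id self, SEL _cmd, NSString *candidate) {
    BOOL result = ((BOOL (*)(id, SEL, NSString *))originalValidate)(self, _cmd, candidate);
    NSLog(@"validatePin:%@ -> original returned %d", candidate, result);
    return result;   // the hook now owns the method's return value
}

int main(void) {
    @autoreleasepool {
        PinStore *store = [PinStore new];
        store.pin = @"1234";                       // constructed sample secret
        dumpClass([PinStore class]);
        // Dumping variables: read the private ivar directly, as Cycript's
        // store->_pin does, without calling any accessor.
        Ivar iv = class_getInstanceVariable([PinStore class], "_pin");
        NSLog(@"_pin = %@", object_getIvar(store, iv));
        Method m = class_getInstanceMethod([PinStore class], @selector(validatePin:));
        originalValidate = method_setImplementation(m, (IMP)hookedValidate);
        [store validatePin:@"0000"];               // now routed through the hook
    }
    return 0;
}
```

The same introspection calls let an app compare a method's current IMP against the address it was compiled with, which is how some anti-tamper checks notice a Substrate hook.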

What can you do?

• Break security checks

• Jailbreak checks

• Debug prevention

• Certificate validation

• Bypass authentication

• Subvert business logic

• Get the highest possible score in Flappy Bird

Quick and Dirty Approach

• Review the class dump

• Look for sensitive functions

• Identify simple logic

• Hook into the running application with Cycript and call or modify the functions

Example: Authentication Bypass

Example: Jailbreak Detection

Phonegap/Cordova

Persistence

• Using Cycript to modify the behaviour at runtime obviously will not persist when the application is terminated

• For a POC on say a pen-test or a bug report it’s usually not a problem

• However there may be instances where you want the modification to be persistent

Why persistence?

• Security checks hindering testing

• Jailbreak prevention

• Anti-debug protection

• Transport security controls (e.g. cert pinning)

• Development of tools

• For a jailbreak or actual malware

How?

• Inject a library into every new process via the DYLD_INSERT_LIBRARIES environment variable

# chmod +r /var/root/hook.dylib

# launchctl setenv DYLD_INSERT_LIBRARIES /var/root/hook.dylib

CydiaSubstrate + Theos

• CydiaSubstrate simplifies hooking with a global injected dylib

• Can just install from Cydia

• Theos is a port of the build tools to other platforms

• So you don’t have to be an Apple fanboy to build hooks

• Focus on the logic of the hook

• Also available on iOS

• http://iphonedevwiki.net/index.php/Theos/Setup

Example: Hooking

Swift Considerations

What is Swift?

• Compiled language created by Apple

• Released publicly in 2014 at WWDC

• Intended to replace Objective-C eventually

Characteristics

• Uses the same runtime

• Binary compatibility with Objective-C

• No message passing :(

Issues with Swift Apps

• Runtime manipulation limited for pure Swift apps (i.e. a Swift-only runtime)

• Harder to analyse

• No class dump

• Name mangling

Assessing Swift Apps

• Can still do some runtime manipulation with the Objective-C bridge enabled

• Realistically, until we get Swift-only frameworks, all apps will have this

• Can still do limited hooking with MobileSubstrate

• Disassemblers for analysing Swift binaries

• Hopper scripts to demangle Swift names (https://github.com/Januzellij/hopperscripts)

Questions?