Dark Side of iOS [SmartDevCon 2013]
DESCRIPTION
A workshop about the "dark side" of iOS, Objective-C and Xcode: a discussion of private API, why Apple doesn't want you to use it and how they enforce that. What information can you extract from a compiled binary? Let's take a look at the possibilities of reverse engineering, including demos and showcases.
TRANSCRIPT
Dark Side of iOS
Kuba Brecka, @kubabrecka
Play Ragtime, Czech Republic
www.kubabrecka.com
How important is it for a developer to know…
• OOP
• Functional programming
• Compiler theory, automata theory
• Algorithm complexity
• Databases
• Networking
• UI/UX
• Reverse engineering
But actually…
• …let’s take a look at how deep the rabbit hole goes
• I’ll try to answer some “forbidden” questions
○ private API
○ app validation, review
○ binary structure, app encryption
○ some security consequences
The goal
• To show…
○ what Apple can do with your application
○ what you (or others) can find out from the app binary
○ what you can do with a jailbroken device
○ where “cracked” apps come from
○ what a determined “black hat” can do
• Not: to break the law
• Disclaimer: for educational purposes only
• Disclaimer 2: I’m no security expert, I’m just some guy who likes digging into things
Sandbox
• Every application has its own sandbox
○ it can see its own directory plus a few system directories
○ for writing, it has only a few specific directories
• There is no point in creating a file manager
• App-to-app file transfers are ad-hoc
Jailbreak
• No signature verification
• Disabled sandbox
○ read and write anywhere in the filesystem (!)
• Turns off ASLR
• Re-allows blocked syscalls
○ fork, exec, …
• Debugging, attaching to a process
• Cydia
• tethered (easy), untethered (very hard)
○ jailbreakers are saving exploits for later
iOS 6.1 jailbreak – evasi0n
• http://theiphonewiki.com/wiki/Evasi0n
Private API
• Header files in Xcode are “stripped”
○ plenty of hidden classes and methods
○ the reason?
○ published APIs must be supported by Apple for a long time
○ Apple wants to be able to change the internals
• Class-dump
○ http://stevenygard.com/projects/class-dump/
○ https://github.com/nst/iOS-Runtime-Headers
○ dumps all classes and methods from a binary
Method swizzling
• All selectors are called using dynamic dispatch
○ a method can be replaced by changing a record in the method lookup tables
○ http://darkdust.net/writings/objective-c/method-swizzling

    #import <objc/runtime.h>

    // The slide does not name the class; NSUserDefaults (whose -synchronize returns BOOL) is assumed here.
    @implementation NSUserDefaults (Swizzling)

    - (BOOL)swizzled_synchronize {
        // ... code that runs before the original method ...
        // after the exchange below, this selector maps to the original implementation
        BOOL result = [self swizzled_synchronize];
        // ... code that runs after the original method ...
        return result;
    }

    + (void)load {
        Method original = class_getInstanceMethod(self, @selector(synchronize));
        Method swizzled = class_getInstanceMethod(self, @selector(swizzled_synchronize));
        method_exchangeImplementations(original, swizzled);
    }

    @end
App validation
• What exactly is sent over to Apple?
○ compiled binary for ARMv6 (?), ARMv7, ARMv7s
○ not: source code, binary for the simulator
• What happens to the app during validation?
○ checks of some “boring stuff”: icon, profile, plist, …
○ checks for private API usage
App review
• What happens to the app during review?
• Officially: only the App Store Review Guidelines
• <my guess>
○ much less testing than you would think
○ they don’t have the source code
○ validation + automated tests (CPU load, battery consumption)
○ manual tests: can the app be run? does it do something?
○ no extensive testing of all app features
○ individual teams have different results
○ hard-to-detect violations of the rules are dealt with later, when the app is popular enough that someone cares
• </my guess>
FairPlay and app encryption
• App Store apps are encrypted
○ just the binary, and only individual sections

    # otool -arch all -Vl ...
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 4096
    cryptsize 724992
      cryptid 1

• Imports are intact
• The iOS kernel validates the signature and deciphers the binary in memory
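As an added example (not from the talk, and not the speaker's code): a small Python script that reads the same LC_ENCRYPTION_INFO fields that otool prints above, so a developer can tell whether a binary they have been handed is still FairPlay-encrypted (cryptid 1) or is a decrypted memory dump (cryptid 0). It handles both thin Mach-O images and universal ("fat") files such as an ARMv7 + ARMv7s build. The Mach-O magics, load-command ids and CPU constants are real; the sample fat binary is constructed inline for the demonstration, and the armv7/armv7s subtype names come from a lookup table of my own.

```python
"""Check whether an iOS Mach-O binary still carries FairPlay encryption by
reading its LC_ENCRYPTION_INFO load command (the fields `otool -l` prints).

Added example; the sample binaries at the bottom are constructed in-line.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O magics (little-endian on ARM)
FAT_MAGIC = 0xCAFEBABE                            # universal ("fat") header, big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM = 12
CPU_SUBTYPE_NAMES = {9: "armv7", 11: "armv7s"}   # own lookup table, just the slices named on the slides


def encryption_info(blob):
    """Return one (arch, cryptoff, cryptsize, cryptid) tuple per slice.
    cryptid == 1: __TEXT is still encrypted; 0: plaintext (e.g. a memory dump)."""
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", blob[4:8])[0]
        results = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _, _, off, size, _ = struct.unpack(">IIIII", blob[8 + 20 * i: 28 + 20 * i])
            results.extend(encryption_info(blob[off:off + size]))
        return results
    return [_thin_encryption_info(blob)]


def _thin_encryption_info(blob):
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MH_MAGIC:
        hdr_size, fields = 28, struct.unpack("<7I", blob[:28])
    elif magic == MH_MAGIC_64:
        hdr_size, fields = 32, struct.unpack("<8I", blob[:32])   # 64-bit header has a trailing reserved word
    else:
        raise ValueError("not a Mach-O image: magic 0x%08x" % magic)
    cputype, cpusubtype, ncmds = fields[1], fields[2], fields[4]
    arch = CPU_SUBTYPE_NAMES.get(cpusubtype & 0xFFFFFF, "cpu%d/%d" % (cputype, cpusubtype))
    pos = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", blob[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", blob[pos + 8:pos + 20])
            return (arch, cryptoff, cryptsize, cryptid)
        pos += cmdsize
    return (arch, None, None, None)   # no LC_ENCRYPTION_INFO at all: not an App Store build


def is_still_encrypted(blob):
    """True if any slice is still protected by FairPlay."""
    return any(r[3] == 1 for r in encryption_info(blob))


# --- constructed sample input (not a real app binary) ----------------------
def _thin_slice(cpusubtype, cryptid):
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 4096, 724992, cryptid)
    hdr = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, 2, 1, len(lc), 0)  # filetype 2 = MH_EXECUTE
    return hdr + lc


def sample_fat_binary():
    """armv7 slice still encrypted, armv7s slice already decrypted."""
    slices = [_thin_slice(9, 1), _thin_slice(11, 0)]
    offset = 8 + 20 * len(slices)
    fat = struct.pack(">II", FAT_MAGIC, len(slices))
    for s in slices:
        fat += struct.pack(">IIIII", CPU_TYPE_ARM, 0, offset, len(s), 0)
        offset += len(s)
    return fat + b"".join(slices)


if __name__ == "__main__":
    for arch, off, size, cid in encryption_info(sample_fat_binary()):
        print("%-7s cryptoff %d cryptsize %d cryptid %d" % (arch, off, size, cid))
```

To run it against a real binary, read the file into `blob` (the executable inside Payload/<App>.app, not the .ipa zip itself) and call `encryption_info(blob)`; a store-distributed app reports cryptid 1, while a cryptid of 0 with LC_ENCRYPTION_INFO still present is the signature of a dumped-and-rewritten image.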
Encrypted binary
How to obtain a decrypted binary?
• .ipa files floating around the Internet
○ AppTrackr, apps.su, apps-ipa.com etc.
○ iReSign
• How to create it?
○ basically the only way is to extract the deciphered memory image from a jailbroken device
○ using gdb: pause the process, dump memory
A quick comparison – Android
• Java, Dalvik, Dalvik VM, .apk files
○ bytecode (.dex)
○ the dex2jar tool will convert it into common .class files
○ then use your favorite Java decompiler (there are lots of them)
• Where to get an .apk?
○ google for “<appname> apk”
○ directly from a device: usually pretty straightforward, sometimes you need to root the device first
• Protection: obfuscation
○ but the effect of it is questionable at best
The reality
• Obtaining an .ipa or .apk is easy
• Getting information out of a binary
○ Android: it’s Java, decompilation is a no-brainer
○ iOS: it’s ARM assembly, but you get plenty of metainformation for free, e.g. class names and method names
• Modifying an app is a completely different story
○ definitely doable with ordinary developer access
Hacker’s toolbox
• IDA 6.4
○ great Obj-C support
○ trial version for Mac OS, analyzes x86 + ARM
• iFunBox
○ free
○ uses iTunes internal libraries
• Charles – Web Debugging Proxy Application
○ http://www.charlesproxy.com/, $50
○ Settings – Wi-Fi – (network) – HTTP Proxy – Manual
○ SSL (!)
What can you do about it?
• Short answer: nothing
• Long answer:
○ you can invent plenty of “security by obscurity” mechanisms, but these are always breakable; it’s just a matter of the attacker’s determination
○ get a realistic point of view instead of a paranoid one
○ okay: what’s the worst thing that can happen?
○ better: risk assessment
My message
• You want to know how something is done? Just take a look!
○ /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator6.1.sdk/System/Library/Frameworks/
○ UIKit, QuartzCore, Foundation, CoreGraphics, CoreFoundation, …
• Be reasonable about security and question the implementation
○ e.g. iFunBox
Questions?
Thank you.
Kuba Brecka
@kubabrecka www.kubabrecka.com