Dark Side of iOS [SmartDevCon 2013]


Upload: kuba-brecka

Post on 23-Jun-2015


DESCRIPTION

A workshop about the "dark side" of iOS, Objective-C and Xcode. Discussion about private API, why Apple doesn't want you to use it and how they enforce that. What information can you extract from a compiled binary? Let's take a look at the possibilities of reverse engineering including demos and showcases.

TRANSCRIPT

Page 1: Dark Side of iOS [SmartDevCon 2013]

Dark Side of iOS. Kuba Brecka (@kubabrecka), Play Ragtime, Czech Republic

Page 2: Dark Side of iOS [SmartDevCon 2013]

@kubabrecka www.kubabrecka.com

Page 3: Dark Side of iOS [SmartDevCon 2013]

How important is it for a developer to know…
• OOP
• Functional programming
• Compiler theory, automata theory
• Algorithm complexity
• Databases
• Networking
• UI/UX
• Reverse engineering

Page 4: Dark Side of iOS [SmartDevCon 2013]

But actually…

• …let’s take a look at how deep the rabbit hole goes
• I’ll try to answer some “forbidden” questions
  ○ private API
  ○ app validation, review
  ○ binary structure, app encryption
  ○ some security consequences

Page 5: Dark Side of iOS [SmartDevCon 2013]

The goal
• To show…
  ○ what Apple can do with your application
  ○ what you (or others) can find out from the app binary
  ○ what you can do with a jailbroken device
  ○ where “cracked” apps come from
  ○ what a determined “black hat” can do
• Not: to break the law
• Disclaimer: for educational purposes only
• Disclaimer 2: I’m no security expert, I’m just some guy who likes digging into things

Page 6: Dark Side of iOS [SmartDevCon 2013]

Sandbox

• Every application has its own sandbox
  ○ it can see its own directory + a few system directories
  ○ for writing, it has only a few specific directories
• There is no point in creating a file manager
• App-to-app file transfers are ad hoc

Page 7: Dark Side of iOS [SmartDevCon 2013]

Jailbreak
• No signature verification
• Disabled sandbox
  ○ read and write anywhere in the filesystem (!)
• Turns off ASLR
• Re-allows blocked syscalls
  ○ fork, exec, …
• Debugging, attaching to a process
• Cydia
• tethered (easy), untethered (very hard)
  ○ jailbreakers are saving exploits for later

Page 8: Dark Side of iOS [SmartDevCon 2013]

iOS 6.1 jailbreak – evasi0n

• http://theiphonewiki.com/wiki/Evasi0n

Page 9: Dark Side of iOS [SmartDevCon 2013]

Private API
• Header files in Xcode are “stripped”
  ○ plenty of hidden classes and methods
  ○ the reason?
    ▪ published APIs must be supported by Apple for a long time
    ▪ Apple wants to be able to change the internals
• Class-dump
  ○ http://stevenygard.com/projects/class-dump/
  ○ https://github.com/nst/iOS-Runtime-Headers
  ○ dumps all classes and methods from a binary

Page 10: Dark Side of iOS [SmartDevCon 2013]

Method swizzling
• All selectors are called using dynamic dispatch
  ○ a method can be replaced by changing a record in the method lookup tables
  ○ http://darkdust.net/writings/objective-c/method-swizzling

    // The slide does not name the class; NSUserDefaults (which has -synchronize) is assumed here.
    #import <objc/runtime.h>

    @implementation NSUserDefaults (Swizzling)

    - (BOOL)swizzled_synchronize {
        // ... code to run before the original ...
        // After the exchange in +load this selector resolves to the original -synchronize,
        // so the call below is not recursion.
        BOOL result = [self swizzled_synchronize];
        // ... code to run after the original ...
        return result;
    }

    + (void)load {
        // Look up both records in the class's method table and swap their implementations.
        Method original = class_getInstanceMethod(self, @selector(synchronize));
        Method swizzled = class_getInstanceMethod(self, @selector(swizzled_synchronize));
        method_exchangeImplementations(original, swizzled);
    }

    @end

Page 11: Dark Side of iOS [SmartDevCon 2013]

App validation

• What exactly is sent over to Apple?
  ○ Compiled binary for ARMv6 (?), ARMv7, ARMv7s
  ○ Not: source code, binary for the simulator
• What happens to the app during validation?
  ○ checks of some “boring stuff”
    ▪ icon, profile, plist, …
  ○ checks for private API usage

Page 12: Dark Side of iOS [SmartDevCon 2013]

App review
• What happens to the app during review?
  ○ Officially: only the App Store Review Guidelines
  ○ <my guess>
    ▪ much less testing than you would think
    ▪ they don’t have the source code
    ▪ validation + automated tests
      · CPU load, battery consumption
    ▪ manual tests
      · can the app be run? does it do something?
      · no extensive testing of all app features
    ▪ individual teams have different results
    ▪ hard-to-detect violations of the rules are dealt with later
      · when the app is popular enough that someone cares
  ○ </my guess>

Page 13: Dark Side of iOS [SmartDevCon 2013]

FairPlay and app encryption
• App Store apps are encrypted
  ○ just the binary, and only individual sections

    # otool -arch all -Vl ...
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 4096
    cryptsize 724992
      cryptid 1

• Imports are intact
• iOS kernel validates the signature and deciphers the binary in memory
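As an added example (not code from the talk), a small Python reader for the LC_ENCRYPTION_INFO command shown above: it walks the load commands of a thin or fat (ARMv7 + ARMv7s) Mach-O file the way otool -l does and reports cryptid per slice, so a release pipeline can check that a build is still FairPlay-protected (cryptid 1) or that a binary obtained elsewhere has been decrypted (cryptid 0). The build_slice and build_fat helpers only construct minimal sample headers for the demo; they are not real apps.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE  # <mach-o/loader.h>, <mach-o/fat.h>
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64, CPU_TYPE_ARM = 0x21, 0x2C, 12

def _slice_encryption(blob, base):
    """(cputype, cryptoff, cryptsize, cryptid) of the thin slice at `base`, or None if absent."""
    magic = struct.unpack_from("<I", blob, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no Mach-O header at offset %d" % base)
    cputype, ncmds = struct.unpack_from("<i", blob, base + 4)[0], struct.unpack_from("<I", blob, base + 16)[0]
    off = base + (28 if magic == MH_MAGIC else 32)        # sizeof(mach_header) / sizeof(mach_header_64)
    for _ in range(ncmds):                                 # walk the load commands, like otool -l
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8:                                    # malformed command: refuse to loop forever
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return (cputype,) + struct.unpack_from("<III", blob, off + 8)   # cryptoff, cryptsize, cryptid
        off += cmdsize
    return None

def encryption_info(blob):
    """Encryption records of every slice; a fat (universal) header is big-endian."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        bases = [struct.unpack_from(">I", blob, 16 + 20 * i)[0] for i in range(nfat)]  # fat_arch.offset
    else:
        bases = [0]
    return [r for r in (_slice_encryption(blob, b) for b in bases) if r is not None]

def is_fairplay_encrypted(blob):
    """True only if every slice carries an encryption command with cryptid != 0."""
    infos = encryption_info(blob)
    return bool(infos) and all(info[3] != 0 for info in infos)

# Constructed sample input (not a real app): a header with the one load command from the slide.
def build_slice(cryptid, magic=MH_MAGIC):
    if magic == MH_MAGIC_64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 4096, 724992, cryptid, 0)
        return struct.pack("<IiiIIIII", magic, CPU_TYPE_ARM, 0, 2, 1, len(cmd), 0, 0) + cmd
    cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 4096, 724992, cryptid)
    return struct.pack("<IiiIIII", magic, CPU_TYPE_ARM, 0, 2, 1, len(cmd), 0) + cmd   # filetype 2 = MH_EXECUTE

def build_fat(slices):
    hdr, body, start = struct.pack(">II", FAT_MAGIC, len(slices)), b"", 8 + 20 * len(slices)
    for s in slices:                                       # fat_arch: cputype, cpusubtype, offset, size, align
        hdr += struct.pack(">iiIII", CPU_TYPE_ARM, 0, start + len(body), len(s), 0)
        body += s
    return hdr + body
```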

Page 14: Dark Side of iOS [SmartDevCon 2013]

Encrypted binary

Page 15: Dark Side of iOS [SmartDevCon 2013]

How to obtain a decrypted binary?
• .ipa files floating around the Internet
  ○ AppTrackr, apps.su, apps-ipa.com etc.
  ○ iReSign
• How to create it?
  ○ Basically the only way is to extract the deciphered memory image from a jailbroken device
    ▪ using gdb, pause the process, dump memory

Page 16: Dark Side of iOS [SmartDevCon 2013]

A quick comparison – Android
• Java, Dalvik, Dalvik VM, .apk files
  ○ bytecode (.dex)
  ○ the dex2jar tool will convert it into common .class files
  ○ then use your favorite Java decompiler (there’s lots of them)
• Where to get an .apk?
  ○ google for “<appname> apk”
  ○ directly from a device
    ▪ usually pretty straightforward, sometimes you need to root the device first
• Protection: obfuscation
  ○ but the effect of it is questionable at best

Page 17: Dark Side of iOS [SmartDevCon 2013]

The reality
• Obtaining an .ipa or .apk is easy
• Getting information out of a binary
  ○ Android
    ▪ it’s Java, decompilation is a no-brainer
  ○ iOS
    ▪ it’s ARM assembly
    ▪ but you get plenty of metainformation for free, e.g. class names and method names
• Modifying an app is a completely different story
  ○ definitely doable with ordinary developer access

Page 18: Dark Side of iOS [SmartDevCon 2013]

Hacker’s toolbox
• IDA 6.4
  ○ Great Obj-C support
  ○ Trial version for Mac OS
    ▪ analyzes x86 + ARM
• iFunBox
  ○ Free
  ○ uses iTunes internal libraries
• Charles – Web Debugging Proxy Application
  ○ http://www.charlesproxy.com/, $50
  ○ Settings – Wi-Fi – (network) – HTTP Proxy – Manual
  ○ SSL (!)

Page 19: Dark Side of iOS [SmartDevCon 2013]

Page 20: Dark Side of iOS [SmartDevCon 2013]

What can you do about it?

• Short answer: nothing
• Long answer:
  ○ you can invent plenty of “security by obscurity” mechanisms, but these are always breakable; it’s just a matter of the attacker’s determination
  ○ get a realistic point of view instead of a paranoid one
    ▪ okay: what’s the worst thing that can happen?
    ▪ better: risk assessment

Page 21: Dark Side of iOS [SmartDevCon 2013]

My message
• You want to know how something is done?
  ○ Just take a look!
  ○ /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator6.1.sdk/System/Library/Frameworks/
    ▪ UIKit, QuartzCore, Foundation, CoreGraphics, CoreFoundation, …
• Be reasonable about security and question the implementation
  ○ e.g. iFunBox

Page 22: Dark Side of iOS [SmartDevCon 2013]

Questions?

Thank you. Kuba Brecka

@kubabrecka www.kubabrecka.com
