Dynamic analysis of iOS apps w/o Jailbreak · 2018-04-23 · Transcript
Dynamic analysis of iOS apps w/o Jailbreak
Egor Saltykov, Web & Mobile pentester, Digital Security
© 2002—2017, Digital Security
whoami
• Digital Security
• Web & mobile pentester
• BugBounty

Digital Security Research
• Apple / Safari XSS (CVE-2017-7038)
• Cure53 / DOMPurify Safari XSS
Agenda
• Types of application analysis
• Superuser privileges on mobile
• Graybox pentest
• Jailbreak free iOS app analysis
App analysis
App analysis
• A huge number of mobile devices
• More private information inside
• Proprietary mobile OS; unclear how it works internally
App analysis: Static vs. Dynamic
App analysis: static vs. dynamic

Criterion                 Static analysis             Dynamic analysis
Code vs. data             Problem                     No problem
Code coverage             Large (but not complete)    One path per run
Information about values  None                        All
Self-modifying code       Problem                     No problem
Runtime vulns             No                          Yes
Unused code               Analyzed                    Not analyzed
Autoscan                  Yes                         No
Programming language      Not all                     Any
but
Dynamic analysis ❤ root/jb
Dynamic analysis ❤ root
• Android: one-click root
• Available for each version
• Some vendors ship built-in root (e.g. old Meizu, Xiaomi)
Dynamic analysis ❤ jb
• iOS: hard to jailbreak
• Gets harder with each system update
• Tools frequently need rewriting for each new iOS version
Root/JB for Pentest
Root for Pentest
• Too many devices
• Too many iOS versions
• Hard to keep jailbroken devices on current versions
<any>box

                 White box        Gray box                          Black box
Input point      yes              yes                               yes
Output point     yes              yes                               yes
Source code      full source      our lib or snippet injected       no source disclosure
Customer developer
• Injects our lines of code (GitHub: /bang590/JSPatch)
• Injects our library
• Builds a special test version (SSL-pinning-free version)
How to start dynamic analysis of an iOS app w/o Jailbreak?
Preparations
• Xcode
• iOS Developer account (paid is better)
• Non-jailbroken iOS device
• Decrypted .ipa
• Framework for injection
Step: 0
How to change an iOS binary w/o Jailbreak and start researching it?
• Download the .ipa file from the device/store
• Decrypt and extract data from the .ipa
• Change/inject code into the binary
• Repack the .ipa
• Re-sign the binary
• Upload to the device
• ???
• Magic
Download .ipa file from store/device
• From the iTunes Store: just download it
• From iFunBox (even TestFlight builds; iOS ≤ 8.3)
• Downgrade .ipa files via iTunes through request forgery
• Online (risky, untrusted source): ipastore.me
Step: 1
Download an old version of the .ipa file
• Run any MITM proxy tool (Charles/Burp/any other)
• Run iTunes and download the app
• Intercept the request and change the version value in the XML body of the request
• Enjoy the old version
Useful links: Malware wellbeing on iOS; Lifehacker video manual
Step: 1.3
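The downgrade above is done by hand in Charles/Burp: the version identifier in the XML plist body that iTunes sends when it buys/downloads the app is edited before it reaches Apple. As an added example (not from the slides or any tool they name), the same edit as a mitmproxy addon. Two things are assumptions, because the deck does not show the XML: that the request path ends in /buyProduct and that the key holding the version identifier is appExtVrsId (the name reported in public downgrade guides); confirm both against the request you actually capture. build_sample_request() is a constructed body, not a real capture.

```python
import plistlib

# Assumptions (the deck does not show the XML): the field carrying the version
# identifier is commonly reported as appExtVrsId, and the download request path
# ends in /buyProduct. Confirm both against the captured request.
VERSION_KEY = "appExtVrsId"
BUY_PATH_SUFFIX = "/buyProduct"


def rewrite_version(body: bytes, version_id: str, key: str = VERSION_KEY) -> bytes:
    """Return body with plist key set to version_id; untouched if not a plist or key is absent."""
    try:
        data = plistlib.loads(body)
    except Exception:  # not a plist (binary, HTML, empty): pass through unchanged
        return body
    if not isinstance(data, dict) or key not in data:
        return body
    data[key] = version_id
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def read_version(body: bytes, key: str = VERSION_KEY):
    """Version identifier stored in a plist body (None if missing)."""
    return plistlib.loads(body).get(key)


class ItunesDowngrade:
    """mitmproxy addon: run with `mitmdump -s this_file.py`; iTunes must trust the proxy CA."""

    def __init__(self, version_id: str):
        self.version_id = version_id
        self.hits = 0

    def request(self, flow):  # mitmproxy calls this hook for every client request
        if not flow.request.path.endswith(BUY_PATH_SUFFIX):
            return
        new_body = rewrite_version(flow.request.content, self.version_id)
        if new_body != flow.request.content:
            flow.request.content = new_body  # mitmproxy updates Content-Length itself
            self.hits += 1


# Target external version id: take it from an older capture or the app's version history.
addons = [ItunesDowngrade("REPLACE_WITH_OLD_VERSION_ID")]


def build_sample_request() -> bytes:
    """Constructed plist resembling a buyProduct body (values made up); not a real capture."""
    return plistlib.dumps(
        {"appExtVrsId": "826000000", "salableAdamId": "123456789", "price": "0"},
        fmt=plistlib.FMT_XML,
    )
```

Bodies that are not a plist, or plists without the key, are passed through unchanged, so the addon cannot corrupt unrelated iTunes traffic on the same host.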
Extract decrypted data from .ipa
• From a jailbroken device: GitHub: /stefanesser/dumpdecrypted, GitHub: /KJCracks/Clutch, GitHub: /easonoutlook/Rasticrac
• From iphonecake.com
• From 4pda.ru
Step: 2-3
Inject or modify code and repack .ipa
• GitHub: /jamie72/IPAPatch (Reveal / Cycript)
• GitHub: /vtky/resign (any framework / Frida)
Step: 4
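Both patchers on this slide work the same way underneath: they add an LC_LOAD_DYLIB load command to the app's main Mach-O so that dyld loads the injected framework (for example FridaGadget.dylib) at launch. The Python below is an added example, not code from IPAPatch, resign or the slides: it reads the LC_ENCRYPTION_INFO cryptid (the reason Step 2-3 insists on a decrypted binary) and then appends the load command into the zero padding after the existing commands, the same trick insert_dylib and optool rely on. build_sample_image() is a constructed minimal image for demonstration, not a real app; a real binary has to be thinned to one arm64 slice with lipo first and re-signed afterwards.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
HEADER_FMT = "<IiiIIIII"                    # mach_header_64, little-endian (arm64)
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes


def load_commands(buf):
    """Yield (offset, cmd, cmdsize) for every load command of a thin 64-bit Mach-O."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, buf, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O; fat images need `lipo -thin arm64`")
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        yield off, cmd, cmdsize
        off += cmdsize


def is_encrypted(buf):
    """True when LC_ENCRYPTION_INFO(_64).cryptid != 0, i.e. __TEXT is still FairPlay-encrypted."""
    for off, cmd, _ in load_commands(buf):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<I", buf, off + 16)[0] != 0   # cryptid field
    return False


def dylib_names(buf):
    """Paths of all LC_LOAD_DYLIB commands, in load order."""
    names = []
    for off, cmd, cmdsize in load_commands(buf):
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", buf, off + 8)[0]     # lc_str offset
            names.append(buf[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
    return names


def insert_load_dylib(buf, dylib_path):
    """Append an LC_LOAD_DYLIB so dyld loads dylib_path at launch (what insert_dylib/optool do).

    The command goes into the zero padding between the last load command and the first
    section's file data; if that padding is too small the patch is refused instead of
    overwriting code. The existing code signature becomes invalid: re-sign afterwards.
    """
    if is_encrypted(buf):
        raise ValueError("binary is still encrypted; dump/decrypt it before patching")
    name = dylib_path.encode() + b"\0"
    cmdsize = (24 + len(name) + 7) & ~7          # dylib_command is 24 bytes; total padded to 8
    hdr = list(struct.unpack_from(HEADER_FMT, buf, 0))
    ncmds, sizeofcmds = hdr[4], hdr[5]
    end = HEADER_SIZE + sizeofcmds
    if end + cmdsize > len(buf) or any(buf[end:end + cmdsize]):
        raise ValueError("no free header space for an extra load command")
    # cmd, cmdsize, name offset, timestamp, current_version, compatibility_version (1.0.0)
    cmd = struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
    cmd += name.ljust(cmdsize - 24, b"\0")
    hdr[4], hdr[5] = ncmds + 1, sizeofcmds + cmdsize
    out = bytearray(buf)
    struct.pack_into(HEADER_FMT, out, 0, *hdr)
    out[end:end + cmdsize] = cmd
    return bytes(out)


def build_sample_image(encrypted):
    """Constructed minimal arm64 MH_EXECUTE image: 2 load commands + 4 KiB zero padding.

    Only the header and load commands are realistic; there is no code. Not a real app.
    """
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 1 if encrypted else 0, 0)
    libsys = b"/usr/lib/libSystem.B.dylib\0"
    size = (24 + len(libsys) + 7) & ~7
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000)
    dylib += libsys.ljust(size - 24, b"\0")
    cmds = enc + dylib
    # cputype CPU_TYPE_ARM64 (0x0100000C), filetype MH_EXECUTE (2)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return (header + cmds).ljust(4096, b"\0")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_image(encrypted=False)
    print("encrypted:", is_encrypted(image))
    patched = insert_load_dylib(image, "@executable_path/Frameworks/FridaGadget.dylib")
    print("load dylibs:", dylib_names(patched))
```

On a real binary the same encryption check is `otool -l App | grep cryptid` (1 means still encrypted). The injected path is relative to @executable_path, so the dylib has to be copied into the app bundle's Frameworks directory before the .ipa is repacked and re-signed.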
What can I put inside the .ipa?
Answer: whatever you want!
Frida
• frida.re
• GitHub: /frida/frida
• Portable, scalable, scriptable
• Injects JavaScript into a process
• Can hook a process from the moment it starts
• Can intercept and call functions
Useful links: ZeroNights'15 workshop; Frida; Objection; Awesome Frida (examples)
Cycript
• www.cycript.org
• GitHub: /nowsecure/frida-cycript
• Injects into a process and lets you manipulate the runtime from an interactive console
• Supports Objective-C and JavaScript
Useful links: Manual; Cycript @ 360|iDev 2013
Reveal
• revealapp.com
• Design/view-hierarchy inspection
• Supports even tvOS and watchOS
• Mostly for UI/UX debugging
CydiaSubstrate
• cydiasubstrate.com
• apt.saurik.com/debs/mobilesubstrate_0.9.6301_iphoneos-arm.deb
• Modify apps without source code
• Provides an API for hooking and manipulation
• Whether it works depends on the iOS version
Re-sign .ipa
• GitHub: /nowsecure/node-applesign
• GitHub: /DanTheMan827/ios-app-signer
• Xcode with a developer account
Step: 5
Install .ipa on the iOS device
• Xcode (free Developer Account)
• Cydia Impactor (any Apple ID)
• iFunBox (iOS ≤ 8.3)
• JB only: GitHub: /autopear/ipainstaller
Step: 6
+ Execute your own code
Press “X” to Hack
• Write your code and execute it on the iOS device
• Connect to the device and control your app
Step: pwn
One-slide-schema
Demo
Thank you! Questions?
@ansjdnakjdnajkd
Digital Security in Moscow: (495) 223-07-86; Digital Security in Saint Petersburg: (812) 703-15-47