Breaking iOS Apps using Cycript

4,978 views

Published on

null Hyderabad Chapter - June 2013 Meet

Published in: Education, Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,978
On SlideShare
0
From Embeds
0
Number of Embeds
385
Actions
Shares
0
Downloads
72
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Breaking iOS Apps using Cycript

  1. 1. BREAKING IOS APPS WITH CYCRIPT Satish Bommisetty
  2. 2. Agenda ¨  Objective  C  Basics   ¨  iOS  App  Architecture   ¨  Decrypting  iOS  Apps   ¨  Breaking  apps  with  Cycript  
  3. 3. Native iOS Applications ¨  Objective  C  code   ¨  Developed  in  Xcode  
  4. 4. Objective C Basics ¨  Objective  C  lies  on  top  of  the  C  language   ¨  Interface  @ile  (.h)   @interface  Car  :  NSObject  {       @loat  @illLevel;    }       -­‐  (void)addGas;       @end       ¨  Implementation  @ile  (.m)   @implementation  Car       -­‐(void)  addGas  {    }       @end      
  5. 5. Objective C Basics ¨  Methods  –  pass  messages   ¨  C++   ¤  Object-­‐>Method(param1,param2)   ¨  Objective-­‐C   ¤  [Object  method:param1  param2name:param2]  
  6. 6. iOS App Architecture ¨  iOS  App  
  7. 7. iOS App Architecture ¨  Mach-­‐O  format   ¤  Header   n  Target  Architecture   ¤  Load  commands   n  Location  of  symbol  table   n  Shared  Libraries   ¤  Data   n  Organized  in  Segments  
  8. 8. iOS App Architecture ¨  Header  can  be  viewed  using  otool   ¤  Otool  –h  Binary   ¤  Cpu  type  12/6  =  ARM  6   ¤  Cpu  type  12/9  =  ARM  7  
  9. 9. iOS App Architecture ¨  Load  can  be  viewed  using  otool   ¤  Otool  –l  Binary  
  10. 10. Decrypting iOS Apps ¨  AppStore  binaries  are  encrypted   ¤  Protects  from  piracy   ¤  Similar  to  Fairplay  DRM  used  on  iTunes  music   ¨  Self  distributed  Apps  are  not  encrypted   ¨  Loader  decrypts  the  apps  when  loaded  into  memory   ¨  Debugger  can  be  used  to  dump  the  decrypted  app  from  memory   ¨  Tools  are  available:  Craculous,  Clutch,  Installous  
  11. 11. Cycript ¨  Combination  of  JavaScript  and  Objective-­‐C  interpreter   ¨  App  runtime  can  be  easily  modi@ied  using  Cycript     ¨  Can  be  hooked  to  a  running  process     ¨  Gives  access  to  all  classes  and  instance  variables  within  the  app   ¨  Used  for  runtime  analysis   ¤  Bypass  security  locks   ¤  Access  sensitive  information  from  memory   ¤  Authentication  Bypass  attacks   ¤  Accessing  restricted  areas  of  the  applications  
  12. 12. Class-dump-z ¨  Use  class-­‐dump-­‐z  on  decrypted  binary  and  map  the  application   ¨  Retrieve  class  declarations   ¨  Analyze  the  class  dump  output  and  identify  the  interesting  class  
  13. 13. iOS App Execution Flow ¨  iOS  app  centralized  point  of  control  (MVC)  –  UIApplication  class  
  14. 14. Breaking iOS Apps ¨  Create  object  for  the  class  and  directly  access  the  instance   variables    and  invoke  methods   ¨  Existing  methods  can  be  overwritten  easily    

×