iOS App Reverse Engineering Guide

IOActive, Inc. Copyright ©2016. All Rights Reserved.
Beyond The ‘Cript: Practical
iOS Reverse Engineering
Michael Allen (@_dark_knight_)
Security Consultant

Why This Talk?
• Apps more hardened against
common attacks
• Bridge the gap
• Deeper understanding of what
happens under the hood
• Foundation for additional
research

Outline/Agenda
• Building A General Toolkit
• iOS Application Assessment 101
– Usual results
– “New” approach
• The Reverse Engineer’s Toolkit
• Reverse Engineering iOS Applications
• Mach-O Binary Format
• Mach Tasks
• ARM(32/64)
• Objective-C
• Swift
• Identifying and bypassing Simple Jailbreak Detection Routines
• Conclusion

Outline/Agenda
• Building A General Toolkit
• iOS Application Assessment 101
• The Reverse Engineer’s Toolkit
• Reverse Engineering iOS Applications
• Identifying and bypassing Simple Jailbreak
Detection Routines
• Conclusion

Building A General Toolkit
• Jailbroken Device
• File System
• Network
• Instrumentation
• Automating Common Tasks
• Essentials

Jailbroken Device
• Removing software restrictions
imposed by iOS, through the use of
software exploits
• Recommend dedicated device for
testing
• Latest jailbreak
– Pangu (iOS 9.2 – 9.3.3 64-bit
devices only)

Jailbroken Device (contd.)
• Tethered
• Does not persist across reboots
• Requires computer to start device
• Untethered
• Persists on device across reboots
• Semi-tethered
• Requires computer to start into jailbroken state
• Rebooting or starting device without assistance possible. But boots into
non-jailbroken state

Jailbroken Device (ProTip)
• Change default root password from alpine
• Access device over usb using usbmuxd
– sudo python tcprelay.py -t 22:22
• Generate ssh keys
– ssh-keygen -t rsa -f ~/.ssh/ironman -N "”
• Copy public key to device
– ssh-copy-id -i ~/.ssh/ironman.pub root@localhost
• Create an alias on (~/.ssh/config)

File System: Moving Files
• iFunbox
• iExplorer
• Sftp

Network: BurpSuite Pro Intercepting Proxy

Network: SSL Kill Switch 2
• “Disables SSL certificate validation - including certificate pinning -
within iOS Apps.”

Instrumentation: Cycript
• Injects into target process
• Interactive console
• Objective-C and Javascript syntax
• Supported Architectures(iOS, Mac OS X)
• NowSecure fork where runtime powered by Frida* (Cycript on
steroids)

Instrumentation: Cycript (contd.)

Instrumentation: Frida
• Injects Google’s V8 engine into target process
• Javascript executed with full access to memory
• Function hooking
• Access to native methods
• Inject into starting process
• Multiple architectures (Windows, Mac, Linux, iOS and Android)

• Method tracing
Instrumentation: Frida (contd.)

Automating Common Tasks
• Idb Tool - http://www.idbtool.com/
• Snoop-IT - http://repo.nesolabs.de/
• iRet - https://www.veracode.com/blog/2014/03/introducing-the-ios-reverse-engineering-
toolkit
• IntroSpy - https://github.com/iSECPartners/Introspy-iOS
• AppMon - https://dpnishant.github.io/appmon/
• Needle - https://github.com/mwrlabs/needle
• Varying levels of support

Automating Common Tasks: Idb Tool
• Idb Tool
• “idb is a tool to simplify some common tasks for iOS app
security assessments and research.”
• Provides general app info
• URL Handler
• Keychain dumping
• Pasteboard
• Logging

Automating Common Tasks: Idb Tool (contd.)

Essentials: Command Line Utilities
• Command Line
– BigBoss Recommended Tools (Cydia)
– Erica Utilities (Cydia)
– Jonathan Levin compiled a number of commonly used binaries
for iOS

Essentials: iOSBinpack (Jonathan Levin)
• Listing of available tools

Common Attack Vectors: Sniffing On A
Remote Virtual Interface

Common Attack Vectors: Sniffing On A
Remote Virtual Interface (contd.)

Common Attack Vectors: Insecure Storage
• Property list files (.plist)
• SQLite databases
• Keychain
• Snapshots
• Cache

Insecure Storage: Property Lists (.plist)
• Stores serialized objects
• Key value pairs
• Maybe compacted to bplist (binary plist)
– cat filename.plist | plutil -convert xml1 - -o -

Insecure Storage: Client-Side Data Stores
• Often see SQLite being used for client-side storage
• Lightweight client-side database
• Query using SQL

Insecure Storage: Fun Fact About SQLite
Data Stores
• Delete doesn’t do what you think
• Deleted data added to free list
• Free records not overwritten until more space required
• End result is data may not be overwritten for a while
• May be recovered with SQLite-parser

Insecure Storage: Dumping The Keychain
• SQLite database stored in /var/Keychains

Insecure Storage: Snapshots

Insecure Storage: Inspecting The Cache
• Caches directory similar function to that of a web browser’s
cache
• Aimed at improving performance
• May store web cache content

Insecure Storage: Dumping Binary Cookies
• Created by URL loading system or webview
• Stored on local file system in binary format.

Common Attack Vectors: Inter-process
Communication
• Application registers custom URL scheme
• Invoked when scheme called

Common Attack Vectors: Inter-process
Communication
• Suggest using lsdtrip to identify URL’s
• Use publicurls | privateurls option

Inter-process Communication (Side Note)
• Malicious app could register your URL scheme
• [[UIApplication sharedApplication] openURL:myURL];
• Universal Links introduced in iOS 9
• Kills the openURL problem
• Developer specifies what URL’s will be processed by
app (association file)
• Communication over HTTPS
• No more enumerating apps via can canOpenURL
method

Common Attack Vectors: Injection Attacks
• UIWebViews
• File-Handling Routine
• XML

Summary: Usual Results
• Issues relating to Local Storage
– Keep in mind most of these attacks requires the device to be unlocked
• Unsecured API’s (via Burpsuite Pro)
• Some hard-coded secrets maybe (typically run strings against binary)
• The truth however is that most of these bugs closed
– Binary protections are now standard
– Data Protection API’s (keychain etc)
– Universal links introduced with iOS 9 address IPC loophole
– …...

Additionally What Happens When?
• The common tools fail?
• Your Google Fu returns nothing?
• There are custom security protections in place
• You want to extend an existing tool?
• You want start investigating deeply hidden logic bugs
– Crypto functions etc
• Move beyond 3rd party applications

Towards A “New” Approach
• At this point we need to take a different approach one that
involves Reverse Engineering and leverages knowledge of :
• iOS internals
• ARM(32/64) Assembly
• Deep dive into Objective-C/Swift
• …....
• Let’s improve our toolkit
• And expand our knowledge base

The Reverse Engineer’s Toolkit
• IDA Pro
• Hopper
• LLDB
• Jtool
• Procexp
• GNU Project Debugger (gdb)
• Apple CC Tools

The Reverse Engineer’s Toolkit: IDA Pro

The Reverse Engineer’s Toolkit: Hopper

The Reverse Engineer’s Toolkit: lldb
• Debugging an application binary with lldb
• iOS Device
1. debugserver -x backboard ip:port </path/to/executable>
• MAC Host
1. lldb
2. process connect connect://<remote_host>:<port>
3. image list –o –f (ASLR)

The Reverse Engineer’s Toolkit: lldb (contd.)

• Breakpoint = offset1 + offset2
• Or just use the symbols 
The Reverse Engineer’s Toolkit: lldb ASLR
(contd.)
1
2

The Reverse Engineer’s Toolkit: jtool
• otool type functionality with way more options
• MACH-O analysis (atos, dyldinfo, nm, strings etc)
• Multi-platform (OS X, iOS, Linux)
• ARM64 disassembler

The Reverse Engineer’s Toolkit: jtool (contd.)

The Reverse Engineer’s Toolkit: jtool (bonus)

The Reverse Engineer’s Toolkit: procexp
• Getting task related info
• Display threads, mach ports, dump core (memory image) etc..

The Reverse Engineer’s Toolkit: gdb
• Use source from http://cydia.radare.org
• No support for arm64 architectures

The Reverse Engineer’s Toolkit: filemon
• Tracing file system activity with FSEvents

Apple’s CC Tools
• otool
• MACH-O Binary Swiss army knife
• nm
• Displays symbol table
• lipo
• Architectures embedded in binary
• Codesign
• Binary signing

Reverse Engineering iOS Applications
(Under The Hood)
• Mach-O Binary Format
• Mach Tasks
• ARM(32/64)
• Objective-C
• Swift

Mach-O Binary Format

Application Binary
Version Location
< iOS 8 /var/mobile/Application/<app bundle id>
iOS 8 +
 /var/mobile/Containers/Bundle/Application/<app
bundle id>
 App binary, nibs, Code Signature
 /var/mobile/Containers/Data/Application/<app
bundle id>
 Documents, Library, tmp folder
iOS 9.3.x  /var/containers/Bundle/Application/<app bundle id>
 App binary

Mach-O Binary
• Header – Identifies file type,
architecture etc
• Load Commands – Details layout
and linkage specifications
• Data – Code

Mach-O: Header
<mach-o/loader.h>

Mach-O: Flags
• PIE: Commonly checked flag during an assessment.
• ASLR for executable types

Mach-O: Load Commands (Kernel)
• LC_SEGMENT[_64] main load command
– Memory regions with same r/w/x protection
<mach-o/loader.h>

Mach-O: SEGMENTS
• __PAGEZERO(NULL pointer trap, all access permissions revoked )
• _TEXT(program code)
• _DATA (readable/writeable program data)
• _LINKEDIT (symbol and other tables used by linker)
• _RESTRICT (see dyld.cpp, will not load DYLD_INSERT_LIBRARIES)
• Optional sections

Mach-O: Common Segments and Sections

Mach-O: Viewing Segments and Sections

MachOView (GUI)

Mach-O: Load Commands (dyld)
• Kernel hands off to DYLD(dynamic linker)
• Uses dynamic linker specified in LC_LOAD_DYLINKER
• Loads each LC_LOAD_DYLIB
• Resolves symbols
• Interposing (method switching)
• add __interpose section to __DATA SEGMENT
• Force library loading with DYLD_INSERT_LIBRARIES
• code with __attribute(constructor) auto runs

Mach Tasks

Mach Tasks
• At this point binary mapped into memory
• Process on other systems
• Port (IPC Endpoint)
• Own the port, own the task
• Mach Trap task_for_pid()
• Requires jailbreak tfp0 patch for kernel(PID0)
• processor_set_tasks()
• Any task port in system

Mach Tasks – Interacting with the task
• Get the task port
• Read/write memory with mach_vm* api’s
• Inject your own shellcode
• Left to your imagination

Mach Tasks – Owning The Port
* mach_vm_region returns information about a memory region in a given
address space.

Mach Tasks – Dumping Memory
• Write your own code and call appropriate mach_vm* api’s
• Use procexp <pid> regions

Mach Tasks – Dumping Memory
• Read using lldb (memory read –outfile <outfile> –count <size> <address>)

ARM Assembly

ARM32 - Registers
Register Purpose
R0 – R12 General purpose registers
R13 Stack pointer
R14 Link register. Holds return address during a
function call.
R15 Program counter (PC)
CPSR Information on current execution state
(Endianness bit, Thumb bit, Mode bit)

ARM32 – Function Calling Convention
• Functions are invoked via a B, BX, BL, BLX
Register Purpose
r0-r3  First four function parameters.
 Other arguments passed on stack
r0 Stores return value

ARM32 – Basic Loading Instructions
Register Purpose
LDR Loads a word.
Ex. LDR R3, [R0]
Loads the word value at R0 into R3
STR Stores a word.
Ex. STR R3, [R4]
Takes the value in R3 and stores at memory
address R4
• Arm is a load/store architecture
• Data must be loaded into registers before they can be used

ARM64 - Registers
Register Purpose
x0-x28 General purpose registers (64 bit)
w0-w30 General purpose registers (32 bit)
x29 Frame pointer
x30 Link register (return address)
SP Stack pointer
PC Program counter

ARM64 – Function Calling Convention
Register Purpose
x0-x7 Arguments/return values
x9-x15 Local variables
x19-x29 Callee-saved registers

Objective-C

Objective-C
• objc_msgSend
• Equivalent of calling functions in C
• id objc_msgSend(id self, SEL op,…)
• receiver(id self)
• selector(SEL op)
• Receiver is a pointer to class message is intended for
• Selector is the method to handle message

Objective-C (contd.)

Objective-C (contd.)
x0 – receiver
x1 – selector
x2 – argument
objc_msgSend – func call
-v –d objc retrieves info on
classes, methods etc
*ARM64

Objective-C: Method Swizzling Under The
Hood
• objc_method struct holds information about method of a class
[/usr/include/objc/runtime.h]
• Hooking Frameworks [/Library/Frameworks/CydiaSubstrate.framework]
Member Description
method_name Method name
method_types Accepted parameters
method_imp Pointer to implementation
Swizzling just changes implementation using
underlying C functions:
• class_replaceMethod
• method_exchangeImplementations
• method_setImplementation
CydiaSubstrate:
• MSHookMessageEx
• MSHookFunction

CydiaSubstrate Method Swizzling

SWIFT

Swift
• Introduced with iOS 8
• Still uses traditional message passing for Swift classes that inherit from
Objective-C classes
• Swift classes may use
• Direct function calls
• Vtables
• C++ like mangled function names
• Method Swizzling if subclass of NSObject

Swift: Mangled Function Names
Swift Objective-C

Swift: Mangled Function Names
• __TFC9jailbreak14ViewController12btnFileCheckfS0_FPSs9AnyObject_T_
– __T Swift Symbol
– F indicates function
– C indicates it is a function belonging to a class
– 9jailbreak module name prefixed with length
– 14ViewController class name prefixed with length
– 12btnFileCheck function name prefixed with length
– S0_FPSs no clue ?? 
– f function attribute
– 9AnyObject function parameter
– T_ return type

Swift: demangle Tool
• See also hopper-swift-demangle plugin

Disclaimer
• We will discuss binary patching next
• Yeah but I could do this with ?
• Yes there are several other options:
• xCon
• tsProtector
• Officer
• Tools discussed earlier(remember CydiaSubstrate
hooking with MSHookFunction)
• What happens when you can’t?
• Get comfortable reading/modifying ARM assembly
• Start with simple examples

But First A Note On Patching 101
• Replace instruction with NOP
• No Operation
• Change conditional instructions to unconditional ones
• BNE, BEQ, BLT….changes to just B etc
• Update the register that determines branch taken
• reg write <register> <value>
• p $<reg> = <value>
• Remove SEGMENT
• __RESTRICT

Identifying and bypassing Simple Jailbreak
Detection Routines Case Study

Case Study: Viewing File System Activity
• Using filemon -l
• Creates hard links to temporary files

Case Study: Viewing Logs
• Using idevicesyslog [libimobiledevice]

Case Study: Obtaining The Binary
• Dump the binary (facilitated by DYLD and DYLD_INSERT_LIBRARIES
environment variable)

Case Study: Obtaining Symbols
• Dump the symbols along with dylib’s to which they belong

Case Study: Extracting strings
• Any interesting strings?
• Dump cstring section (same as running strings)
• Knowledge of SEGMENTS and sections important

Case Study: Extracting DYLIB’S
• procexp <pid> regions
Dump the library with lldb

Case Study: Extracting DYLIB’S

Case Study: Obtaining Classes

Case Study: Bypassing RootFS Check

statfs func call
Patch here
statfs argument

Patch here
• Patch register w8

Case Study: Bypassing Debugger Checks
Changes when
debugger attached

(ppid)

(ppid)
ppid func callPatch here

(ppid)
• parent process id of calling process
Patch here

(p_traced)
sysctl func call
Patch here

(p_traced)
Patch here

Case Study: Bypassing Fork Check
Call to fork
Return value in X0
Patch CMN W19, #1

Case Study: Bypassing Fork Check
Patch here

Conclusion
• Common bugs being closed
• A “new” approach and break from the norm is required for in depth assessments
• Assembly knowledge a MUST for Reversing Engineering
– Low level assembly allows you to bypass many security protections, discover hidden gems and
then some
• Knowledge of iOS architecture will not only improve your assessments but also provide a
launching pad for other research
• Disassemblers are your friends (IDA, Hopper, Jtool …..)
• Add the reverse engineering skillset to your arsenal !!!

References
• Books:
• Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin)
• The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. )
• Hacking and Securing iOS Applications (Jonathan Zdziarski)
• iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel)
• Blogs and Tools:
• processor_set_tasks() - http://newosxbook.com/articles/PST2.html
• procexp – http://newosxbook.com/tools/procexp.html
• iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html
• jtool - http://newosxbook.com/tools/jtool.html
• filemon - http://newosxbook.com/tools/filemon.html
• AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html
• Frida - http://www.frida.re/
• Cycript - http://www.cycript.org/
• iFunBox - http://www.i-funbox.com/
• SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch
• BurpSuite - https://portswigger.net/burp/
• IDA - https://www.hex-rays.com/products/ida/
• Hopper - https://www.hopperapp.com/
• Idb - http://www.idbtool.com/
• PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers
• ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html
• SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
• SQLite Deletion - http://www.zdziarski.com/blog/?p=6143
• lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL

iOS App Reverse Engineering Guide

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to iOS App Reverse Engineering Guide

Similar to iOS App Reverse Engineering Guide (20)

Recently uploaded

Recently uploaded (20)

iOS App Reverse Engineering Guide

Editor's Notes