SlideShare a Scribd company logo

Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications

eightbit
eightbit

Swift apps present some challenges for reverse engineering compared to Objective-C apps. The main challenges are that Swift is less dynamic and there is limited tooling available. To analyze Swift apps, one can disassemble the binary and demangle Swift function names using the swift-demangle utility. For apps with Objective-C code as well, the class-dump tool can provide some class information. Runtime inspection using debuggers is also possible but less straightforward than with Objective-C. Overall, while more difficult, many typical reverse engineering tasks can still be performed on Swift apps.

1 of 60
Download to read offline
Reverse Engineering Swift Apps Michael Gianarakis Hack In The Box GSEC 2016
# whoami @mgianarakis Director of SpiderLabs at Trustwave Flat Duck Justice Warrior (FDJW)
Motivation • Seeing more and more Swift being used in apps that we test (fan boys like me tend to adopt new Apple technology quickly) • Google is even considering using Swift as a first class language on Android… (http://thenextweb.com/dd/2016/04/07/google- facebook-uber-swift/) • Wanted to dive into some of the key differences with Swift and look at the challenges with respect to Swift app pen testing • Focus is on “black box” app pen testing - for a deeper dive into Swift language RE I recommend Ryan Stortz’s talk at Infiltrate (http://infiltratecon.com/archives/swift_Ryan_Stortz.pdf)
How Does Swift Affect Testing? • Will dive into the detail in the presentation but the reality is not much in most areas, quite a bit in others? • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries. • The main thing that has changed is how you reverse engineer the application
Quick Overview of Swift
What is Swift? • Compiled language created by Apple • Released publicly in 2014 at WWDC and has seen multiple revisions since. • Open source with official implementations for iOS, OS X and Linux. • Intended to replace Objective-C eventually
Syntax (just the basics to follow along)
Syntax (just the basics to follow along)
Syntax (just the basics to follow along)
Syntax (just the basics to follow along)
Types • All basic C and Objective-C types -> String, Bool, Int , Float etc. • Collection Types -> Array, Set, Dictionary • Optional Types -> works with all types, no more nil pointers like Objective-C • Swift is a type safe language
Objective-C Compatibility • Objective-C compatibility and interoperability • Uses the same runtime environment • Still supports C and C++ in the same app but can’t be called from Swift like Objective-C • Can allow for some dynamic features and runtime manipulation
Other Language Features • Barely scratched the surface • Structs, Protocols, Extensions, Closures, Enumerations, Optionals, Generics, Type Casting, Access Control, Error Handling, Assertions…. • Automatic Reference Counting • Unicode… • var 💩 = 💩 💩 💩 💩 💩 ()
Other Language Features
Challenges Reversing Swift Apps
Challenges • Less dynamic than Objective-C • Less flexible than Objective-C in some areas • Can make it harder to do some of the standard tasks you would do on a standard app pen test • Less of an issue now because most Swift apps will include be mixed with Objective-C • Limited tooling • We will explore this in more detail
Challenges • Rapidly evolving syntax, APIs and features and Apple doesn’t care too much about breaking changes. • v1.0 - September 2014 • v1.1 - October 2014 • v1.2 - April 2015 • v2.0 - September 2015 (Open Sourced, Linux) • v2.2 - March 2016 • v3.0 - Late 2016
Reversing Swift Apps • Two primary reverse engineering activities when conducting a “black box” pen test • Dumping and analysing class information from the binary • Retrieving information at runtime using debuggers, function hooking, tracing etc.
Retrieving Class Information
Class Dump? • The most common and easiest way to retrieve class data from an Objective-C binary is the class- dump utility • class-dump retrieves class information and formats to look like the equivalent of an Objective-C header file • Usually one of the first things you do when looking at an app
Class Dump?
Class Dump?
What next? • So class-dump-z doesn’t work with Swift binaries :( • Now what? • Let’s start diving into the binary
Symbol Table • What do we get if we dump the symbol table?
Symbol Table • What if we look for something we know is in the binary?
Name Mangling • Looks promising but it’s a far cry from the output of class-dump and is kind of hard to make out • Swift stores metadata about a function in it’s symbols in the process “mangling” the name.
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters
Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters Return Type
Function Attributes f Normal function s Setter g Getter d Destructor D Deallocator c Constructor C Allocator
Return Types a Array b Boolean c Unicode Scalar d Double f Float i Integer u Unsigned Integer Q Implicitly Unwrapped Optional S String
swift-demangle • So now we know roughly the way the names are mangle you could use this to create a script that “de-mangles” the names • Apple has already thought of that and includes a utility called swift-demangle to do just that
swift-demangle
swift-demangle • With nm and swift-demangle and some shell scripting you should be able to easily grab the function signatures from an app • Should be all you need to get basically the same information you would from class-dump to start assessing the app
class-dump-s • Hacked together script that demangles names and formats the output to approximate the output of class-dump • Written in Swift • Demo
Stripped Binaries • CAVEAT: If the developer stripped symbols from the binary then these techniques obviously won’t work. • Reverse engineering stripped binaries is a bit more complicated
Objective-C Compatibility • Part of the reason it’s much easier to get class information from Objective-C binaries is because it’s necessary for the Objective-C runtime to have that info • So what happens when you import Objective-C frameworks or use Objective-C in your app?
Revisiting Class Dump • The latest branch of class-dump by Steven Nygard (the original class-dump utility) has limited support for Swift. • Need to download and build from source (no binary release yet) • https://github.com/nygard/class-dump
Revisiting Class Dump
Revisiting Class Dump
Revisiting Class Dump
Revisiting Class Dump
Other Options • Disassemblers (i.e. Hopper, IDA Pro) • Necessary for lower level insight into the app • To demangle Swift function names https:// github.com/Januzellij/hopperscripts
Function Hooking
Hooking Swift Methods • Still possible. • Much easier with in mixed Swift/Objective-C binaries. • Can still write tweaks with Mobile Substrate.
Hooking Swift Methods
Hooking Swift Methods • Hooking getter method (works!)
Hooking Swift Methods • Hooking setter method (kinda works…)
Hooking Swift Methods • Certain functions in Swift are inlined and the class constructor is one of them (which is directly setting the instance variable) • So in this case the setter will only be called again by the top level code. • If you call from there it works.
Hooking Swift Methods • Changing the instance variable directly (works but not a good idea probably)
Wrap Up
Wrap Up • So not all hope is lost when it comes to your standard pen test workflows with Swift apps • A bit more of a pain in the arse if you don’t get access to the source code • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries.
Next Steps • Improve the class-dump-s script :) • Runtime inspection (was going to demo this but ran out of time :( ) • cycript works but not as straightforward as with Objective-C • LLDB works well if you are familiar with it • Will hopefully write a blog post soon
Q&A?

Recommended

Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applications
eightbit
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Course
eightbit
 
Handout 00 0
Handout 00 0Handout 00 0
Handout 00 0Mahmoud
 
Bootstrapping iPhone Development
Bootstrapping iPhone DevelopmentBootstrapping iPhone Development
Bootstrapping iPhone Development
ThoughtWorks
 
Tech breakfast 18
Tech breakfast 18Tech breakfast 18
Tech breakfast 18
James Leone
 
Kevin Whinnery: Write Better JavaScript
Kevin Whinnery: Write Better JavaScriptKevin Whinnery: Write Better JavaScript
Kevin Whinnery: Write Better JavaScript
Axway Appcelerator
 
Practices and Tools for Building Better APIs
Practices and Tools for Building Better APIsPractices and Tools for Building Better APIs
Practices and Tools for Building Better APIs
Peter Hendriks
 
API workshop: Deep dive into Java
API workshop: Deep dive into JavaAPI workshop: Deep dive into Java
API workshop: Deep dive into Java
Tom Johnson
 

Recommended

Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applications
eightbit
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Course
eightbit
 
Handout 00 0
Handout 00 0Handout 00 0
Handout 00 0Mahmoud
 
Bootstrapping iPhone Development
Bootstrapping iPhone DevelopmentBootstrapping iPhone Development
Bootstrapping iPhone Development
ThoughtWorks
 
Tech breakfast 18
Tech breakfast 18Tech breakfast 18
Tech breakfast 18
James Leone
 
Kevin Whinnery: Write Better JavaScript
Kevin Whinnery: Write Better JavaScriptKevin Whinnery: Write Better JavaScript
Kevin Whinnery: Write Better JavaScript
Axway Appcelerator
 
Practices and Tools for Building Better APIs
Practices and Tools for Building Better APIsPractices and Tools for Building Better APIs
Practices and Tools for Building Better APIs
Peter Hendriks
 
API workshop: Deep dive into Java
API workshop: Deep dive into JavaAPI workshop: Deep dive into Java
API workshop: Deep dive into Java
Tom Johnson
 
API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)
Tom Johnson
 
API Documentation -- Presentation to East Bay STC Chapter
API Documentation -- Presentation to East Bay STC ChapterAPI Documentation -- Presentation to East Bay STC Chapter
API Documentation -- Presentation to East Bay STC Chapter
Tom Johnson
 
C#/.NET Little Wonders
C#/.NET Little WondersC#/.NET Little Wonders
C#/.NET Little Wonders
BlackRabbitCoder
 
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Tom Johnson
 
Object oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpObject oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpAbefo
 
API Workshop: Deep dive into code samples
API Workshop: Deep dive into code samplesAPI Workshop: Deep dive into code samples
API Workshop: Deep dive into code samples
Tom Johnson
 
Functional Programming In Jdk8
Functional Programming In Jdk8 Functional Programming In Jdk8
Functional Programming In Jdk8
Bansilal Haudakari
 
Writing code samples for API/SDK documentation
Writing code samples for API/SDK documentationWriting code samples for API/SDK documentation
Writing code samples for API/SDK documentation
Tom Johnson
 
Generating UML Models with Inferred Types from Pharo Code
Generating UML Models with Inferred Types from Pharo CodeGenerating UML Models with Inferred Types from Pharo Code
Generating UML Models with Inferred Types from Pharo Code
ESUG
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Joxean Koret
 
API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015
Tom Johnson
 
Scala Jump Start
Scala Jump StartScala Jump Start
Scala Jump Start
Haim Michael
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIs
Tom Johnson
 
Java Basics for selenium
Java Basics for seleniumJava Basics for selenium
Java Basics for selenium
apoorvams
 
C# 9 and 10 - What's cool?
C# 9 and 10 - What's cool?C# 9 and 10 - What's cool?
C# 9 and 10 - What's cool?
Christian Nagel
 
Language Engineering in the Cloud
Language Engineering in the CloudLanguage Engineering in the Cloud
Language Engineering in the Cloudlennartkats
 
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Aniruddha Chakrabarti
 
T4 presentation
T4 presentationT4 presentation
T4 presentation
Gary Pedretti
 
C# language
C# languageC# language
C# language
Akanksha Shukla
 
Intro To AOP
Intro To AOPIntro To AOP
Intro To AOPDonald Belcham
 
Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06
Carl Brown
 
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Fwdays
 

More Related Content

What's hot

API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)
Tom Johnson
 
API Documentation -- Presentation to East Bay STC Chapter
API Documentation -- Presentation to East Bay STC ChapterAPI Documentation -- Presentation to East Bay STC Chapter
API Documentation -- Presentation to East Bay STC Chapter
Tom Johnson
 
C#/.NET Little Wonders
C#/.NET Little WondersC#/.NET Little Wonders
C#/.NET Little Wonders
BlackRabbitCoder
 
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Tom Johnson
 
Object oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpObject oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpAbefo
 
API Workshop: Deep dive into code samples
API Workshop: Deep dive into code samplesAPI Workshop: Deep dive into code samples
API Workshop: Deep dive into code samples
Tom Johnson
 
Functional Programming In Jdk8
Functional Programming In Jdk8 Functional Programming In Jdk8
Functional Programming In Jdk8
Bansilal Haudakari
 
Writing code samples for API/SDK documentation
Writing code samples for API/SDK documentationWriting code samples for API/SDK documentation
Writing code samples for API/SDK documentation
Tom Johnson
 
Generating UML Models with Inferred Types from Pharo Code
Generating UML Models with Inferred Types from Pharo CodeGenerating UML Models with Inferred Types from Pharo Code
Generating UML Models with Inferred Types from Pharo Code
ESUG
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Joxean Koret
 
API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015
Tom Johnson
 
Scala Jump Start
Scala Jump StartScala Jump Start
Scala Jump Start
Haim Michael
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIs
Tom Johnson
 
Java Basics for selenium
Java Basics for seleniumJava Basics for selenium
Java Basics for selenium
apoorvams
 
C# 9 and 10 - What's cool?
C# 9 and 10 - What's cool?C# 9 and 10 - What's cool?
C# 9 and 10 - What's cool?
Christian Nagel
 
Language Engineering in the Cloud
Language Engineering in the CloudLanguage Engineering in the Cloud
Language Engineering in the Cloudlennartkats
 
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Aniruddha Chakrabarti
 
T4 presentation
T4 presentationT4 presentation
T4 presentation
Gary Pedretti
 
C# language
C# languageC# language
C# language
Akanksha Shukla
 

What's hot (20)

API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)API workshop: Introduction to APIs (TC Camp)
API workshop: Introduction to APIs (TC Camp)
 
API Documentation -- Presentation to East Bay STC Chapter
API Documentation -- Presentation to East Bay STC ChapterAPI Documentation -- Presentation to East Bay STC Chapter
API Documentation -- Presentation to East Bay STC Chapter
 
C#/.NET Little Wonders
C#/.NET Little WondersC#/.NET Little Wonders
C#/.NET Little Wonders
 
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
Survival Strategies for API Documentation: Presentation to Southwestern Ontar...
 
Object oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharpObject oriented-programming-in-c-sharp
Object oriented-programming-in-c-sharp
 
API Workshop: Deep dive into code samples
API Workshop: Deep dive into code samplesAPI Workshop: Deep dive into code samples
API Workshop: Deep dive into code samples
 
Functional Programming In Jdk8
Functional Programming In Jdk8 Functional Programming In Jdk8
Functional Programming In Jdk8
 
Writing code samples for API/SDK documentation
Writing code samples for API/SDK documentationWriting code samples for API/SDK documentation
Writing code samples for API/SDK documentation
 
Generating UML Models with Inferred Types from Pharo Code
Generating UML Models with Inferred Types from Pharo CodeGenerating UML Models with Inferred Types from Pharo Code
Generating UML Models with Inferred Types from Pharo Code
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
 
API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015
 
Scala Jump Start
Scala Jump StartScala Jump Start
Scala Jump Start
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIs
 
Java Basics for selenium
Java Basics for seleniumJava Basics for selenium
Java Basics for selenium
 
C# 9 and 10 - What's cool?
C# 9 and 10 - What's cool?C# 9 and 10 - What's cool?
C# 9 and 10 - What's cool?
 
Language Engineering in the Cloud
Language Engineering in the CloudLanguage Engineering in the Cloud
Language Engineering in the Cloud
 
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
Using Swift for all Apple platforms (iOS, watchOS, tvOS and OS X)
 
T4 presentation
T4 presentationT4 presentation
T4 presentation
 
C# language
C# languageC# language
C# language
 
Intro To AOP
Intro To AOPIntro To AOP
Intro To AOP
 

Similar to Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications

Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06
Carl Brown
 
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Fwdays
 
Swift programming language
Swift programming languageSwift programming language
Swift programming language
Nijo Job
 
AngularConf2015
AngularConf2015AngularConf2015
AngularConf2015
Alessandro Giorgetti
 
The advantage of developing with TypeScript
The advantage of developing with TypeScript The advantage of developing with TypeScript
The advantage of developing with TypeScript
Corley S.r.l.
 
Orthogonality: A Strategy for Reusable Code
Orthogonality: A Strategy for Reusable CodeOrthogonality: A Strategy for Reusable Code
Orthogonality: A Strategy for Reusable Codersebbe
 
Java Fundamentals in Mule
Java Fundamentals in MuleJava Fundamentals in Mule
Java Fundamentals in Mule
Anand kalla
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
Positive Hack Days
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx
2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx
2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx
GauravGamer2
 
Introduction to java
Introduction to java Introduction to java
Introduction to java
sanjay joshi
 
Java for C++ programers
Java for C++ programersJava for C++ programers
Java for C++ programers
Salahaddin University-Erbil
 
The Ring programming language version 1.6 book - Part 6 of 189
The Ring programming language version 1.6 book - Part 6 of 189The Ring programming language version 1.6 book - Part 6 of 189
The Ring programming language version 1.6 book - Part 6 of 189
Mahmoud Samir Fayed
 
ASP.NET Session 3
ASP.NET Session 3ASP.NET Session 3
ASP.NET Session 3Sisir Ghosh
 
Angular 2 overview
Angular 2 overviewAngular 2 overview
Angular 2 overview
Jesse Warden
 
Java Closures
Java ClosuresJava Closures
Java Closures
Ben Evans
 
Swift should I switch?
Swift should I switch?Swift should I switch?
Swift should I switch?
wulfgeng
 
Exploring the power of Gradle in android studio - Basics & Beyond
Exploring the power of Gradle in android studio - Basics & BeyondExploring the power of Gradle in android studio - Basics & Beyond
Exploring the power of Gradle in android studio - Basics & Beyond
Kaushal Dhruw
 
Shuzworld Analysis
Shuzworld AnalysisShuzworld Analysis
Shuzworld Analysis
Brenda Thomas
 
C# .NET - Um overview da linguagem
C# .NET - Um overview da linguagem C# .NET - Um overview da linguagem
C# .NET - Um overview da linguagem
Claudson Oliveira
 

Similar to Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications (20)

Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06
 
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
Алексей Ященко и Ярослав Волощук "False simplicity of front-end applications"
 
Swift programming language
Swift programming languageSwift programming language
Swift programming language
 
AngularConf2015
AngularConf2015AngularConf2015
AngularConf2015
 
The advantage of developing with TypeScript
The advantage of developing with TypeScript The advantage of developing with TypeScript
The advantage of developing with TypeScript
 
Orthogonality: A Strategy for Reusable Code
Orthogonality: A Strategy for Reusable CodeOrthogonality: A Strategy for Reusable Code
Orthogonality: A Strategy for Reusable Code
 
Java Fundamentals in Mule
Java Fundamentals in MuleJava Fundamentals in Mule
Java Fundamentals in Mule
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
 
2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx
2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx
2R-3KS03-OOP_UNIT-I (Part-A)_2023-24.pptx
 
Introduction to java
Introduction to java Introduction to java
Introduction to java
 
Java for C++ programers
Java for C++ programersJava for C++ programers
Java for C++ programers
 
The Ring programming language version 1.6 book - Part 6 of 189
The Ring programming language version 1.6 book - Part 6 of 189The Ring programming language version 1.6 book - Part 6 of 189
The Ring programming language version 1.6 book - Part 6 of 189
 
ASP.NET Session 3
ASP.NET Session 3ASP.NET Session 3
ASP.NET Session 3
 
Angular 2 overview
Angular 2 overviewAngular 2 overview
Angular 2 overview
 
Java Closures
Java ClosuresJava Closures
Java Closures
 
Swift should I switch?
Swift should I switch?Swift should I switch?
Swift should I switch?
 
Exploring the power of Gradle in android studio - Basics & Beyond
Exploring the power of Gradle in android studio - Basics & BeyondExploring the power of Gradle in android studio - Basics & Beyond
Exploring the power of Gradle in android studio - Basics & Beyond
 
Shuzworld Analysis
Shuzworld AnalysisShuzworld Analysis
Shuzworld Analysis
 
C# .NET - Um overview da linguagem
C# .NET - Um overview da linguagem C# .NET - Um overview da linguagem
C# .NET - Um overview da linguagem
 

More from eightbit

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
eightbit
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly ExaggeratedCrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
eightbit
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 

More from eightbit (7)

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly ExaggeratedCrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 

Recently uploaded

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 

Recently uploaded (20)

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 

Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications

  • 1. Reverse Engineering Swift Apps Michael Gianarakis Hack In The Box GSEC 2016
  • 2. # whoami @mgianarakis Director of SpiderLabs at Trustwave Flat Duck Justice Warrior (FDJW)
  • 3. Motivation • Seeing more and more Swift being used in apps that we test (fan boys like me tend to adopt new Apple technology quickly) • Google is even considering using Swift as a first class language on Android… (http://thenextweb.com/dd/2016/04/07/google- facebook-uber-swift/) • Wanted to dive into some of the key differences with Swift and look at the challenges with respect to Swift app pen testing • Focus is on “black box” app pen testing - for a deeper dive into Swift language RE I recommend Ryan Stortz’s talk at Infiltrate (http://infiltratecon.com/archives/swift_Ryan_Stortz.pdf)
  • 4. How Does Swift Affect Testing? • Will dive into the detail in the presentation but the reality is not much in most areas, quite a bit in others? • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries. • The main thing that has changed is how you reverse engineer the application
  • 6. What is Swift? • Compiled language created by Apple • Released publicly in 2014 at WWDC and has seen multiple revisions since. • Open source with official implementations for iOS, OS X and Linux. • Intended to replace Objective-C eventually
  • 7. Syntax (just the basics to follow along)
  • 8. Syntax (just the basics to follow along)
  • 9. Syntax (just the basics to follow along)
  • 10. Syntax (just the basics to follow along)
  • 11. Types • All basic C and Objective-C types -> String, Bool, Int , Float etc. • Collection Types -> Array, Set, Dictionary • Optional Types -> works with all types, no more nil pointers like Objective-C • Swift is a type safe language
  • 12. Objective-C Compatibility • Objective-C compatibility and interoperability • Uses the same runtime environment • Still supports C and C++ in the same app but can’t be called from Swift like Objective-C • Can allow for some dynamic features and runtime manipulation
  • 13. Other Language Features • Barely scratched the surface • Structs, Protocols, Extensions, Closures, Enumerations, Optionals, Generics, Type Casting, Access Control, Error Handling, Assertions…. • Automatic Reference Counting • Unicode… • var 💩 = 💩 💩 💩 💩 💩 ()
  • 16. Challenges • Less dynamic than Objective-C • Less flexible than Objective-C in some areas • Can make it harder to do some of the standard tasks you would do on a standard app pen test • Less of an issue now because most Swift apps will include be mixed with Objective-C • Limited tooling • We will explore this in more detail
  • 17. Challenges • Rapidly evolving syntax, APIs and features and Apple doesn’t care too much about breaking changes. • v1.0 - September 2014 • v1.1 - October 2014 • v1.2 - April 2015 • v2.0 - September 2015 (Open Sourced, Linux) • v2.2 - March 2016 • v3.0 - Late 2016
  • 18. Reversing Swift Apps • Two primary reverse engineering activities when conducting a “black box” pen test • Dumping and analysing class information from the binary • Retrieving information at runtime using debuggers, function hooking, tracing etc.
  • 20. Class Dump? • The most common and easiest way to retrieve class data from an Objective-C binary is the class- dump utility • class-dump retrieves class information and formats to look like the equivalent of an Objective-C header file • Usually one of the first things you do when looking at an app
  • 23. What next? • So class-dump-z doesn’t work with Swift binaries :( • Now what? • Let’s start diving into the binary
  • 24. Symbol Table • What do we get if we dump the symbol table?
  • 25. Symbol Table • What if we look for something we know is in the binary?
  • 26. Name Mangling • Looks promising but it’s a far cry from the output of class-dump and is kind of hard to make out • Swift stores metadata about a function in it’s symbols in the process “mangling” the name.
  • 29. Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class
  • 30. Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length
  • 31. Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length
  • 32. Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length
  • 33. Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute
  • 34. Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters
  • 35. Name Mangling __TFC9hitb_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters Return Type
  • 36. Function Attributes f Normal function s Setter g Getter d Destructor D Deallocator c Constructor C Allocator
  • 37. Return Types a Array b Boolean c Unicode Scalar d Double f Float i Integer u Unsigned Integer Q Implicitly Unwrapped Optional S String
  • 38. swift-demangle • So now we know roughly the way the names are mangle you could use this to create a script that “de-mangles” the names • Apple has already thought of that and includes a utility called swift-demangle to do just that
  • 40. swift-demangle • With nm and swift-demangle and some shell scripting you should be able to easily grab the function signatures from an app • Should be all you need to get basically the same information you would from class-dump to start assessing the app
  • 41. class-dump-s • Hacked together script that demangles names and formats the output to approximate the output of class-dump • Written in Swift • Demo
  • 42. Stripped Binaries • CAVEAT: If the developer stripped symbols from the binary then these techniques obviously won’t work. • Reverse engineering stripped binaries is a bit more complicated
  • 43. Objective-C Compatibility • Part of the reason it’s much easier to get class information from Objective-C binaries is because it’s necessary for the Objective-C runtime to have that info • So what happens when you import Objective-C frameworks or use Objective-C in your app?
  • 44. Revisiting Class Dump • The latest branch of class-dump by Steven Nygard (the original class-dump utility) has limited support for Swift. • Need to download and build from source (no binary release yet) • https://github.com/nygard/class-dump
  • 49. Other Options • Disassemblers (i.e. Hopper, IDA Pro) • Necessary for lower level insight into the app • To demangle Swift function names https:// github.com/Januzellij/hopperscripts
  • 51. Hooking Swift Methods • Still possible. • Much easier with in mixed Swift/Objective-C binaries. • Can still write tweaks with Mobile Substrate.
  • 53. Hooking Swift Methods • Hooking getter method (works!)
  • 54. Hooking Swift Methods • Hooking setter method (kinda works…)
  • 55. Hooking Swift Methods • Certain functions in Swift are inlined and the class constructor is one of them (which is directly setting the instance variable) • So in this case the setter will only be called again by the top level code. • If you call from there it works.
  • 56. Hooking Swift Methods • Changing the instance variable directly (works but not a good idea probably)
  • 58. Wrap Up • So not all hope is lost when it comes to your standard pen test workflows with Swift apps • A bit more of a pain in the arse if you don’t get access to the source code • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries.
  • 59. Next Steps • Improve the class-dump-s script :) • Runtime inspection (was going to demo this but ran out of time :( ) • cycript works but not as straightforward as with Objective-C • LLDB works well if you are familiar with it • Will hopefully write a blog post soon
  • 60. Q&A?