Download as PDF, PPTX
Uploaded byviaForensics
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
This document discusses analyzing and abusing iOS applications at runtime using Cycript. It begins with an overview of the Mach-O binary format and class-dump-z tool for analyzing iOS application binaries. It then covers decrypting encrypted App Store applications and using Cycript to modify runtime behavior by directly accessing classes, methods, and variables. Examples are given of bypassing locks and retrieving sensitive data from applications like Evernote. The document concludes with recommendations for securing applications by making the runtime more resistant to tampering.
More Related Content
![[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...](https://cdn.slidesharecdn.com/ss_thumbnails/day3-04-140412124031-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
![Wahckon[2] - iOS Runtime Hacking Crash Course](https://cdn.slidesharecdn.com/ss_thumbnails/wahckon2-170531224825-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Wroclaw #2] iOS Security - 101](https://cdn.slidesharecdn.com/ss_thumbnails/owaspios101-160429210915-thumbnail.jpg?width=640&height=640&fit=bounds)
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
- 1. SESSION ID: HackingiOS on the Run: Using Cycript HTA-R04A Sebastián Guerrero Mobile Security Analyst viaForensics @0xroot
- 2. #RSAC Agenda Analyzing binaries Encrypted binaries Abusing the Runtime with Cycript Securing the Runtime 2
- 3.
- 4. #RSAC iOS AppArchitecture 4
- 5. #RSAC The Mach-Oformat 5 Header Target architecture Load commands Location of symbol table Shared libraries Data Organized in segments
- 6. #RSAC The Mach-Oformat Header section can be inspected using Otool utility ‘Load command’ section can be analyzed too 6
- 7. #RSAC Introduction toclass-dump-z Outputs the equivalent of an Objective-C header Classes compiled into the program Its associated methods Instance variables and properties 7
- 8.
- 9. #RSAC Encrypted binaries AppStore binaries are always encrypted Similar to FairPlay DRM used on iTunes music Self distributed apps are not encrypted Loader decrypts the apps when loaded into memory Debugger can be used to dump the decrypted app from memory Manual process is tedious, there are tools available: Craculous, Clutch, Installous 9
- 10. #RSAC Decrypting iOSApps Find the starting offset and the size of the encrypted data in the app binary. Find the memory loading address of the application (changes every time the app is compiled with PIE). Dump the decrypted portion of the application from memory using a debugger. Overwrite the application’s encrypted area with the dumped binary data. Change the cycript value to 0. 10
- 11.
- 12. Abusing the runtimewith Cycript
- 14. #RSAC Cycript Combination of JavaScript and Objective-C interpreter App runtime can be easily modified using Cycript Can be hooked to a running process Gives access to all classes and instance variables within the app Used for runtime analysis Bypass security locks / Authentication Bypass attacks Access sensitive information from memory Accessing restricted areas of the applications 14
- 15. #RSAC iOS AppExecution Flow 15
- 16. #RSAC Breaking simplelocks Create object for the class and directly access the instance variables and invoke methods 16
- 17. #RSAC Trawling fordata Instance variables – Provides a simple way to display an object’s instance variable 17
- 18. #RSAC Trawling fordata Methods– List methods as well as memory locations of their respective implementations 18
- 19. #RSAC Trawling fordata Classes – A complete listing of classes can be dumped by referencing Cycript’s built-in ObjectiveC object cy# ObjectiveC.classes 19
- 20. #RSAC Evernote Demo 20 Activate premium features. Retrieve the PIN access code. Disable PIN access code.
- 21.
- 22. #RSAC More seriousimplications Fun applications aren’t the only programs suffering from terrible security holes in their applications. Financial and enterprise applications are just as bad. Personal data vaults Payment processing applications Electronic banking … 22
- 23.
- 24. #RSAC Securing theRuntime Tamper response Process trace checking Blocking debuggers Runtime Class integrity checks Complicating disassembly 24
- 25. #RSAC Summary Mobile devices are a hostile environment Is important to protect your apps Identify the common app vulnerabilities and remediate them 25
- 26. #RSAC References https://viaforensics.com/blog/ https://viaforensics.com/resources/reports/best-practices-ios-android- secure-mobile-development/ http://www.cycript.org/ http://resources.infosecinstitute.com/ios-application-security-part-8- method-swizzling-using-cycript/ http://resources.infosecinstitute.com/ios-application-security-part-4- runtime-analysis-using-cycript-yahoo-weather-app/ 26
- 27. #RSAC Q&A |Contact | Feedback Thanks for listening… @0xroot github/0xroot sguerrero@viaforensics.com 27