SlideShare a Scribd company logo

iOS recon with Radare2

NowSecure
NowSecure

Originally presented April 4, 2020 @ VirSecCon2020

Technology
1 of 9
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. iOS recon with r2 Dawn Isabel Mobile Security Research Engineer
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Portable reverse engineering framework ▪ Assemble / disassemble ▪ Analyze and emulate code ▪ Native debugger ▪ Various interactive modes ▪ Control-flow graphs ▪ Automate your mobile app static analysis 2 What is radare2, and why use it?
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Apps are packaged in a zip file ▪ Native binaries will be ▪ Objective-C ▪ Swift ▪ C, C++ ▪ Analysis and emulation makes our job easier! ▪ aar - Analyze opcode absolute and relative references ▪ aae - Emulate code to identify new pointer references ▪ aao - Analyze all objc references ▪ e emu.str=true – Enable string emulation 3 iOS binary basics
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Why use multiple tools? ▪ i – Binary information ▪ il – List libraries ▪ ic / icc – Examine and dump classes ▪ izz – Dump and search strings 4 Gathering basic app info
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Objective-C methods are invoked using message-passing ▪ objc_msgSend ▪ arg0: class or instance receiving the message ▪ arg1: method name / “selector” ▪ arg2…argN: method arguments ▪ Finding cross-references to methods requires looking for the selector string, not the address of the method implementation 5 Finding method cross-references
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ izz~ / izzq~ - Search for a string ▪ axt – Find cross-references (xrefs) to an address ▪ s – Seek to address ▪ n / N - Jump next / previous flag ▪ df – Define function ▪ pdsf – Print disassemble summary for function 6 Simple Workflow – finding functions and references
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ _ - Search using HUD ▪ x – Find xrefs to/from data ▪ u / U – Undo / redo seek ▪ p – change view ▪ V – Graph mode! 7 Getting fancy - visual mode
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Recon can be easily automated using python and r2pipe import r2pipe r2 = r2pipe.open("ipa://decrypted-app.ipa") print("[*] Dumping classes...") r2.cmd('icc > classdump.txt') print("[*] Dumping strings...") r2.cmd("izz > strings.txt") 8 Automation with r2pipe
© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ https://rada.re/n/ ▪ https://radare.gitbooks.io/radare2book/ ▪ https://www.youtube.com/results?search_query=r2con ▪ https://github.com/prateek147/DVIA Dawn Isabel (she/her) @dawnisabel 9 Happy hacking!

Recommended

Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycriptn|u - The Open Security Community
 
System models 2 in distributed system
System models 2 in distributed systemSystem models 2 in distributed system
System models 2 in distributed systemishapadhy
 
Algoritmos 05 - Estruturas de repetição
Algoritmos 05 - Estruturas de repetiçãoAlgoritmos 05 - Estruturas de repetição
Algoritmos 05 - Estruturas de repetiçãoProfessor Samuel Ribeiro
 
Programas Desarrolla Aplicaciones Moviles
Programas Desarrolla Aplicaciones MovilesProgramas Desarrolla Aplicaciones Moviles
Programas Desarrolla Aplicaciones MovilesSykesPonce
 
Aula 7 pc - estrutura
Aula 7 pc - estruturaAula 7 pc - estrutura
Aula 7 pc - estruturaElaine Cecília Gatto
 
Introduction to System Calls
Introduction to System CallsIntroduction to System Calls
Introduction to System CallsVandana Salve
 
POO - Aula 10 - Polimorfismo
POO - Aula 10 - PolimorfismoPOO - Aula 10 - Polimorfismo
POO - Aula 10 - PolimorfismoFelipe J. R. Vieira
 
Process Management in Android
Process Management in AndroidProcess Management in Android
Process Management in AndroidShrey Verma
 

Recommended

Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycriptn|u - The Open Security Community
 
System models 2 in distributed system
System models 2 in distributed systemSystem models 2 in distributed system
System models 2 in distributed systemishapadhy
 
Algoritmos 05 - Estruturas de repetição
Algoritmos 05 - Estruturas de repetiçãoAlgoritmos 05 - Estruturas de repetição
Algoritmos 05 - Estruturas de repetiçãoProfessor Samuel Ribeiro
 
Programas Desarrolla Aplicaciones Moviles
Programas Desarrolla Aplicaciones MovilesProgramas Desarrolla Aplicaciones Moviles
Programas Desarrolla Aplicaciones MovilesSykesPonce
 
Aula 7 pc - estrutura
Aula 7 pc - estruturaAula 7 pc - estrutura
Aula 7 pc - estruturaElaine Cecília Gatto
 
Introduction to System Calls
Introduction to System CallsIntroduction to System Calls
Introduction to System CallsVandana Salve
 
POO - Aula 10 - Polimorfismo
POO - Aula 10 - PolimorfismoPOO - Aula 10 - Polimorfismo
POO - Aula 10 - PolimorfismoFelipe J. R. Vieira
 
Process Management in Android
Process Management in AndroidProcess Management in Android
Process Management in AndroidShrey Verma
 
Coding standard
Coding standardCoding standard
Coding standardFAROOK Samath
 
Method Overloading In Java
Method Overloading In JavaMethod Overloading In Java
Method Overloading In JavaCharthaGaglani
 
Polymorphism in oop
Polymorphism in oopPolymorphism in oop
Polymorphism in oopMustafaIbrahimy
 
Bankers algorithm
Bankers algorithmBankers algorithm
Bankers algorithmAAQIB PARREY
 
Operating system 24 mutex locks and semaphores
Operating system 24 mutex locks and semaphoresOperating system 24 mutex locks and semaphores
Operating system 24 mutex locks and semaphoresVaibhav Khanna
 
Deadlock Prevention
Deadlock PreventionDeadlock Prevention
Deadlock Preventionprachi mewara
 
Virtual memory ppt
Virtual memory pptVirtual memory ppt
Virtual memory pptRITULDE
 
Operating System Process Synchronization
Operating System Process SynchronizationOperating System Process Synchronization
Operating System Process SynchronizationHaziq Naeem
 
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...Philip Schwarz
 
The Art Of Debugging
The Art Of DebuggingThe Art Of Debugging
The Art Of Debuggingsvilen.ivanov
 
System call
System callSystem call
System callSumant Diwakar
 
Ferramentas Case de Teste
Ferramentas Case de TesteFerramentas Case de Teste
Ferramentas Case de TesteBeatriz Marques
 
Deadlock Avoidance - OS
Deadlock Avoidance - OSDeadlock Avoidance - OS
Deadlock Avoidance - OSMsAnita2
 
Implementation of FIFO in Linux
Implementation of FIFO in LinuxImplementation of FIFO in Linux
Implementation of FIFO in LinuxTushar B Kute
 
Writing php extensions in golang
Writing php extensions in golangWriting php extensions in golang
Writing php extensions in golangdo_aki
 
Deadlock and Banking Algorithm
Deadlock and Banking AlgorithmDeadlock and Banking Algorithm
Deadlock and Banking AlgorithmMD.ANISUR RAHMAN
 
2 Object Oriented Programming
2 Object Oriented Programming2 Object Oriented Programming
2 Object Oriented ProgrammingPraveen M Jigajinni
 
Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Israel Messias
 
Chapter 7 - Deadlocks
Chapter 7 - DeadlocksChapter 7 - Deadlocks
Chapter 7 - DeadlocksWayne Jones Jnr
 
polymorphism ppt
polymorphism pptpolymorphism ppt
polymorphism pptsheetal singh
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
How To Use Scala At Work - Airframe In Action at Arm Treasure Data
How To Use Scala At Work - Airframe In Action at Arm Treasure DataHow To Use Scala At Work - Airframe In Action at Arm Treasure Data
How To Use Scala At Work - Airframe In Action at Arm Treasure DataTaro L. Saito
 

More Related Content

What's hot

Method Overloading In Java
Method Overloading In JavaMethod Overloading In Java
Method Overloading In JavaCharthaGaglani
 
Operating system 24 mutex locks and semaphores
Operating system 24 mutex locks and semaphoresOperating system 24 mutex locks and semaphores
Operating system 24 mutex locks and semaphoresVaibhav Khanna
 
Virtual memory ppt
Virtual memory pptVirtual memory ppt
Virtual memory pptRITULDE
 
Operating System Process Synchronization
Operating System Process SynchronizationOperating System Process Synchronization
Operating System Process SynchronizationHaziq Naeem
 
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...Philip Schwarz
 
The Art Of Debugging
The Art Of DebuggingThe Art Of Debugging
The Art Of Debuggingsvilen.ivanov
 
Ferramentas Case de Teste
Ferramentas Case de TesteFerramentas Case de Teste
Ferramentas Case de TesteBeatriz Marques
 
Deadlock Avoidance - OS
Deadlock Avoidance - OSDeadlock Avoidance - OS
Deadlock Avoidance - OSMsAnita2
 
Implementation of FIFO in Linux
Implementation of FIFO in LinuxImplementation of FIFO in Linux
Implementation of FIFO in LinuxTushar B Kute
 
Writing php extensions in golang
Writing php extensions in golangWriting php extensions in golang
Writing php extensions in golangdo_aki
 
Deadlock and Banking Algorithm
Deadlock and Banking AlgorithmDeadlock and Banking Algorithm
Deadlock and Banking AlgorithmMD.ANISUR RAHMAN
 
Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Israel Messias
 

What's hot (20)

Coding standard
Coding standardCoding standard
Coding standard
 
Method Overloading In Java
Method Overloading In JavaMethod Overloading In Java
Method Overloading In Java
 
Polymorphism in oop
Polymorphism in oopPolymorphism in oop
Polymorphism in oop
 
Bankers algorithm
Bankers algorithmBankers algorithm
Bankers algorithm
 
Operating system 24 mutex locks and semaphores
Operating system 24 mutex locks and semaphoresOperating system 24 mutex locks and semaphores
Operating system 24 mutex locks and semaphores
 
Deadlock Prevention
Deadlock PreventionDeadlock Prevention
Deadlock Prevention
 
Virtual memory ppt
Virtual memory pptVirtual memory ppt
Virtual memory ppt
 
Operating System Process Synchronization
Operating System Process SynchronizationOperating System Process Synchronization
Operating System Process Synchronization
 
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...
Refactoring: A First Example - Martin Fowler’s First Example of Refactoring, ...
 
The Art Of Debugging
The Art Of DebuggingThe Art Of Debugging
The Art Of Debugging
 
System call
System callSystem call
System call
 
Ferramentas Case de Teste
Ferramentas Case de TesteFerramentas Case de Teste
Ferramentas Case de Teste
 
Deadlock Avoidance - OS
Deadlock Avoidance - OSDeadlock Avoidance - OS
Deadlock Avoidance - OS
 
Implementation of FIFO in Linux
Implementation of FIFO in LinuxImplementation of FIFO in Linux
Implementation of FIFO in Linux
 
Writing php extensions in golang
Writing php extensions in golangWriting php extensions in golang
Writing php extensions in golang
 
Deadlock and Banking Algorithm
Deadlock and Banking AlgorithmDeadlock and Banking Algorithm
Deadlock and Banking Algorithm
 
2 Object Oriented Programming
2 Object Oriented Programming2 Object Oriented Programming
2 Object Oriented Programming
 
Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1
 
Chapter 7 - Deadlocks
Chapter 7 - DeadlocksChapter 7 - Deadlocks
Chapter 7 - Deadlocks
 
polymorphism ppt
polymorphism pptpolymorphism ppt
polymorphism ppt
 

Similar to iOS recon with Radare2

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
How To Use Scala At Work - Airframe In Action at Arm Treasure Data
How To Use Scala At Work - Airframe In Action at Arm Treasure DataHow To Use Scala At Work - Airframe In Action at Arm Treasure Data
How To Use Scala At Work - Airframe In Action at Arm Treasure DataTaro L. Saito
 
Aerospike Data Modeling - Meetup Dec 2019
Aerospike Data Modeling - Meetup Dec 2019Aerospike Data Modeling - Meetup Dec 2019
Aerospike Data Modeling - Meetup Dec 2019Aerospike
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Experiences with serverless for high throughput low usage applications | ryan...
Experiences with serverless for high throughput low usage applications | ryan...Experiences with serverless for high throughput low usage applications | ryan...
Experiences with serverless for high throughput low usage applications | ryan...AWSCOMSUM
 
The Cool Interface
The Cool InterfaceThe Cool Interface
The Cool InterfaceDavid Hohl
 
Deep dive into Ruby's require - RubyConf Taiwan 2023
Deep dive into Ruby's require - RubyConf Taiwan 2023Deep dive into Ruby's require - RubyConf Taiwan 2023
Deep dive into Ruby's require - RubyConf Taiwan 2023Hiroshi SHIBATA
 
Lightning Talk: From Sinatra to Grape.pdf
Lightning Talk: From Sinatra to Grape.pdfLightning Talk: From Sinatra to Grape.pdf
Lightning Talk: From Sinatra to Grape.pdfRenato675806
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 
Future of pandas
Future of pandasFuture of pandas
Future of pandasJeff Reback
 
Padrino is agnostic
Padrino is agnosticPadrino is agnostic
Padrino is agnosticTakeshi Yabe
 
Node.js Deeper Dive
Node.js Deeper DiveNode.js Deeper Dive
Node.js Deeper DiveJustin Reock
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not EnoughOnapsis Inc.
 
A Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceA Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceTim Ellison
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfAdityamd4
 
IDERA Live | Working with Complex Data Environments
IDERA Live | Working with Complex Data EnvironmentsIDERA Live | Working with Complex Data Environments
IDERA Live | Working with Complex Data EnvironmentsIDERA Software
 
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldKernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldAnne Nicolas
 
Interactive Analytics using Apache Spark
Interactive Analytics using Apache SparkInteractive Analytics using Apache Spark
Interactive Analytics using Apache SparkSachin Aggarwal
 

Similar to iOS recon with Radare2 (20)

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
 
How To Use Scala At Work - Airframe In Action at Arm Treasure Data
How To Use Scala At Work - Airframe In Action at Arm Treasure DataHow To Use Scala At Work - Airframe In Action at Arm Treasure Data
How To Use Scala At Work - Airframe In Action at Arm Treasure Data
 
Aerospike Data Modeling - Meetup Dec 2019
Aerospike Data Modeling - Meetup Dec 2019Aerospike Data Modeling - Meetup Dec 2019
Aerospike Data Modeling - Meetup Dec 2019
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Experiences with serverless for high throughput low usage applications | ryan...
Experiences with serverless for high throughput low usage applications | ryan...Experiences with serverless for high throughput low usage applications | ryan...
Experiences with serverless for high throughput low usage applications | ryan...
 
The Cool Interface
The Cool InterfaceThe Cool Interface
The Cool Interface
 
Deep dive into Ruby's require - RubyConf Taiwan 2023
Deep dive into Ruby's require - RubyConf Taiwan 2023Deep dive into Ruby's require - RubyConf Taiwan 2023
Deep dive into Ruby's require - RubyConf Taiwan 2023
 
Lightning Talk: From Sinatra to Grape.pdf
Lightning Talk: From Sinatra to Grape.pdfLightning Talk: From Sinatra to Grape.pdf
Lightning Talk: From Sinatra to Grape.pdf
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
Useful C++ Features You Should be Using
Useful C++ Features You Should be UsingUseful C++ Features You Should be Using
Useful C++ Features You Should be Using
 
Future of pandas
Future of pandasFuture of pandas
Future of pandas
 
Padrino is agnostic
Padrino is agnosticPadrino is agnostic
Padrino is agnostic
 
Node.js Deeper Dive
Node.js Deeper DiveNode.js Deeper Dive
Node.js Deeper Dive
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
 
A Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark PerformanceA Java Implementer's Guide to Better Apache Spark Performance
A Java Implementer's Guide to Better Apache Spark Performance
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdf
 
IDERA Live | Working with Complex Data Environments
IDERA Live | Working with Complex Data EnvironmentsIDERA Live | Working with Complex Data Environments
IDERA Live | Working with Complex Data Environments
 
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldKernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
 
Interactive Analytics using Apache Spark
Interactive Analytics using Apache SparkInteractive Analytics using Apache Spark
Interactive Analytics using Apache Spark
 
Scala and spark
Scala and sparkScala and spark
Scala and spark
 

More from NowSecure

From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference ArchitectureFrom Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference ArchitectureNowSecure
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsNowSecure
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecNowSecure
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
Mobile App Security Predictions 2019
Mobile App Security Predictions 2019Mobile App Security Predictions 2019
Mobile App Security Predictions 2019NowSecure
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsNowSecure
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
A Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing StrategyA Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing StrategyNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
iOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowiOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowNowSecure
 
5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security TestingNowSecure
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure
 
5 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 20185 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 2018NowSecure
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskNowSecure
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechNowSecure
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesNowSecure
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowNowSecure
 
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsVetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsNowSecure
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 

More from NowSecure (20)

From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference ArchitectureFrom Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy Enhancements
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSec
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing Blueprint
 
Mobile App Security Predictions 2019
Mobile App Security Predictions 2019Mobile App Security Predictions 2019
Mobile App Security Predictions 2019
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOps
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
 
A Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing StrategyA Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing Strategy
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to Know
 
iOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowiOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To Know
 
5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
5 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 20185 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 2018
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to Know
 
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsVetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security Essentials
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

iOS recon with Radare2

  • 1. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. iOS recon with r2 Dawn Isabel Mobile Security Research Engineer
  • 2. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Portable reverse engineering framework ▪ Assemble / disassemble ▪ Analyze and emulate code ▪ Native debugger ▪ Various interactive modes ▪ Control-flow graphs ▪ Automate your mobile app static analysis 2 What is radare2, and why use it?
  • 3. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Apps are packaged in a zip file ▪ Native binaries will be ▪ Objective-C ▪ Swift ▪ C, C++ ▪ Analysis and emulation makes our job easier! ▪ aar - Analyze opcode absolute and relative references ▪ aae - Emulate code to identify new pointer references ▪ aao - Analyze all objc references ▪ e emu.str=true – Enable string emulation 3 iOS binary basics
  • 4. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Why use multiple tools? ▪ i – Binary information ▪ il – List libraries ▪ ic / icc – Examine and dump classes ▪ izz – Dump and search strings 4 Gathering basic app info
  • 5. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Objective-C methods are invoked using message-passing ▪ objc_msgSend ▪ arg0: class or instance receiving the message ▪ arg1: method name / “selector” ▪ arg2…argN: method arguments ▪ Finding cross-references to methods requires looking for the selector string, not the address of the method implementation 5 Finding method cross-references
  • 6. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ izz~ / izzq~ - Search for a string ▪ axt – Find cross-references (xrefs) to an address ▪ s – Seek to address ▪ n / N - Jump next / previous flag ▪ df – Define function ▪ pdsf – Print disassemble summary for function 6 Simple Workflow – finding functions and references
  • 7. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ _ - Search using HUD ▪ x – Find xrefs to/from data ▪ u / U – Undo / redo seek ▪ p – change view ▪ V – Graph mode! 7 Getting fancy - visual mode
  • 8. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ Recon can be easily automated using python and r2pipe import r2pipe r2 = r2pipe.open("ipa://decrypted-app.ipa") print("[*] Dumping classes...") r2.cmd('icc > classdump.txt') print("[*] Dumping strings...") r2.cmd("izz > strings.txt") 8 Automation with r2pipe
  • 9. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. ▪ https://rada.re/n/ ▪ https://radare.gitbooks.io/radare2book/ ▪ https://www.youtube.com/results?search_query=r2con ▪ https://github.com/prateek147/DVIA Dawn Isabel (she/her) @dawnisabel 9 Happy hacking!