eightbit, profile picture
Uploaded byeightbit
PDF, PPTX1,482 views

Rootcon X - Reverse Engineering Swift Applications

The document discusses challenges and techniques for reverse engineering Swift apps. It notes that class dump utilities do not work on Swift binaries due to name mangling. However, the symbol table, nm tool, and swift-demangle utility can be used to retrieve function signatures. A hacked script approximates class dump output. While stripping symbols makes analysis harder, Objective-C compatibility eases the process. Other tools like classdump-dyld and disassemblers also help. Function hooking is possible but setter methods require calling from top-level code due to inlining.

Embed presentation

Download as PDF, PPTX
Reverse Engineering Swift Apps Michael Gianarakis Rootcon X 2016
# whoami @mgianarakis Director of SpiderLabs APAC at Trustwave SecTalks Organiser (@SecTalks_BNE) Flat Duck Justice Warrior #ducksec
Motivation • Seeing more and more Swift being used in apps that we test (fan boys like me tend to adopt new Apple technology quickly) • Google is even considering using Swift as a first class language on Android… (http://thenextweb.com/dd/2016/04/07/google- facebook-uber-swift/) • Wanted to dive into some of the key differences with Swift and look at the challenges with respect to Swift app pen testing • Focus is on “black box” app pen testing - for a deeper dive into Swift language RE I recommend Ryan Stortz’s talk at Infiltrate (http://infiltratecon.com/archives/swift_Ryan_Stortz.pdf)
How Does Swift Affect Testing? • Will dive into the detail in the presentation but the reality is not much in most areas, quite a bit in others? • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries. • The main thing that has changed is how you reverse engineer the application
Quick Overview of Swift
What is Swift? • Compiled language created by Apple • Released publicly in 2014 at WWDC and has seen multiple revisions since. • Open source with official implementations for iOS, OS X and Linux. • Intended to replace Objective-C eventually
Syntax (just the basics to follow along)
Syntax (just the basics to follow along)
Syntax (just the basics to follow along)
Syntax (just the basics to follow along)
Types • All basic C and Objective-C types -> String, Bool, Int , Float etc. • Collection Types -> Array, Set, Dictionary • Optional Types -> works with all types, no more nil pointers like Objective-C • Swift is a type safe language
Objective-C Compatibility • Objective-C compatibility and interoperability • Uses the same runtime environment • Still supports C and C++ in the same app but can’t be called from Swift like Objective-C • Can allow for some dynamic features and runtime manipulation
Other Language Features • Barely scratched the surface • Structs, Protocols, Extensions, Closures, Enumerations, Optionals, Generics, Type Casting, Access Control, Error Handling, Assertions…. • Automatic Reference Counting • Unicode… • var 💩 = 💩 💩 💩 💩 💩 ()
Other Language Features
Challenges Reversing Swift Apps
Challenges • Less dynamic than Objective-C • Less flexible than Objective-C in some areas • Can make it harder to do some of the standard tasks you would do on a standard app pen test • Less of an issue now because most Swift apps will include be mixed with Objective-C • Limited tooling • We will explore this in more detail
Challenges • Rapidly evolving syntax, APIs and features and Apple doesn’t care too much about breaking changes. • v1.0 - September 2014 • v1.1 - October 2014 • v1.2 - April 2015 • v2.0 - September 2015 (Open Sourced, Linux) • v2.2 - March 2016 • v3.0 - Late 2016
Reversing Swift Apps • Two primary reverse engineering activities when conducting a “black box” pen test • Dumping and analysing class information from the binary • Retrieving information at runtime using debuggers, function hooking, tracing etc.
Retrieving Class Information
Class Dump? • The most common and easiest way to retrieve class data from an Objective-C binary is the class- dump utility • class-dump-z retrieves class information and formats to look like the equivalent of an Objective- C header file • Usually one of the first things you do when looking at an app
Class Dump?
Class Dump?
What next? • So class-dump-z doesn’t work with Swift binaries :( • Now what? • Let’s start diving into the binary
Symbol Table • What do we get if we dump the symbol table?
Symbol Table • What if we look for something we know is in the binary? • nm -gUj rootcon-demo | grep printDuckType
Symbol Table • What if we look for something we know is in the binary?
Name Mangling • Looks promising but it’s a far cry from the output of class-dump and is kind of hard to make out • Swift stores metadata about a function in it’s symbols in the process “mangling” the name.
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters
Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’s a Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters Return Type
Function Attributes f Normal function s Setter g Getter d Destructor D Deallocator c Constructor C Allocator
Return Types a Array b Boolean c Unicode Scalar d Double f Float i Integer u Unsigned Integer Q Implicitly Unwrapped Optional S String
swift-demangle • So now we know roughly the way the names are mangle you could use this to create a script that “de-mangles” the names • Apple has already thought of that and includes a utility called swift-demangle to do just that
swift-demangle
swift-demangle • With nm and swift-demangle and some shell scripting you should be able to easily grab the function signatures from an app • Should be all you need to get basically the same information you would from class-dump to start assessing the app
class-dump-s • Hacked together script that demangles names and formats the output to approximate the output of class-dump • Written in Swift
Demo
Stripped Binaries • CAVEAT: If the developer stripped symbols from the binary then these techniques obviously won’t work. • Reverse engineering stripped binaries is a bit more complicated
Objective-C Compatibility • Part of the reason it’s much easier to get class information from Objective-C binaries is because it’s necessary for the Objective-C runtime to have that info • So what happens when you import Objective-C frameworks or use Objective-C in your app?
Revisiting Class Dump • The latest branch of class-dump by Steven Nygard (the original class-dump utility) has limited support for Swift. • Need to download and build from source (no binary release yet) • https://github.com/nygard/class-dump
Revisiting Class Dump
Demo
Revisiting Class Dump
Revisiting Class Dump
Revisiting Class Dump
Other Options
Other Options • classdump-dyld (successor to weakclassdump.cy) • Disassemblers (i.e. Hopper, IDA Pro) • Necessary for lower level insight into the app • To demangle Swift function names https:// github.com/Januzellij/hopperscripts • cycript? frida?
Function Hooking
Hooking Swift Methods • Still possible. • Much easier with in mixed Swift/Objective-C binaries. • Can still write tweaks with Mobile Substrate.
Hooking Swift Methods
Hooking Swift Methods • Hooking getter method (works!)
Hooking Swift Methods • Hooking setter method (kinda works…)
Hooking Swift Methods • Certain functions in Swift are inlined and the class constructor is one of them (which is directly setting the instance variable) • So in this case the setter will only be called again by the top level code. • If you call from there it works.
Hooking Swift Methods • Changing the instance variable directly (works but not a good idea probably)
Wrap Up
Wrap Up • So not all hope is lost when it comes to your standard pen test workflows with Swift apps • A bit more of a pain in the arse if you don’t get access to the source code • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries.
Next Steps • Improve the class-dump-s script :) • Remove dependency on swift-demagle • Ivars, stripped binaries? • Runtime inspection • cycript works but not as straightforward as with Objective-C • LLDB works well if you are familiar with it • Will hopefully write a blog post soon
Q&A?

More Related Content

PPTX
Multithreading models.ppt
byLuis Goldster
 
PDF
BIGDATA ANALYTICS LAB MANUAL final.pdf
byANJALAI AMMAL MAHALINGAM ENGINEERING COLLEGE
 
PPTX
Raid
byPiyush Rochwani
 
PPTX
Consistency in NoSQL
byDr-Dipali Meher
 
PPT
Unit 4
byRavi Kumar
 
PPTX
CLOUD ARCHITECTURE AND SERVICES.pptx
byDr Geetha Mohan
 
PDF
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...
byAndrei Kholodnyi
 
PPT
cloud computing:Types of virtualization
byDr.Neeraj Kumar Pandey
 
Multithreading models.ppt
byLuis Goldster
 
BIGDATA ANALYTICS LAB MANUAL final.pdf
byANJALAI AMMAL MAHALINGAM ENGINEERING COLLEGE
 
Raid
byPiyush Rochwani
 
Consistency in NoSQL
byDr-Dipali Meher
 
Unit 4
byRavi Kumar
 
CLOUD ARCHITECTURE AND SERVICES.pptx
byDr Geetha Mohan
 
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...
byAndrei Kholodnyi
 
cloud computing:Types of virtualization
byDr.Neeraj Kumar Pandey
 

What's hot

PPTX
Cloud computing hybrid architecture
byAbhijeet Singh
 
PPTX
Dockers and containers basics
bySourabh Saxena
 
PPTX
Virtualization Vs. Containers
byactualtechmedia
 
PPTX
HADOOP TECHNOLOGY ppt
bysravya raju
 
PPT
3. challenges
byAbDul ThaYyal
 
PPTX
Docker Networking Overview
bySreenivas Makam
 
PPTX
cluster computing
byanjalibhandari11011995
 
PPTX
Google BigTable
byNew York City College of Technology Computer Systems Technology Colloquium
 
PPTX
Design of Hadoop Distributed File System
byDr. C.V. Suresh Babu
 
PPTX
Version Stamps in NOSQL Databases
byDr-Dipali Meher
 
KEY
Testing Hadoop jobs with MRUnit
byEric Wendelin
 
PPTX
Parallel Computing on the GPU
byTilani Gunawardena PhD(UNIBAS), BSc(Pera), FHEA(UK), CEng, MIESL
 
PPT
Containers 101
byBlack Duck by Synopsys
 
PPT
Design patterns ppt
byAman Jain
 
PPT
Cloud deployment models
byAshok Kumar
 
PDF
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
byOpenStack
 
PPTX
CCS334 BIG DATA ANALYTICS Session 3 Distributed models.pptx
byGuru Nanak Technical Institutions
 
ODP
ansible why ?
byYashar Esmaildokht
 
PPTX
An Overview of Apache Cassandra
byDataStax
 
PPTX
Implementation levels of virtualization
byGokulnath S
 
Cloud computing hybrid architecture
byAbhijeet Singh
 
Dockers and containers basics
bySourabh Saxena
 
Virtualization Vs. Containers
byactualtechmedia
 
HADOOP TECHNOLOGY ppt
bysravya raju
 
3. challenges
byAbDul ThaYyal
 
Docker Networking Overview
bySreenivas Makam
 
cluster computing
byanjalibhandari11011995
 
Google BigTable
byNew York City College of Technology Computer Systems Technology Colloquium
 
Design of Hadoop Distributed File System
byDr. C.V. Suresh Babu
 
Version Stamps in NOSQL Databases
byDr-Dipali Meher
 
Testing Hadoop jobs with MRUnit
byEric Wendelin
 
Parallel Computing on the GPU
byTilani Gunawardena PhD(UNIBAS), BSc(Pera), FHEA(UK), CEng, MIESL
 
Containers 101
byBlack Duck by Synopsys
 
Design patterns ppt
byAman Jain
 
Cloud deployment models
byAshok Kumar
 
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
byOpenStack
 
CCS334 BIG DATA ANALYTICS Session 3 Distributed models.pptx
byGuru Nanak Technical Institutions
 
ansible why ?
byYashar Esmaildokht
 
An Overview of Apache Cassandra
byDataStax
 
Implementation levels of virtualization
byGokulnath S
 

Similar to Rootcon X - Reverse Engineering Swift Applications

PDF
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
byeightbit
 
PDF
Learning Swift: A Stupid Way -- How to use Swift API in private frameworks
byKoan-Sin Tan
 
PDF
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
 
PPTX
iOS Application Exploitation
byPositive Hack Days
 
PDF
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
 
PDF
Swift, swiftly
byJack Nutting
 
PDF
Swift2 smalltalk osxdev
byJung Kim
 
PDF
Facilitating Idiomatic Swift with Objective-C
byAaron Taylor
 
PDF
Swift - Under the Hood
byC4Media
 
PDF
Advanced Swift Updated For Swift 5 Chris Eidhof
byjksjzdl5949
 
PDF
Denis Lebedev, Swift
byYandex
 
PDF
iOS Application Security
byEgor Tolstoy
 
PDF
Swift for-rubyists
byMichael Yagudaev
 
PDF
The Swift Compiler and Standard Library
bySantosh Rajan
 
PPTX
Swift Bengaluru Meetup slides
byPushkar Kulkarni
 
PDF
What Makes Objective C Dynamic?
byKyle Oba
 
PDF
Intro toswift1
byJordan Morgan
 
PDF
iOS NSAgora #3: Objective-C vs. Swift
byAlex Cristea
 
PDF
Ios 12 Programming Fundamentals With Swift Swift Xcode And Cocoa Basics 5th E...
byjoettealhadi
 
PDF
Open Source Swift Under the Hood
byC4Media
 
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
byeightbit
 
Learning Swift: A Stupid Way -- How to use Swift API in private frameworks
byKoan-Sin Tan
 
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
 
iOS Application Exploitation
byPositive Hack Days
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
byeightbit
 
Swift, swiftly
byJack Nutting
 
Swift2 smalltalk osxdev
byJung Kim
 
Facilitating Idiomatic Swift with Objective-C
byAaron Taylor
 
Swift - Under the Hood
byC4Media
 
Advanced Swift Updated For Swift 5 Chris Eidhof
byjksjzdl5949
 
Denis Lebedev, Swift
byYandex
 
iOS Application Security
byEgor Tolstoy
 
Swift for-rubyists
byMichael Yagudaev
 
The Swift Compiler and Standard Library
bySantosh Rajan
 
Swift Bengaluru Meetup slides
byPushkar Kulkarni
 
What Makes Objective C Dynamic?
byKyle Oba
 
Intro toswift1
byJordan Morgan
 
iOS NSAgora #3: Objective-C vs. Swift
byAlex Cristea
 
Ios 12 Programming Fundamentals With Swift Swift Xcode And Cocoa Basics 5th E...
byjoettealhadi
 
Open Source Swift Under the Hood
byC4Media
 

More from eightbit

PDF
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
byeightbit
 
PDF
AusCERT - Developing Secure iOS Applications
byeightbit
 
PDF
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
byeightbit
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
PDF
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
byeightbit
 
AusCERT - Developing Secure iOS Applications
byeightbit
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
byeightbit
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
byeightbit
 

Recently uploaded

PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
apidays New York 2025 | AI in Application Security
byapidays
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 

Rootcon X - Reverse Engineering Swift Applications

  • 1.
    Reverse Engineering Swift Apps MichaelGianarakis Rootcon X 2016
  • 2.
    # whoami @mgianarakis Director ofSpiderLabs APAC at Trustwave SecTalks Organiser (@SecTalks_BNE) Flat Duck Justice Warrior #ducksec
  • 3.
    Motivation • Seeing moreand more Swift being used in apps that we test (fan boys like me tend to adopt new Apple technology quickly) • Google is even considering using Swift as a first class language on Android… (http://thenextweb.com/dd/2016/04/07/google- facebook-uber-swift/) • Wanted to dive into some of the key differences with Swift and look at the challenges with respect to Swift app pen testing • Focus is on “black box” app pen testing - for a deeper dive into Swift language RE I recommend Ryan Stortz’s talk at Infiltrate (http://infiltratecon.com/archives/swift_Ryan_Stortz.pdf)
  • 4.
    How Does SwiftAffect Testing? • Will dive into the detail in the presentation but the reality is not much in most areas, quite a bit in others? • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries. • The main thing that has changed is how you reverse engineer the application
  • 5.
  • 6.
    What is Swift? •Compiled language created by Apple • Released publicly in 2014 at WWDC and has seen multiple revisions since. • Open source with official implementations for iOS, OS X and Linux. • Intended to replace Objective-C eventually
  • 7.
    Syntax (just thebasics to follow along)
  • 8.
    Syntax (just thebasics to follow along)
  • 9.
    Syntax (just thebasics to follow along)
  • 10.
    Syntax (just thebasics to follow along)
  • 11.
    Types • All basicC and Objective-C types -> String, Bool, Int , Float etc. • Collection Types -> Array, Set, Dictionary • Optional Types -> works with all types, no more nil pointers like Objective-C • Swift is a type safe language
  • 12.
    Objective-C Compatibility • Objective-Ccompatibility and interoperability • Uses the same runtime environment • Still supports C and C++ in the same app but can’t be called from Swift like Objective-C • Can allow for some dynamic features and runtime manipulation
  • 13.
    Other Language Features •Barely scratched the surface • Structs, Protocols, Extensions, Closures, Enumerations, Optionals, Generics, Type Casting, Access Control, Error Handling, Assertions…. • Automatic Reference Counting • Unicode… • var 💩 = 💩 💩 💩 💩 💩 ()
  • 14.
  • 15.
  • 16.
    Challenges • Less dynamicthan Objective-C • Less flexible than Objective-C in some areas • Can make it harder to do some of the standard tasks you would do on a standard app pen test • Less of an issue now because most Swift apps will include be mixed with Objective-C • Limited tooling • We will explore this in more detail
  • 17.
    Challenges • Rapidly evolvingsyntax, APIs and features and Apple doesn’t care too much about breaking changes. • v1.0 - September 2014 • v1.1 - October 2014 • v1.2 - April 2015 • v2.0 - September 2015 (Open Sourced, Linux) • v2.2 - March 2016 • v3.0 - Late 2016
  • 18.
    Reversing Swift Apps •Two primary reverse engineering activities when conducting a “black box” pen test • Dumping and analysing class information from the binary • Retrieving information at runtime using debuggers, function hooking, tracing etc.
  • 19.
  • 20.
    Class Dump? • Themost common and easiest way to retrieve class data from an Objective-C binary is the class- dump utility • class-dump-z retrieves class information and formats to look like the equivalent of an Objective- C header file • Usually one of the first things you do when looking at an app
  • 21.
  • 22.
  • 23.
    What next? • Soclass-dump-z doesn’t work with Swift binaries :( • Now what? • Let’s start diving into the binary
  • 24.
    Symbol Table • Whatdo we get if we dump the symbol table?
  • 25.
    Symbol Table • Whatif we look for something we know is in the binary? • nm -gUj rootcon-demo | grep printDuckType
  • 26.
    Symbol Table • Whatif we look for something we know is in the binary?
  • 27.
    Name Mangling • Lookspromising but it’s a far cry from the output of class-dump and is kind of hard to make out • Swift stores metadata about a function in it’s symbols in the process “mangling” the name.
  • 28.
  • 29.
  • 30.
    Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’sa Swift method Indicates it’s a function Function of a class
  • 31.
    Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’sa Swift method Indicates it’s a function Function of a class Module name with length
  • 32.
    Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’sa Swift method Indicates it’s a function Function of a class Module name with length Class name with length
  • 33.
    Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’sa Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length
  • 34.
    Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’sa Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute
  • 35.
    Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’sa Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters
  • 36.
    Name Mangling __TFC12rootcon_demo4Duck13printDuckTypefT_T_ Indicates it’sa Swift method Indicates it’s a function Function of a class Module name with length Class name with length Function name with length Function attribute Parameters Return Type
  • 37.
    Function Attributes f Normalfunction s Setter g Getter d Destructor D Deallocator c Constructor C Allocator
  • 38.
    Return Types a Array bBoolean c Unicode Scalar d Double f Float i Integer u Unsigned Integer Q Implicitly Unwrapped Optional S String
  • 39.
    swift-demangle • So nowwe know roughly the way the names are mangle you could use this to create a script that “de-mangles” the names • Apple has already thought of that and includes a utility called swift-demangle to do just that
  • 40.
  • 41.
    swift-demangle • With nmand swift-demangle and some shell scripting you should be able to easily grab the function signatures from an app • Should be all you need to get basically the same information you would from class-dump to start assessing the app
  • 42.
    class-dump-s • Hacked togetherscript that demangles names and formats the output to approximate the output of class-dump • Written in Swift
  • 43.
  • 44.
    Stripped Binaries • CAVEAT:If the developer stripped symbols from the binary then these techniques obviously won’t work. • Reverse engineering stripped binaries is a bit more complicated
  • 45.
    Objective-C Compatibility • Partof the reason it’s much easier to get class information from Objective-C binaries is because it’s necessary for the Objective-C runtime to have that info • So what happens when you import Objective-C frameworks or use Objective-C in your app?
  • 46.
    Revisiting Class Dump •The latest branch of class-dump by Steven Nygard (the original class-dump utility) has limited support for Swift. • Need to download and build from source (no binary release yet) • https://github.com/nygard/class-dump
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
    Other Options • classdump-dyld(successor to weakclassdump.cy) • Disassemblers (i.e. Hopper, IDA Pro) • Necessary for lower level insight into the app • To demangle Swift function names https:// github.com/Januzellij/hopperscripts • cycript? frida?
  • 54.
  • 55.
    Hooking Swift Methods •Still possible. • Much easier with in mixed Swift/Objective-C binaries. • Can still write tweaks with Mobile Substrate.
  • 56.
  • 57.
    Hooking Swift Methods •Hooking getter method (works!)
  • 58.
    Hooking Swift Methods •Hooking setter method (kinda works…)
  • 59.
    Hooking Swift Methods •Certain functions in Swift are inlined and the class constructor is one of them (which is directly setting the instance variable) • So in this case the setter will only be called again by the top level code. • If you call from there it works.
  • 60.
    Hooking Swift Methods •Changing the instance variable directly (works but not a good idea probably)
  • 61.
  • 62.
    Wrap Up • Sonot all hope is lost when it comes to your standard pen test workflows with Swift apps • A bit more of a pain in the arse if you don’t get access to the source code • Most issues in iOS and OS X apps are due to poor design decisions or misconfiguration and incorrect implementation of Apple and third party frameworks and libraries.
  • 63.
    Next Steps • Improvethe class-dump-s script :) • Remove dependency on swift-demagle • Ivars, stripped binaries? • Runtime inspection • cycript works but not as straightforward as with Objective-C • LLDB works well if you are familiar with it • Will hopefully write a blog post soon
  • 64.