RUNTIME ANALYSIS ON MOBILE APPLICATIONS (IOS)
SANDEEP JAYASHANKAR
ABOUT ME
• An amateur presenter
• Principal Consultant, Protiviti, Philadelphia
• Web Application Security
• Mobile Application Security
• Penetration Testing and Ethical Hacking
• Red Teaming
• Twitter: @sandeep_j
• Linkedin: https://linkedin.com/in/sandeepjayashankar
WHAT’S THIS ABOUT?
• Main Agenda:
• What hooking is and how it works
• How it is done in iOS applications
• Tools we can use
• Advantages of runtime analysis
• Demo:
• Insecure Data Storage
• Broken Cryptography
• Sensitive Information in memory
• Bypassing Client-Side Checks
• Jailbreak Detection Bypass – at runtime
• Certificate Pinning Bypass
SIMPLY HOOKING
• A call to a method (the app's own, or a system API it uses) is intercepted before the original code runs.
• Control is rerouted to replacement code supplied by the tester, which can inspect or change the arguments, call the original implementation if it wants to, and decide what to return.
• Once the replacement code finishes, control returns to the calling function, which cannot tell that anything was intercepted.
HOOKING IN PRACTICE - INJECTING "TWEAKS"
• Cydia Substrate (formerly MobileSubstrate) – requires jailbreak
• Allows runtime patches (tweaks/extensions) to system and application code
• MobileHooker – hooks and replaces Objective-C methods and C functions (MSHookMessageEx / MSHookFunction)
• MobileLoader – loads tweak dylibs into target processes at launch, selected by a filter plist (bundle ID, class or executable name)
• Ref: http://www.cydiasubstrate.com/id/264d6581-a762-4343-9605-729ef12ff0af
• Theos Development Suite
• Mainly used to build and deploy iOS apps and tweaks without Xcode.
• Tweaks are written in Logos (%hook / %orig directives on top of Objective-C) and installed on jailbroken devices.
• Ref: http://iphonedevwiki.net/index.php/Theos/Setup
HOOKING IN PRACTICE - INJECTING INTERPRETERS
• Cycript (Ref: http://www.cycript.org)
• A hybrid of JavaScript and Objective-C syntax with an interactive console.
• Injects a JavaScript interpreter into a running application through Cydia Substrate
• Can perform runtime manipulations on-the-fly: enumerate live instances with choose(ClassName), read and write their properties, call methods, and replace method implementations. – requires jailbreak
• Can also be linked into the app as a library for debugging purposes. – doesn't require jailbreak
• Usage for runtime manipulations:
• Identify the iOS application's process ID (e.g. ps aux | grep <AppName> in an SSH session on the device)
• Attach cycript to it (syntax: cycript -p <PID>)
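The three steps on the "Simply Hooking" slide (intercept, run replacement code, return to the caller) as a minimal Cydia Substrate tweak. This is an added example, not code from the talk, from DVIA or from Substrate's own documentation. It hooks the -[RuntimeManipulationDetailsVC isLoginValidated] method that the speaker notes bypass with Cycript, and assumes that method has the signature -(BOOL)isLoginValidated; the tweak name, filter plist and bundle ID are hypothetical. It is also the persistent form of the "Bypassing client-side checks" demo: Cycript changes the live process for one session, a tweak re-applies the change every time MobileLoader injects it.

```objective-c
// Added example (not code from the talk, DVIA or Substrate). A minimal Substrate tweak that
// hooks -[RuntimeManipulationDetailsVC isLoginValidated] (class and selector as named in the
// talk's Cycript notes; assumed to exist with the signature -(BOOL)isLoginValidated).
// Build with Theos as Tweak.xm; MobileLoader injects the resulting dylib into every process
// matched by the filter plist next to it, e.g. (hypothetical tweak name and bundle ID):
//   /Library/MobileSubstrate/DynamicLibraries/LoginHook.plist
//   { Filter = { Bundles = ( "com.example.dvia" ); }; }
#import <Foundation/Foundation.h>
#import <substrate.h>   // Cydia Substrate: MSHookMessageEx

// Slot for the original implementation. MSHookMessageEx fills it in, so the replacement can
// still call the code it displaced.
static BOOL (*orig_isLoginValidated)(id self, SEL _cmd);

// Replacement implementation: control lands here instead of in the app's own method.
static BOOL hook_isLoginValidated(id self, SEL _cmd) {
    // Step 1: observe. Run the original and log what the app would have decided.
    BOOL original = orig_isLoginValidated(self, _cmd);
    NSLog(@"[LoginHook] -[%@ %@] would return %d; overriding to YES",
          NSStringFromClass([self class]), NSStringFromSelector(_cmd), original);
    // Step 2: return to the caller with the value we choose. The caller cannot tell whether
    // the original or the replacement produced it.
    return YES;
}

// Runs when the dylib is loaded, i.e. before the app's own code has started. The main
// executable is already mapped at this point, so its classes can be looked up by name.
__attribute__((constructor)) static void installHooks(void) {
    Class target = NSClassFromString(@"RuntimeManipulationDetailsVC");
    if (target == Nil) {
        NSLog(@"[LoginHook] target class not in this process; nothing hooked");
        return;
    }
    MSHookMessageEx(target, @selector(isLoginValidated),
                    (IMP)hook_isLoginValidated, (IMP *)&orig_isLoginValidated);
    NSLog(@"[LoginHook] hooked -[RuntimeManipulationDetailsVC isLoginValidated]");
}
```

With Theos, `make package install` builds the dylib, packages it as a .deb and installs it over SSH; relaunch the app and watch the NSLog lines in the device console. The one-session equivalent from the speaker notes is `RuntimeManipulationDetailsVC.prototype.isLoginValidated = function () { return true; }` typed into `cycript -p <PID>`.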
HOOKING IN PRACTICE – A GUI TOOL NAMED SNOOP-IT
• Monitors:
• File system access (including the data protection class of each file touched)
• Keychain access (including the accessibility attribute of each item)
• Network traffic
• Cryptographic library calls (including each function's input/output parameters: keys, IVs, plaintext and ciphertext)
• Analyze:
• All Objective-C classes loaded in the process and their methods
• The ViewControllers live at that point in time.
• Can invoke any available method on a live object with arguments of your choosing
WHY RUNTIME ANALYSIS ?
• Know the internals of the iOS application – when performing black box testing
• Monitor any changes to application files, keychain items, etc.
• See the data before it is written (the plaintext handed to the file or crypto API), not just the file afterwards.
• Runtime Method Tracing – while performing black box testing
• Bypass client-side restrictions – specifically for MDM solutions
• Jailbreak Detection/Application Piracy Detection
• SSL/TLS Certificate Pinning
• Business logic restrictions
• Identify weak cryptographic usage.
• Unlock hidden functionalities, and execute them.
• Bypassing application's client-side authentication, authorization, and access controls
• Functionalities which should not be there in the release build
• Unlock premium content (e.g. Pandora)
[DEMO] MY CURRENT SETUP
• Hardware
• Jailbroken iPhone 6 (iOS 9.0)
• A RAVPower power bank with a Wi-Fi interface.
• Software
• On computer
• Cydia Impactor – installs (sideloads) modified IPAs onto the device.
• Xcode with iOS Simulator
• IDA Free (or Hopper)
• Burp Suite Pro
• On iOS device
• DamnVulnerableIOSApplication (ref: http://damnvulnerableiosapp.com/#learn)
• Snoop-IT
• Cydia
[DEMO] INSECURE DATA STORAGE
• Sensitive information is stored locally on the device without proper protection.
• Plist files – unencrypted XML or binary property lists in the app sandbox (NSUserDefaults is backed by one). Generally used for application configuration, but routinely found holding credentials and session tokens.
• Keychain – an encrypted store whose class keys are derived from the device's hardware UID key (held in the Secure Enclave on A7 and later devices) and, for most accessibility classes, the user's passcode.
• Use kSecAttrAccessibleWhenUnlockedThisDeviceOnly for sensitive data: the item is readable only while the device is unlocked and is never migrated to another device through a backup. Items stored with an Always* class are readable while the device is locked, and on a jailbroken device a keychain-dumping tool will return them.
• Core Data – a persistence framework whose default store is a plain SQLite file in the sandbox; nothing in it is encrypted unless the app does so itself.
• Data protection classes (NSFileProtectionComplete etc.) decide whether a file's key is available while the device is locked; NSFileProtectionNone on a file with sensitive content is the finding to look for.
• Tool Used:
• DamnVulnerableIOSApplication
• Snoop-IT – for monitoring iOS application changes at runtime
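The storage controls the slide names, written out: a keychain write with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, a plist write with NSFileProtectionComplete, and two audit helpers that report the same facts Snoop-IT shows from outside the app (the accessibility class of every keychain item, the protection class of a file). This is an added example, not code from the talk or from DVIA; the service, account and path values are placeholders.

```objective-c
// Added example (not code from the talk or DVIA). Service/account names and paths are placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Store a secret as a generic-password item that is readable only while this device is unlocked
// and is never migrated to another device through a backup (the ThisDeviceOnly part).
static OSStatus storeSecret(NSString *service, NSString *account, NSData *secret) {
    NSDictionary *base = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    };
    SecItemDelete((__bridge CFDictionaryRef)base);          // replace any earlier item
    NSMutableDictionary *item = [base mutableCopy];
    item[(__bridge id)kSecValueData]      = secret;
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Write a plist with NSFileProtectionComplete: the per-file key is evicted when the device locks,
// so the file is unreadable from a locked device even with the sandbox bypassed.
static BOOL writeProtectedPlist(NSDictionary *config, NSString *path, NSError **error) {
    NSData *plist = [NSPropertyListSerialization dataWithPropertyList:config
                                                               format:NSPropertyListXMLFormat_v1_0
                                                              options:0
                                                                error:error];
    if (plist == nil) return NO;
    return [plist writeToFile:path options:NSDataWritingFileProtectionComplete error:error];
}

// Audit: the protection class of a file (NSFileProtectionNone is the finding).
static NSString *fileProtectionClass(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:NULL];
    return attrs[NSFileProtectionKey] ?: @"<unknown>";
}

// Audit: one line per generic-password item the app can see, flagging accessibility classes
// that let the item be read while the device is locked.
static NSArray<NSString *> *auditKeychain(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecReturnAttributes: @YES,
        (__bridge id)kSecMatchLimit:       (__bridge id)kSecMatchLimitAll,
    };
    CFTypeRef raw = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &raw) != errSecSuccess) return @[];
    NSArray *items = CFBridgingRelease(raw);

    NSSet *readableWhileLocked = [NSSet setWithObjects:
        (__bridge id)kSecAttrAccessibleAlways,
        (__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly,
        (__bridge id)kSecAttrAccessibleAfterFirstUnlock,
        (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        nil];

    NSMutableArray<NSString *> *report = [NSMutableArray array];
    for (NSDictionary *item in items) {
        NSString *accessible = item[(__bridge id)kSecAttrAccessible] ?: @"<none>";
        BOOL finding = [readableWhileLocked containsObject:accessible];
        [report addObject:[NSString stringWithFormat:@"%@/%@ accessible=%@%@",
                           item[(__bridge id)kSecAttrService],
                           item[(__bridge id)kSecAttrAccount],
                           accessible,
                           finding ? @"  <-- readable while device is locked" : @""]];
    }
    return report;
}
```

The audit functions run inside the app (for instance from a debug menu or a test target) and need no jailbreak; Snoop-IT gets the same information from outside by hooking SecItemAdd and the file APIs. The kSecAttrAccessible attribute is returned as the short class string ("ak", "ck", "dk", ...), which is why the comparison goes through the constants rather than hard-coded literals.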
[DEMO] BROKEN CRYPTOGRAPHY
• Insecure encryption/decryption implementation
• Hardcoded keys – recoverable from the binary (strings, IDA) or by reading the key argument of CCCrypt at runtime
• Deprecated cryptographic algorithms (DES, RC4, MD5/SHA-1 for integrity)
• Insufficient key size
• Static or reused IVs, ECB mode
• Tool Used:
• DamnVulnerableIOSApplication
• Snoop-IT – for observing cryptographic calls and their parameters at runtime
• IDA (or Hopper) – for disassembling the application binary
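The weaknesses on this slide next to their corrected form, using CommonCrypto, the library whose calls Snoop-IT logs. This is an added example, not code from the talk or from DVIA; the hard-coded key, the PBKDF2 iteration count and the output layout are choices made for the illustration.

```objective-c
// Added example (not code from the talk or DVIA). Key, iteration count and layout are illustrative.
#define __STDC_WANT_LIB_EXT1__ 1   // memset_s
#include <string.h>
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>
#import <Security/Security.h>

// INSECURE (what the demo looks for): DES with a 56-bit key, key and IV baked into the binary.
// `strings` on the IPA, a disassembler, or a hook on CCCrypt that logs its key argument (which is
// what Snoop-IT shows) recovers the key once for every installation of the app.
static NSData *encryptInsecure(NSData *plaintext) {
    static const char *kHardcodedKey = "s3cr3tk!";            // 8 bytes, sitting in the binary
    static const uint8_t kFixedIV[kCCBlockSizeDES] = {0};     // same IV for every message
    NSMutableData *out = [NSMutableData dataWithLength:plaintext.length + kCCBlockSizeDES];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmDES, kCCOptionPKCS7Padding,
                                 kHardcodedKey, kCCKeySizeDES, kFixedIV,
                                 plaintext.bytes, plaintext.length,
                                 out.mutableBytes, out.length, &moved);
    if (st != kCCSuccess) return nil;
    out.length = moved;
    return out;
}

// HARDENED: AES-256-CBC, fresh random IV per message, key derived from a user-supplied secret
// with PBKDF2-HMAC-SHA256 and a random salt, so nothing usable is stored in the binary.
// Output layout: salt (16) || iv (16) || ciphertext. CBC gives confidentiality only; before
// trusting decrypted data in production add an HMAC over iv||ciphertext or use an AEAD mode.
static NSData *encryptHardened(NSData *plaintext, NSString *password) {
    uint8_t salt[16], iv[kCCBlockSizeAES128], key[kCCKeySizeAES256];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(salt), salt) != 0 ||
        SecRandomCopyBytes(kSecRandomDefault, sizeof(iv), iv) != 0) return nil;

    const char *pw = password.UTF8String;
    if (CCKeyDerivationPBKDF(kCCPBKDF2, pw, strlen(pw), salt, sizeof(salt),
                             kCCPRFHmacAlgSHA256, 100000, key, sizeof(key)) != kCCSuccess) return nil;

    size_t header = sizeof(salt) + sizeof(iv);
    NSMutableData *out = [NSMutableData dataWithLength:header + plaintext.length + kCCBlockSizeAES128];
    uint8_t *p = out.mutableBytes;
    memcpy(p, salt, sizeof(salt));
    memcpy(p + sizeof(salt), iv, sizeof(iv));

    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 key, sizeof(key), iv,
                                 plaintext.bytes, plaintext.length,
                                 p + header, out.length - header, &moved);
    memset_s(key, sizeof(key), 0, sizeof(key));   // the derived key is itself a secret
    if (st != kCCSuccess) return nil;
    out.length = header + moved;
    return out;
}
```

Decryption reads the salt and IV back from the first 32 bytes, re-derives the key from the password and calls CCCrypt with kCCDecrypt. Note that with the hardened version a runtime hook on CCCrypt still sees the derived key and the plaintext for that one call; what it no longer yields is a key that works for every user and every message.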
[DEMO] SENSITIVE INFORMATION IN MEMORY
• Insecure handling of sensitive information
• Using NSString* to store passwords, credit card numbers etc.
• NSString is immutable: its bytes cannot be overwritten and remain in memory until the object is deallocated, which is later than expected once it has been retained, copied or autoreleased. NSMutableString is only marginally better, since replacing its contents does not guarantee the old buffer is overwritten; a mutable byte buffer (NSMutableData or a char array) that is zeroed with memset_s after use is the better alternative.
• Not clearing variables used for storing sensitive information after their use.
• Tool Used:
• DamnVulnerableIOSApplication
• Snoop-IT – for calling Objective-C classes at runtime.
• Cycript – for scripting capabilities (choose(ClassName) returns the live instances whose properties still hold the secret)
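What "clearing the variable after use" looks like when the secret arrives, as it always does from UIKit, as an NSString. This is an added example, not code from the talk or from DVIA; the login handler and the network callback it takes are simulated.

```objective-c
// Added example (not code from the talk or DVIA). The login flow and network call are simulated.
#define __STDC_WANT_LIB_EXT1__ 1   // exposes memset_s in Apple's libc
#include <string.h>
#import <Foundation/Foundation.h>

// Why NSString is the wrong container: there is no API to overwrite its bytes, and they stay in
// memory until the object is deallocated, which is later than you think (retains, copies,
// autorelease pools). choose(ClassName) in Cycript, or a heap dump, finds the password in every
// NSString that ever held it. NSMutableString lets you replace the contents but does not promise
// that the old buffer is zeroed.
//
// Copy the secret straight from the NSString into a buffer the app controls. getBytes:... writes
// into our buffer directly, so no intermediate NSData copy of the plaintext is created.
static NSMutableData *secretBufferFromString(NSString *fromTextField) {
    NSUInteger capacity = [fromTextField lengthOfBytesUsingEncoding:NSUTF8StringEncoding];
    NSMutableData *buffer = [NSMutableData dataWithLength:capacity];
    NSUInteger used = 0;
    [fromTextField getBytes:buffer.mutableBytes
                  maxLength:capacity
                 usedLength:&used
                   encoding:NSUTF8StringEncoding
                    options:0
                      range:NSMakeRange(0, fromTextField.length)
             remainingRange:NULL];
    buffer.length = used;
    return buffer;
}

// memset_s, unlike memset, may not be optimised away when the compiler sees the buffer is about
// to be freed, so the zeroing actually happens.
static void wipeSecret(NSMutableData *secret) {
    if (secret.length == 0) return;
    memset_s(secret.mutableBytes, secret.length, 0, secret.length);
}

// Used after wipeSecret to confirm nothing is left; the same check a tester does on a memory dump.
static BOOL isWiped(NSData *secret) {
    const uint8_t *b = secret.bytes;
    for (NSUInteger i = 0; i < secret.length; i++) {
        if (b[i] != 0) return NO;
    }
    return YES;
}

// Shape of a login handler (the body of something like textFieldShouldReturn:). The secret lives
// in our buffer for exactly as long as the network call needs it. The UITextField still holds its
// own NSString, so also set textField.text = @"" as soon as the value has been read: that shortens
// the window but does not guarantee UIKit's copy is gone.
static BOOL loginFlow(NSString *textFieldValue, BOOL (^sendToServer)(NSData *secret)) {
    NSMutableData *secret = secretBufferFromString(textFieldValue);
    BOOL ok = sendToServer(secret);
    wipeSecret(secret);        // whether or not the login succeeded
    return ok;
}
```

After `loginFlow` returns, `isWiped(secret)` is YES for the buffer it used, but `choose(UITextField)` in Cycript will still show the password until the field's text is replaced, and any NSString the view controller kept in a property (the `.username` / `.password` reads in the speaker notes) survives until that object is released.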
[DEMO] BYPASSING CLIENT-SIDE CHECKS
• Runtime manipulation of code to bypass built-in safeguards
• Flawed design/implementation of application logic.
• Checks for mission/business critical functionality enforced only on the client, with no server-side verification
• A method that answers the check with a BOOL (e.g. isLoginValidated) is replaced by one that always returns YES
• Tool Used:
• DamnVulnerableIOSApplication
• Snoop-IT – for calling Objective-C classes at runtime.
• Cycript – for scripting capabilities
• Xcode and iOS Simulator – another way of performing runtime analysis (lldb breakpoints and `expr` on a simulator build)
[DEMO] JAILBREAK DETECTION BYPASS
• Runtime manipulation of code to bypass jailbreak detection
• Flawed design/implementation of application logic.
• Custom built jailbreak detections are easy to bypass: they are typically one Objective-C method returning a BOOL, so a single hook (or a Cycript prototype override) flips the result for the whole app.
• Applicability: MDM solutions.
• Tool Used:
• DamnVulnerableIOSApplication
• Snoop-IT – for calling Objective-C classes at runtime.
• Cycript – for scripting capabilities
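The detection side of this demo: the kind of custom check that a one-line Cycript override defeats, and a variant that removes the single point of failure. This is an added example, not code from the talk or from DVIA; the class name is hypothetical and the artefact paths are the ones jailbreak checkers commonly probe.

```objective-c
// Added example (not code from the talk or DVIA). JailbreakCheck is a hypothetical class.
#import <Foundation/Foundation.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>

// WEAK: one Objective-C selector, one BOOL, one Foundation call. Either of these defeats it for
// the whole app, no reversing needed:
//   Substrate:  hook -[NSFileManager fileExistsAtPath:] (or -[JailbreakCheck isJailbroken])
//   Cycript:    JailbreakCheck.prototype.isJailbroken = function () { return false; }
@interface JailbreakCheck : NSObject
- (BOOL)isJailbroken;
@end

@implementation JailbreakCheck
- (BOOL)isJailbroken {
    return [[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"];
}
@end

// HARDER: several independent signals, gathered through libc rather than one well-known
// Objective-C method, folded into a score. There is no single selector whose return value decides
// the outcome, and static C functions do not appear in the Objective-C class list that Snoop-IT
// and Cycript enumerate. A tester can still MSHookFunction stat()/fopen()/fork() or patch the
// binary, so treat this as raising the cost and let the server make the real decision.
static const char *kJailbreakArtefacts[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
};

static int jailbreakScore(void) {
    int score = 0;
    struct stat st;

    // Signal 1: well-known jailbreak artefacts, checked with stat(2).
    for (size_t i = 0; i < sizeof(kJailbreakArtefacts) / sizeof(kJailbreakArtefacts[0]); i++) {
        if (stat(kJailbreakArtefacts[i], &st) == 0) score += 1;
    }

    // Signal 2: the sandbox forbids writing outside the app container; success means it is off.
    const char *probe = "/private/jailbreak_probe.txt";
    FILE *f = fopen(probe, "w");
    if (f != NULL) { fclose(f); unlink(probe); score += 2; }

    // Signal 3: fork(2) is denied to sandboxed apps; getting a child process means it is off.
    pid_t pid = fork();
    if (pid == 0) { _exit(0); }                           // child: leave immediately
    if (pid > 0)  { waitpid(pid, NULL, 0); score += 2; }  // parent: reap the child, record

    return score;   // expected 0 on a stock device
}
```

The caller decides what a score of 1 versus 5 means (log, degrade, refuse) and sends the value to the backend with the request it protects, so that the decision is not made in a method the tester can rewrite.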
[DEMO] SSL/TLS CERTIFICATE PINNING
• Bypassing SSL/TLS certificate pinning at runtime.
• iOS applications use NSURLConnection (or NSURLSession) to make HTTP(S) requests
• With NSURLConnection, the delegate method connection:willSendRequestForAuthenticationChallenge: receives the server-trust challenge; this is where apps implement their certificate pinning checks (NSURLSession's equivalent is URLSession:didReceiveChallenge:completionHandler:)
• SSL Kill Switch 2 – a Substrate tweak which patches the SecureTransport functions beneath NSURLConnection/NSURLSession (SSLCreateContext, SSLSetSessionOption, SSLHandshake) so that server certificate validation is skipped and the app's pinning callback is never invoked; the intercepting proxy's certificate is then accepted.
• Apps that ship their own TLS stack (OpenSSL etc.) are not affected and need a hook specific to that library.
• Tool Used:
• DamnVulnerableIOSApplication
• Burp Suite Pro
• SSL Kill Switch 2
• https://github.com/nabla-c0d3/ssl-kill-switch2
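Pinning inside the NSURLConnection delegate callback named on the slide, factored so the trust decision is a plain function. This is an added example, not code from the talk, DVIA or SSL Kill Switch 2; it assumes the app bundles the server's leaf certificate as pinned.der.

```objective-c
// Added example (not code from the talk, DVIA or SSL Kill Switch 2). Assumes pinned.der is bundled.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// YES only if the system chain validation passes AND the leaf certificate the server presented is
// byte-for-byte the one shipped with the app. Evaluating the chain first keeps the usual expiry and
// hostname checks; the pin then rejects any other certificate, including one issued by a trusted CA.
static BOOL serverTrustMatchesPin(SecTrustRef trust, NSData *pinnedLeafDER) {
    if (trust == NULL || pinnedLeafDER.length == 0) return NO;
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) return NO;
    if (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed) return NO;
    if (SecTrustGetCertificateCount(trust) < 1) return NO;
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
    return [presented isEqualToData:pinnedLeafDER];
}

@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@property (nonatomic, strong) NSData *pinnedLeafDER;
@end

@implementation PinnedConnectionDelegate

- (instancetype)init {
    if ((self = [super init])) {
        NSString *path = [[NSBundle mainBundle] pathForResource:@"pinned" ofType:@"der"];
        _pinnedLeafDER = [NSData dataWithContentsOfFile:path];
    }
    return self;
}

// The callback the slide names. CFNetwork delivers the server-trust challenge here only because
// SecureTransport paused the handshake at server authentication; SSL Kill Switch 2 swallows that
// pause inside its SSLHandshake hook, so with the tweak active this method is never called for
// server trust and nothing written in it can help.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    if (serverTrustMatchesPin(space.serverTrust, self.pinnedLeafDER)) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed. Falling back to default handling would accept any CA-signed certificate,
        // which is exactly what an intercepting proxy presents.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

Pinning the leaf certificate means the app must ship an update before the server's certificate rotates; pinning the public key (hash of SecCertificateCopyPublicKey) survives re-issuance from the same key. Either way, on a jailbroken device this is a speed bump: the tweak removes the check below the layer where it runs, and the defence is to assume the client is untrusted and keep secrets off it.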
ANDROID ALTERNATIVES
• Inspeckage – an Xposed module (requires root), the equivalent of Snoop-IT for Android devices
• https://github.com/ac-pm/Inspeckage
• http://repo.xposed.info/module/mobi.acpm.inspeckage
• Cycript – Android version
• Drozer
• https://labs.mwrinfosecurity.com/tools/drozer/
• Needle
• https://github.com/mwrlabs/needle
• Android Studio
• Ssl-kill-switch-2 – Android version
QUESTIONS, COMMENTS OR IDEAS?

Runtime Analysis on Mobile Applications (February 2017)


Editor's Notes (speaker notes, keyed by slide number)

  • #4 To do runtime analysis we need a lot of runtime manipulation; terminology: hooking. (Cue: Joey showing Ross what hooking means, in Friends.) Demo: a deliberately vulnerable iOS application. The certificate pinning demo is a bit flaky.
  • #8 Keychain is a vault in iOS devices to store sensitive information.
  • #10 lmxc-lgfe-pupk-xghd
  • #12 Method of interest: textFieldShouldReturn: (UITextFieldDelegate)
  • #13 Cycript: choose(SensitiveInformationDetailsVC)[0].username and choose(SensitiveInformationDetailsVC)[0].password
  • #14 Cycript: RuntimeManipulationDetailsVC.prototype.isLoginValidated = function () { return true; }