Post on 09-Jun-2015
Breaking iOS Apps with Cycript
Satish Bommisetty
Agenda
- Objective-C basics
- iOS app architecture
- Decrypting iOS apps
- Breaking apps with Cycript
Native iOS Applications
- Written in Objective-C
- Developed in Xcode
Objective C Basics
- Objective-C is a strict superset of C: any C code is valid Objective-C, and the object and messaging system is layered on top of the C language
- Interface file (.h) declares the class, its instance variables and its methods:

    @interface Car : NSObject {
        float fillLevel;
    }
    - (void)addGas;
    @end

- Implementation file (.m) defines the method bodies:

    @implementation Car
    - (void)addGas {
    }
    @end
Objective C Basics
- Methods are not called directly; a message is sent to the object and resolved at runtime
- C++ (static call):
    object->method(param1, param2);
- Objective-C (message send; the selector is method:param2name:):
    [object method:param1 param2name:param2];
iOS App Architecture
- [diagram: structure of an iOS app, not reproduced in the transcript]
- The executable is in Mach-O format
  - Header: magic value, target architecture (CPU type and subtype), number of load commands
  - Load commands: location of the symbol table, shared libraries to link, segment layout
  - Data: organized in segments (__TEXT, __DATA, ...) made up of sections
- The header can be viewed with otool:
    otool -h Binary
  - cputype 12 = ARM; cpusubtype 6 = ARMv6, cpusubtype 9 = ARMv7
- The load commands can be viewed with otool:
    otool -l Binary
  - Among them, LC_ENCRYPTION_INFO tells you whether the binary is still FairPlay-encrypted: cryptid 1 means encrypted, cryptid 0 means decrypted (see next section)
Decrypting iOS Apps
- App Store binaries are encrypted
  - Protects against piracy
  - Same FairPlay DRM scheme used for iTunes music
- Self-distributed apps (developer, ad hoc and enterprise builds) are not encrypted
- The loader decrypts the encrypted segment when the app is mapped into memory
- A debugger can therefore dump the decrypted image from memory; the dumped bytes are written back over the encrypted range and cryptid in LC_ENCRYPTION_INFO is set to 0
- Tools automate this on a jailbroken device: Crackulous and Clutch (Installous, also listed on the slide, is the installer used to side-load the resulting cracked packages rather than a decryptor)
- Before reversing, confirm the binary is really decrypted: otool -l Binary and check that cryptid is 0
Cycript
- A JavaScript interpreter with an Objective-C bridge: JavaScript syntax plus [receiver message:arg] expressions in the same session
- Hooks into a running process (cycript -p <pid or process name>) on a jailbroken device
- The app's runtime can be modified on the fly: every class, method and instance variable in the process is reachable
- Used for runtime analysis and manipulation:
  - Bypass security locks (PIN and lock screens)
  - Read sensitive information (credentials, tokens) still held in memory
  - Authentication bypass attacks
  - Reach restricted areas of the application
Class-dump-z
- Run class-dump-z on the decrypted binary to map the application (on a still-encrypted binary the Objective-C metadata is unreadable and the output is useless)
- It retrieves the class declarations: the original .h interfaces, reconstructed from the runtime metadata
- Read the dump and pick out the interesting classes and selectors (login, PIN, purchase, ...); these become the targets for Cycript
iOS App Execution Flow
- The UIApplication singleton ([UIApplication sharedApplication], exposed as UIApp in Cycript) is the centralized point of control in the MVC flow; from it the app delegate, the key window and the root view controller can be reached, and from there every live view controller
Breaking iOS Apps
- Create an object of the class ([[Class alloc] init]) or grab a live instance, then read and write its instance variables and invoke its methods directly, without going through the UI
- Existing methods can be overwritten easily: replace the implementation with a JavaScript function and the app's own code path calls the replacement
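The procedure from the Cycript, class-dump-z, execution-flow and breaking-apps slides above, as one added Cycript session (example written for this page, not code from the talk). It assumes a jailbroken device, an app process called MyBank, and that class-dump-z turned up a class LoginViewController with an ivar _pinCode and a selector isValidPin:; all of those names are hypothetical. The method-replacement form uses the messages dictionary of the Cycript Objective-C bridge; check the manual for your Cycript version, since older builds documented the prototype form instead.

```cycript
// Attach to the running app by process name (typed on the device):
//   $ cycript -p MyBank
// Everything below is entered at the cy# prompt.

// 1. Orientation: UIApp is [UIApplication sharedApplication].
UIApp.delegate                        // the app delegate
UIApp.keyWindow.rootViewController    // top of the view-controller tree

// 2. Find live instances of the class that class-dump-z flagged.
//    choose() scans the heap and returns a JavaScript array.
var vcs = choose(LoginViewController);   // hypothetical class name
var login = vcs[0];

// 3. Read and write instance variables directly; no getters needed.
*login                    // dump every ivar as a JavaScript object
login->_pinCode           // one ivar (hypothetical name)
login->_pinCode = "0000"; // overwrite it in memory

// 4. Invoke methods with Objective-C message syntax.
//    JavaScript strings are bridged to NSString automatically.
[login isValidPin:"1234"]             // returns NO for a wrong PIN

// 5. Replace the method so the app's own lock screen accepts any PIN.
//    Keep the original implementation so the change can be undone.
var originalIsValidPin = LoginViewController.messages['isValidPin:'];
LoginViewController.messages['isValidPin:'] = function(pin) {
    return true;                      // accept whatever was typed
};
[login isValidPin:"wrong"]            // now YES; tapping Unlock in the UI behaves the same

// 6. Or build a fresh object and drive the restricted code path without the UI.
var fresh = [[LoginViewController alloc] init];
[fresh isValidPin:"anything"]         // YES, because of step 5

// 7. Restore the original behaviour when done.
LoginViewController.messages['isValidPin:'] = originalIsValidPin;
```

The replacement in step 5 affects every instance of the class for as long as the process lives, which is why step 7 restores the original: leaving it in place changes what a later tester observes and can mask the real control being assessed.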