Hacking iOS on the Run: Using Cycript
Session ID: HTA-R04A
Sebastián Guerrero, Mobile Security Analyst, viaForensics (@0xroot)
#RSAC
Agenda
Analyzing binaries
Encrypted binaries
Abusing the Runtime with Cycript
Securing the Runtime
Analyzing binaries
iOS App Architecture
The Mach-O format
Header: target architecture
Load commands: location of the symbol table, shared libraries
Data: organized in segments
The Mach-O format
The header section can be inspected using the otool utility
The ‘load commands’ section can be analyzed with it too
Introduction to class-dump-z
Outputs the equivalent of an Objective-C header:
Classes compiled into the program
Its associated methods
Instance variables and properties
Encrypted binaries
App Store binaries are always encrypted
Similar to the FairPlay DRM used on iTunes music
Self distributed apps are not encrypted
Loader decrypts the apps when loaded into memory
Debugger can be used to dump the decrypted app from memory
The manual process is tedious; tools are available: Craculous, Clutch, Installous
Decrypting iOS Apps
Find the starting offset and the size of the encrypted data in the app binary.
Find the memory loading address of the application (changes every time the app is compiled with PIE).
Dump the decrypted portion of the application from memory using a debugger.
Overwrite the application’s encrypted area with the dumped binary data.
Change the cryptid value to 0.
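The offset, size and flag that steps 1 and 5 refer to are the cryptoff, cryptsize and cryptid fields of the LC_ENCRYPTION_INFO load command, the same fields otool -l prints. The program below is an added example, not code from the talk or from viaForensics: it reads a thin Mach-O file, walks its header and load commands with bounds checks, and reports those three fields. Checking cryptid before analysis tells you whether a binary is still App Store-encrypted, in which case class-dump-z and a disassembler would be looking at ciphertext. It assumes a thin image; a fat file must be split first.

```objective-c
#import <Foundation/Foundation.h>
#import <mach-o/loader.h>

// What one scan of a thin Mach-O image reports about its encryption state.
typedef struct {
    BOOL     found;      // an LC_ENCRYPTION_INFO(_64) load command was present
    uint32_t cryptoff;   // file offset where the encrypted region begins
    uint32_t cryptsize;  // size in bytes of the encrypted region
    uint32_t cryptid;    // 0 = cleartext, non-zero = FairPlay-encrypted
} EncryptionInfo;

// Walks the load commands of a thin (non-fat) 32- or 64-bit Mach-O image held
// in `data`. Returns NO if the buffer is not a well-formed image. Every command
// is bounds-checked so a truncated or malformed file cannot push the walk past
// the end of the buffer.
static BOOL ScanEncryptionInfo(NSData *data, EncryptionInfo *out)
{
    memset(out, 0, sizeof *out);
    const uint8_t *buf = data.bytes;
    size_t len = data.length;
    uint32_t magic, ncmds, sizeofcmds;
    size_t off;

    if (len < sizeof(struct mach_header)) return NO;
    memcpy(&magic, buf, sizeof magic);
    if (magic == MH_MAGIC_64) {
        struct mach_header_64 h;
        if (len < sizeof h) return NO;
        memcpy(&h, buf, sizeof h);
        off = sizeof h; ncmds = h.ncmds; sizeofcmds = h.sizeofcmds;
    } else if (magic == MH_MAGIC) {
        struct mach_header h;
        memcpy(&h, buf, sizeof h);
        off = sizeof h; ncmds = h.ncmds; sizeofcmds = h.sizeofcmds;
    } else {
        return NO;   // fat (FAT_MAGIC) and byte-swapped images are out of scope here
    }
    size_t end = off + sizeofcmds;
    if (end > len) return NO;

    for (uint32_t i = 0; i < ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return NO;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return NO;
        if ((lc.cmd == LC_ENCRYPTION_INFO || lc.cmd == LC_ENCRYPTION_INFO_64)
            && lc.cmdsize >= sizeof(struct encryption_info_command)) {
            // Both variants share the leading layout cmd/cmdsize/cryptoff/cryptsize/cryptid;
            // the 64-bit variant only appends padding.
            struct encryption_info_command ec;
            memcpy(&ec, buf + off, sizeof ec);
            out->found = YES;
            out->cryptoff = ec.cryptoff; out->cryptsize = ec.cryptsize; out->cryptid = ec.cryptid;
        }
        off += lc.cmdsize;
    }
    return YES;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        if (argc != 2) { fprintf(stderr, "usage: %s <thin Mach-O binary>\n", argv[0]); return 2; }
        NSData *data = [NSData dataWithContentsOfFile:@(argv[1])];
        EncryptionInfo info;
        if (data == nil || !ScanEncryptionInfo(data, &info)) {
            fprintf(stderr, "%s: not a thin 32/64-bit Mach-O image\n", argv[1]); return 1;
        }
        if (!info.found) { printf("no LC_ENCRYPTION_INFO load command present\n"); return 0; }
        printf("cryptoff  0x%x\ncryptsize 0x%x\ncryptid   %u (%s)\n",
               info.cryptoff, info.cryptsize, info.cryptid,
               info.cryptid ? "encrypted: class-dump and a disassembler would see ciphertext"
                            : "not encrypted");
        return 0;
    }
}
```

Build with `clang -framework Foundation enccheck.m -o enccheck` and run it on the app's main executable; for a fat binary, extract one slice first with `lipo <binary> -thin arm64 -output <thin>`. The output should agree with `otool -l <binary> | grep -A4 LC_ENCRYPTION_INFO`.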
Clutch
Abusing the runtime with Cycript
Cycript
Combination of JavaScript and Objective-C interpreter
App runtime can be easily modified using Cycript
Can be hooked to a running process
Gives access to all classes and instance variables within the app
Used for runtime analysis
Bypass security locks / authentication bypass attacks
Access sensitive information from memory
Accessing restricted areas of the applications
iOS App Execution Flow
Breaking simple locks
Create object for the class and directly access the instance variables and invoke methods
Trawling for data
Instance variables – provides a simple way to display an object’s instance variables
Methods – lists methods as well as the memory locations of their respective implementations
Classes – a complete listing of classes can be dumped by referencing Cycript’s built-in ObjectiveC object:
cy# ObjectiveC.classes
Evernote Demo
Activate premium features.
Retrieve the PIN access code.
Disable PIN access code.
More serious implications
Fun applications aren’t the only programs suffering from terrible security holes. Financial and enterprise applications are just as bad.
Personal data vaults
Payment processing applications
Electronic banking
…
Securing the Runtime
Tamper response
Process trace checking
Blocking debuggers
Runtime Class integrity checks
Complicating disassembly
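The first four controls above, as an added Objective-C example (not code from the talk or from viaForensics): a process trace check via sysctl, a ptrace-based attach denial, a class integrity check that verifies every method of one of the app's own classes still resolves to code inside the app's own image (the property that Cycript's runtime hooking described earlier breaks), and a scan of the loaded images for an injected library. The class name PINLockController and the library-name substrings "cycript" and "substrate" are assumptions for illustration; the response to a positive finding is left to the app.

```objective-c
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>
#import <mach-o/dyld.h>
#import <sys/sysctl.h>
#import <sys/types.h>
#import <unistd.h>

// Evidence from one pass of the checks; the app owns the tamper response.
typedef struct {
    BOOL       debuggerAttached;   // P_TRACED is set on our own process
    NSUInteger foreignMethods;     // methods of our class implemented outside our image
    NSUInteger injectedImages;     // loaded libraries whose names look foreign
} IntegrityReport;

// Process trace check (Apple QA1361 pattern): fetch our own kinfo_proc and test
// P_TRACED. A failed sysctl is "no evidence", not "clean".
static BOOL DebuggerAttached(void)
{
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info = {0};
    size_t size = sizeof info;
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return NO;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}

// Blocking debuggers: PT_DENY_ATTACH makes later attach attempts fail and kills
// the process if a tracer is already present. ptrace is not in the public iOS
// headers, so it is resolved at runtime. On a jailbroken device this call itself
// can be hooked: it is one layer, not a guarantee.
static void DenyAttach(void)
{
    typedef int (*ptrace_fn)(int, pid_t, caddr_t, int);
    const int kDenyAttach = 31;   // value of PT_DENY_ATTACH in <sys/ptrace.h>
    ptrace_fn p = (ptrace_fn)dlsym(RTLD_DEFAULT, "ptrace");
    if (p) p(kDenyAttach, 0, NULL, 0);
}

// Runtime class integrity: every method of a class compiled into this image
// should resolve to code inside this image. After a Cycript- or Substrate-style
// hook, method_getImplementation returns an address in an injected library, or
// in anonymous JIT memory where dladdr finds no image at all.
static NSUInteger ForeignMethodImplementations(Class cls)
{
    Dl_info here;
    if (!dladdr((const void *)&ForeignMethodImplementations, &here)) return 0;
    NSUInteger foreign = 0;
    unsigned int count = 0;
    Method *methods = class_copyMethodList(cls, &count);
    for (unsigned int i = 0; i < count; i++) {
        Dl_info dl;
        const void *imp = (const void *)method_getImplementation(methods[i]);
        BOOL known = dladdr(imp, &dl) != 0 && dl.dli_fname != NULL;
        if (known && strcmp(dl.dli_fname, here.dli_fname) == 0) continue;
        foreign++;
        NSLog(@"[integrity] %s %s -> %s", class_getName(cls),
              sel_getName(method_getName(methods[i])),
              known ? dl.dli_fname : "<no image: JIT or anonymous memory>");
    }
    free(methods);
    return foreign;
}

// Injected-library scan: Cycript attaches by loading its own library into the
// target. The substrings are assumed typical names; extend them from your own tests.
static NSUInteger InjectedImages(void)
{
    NSArray<NSString *> *needles = @[ @"cycript", @"substrate" ];
    NSUInteger hits = 0;
    for (uint32_t i = 0, n = _dyld_image_count(); i < n; i++) {
        const char *cname = _dyld_get_image_name(i);
        if (cname == NULL) continue;
        NSString *name = @(cname);
        for (NSString *needle in needles) {
            if ([name rangeOfString:needle options:NSCaseInsensitiveSearch].location != NSNotFound) {
                NSLog(@"[integrity] unexpected image %@", name);
                hits++;
                break;
            }
        }
    }
    return hits;
}

// Run every check against one sensitive class. Call this inline from several code
// paths rather than one easily hooked helper, and keep the response quiet.
static IntegrityReport CheckRuntimeIntegrity(Class sensitiveClass)
{
    IntegrityReport r;
    r.debuggerAttached = DebuggerAttached();
    r.foreignMethods   = ForeignMethodImplementations(sensitiveClass);
    r.injectedImages   = InjectedImages();
    return r;
}

// Hypothetical sensitive class standing in for an app's PIN lock controller.
@interface PINLockController : NSObject
- (BOOL)isUnlocked;
@end
@implementation PINLockController
- (BOOL)isUnlocked { return NO; }
@end

int main(void)
{
    @autoreleasepool {
        DenyAttach();
        IntegrityReport r = CheckRuntimeIntegrity([PINLockController class]);
        NSLog(@"debugger=%d foreignMethods=%lu injectedImages=%lu", r.debuggerAttached,
              (unsigned long)r.foreignMethods, (unsigned long)r.injectedImages);
        return (r.debuggerAttached || r.foreignMethods || r.injectedImages) ? 1 : 0;
    }
}
```

Two caveats a practitioner should keep in mind: a hook that swaps two of the app's own implementations (method_exchangeImplementations between methods in the same image) passes the image check, so compare against expected IMPs captured at first launch where that matters; and a check that merely logs and exits is the easiest kind to find and patch out, which is why the deck lists "complicating disassembly" alongside it.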
Summary
Mobile devices are a hostile environment
It is important to protect your apps
Identify the common app vulnerabilities and remediate them
References
https://viaforensics.com/blog/
https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/
http://www.cycript.org/
http://resources.infosecinstitute.com/ios-application-security-part-8-method-swizzling-using-cycript/
http://resources.infosecinstitute.com/ios-application-security-part-4-runtime-analysis-using-cycript-yahoo-weather-app/