This document provides an introduction to runtime hacking on iOS. It discusses setting up the environment, mapping out an application by decrypting and dumping binaries to obtain class information. It then covers techniques for dumping and modifying variables at runtime like retrieving sensitive user data. Methods for manipulating functions are also presented, such as bypassing authentication or jailbreak detection. Persistence techniques like injecting libraries are explained. Finally, it addresses considerations for hacking Swift applications. The overall goal is to quickly get people up to speed on runtime analysis and manipulation of third-party iOS apps.
3. What Is This Presentation
About?
• Quick and dirty intro to runtime hacking on iOS
• Help people get up to speed quickly
• Hopefully practical
• Focussed on third-party apps
4. What It’s Not
• No data security
• No transport security
• Not touching on remediation/protection
• For more comprehensive presentations on iOS
pen testing or how to secure apps go to
eightbit.io/presentations
5. Outline
• Objective-C Basics
• Setting Up The Environment
• Mapping Out the Application
• Dumping and Modifying Variables
• Manipulating Functions at Runtime
• Swift Considerations
7. Objective-C
• Native iOS applications are written in Objective-C
• Objective-C is a superset of C
• Objective-C is basically C with Smalltalk-style
messaging and object syntax
10. Syntax
// Sending the message “method” to the object pointed to by the pointer obj
[obj method: argument1: argument2];
11. Important Takeaways
• Understand basic OO principles
• Rudimentary understanding of MVC
• Basic Objective-C
• How to call methods (embrace the square
bracket!)
• How to read and write variables
15. Mapping Out The Application
• The most important part
• Objective-C apps store a bunch of useful runtime
information in the executable
• This information provides great insight into how an
application functions (and thus is useful for finding
bugs)
16. Decrypting Binaries
• Apps downloaded from the App Store are
protected with Apple’s FairPlay DRM
• Certain portions of the binary are encrypted
• Need to decrypt these portions before we can
analyse the binary
17. Decrypting Binaries
• Can do it manually by extracting the encrypted
portion after the loader decrypts it and then patch
the decrypted portion it into the binary
• Plenty of tools to automate this for you
• dumpdecrypted
• Clutch and Rasticrac
18. Decrypting Binaries
• Not going to demonstrate this as there are plenty
of guides on the web and it’s not very interesting
• NOTE: Piracy is not cool
19. Obtaining a Class Dump
• Using the excellent class-dump-z tool you can
extract all of the runtime information stored in the
binary in a what is essentially the equivalent of an
Objective-C header file
• class-dump-z -aAkRzb [BINARY]
21. Other Options
• Disassemblers such as IDA or Hopper
• Great for lower level insight
• Swift binaries
• otool
• weak_class_dump.cy (https://github.com/limneos/
weak_classdump)
23. Retrieving Sensitive
Information
• Very easy to retrieve sensitive information at
runtime including:
• Credentials
• Encryption keys
• PII
• Sensitive business data
24. Quick and Dirty Approach
• Review the class dump (grep ftw)
• pin, password, passcode, pinlock, key, aes,
account, credentials, creditCard, username,
address, phone, session, token
• Hook into the running application with Cycript and
retrieve the information
25. Cycript
• Ridiculous name (pronounced script)
• Even more ridiculous premise
• “programming language designed to blend
the barrier between Objective-C and
JavaScript”
• Really great tool for interrogating and
manipulating the runtime of an app
29. Manipulating the Runtime
• Objective-C can observe and modify it’s own
behaviour at runtime
• Can call methods directly, modify functions and
even create your own classes and methods
• This has obvious security implications
30. What can you do?
• Break security checks
• Jailbreak checks
• Debug prevention
• Certificate validation
• Bypass authentication
• Subvert business logic
• Get the highest possible score in Flappy Bird
31. Quick and Dirty Approach
• Review the class dump
• Look for sensitive functions
• Identify simple logic
• Hook into the running application with Cycript and
call or modify the functions
35. Persistence
• Using Cycript to modify the behaviour at runtime
obviously will not persist when the application is
terminated
• For a POC on say a pen-test or a bug report it’s
usually not a problem
• However there may be instances where you want
the modification to be persistent
36. Why persistence?
• Security checks hindering testing
• Jailbreak prevention
• Anti-debug protection
• Transport security controls (e.g. cert pinning)
• Development of tools
• For a jailbreak or actual malware
37. How?
• Inject a library into every new process via the
DYLD_INSERT_LIBRARIES environment variable
#chmod +r hook.dylib
#launchctl setenv DYLD_INSERT_LIBRARIES /var/
root/ hook.dylib
38. CydiaSubstrate + Theos
• CydiaSubstrate simplifies hooking with a global injected dylib
• Can just install from Cydia
• Theos is a port of the build tools to other platforms
• So you don’t have to be an Apple fanboy to build hooks
• Focus on the logic of the hook
• Also available on iOS
• http://iphonedevwiki.net/index.php/Theos/Setup
43. Issues with Swift Apps
• Runtime manipulation limited for pure Swift apps
(i.e. a Swift-only runtime)
• Harder to analyse
• No class dump
• Name mangling
44. Assessing Swift Apps
• Can still do some runtime manipulation with the
Objective-C bridge enabled
• Realistically until we get Swift only frameworks all
apps will have this
• Can still do limited hooking with CydiaSubstrate
• Disassemblers for analysing Swift binaries
• Hopper scripts to demangle Swift names (https://
github.com/Januzellij/hopperscripts)