This document provides an introduction to runtime hacking on iOS. It discusses setting up the environment, mapping out an application by decrypting and dumping binaries to obtain class information. It then covers techniques for dumping and modifying variables at runtime like retrieving sensitive user data. Methods for manipulating functions are also presented, such as bypassing authentication or jailbreak detection. Persistence techniques like injecting libraries are explained. Finally, it addresses considerations for hacking Swift applications. The overall goal is to quickly get people up to speed on runtime analysis and manipulation of third-party iOS apps.

1. iOS Runtime Hacking
Crash Course
Michael Gianarakis
WAHCKon[2]

2. #whoami
@mgianarakis
Managing Consultant at SpiderLabs
We're hiring!

3. What Is This Presentation
About?
• Quick and dirty intro to runtime hacking on iOS
• Help people get up to speed quickly
• Hopefully practical
• Focussed on third-party apps

4. What It’s Not
• No data security
• No transport security
• Not touching on remediation/protection
• For more comprehensive presentations on iOS
pen testing or how to secure apps go to
eightbit.io/presentations

5. Outline
• Objective-C Basics
• Setting Up The Environment
• Mapping Out the Application
• Dumping and Modifying Variables
• Manipulating Functions at Runtime
• Swift Considerations

6. Objective-C Basics

7. Objective-C
• Native iOS applications are written in Objective-C
• Objective-C is a superset of C
• Objective-C is basically C with Smalltalk-style
messaging and object syntax

8. Syntax

9. Syntax

10. Syntax
// Sending the message “method” to the object pointed to by the pointer obj
[obj method: argument1: argument2];

11. Important Takeaways
• Understand basic OO principles
• Rudimentary understanding of MVC
• Basic Objective-C
• How to call methods (embrace the square
bracket!)
• How to read and write variables

12. Setting Up The
Environment

13. Requirements
• Jailbroken device
• openssh (via Cydia)
• class-dump-z (http://code.google.com/p/networkpx/wiki/class_dump_z)
• cycript (http://www.cycript.org/debs/ or Cydia)
• gdb (via Cydia) or lldbdebugserver (http://iphonedevwiki.net/index.php/
Debugserver)
• CydiaSubstrate (via Cydia)
• Clutch (https://github.com/KJCracks/Clutch)
• For a slightly outdated guide on setting up the environment see eightbit.io/post/
64319534191/how-to-set-up-an-ios-pen-testing-environment

14. Mapping Out The
Application

15. Mapping Out The Application
• The most important part
• Objective-C apps store a bunch of useful runtime
information in the executable
• This information provides great insight into how an
application functions (and thus is useful for finding
bugs)

16. Decrypting Binaries
• Apps downloaded from the App Store are
protected with Apple’s FairPlay DRM
• Certain portions of the binary are encrypted
• Need to decrypt these portions before we can
analyse the binary

17. Decrypting Binaries
• Can do it manually by extracting the encrypted
portion after the loader decrypts it and then patch
the decrypted portion it into the binary
• Plenty of tools to automate this for you
• dumpdecrypted
• Clutch and Rasticrac

18. Decrypting Binaries
• Not going to demonstrate this as there are plenty
of guides on the web and it’s not very interesting
• NOTE: Piracy is not cool

19. Obtaining a Class Dump
• Using the excellent class-dump-z tool you can
extract all of the runtime information stored in the
binary in a what is essentially the equivalent of an
Objective-C header file
• class-dump-z -aAkRzb [BINARY]

20. Example: Class Dump

21. Other Options
• Disassemblers such as IDA or Hopper
• Great for lower level insight
• Swift binaries
• otool
• weak_class_dump.cy (https://github.com/limneos/
weak_classdump)

22. Dumping and
Modifying Variables

23. Retrieving Sensitive
Information
• Very easy to retrieve sensitive information at
runtime including:
• Credentials
• Encryption keys
• PII
• Sensitive business data

24. Quick and Dirty Approach
• Review the class dump (grep ftw)
• pin, password, passcode, pinlock, key, aes,
account, credentials, creditCard, username,
address, phone, session, token
• Hook into the running application with Cycript and
retrieve the information

25. Cycript
• Ridiculous name (pronounced script)
• Even more ridiculous premise
• “programming language designed to blend
the barrier between Objective-C and
JavaScript”
• Really great tool for interrogating and
manipulating the runtime of an app

27. Example: Retrieving
A User’s PIN

28. Manipulating
Functions at Runtime

29. Manipulating the Runtime
• Objective-C can observe and modify it’s own
behaviour at runtime
• Can call methods directly, modify functions and
even create your own classes and methods
• This has obvious security implications

30. What can you do?
• Break security checks
• Jailbreak checks
• Debug prevention
• Certificate validation
• Bypass authentication
• Subvert business logic
• Get the highest possible score in Flappy Bird

31. Quick and Dirty Approach
• Review the class dump
• Look for sensitive functions
• Identify simple logic
• Hook into the running application with Cycript and
call or modify the functions

32. Example:
Authentication Bypass

33. Example: Jailbreak
Detection

34. Phonegap/Cordova

35. Persistence
• Using Cycript to modify the behaviour at runtime
obviously will not persist when the application is
terminated
• For a POC on say a pen-test or a bug report it’s
usually not a problem
• However there may be instances where you want
the modification to be persistent

36. Why persistence?
• Security checks hindering testing
• Jailbreak prevention
• Anti-debug protection
• Transport security controls (e.g. cert pinning)
• Development of tools
• For a jailbreak or actual malware

37. How?
• Inject a library into every new process via the
DYLD_INSERT_LIBRARIES environment variable
#chmod +r hook.dylib
#launchctl setenv DYLD_INSERT_LIBRARIES /var/
root/ hook.dylib

38. CydiaSubstrate + Theos
• CydiaSubstrate simplifies hooking with a global injected dylib
• Can just install from Cydia
• Theos is a port of the build tools to other platforms
• So you don’t have to be an Apple fanboy to build hooks
• Focus on the logic of the hook
• Also available on iOS
• http://iphonedevwiki.net/index.php/Theos/Setup

39. Example: Hooking

40. Swift Considerations

41. What is Swift?
• Compiled language created by Apple
• Released publicly in 2014 at WWDC
• Intended to replace Objective-C eventually

42. Characteristics
• Uses the same runtime
• Binary compatibility with Objective-C
• No dynamic dispatch

43. Issues with Swift Apps
• Runtime manipulation limited for pure Swift apps
(i.e. a Swift-only runtime)
• Harder to analyse
• No class dump
• Name mangling

44. Assessing Swift Apps
• Can still do some runtime manipulation with the
Objective-C bridge enabled
• Realistically until we get Swift only frameworks all
apps will have this
• Can still do limited hooking with CydiaSubstrate
• Disassemblers for analysing Swift binaries
• Hopper scripts to demangle Swift names (https://
github.com/Januzellij/hopperscripts)

45. Questions?