Automated embedding of dynamic libraries into iOS applications from GNU/Linux
Marwin Baumann (1) & Leandro Velasco (1)
(1) Systems and Network Engineering MSc., University of Amsterdam
Research Project 2, 2017
Marwin Baumann & Leandro Velasco Research Project 2, 2017 1 / 20
Introduction
Dynamic library embedding:
- Deploy debugging mechanisms
- Monitor the invocation of functions
- Tracking how data is propagated through the application
- Modify the behavior of Apps (on non-jailbroken devices)
Common Use-case:
- Frida Instrumentation
Introduction
Problem:
- Only on macOS
- macOS in Virtual Machine not legal [1]
- Cumbersome process
Motivation:
- More apps released every day [2]
- Increase in need for mobile app security assessments
- Need for automation and free publicly available tools
Procedure Overview
Research Question
Is it possible from GNU/Linux to automate the process of embedding dynamic libraries into iOS applications?
Methodology
Study procedure internals:
- Analyze iOS application format
- Analyze internals of dynamic library embedding
- Investigate Xcode signing procedure
Implement procedure in GNU/Linux:
- Explore tools already ported
- Write/port new tools
iOS App Store Package (.ipa)
Application Acquisition
Pre iOS 9:
- Get IPA from backup
iOS 9 and later:
- iTunes redownload (Fairplay)
- Clutch
Requirements Clutch:
- Jailbroken iDevice running iOS 9+
Mach-O File Format
Header
- Identifier
- Architecture
- Number of load commands
- Size of load commands
- ...
Load Command region
- Layout and linkage properties
- Inserting a LC_LOAD_DYLIB command
Data region
- Data stored in segments which contain sections
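An added example (not from the slides or the iInject code base): a Python audit of the header and load command region described above, listing every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB entry so that an embedded library can be spotted against a known-good baseline, and recording whether an LC_CODE_SIGNATURE command is present. The sample image, the path `@executable_path/Injected.dylib` and all function names are constructed for illustration.

```python
import struct

# Constants as defined in Apple's open-source mach-o/loader.h
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_CODE_SIGNATURE = 0xC, 0x80000018, 0x1D

def audit_macho(data):
    """Walk the load commands of a thin, little-endian Mach-O image."""
    if len(data) < 28:
        raise ValueError("truncated Mach-O header")
    magic, cputype, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<7I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    off = 32 if magic == MH_MAGIC_64 else 28  # 64-bit header has a reserved word
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load command region runs past end of file")
    dylibs, signed = [], False
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds does not fit in sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command with bad cmdsize")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: cmd, cmdsize, name offset, timestamp, two versions
            name_off = struct.unpack_from("<I", data, off + 8)[0] if cmdsize >= 24 else 0
            if not 24 <= name_off < cmdsize:
                raise ValueError("dylib name offset outside its command")
            name = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            dylibs.append(name.decode("utf-8", "replace"))
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return {"cputype": cputype, "ncmds": ncmds, "sizeofcmds": sizeofcmds,
            "dylibs": dylibs, "signed": signed}

def unexpected_dylibs(report, baseline):
    """Dylibs the binary loads that are absent from a known-good baseline."""
    return [d for d in report["dylibs"] if d not in baseline]

def _dylib_cmd(path):
    # Constructed LC_LOAD_DYLIB command, name padded to an 8-byte multiple
    name = path.encode() + b"\0"
    name += b"\0" * (-(24 + len(name)) % 8)
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name

def build_sample(paths):
    """Constructed arm64 Mach-O: header, dylib commands, empty signature command."""
    cmds = b"".join(_dylib_cmd(p) for p in paths)
    cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(paths) + 1, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    report = audit_macho(build_sample(["/usr/lib/libSystem.B.dylib",
                                       "@executable_path/Injected.dylib"]))
    print(report)
    print(unexpected_dylibs(report, {"/usr/lib/libSystem.B.dylib"}))
```

Fat (multi-architecture) binaries are rejected by the magic check; each architecture slice would have to be audited separately.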
Executable Modification
Open Source Tools (all macOS):
- Node_applesign
- Optool
- Insert_dylib
Port Insert_dylib to GNU/Linux:
- Mach-O headers are open sourced by Apple
- Header files from hogliux/cctools project used
- Changed code to avoid usage of copyfile.h
Application Signing - Background
Mandatory Code Signing
- Integrity of the code
- Identify code source (developer / signer)
- For Apps not signed by Apple, Mobile Provisioning is needed
Mobile Provisioning
- Free Apple Account
- Individual Developer Account
- Enterprise Developer Account
Application Signing - Procedure
Resource files:
- Signature stored in the file _CodeSignature/CodeResources
Mach-O files:
- Signature stored in the file via LC_CODE_SIGNATURE load command
Application Signing - Software
Jtool
- Only signs Mach-O files
- Does not include CodeRequirements in signature
- Closed source
iSign
- Signs complete IPA or app bundle
- Experimental branch needed to sign binaries from scratch
- Open source
Application Deploying - Background
Application Deploying - GNU/Linux
Application Deploying - Software
Cydia Impactor
- Signs & installs IPAs
- Closed source
- GUI tool
- Entitlements do not allow app debugging
iDeviceinstaller
- libimobiledevice utility
- Open source
- Command line tool
Automation
Roadmap
Application acquisition:
- Clutch usage could be automated ⇒ little value added
Provision profile generation:
- Free Apple account ⇒ automation possible, but requires deep analysis of Xcode / Cydia
- Paid Apple Developer account ⇒ automation possible with Fastlane/Spaceship
Conclusion / Discussion
It is possible to automate the embedding process in GNU/Linux using a paid Developer Account, however:
- For free Apple accounts, Xcode access is needed once per week to renew the provisioning profile
- For IPA acquisition, a jailbroken device is needed
iInject is still a proof of concept
- iInject was tested against iOS 10.2.1 and iOS 10.3.2 (non-jailbroken)
- iInject was tested against 9 different IPAs
Questions?
Try it out yourself:
https://github.com/LeanVel/iInject
Bibliography
[1] Apple Support Community. Macintosh virtual machine hosted by Windows. https://discussions.apple.com/thread/5785112?tstart=0, 2014. [Online; accessed 8-June-2017].
[2] Android Open Source Project. Android Security 2015 Year In Review. https://source.android.com/security/reports/Google_Android_Security_2015_Report_Final.pdf, 2016. [Online; accessed 7-June-2017].