Breaking iOS Apps with Cycript
Satish Bommisetty

Upload: nu-the-open-security-community

Posted on 09-Jun-2015


Description: null Hyderabad Chapter - June 2013 Meet

TRANSCRIPT

Page 1: Breaking iOS Apps using Cycript

BREAKING IOS APPS WITH CYCRIPT

Satish Bommisetty

Page 2: Breaking iOS Apps using Cycript

Agenda

- Objective C Basics
- iOS App Architecture
- Decrypting iOS Apps
- Breaking apps with Cycript

Page 3: Breaking iOS Apps using Cycript

Native iOS Applications

- Objective C code
- Developed in Xcode

Page 4: Breaking iOS Apps using Cycript

Objective C Basics

- Objective C lies on top of the C language
- Interface file (.h)

    @interface Car : NSObject {
        float fillLevel;
    }
    - (void)addGas;
    @end

- Implementation file (.m)

    @implementation Car
    - (void)addGas {
    }
    @end

Page 5: Breaking iOS Apps using Cycript

Objective C Basics

- Methods: pass messages
- C++
    - Object->Method(param1, param2)
- Objective-C
    - [Object method:param1 param2name:param2]

Page 6: Breaking iOS Apps using Cycript

iOS App Architecture

- iOS App

Page 7: Breaking iOS Apps using Cycript

iOS App Architecture

- Mach-O format
    - Header
        - Target architecture
    - Load commands
        - Location of symbol table
        - Shared libraries
    - Data
        - Organized in segments

Page 8: Breaking iOS Apps using Cycript

iOS App Architecture

- Header can be viewed using otool
    - otool -h Binary
    - CPU type/subtype 12/6 = ARMv6
    - CPU type/subtype 12/9 = ARMv7

Page 9: Breaking iOS Apps using Cycript

iOS App Architecture

- Load commands can be viewed using otool
    - otool -l Binary

Page 10: Breaking iOS Apps using Cycript

Decrypting iOS Apps

- App Store binaries are encrypted
    - Protects from piracy
    - Similar to the FairPlay DRM used on iTunes music
- Self-distributed apps are not encrypted
- The loader decrypts the app when it is loaded into memory
- A debugger can be used to dump the decrypted app from memory
- Tools are available: Craculous, Clutch, Installous
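The slides describe the Mach-O header (target architecture), the load commands (symbol table location, shared libraries) and the fact that App Store binaries are encrypted; the following Python is an added example, not code from the slides or from the otool/Cycript projects, that reads the same fields otool -h and otool -l print. It uses only the standard library and the constants from Apple's mach-o/loader.h; the tiny ARMv7 image it parses is constructed inline (no real code, just a header and four load commands) and is labelled as such. The cryptid field of LC_ENCRYPTION_INFO is what tells you whether a binary on disk is still FairPlay-encrypted, which is the check a release engineer wants before shipping or archiving a build.

```python
import struct
import sys

# Constants from <mach-o/loader.h> and <mach/machine.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC_BE = b"\xca\xfe\xba\xbe"          # universal ("fat") binary, big-endian magic
CPU_TYPE_ARM, CPU_ARCH_ABI64 = 12, 0x01000000
LC_SEGMENT, LC_SYMTAB, LC_LOAD_DYLIB = 0x01, 0x02, 0x0C
LC_SEGMENT_64, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x19, 0x21, 0x2C
ARM_SUBTYPES = {6: "ARMv6", 9: "ARMv7"}     # the two cpusubtype values the slides list


def arch_name(cputype, cpusubtype):
    """Map cputype/cpusubtype to the architecture name otool -h lets you infer."""
    if cputype == CPU_TYPE_ARM:
        return ARM_SUBTYPES.get(cpusubtype, "ARM subtype %d" % cpusubtype)
    if cputype == CPU_TYPE_ARM | CPU_ARCH_ABI64:
        return "ARM64"
    return "cputype %d/%d" % (cputype, cpusubtype)


def parse_header(data):
    """Read the mach_header (28 bytes) or mach_header_64 (32 bytes, extra reserved word)."""
    if data[:4] == FAT_MAGIC_BE:
        raise ValueError("fat binary: extract one architecture slice first")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        size = 28
    elif magic == MH_MAGIC_64:
        size = 32
    else:
        raise ValueError("not a little-endian Mach-O image: magic 0x%08x" % magic)
    _, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<7I", data, 0)
    return {"cputype": cputype, "cpusubtype": cpusubtype & 0x00FFFFFF,  # mask capability bits
            "filetype": filetype, "ncmds": ncmds, "sizeofcmds": sizeofcmds,
            "flags": flags, "header_size": size}


def parse_load_commands(data, header):
    """Walk the load commands that follow the header, decoding the ones the slides mention."""
    off, cmds = header["header_size"], []
    end = header["header_size"] + header["sizeofcmds"]
    for _ in range(header["ncmds"]):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        entry = {"cmd": cmd, "offset": off}
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            entry["segname"] = data[off + 8:off + 24].rstrip(b"\0").decode("ascii")
        elif cmd == LC_SYMTAB:                       # where the symbol table lives in the file
            entry["symoff"], entry["nsyms"], entry["stroff"], entry["strsize"] = \
                struct.unpack_from("<4I", data, off + 8)
        elif cmd == LC_LOAD_DYLIB:                   # a shared library the loader must map
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # lc_str offset, command-relative
            entry["dylib"] = data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode("utf-8")
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            entry["cryptoff"], entry["cryptsize"], entry["cryptid"] = \
                struct.unpack_from("<3I", data, off + 8)
        cmds.append(entry)
        off += cmdsize
    return cmds


def summarize(data):
    header = parse_header(data)
    cmds = parse_load_commands(data, header)
    symtab = [c for c in cmds if c["cmd"] == LC_SYMTAB]
    return {
        "arch": arch_name(header["cputype"], header["cpusubtype"]),
        "ncmds": header["ncmds"],
        "segments": [c["segname"] for c in cmds if "segname" in c],
        "dylibs": [c["dylib"] for c in cmds if "dylib" in c],
        "symtab": (symtab[0]["symoff"], symtab[0]["nsyms"]) if symtab else None,
        # cryptid != 0 means the covered range is still encrypted on disk
        "encrypted": any(c.get("cryptid", 0) != 0 for c in cmds),
    }


def build_sample(cryptid=1):
    """Constructed minimal 32-bit ARMv7 MH_EXECUTE image: header plus four load commands, no code."""
    seg = struct.pack("<II16s8I", LC_SEGMENT, 56, b"__TEXT",
                      0x1000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, 0x2000, 10, 0x2100, 0x100)
    name = b"/usr/lib/libSystem.B.dylib\0"
    name += b"\0" * (-len(name) % 4)                # lc_str payload is padded to 4 bytes
    dylib = struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    cmds = seg + symtab + dylib + enc
    header = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 4, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    # Pass a thin Mach-O file to inspect it; without an argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(summarize(blob))
```

Fat binaries are rejected on purpose: a universal file starts with a big-endian fat_header and a table of slices, each of which is a separate Mach-O image, so split it first (lipo -thin) and run the parser on the slice. The "encrypted" flag is the same fact otool -l shows under LC_ENCRYPTION_INFO as cryptid.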

Page 11: Breaking iOS Apps using Cycript

Cycript

- Combination of a JavaScript and Objective-C interpreter
- App runtime can be easily modified using Cycript
- Can be hooked to a running process
- Gives access to all classes and instance variables within the app
- Used for runtime analysis
    - Bypass security locks
    - Access sensitive information from memory
    - Authentication bypass attacks
    - Accessing restricted areas of the application

Page 12: Breaking iOS Apps using Cycript

Class-dump-z

- Use class-dump-z on the decrypted binary and map the application
- Retrieve class declarations
- Analyze the class-dump output and identify the interesting class
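The slide says to analyze the class-dump output and find the interesting classes; the following Python is an added example (not part of the slides, and not a tool from the class-dump-z project) of doing that mechanically. It parses the @interface blocks that class-dump-z emits into classes, superclasses, instance variables and selectors, then flags identifiers whose names suggest credentials or session material held in instance variables, which is exactly what a runtime tool attached to the process can read, so an app team can review its own dump before release. The sample dump is constructed here and the keyword list is an assumption; real output will contain many more classes and some declarations (blocks, categories) this small regex does not cover.

```python
import re

# Constructed sample in class-dump-z style (not output from any real app)
SAMPLE_DUMP = """\
@interface LoginViewController : UIViewController <UITextFieldDelegate> {
    UITextField *_usernameField;
    UITextField *_passwordField;
    NSString *_sessionToken;
}
- (BOOL)validateCredentials:(NSString *)user password:(NSString *)pass;
- (void)dismissKeyboard;
@end

@interface SettingsStore : NSObject {
    NSUserDefaults *_defaults;
}
+ (id)sharedStore;
- (BOOL)isPinLockEnabled;
@end
"""

# @interface Name : Super <Protocols> { ivars } methods @end  (ivar block is optional)
INTERFACE_RE = re.compile(
    r"@interface\s+(\w+)\s*:\s*(\w+)\s*(?:<[^>]*>)?\s*(?:\{(.*?)\})?(.*?)@end", re.S)
IVAR_RE = re.compile(r"(\w+)\s*;")                                   # last word before ';' is the ivar name
METHOD_RE = re.compile(r"^\s*([-+])\s*\([^)]*\)\s*(.*?);\s*$", re.M)  # kind, declaration after return type
ARG_RE = re.compile(r"(\w+):\s*\([^)]*\)\s*\w+")                     # selector piece, type, argument name
SENSITIVE = ("password", "passcode", "pin", "token", "secret", "credential")  # assumed keyword list


def selector_of(decl):
    """'validateCredentials:(NSString *)user password:(NSString *)pass' -> 'validateCredentials:password:'"""
    parts = ARG_RE.findall(decl)
    return "".join(p + ":" for p in parts) if parts else decl.strip()


def parse_class_dump(text):
    """Return {class: {"super": name, "ivars": [...], "methods": ["-sel:", "+sel", ...]}}."""
    classes = {}
    for name, superclass, ivar_block, body in INTERFACE_RE.findall(text):
        ivars = IVAR_RE.findall(ivar_block) if ivar_block else []
        methods = [kind + selector_of(decl) for kind, decl in METHOD_RE.findall(body)]
        classes[name] = {"super": superclass, "ivars": ivars, "methods": methods}
    return classes


def flag_sensitive(classes, keywords=SENSITIVE):
    """List (class, kind, identifier) triples whose name contains a sensitive keyword."""
    findings = []
    for name, info in classes.items():
        for ivar in info["ivars"]:
            if any(k in ivar.lower() for k in keywords):
                findings.append((name, "ivar", ivar))
        for method in info["methods"]:
            if any(k in method.lower() for k in keywords):
                findings.append((name, "method", method))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a class-dump-z output file to audit it; without an argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for cls, kind, ident in flag_sensitive(parse_class_dump(text)):
        print("%-24s %-7s %s" % (cls, kind, ident))
```

Every ivar this reports is state that lives in the process and can be read by anything that attaches to it; the defensive follow-up is to keep such values out of long-lived instance variables (clear them after use, keep tokens in the keychain rather than in a view controller) so that a memory dump or runtime hook finds less.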

Page 13: Breaking iOS Apps using Cycript

iOS App Execution Flow

- iOS app centralized point of control (MVC): the UIApplication class

Page 14: Breaking iOS Apps using Cycript

Breaking iOS Apps

- Create an object for the class, then directly access its instance variables and invoke its methods
- Existing methods can be overridden easily

Page 15: Breaking iOS Apps using Cycript