October 19, 2017 at 11:11Dynamic analysis of iOS applications without Jailbreak
In the framework of this article, we want to share our experience in solving some problems related to the analysis of the security of iOS applications. The review will be subject to the condition that we do not have an iOS device with JailBreak on board.
We begin our dive with the types of analysis and their small comparison. Static analysis allows you to identify a large number of problems: from the left account data to various kinds of “bookmarks” and vulnerabilities. Speaking about iOS-applications, we note that IDA Pro, Hopper Disassembler, MobSF or Radare2 will be useful in this matter. An advantage of the approach is the ability to scan files, code, including code that is not used, with its relatively full coverage.
Dynamic analysis helps to find out how the application behaves directly during operation / execution, for example, to study the state of a program at one or another moment of execution (contents of memory, registers, value of variables), to study the logic of work, etc.
Using these two approaches allows us to conduct the most qualitative work on the analysis of the application, cover the entire attack-surface and find the maximum possible number of errors and vulnerabilities.
Dynamic analysis of mobile applications is not possible without a device or, in the worst case, an emulator. Real devices are almost always preferable (if there is no great need for any parallelization of the task). But the presence of a real device is more expensive for the researcher himself ... It also requires a simple ability to install your own applications and tools on the device for analyzing applications.
Exploring Android applications, you can often even get by with the old and cheap version of the device or an emulator in a development environment. On Android, there is a simple opportunity to increase the user's privileges, in other words, “get root access”, for installing your own tools and applications on it. On the old devices of the Chinese brothers, there was even a switch in the settings at one time for obtaining superuser privileges in one click / tap. On a personal device used every day, root can, in inept hands, significantly weaken the security of the system and cause malware infection, so we do not recommend this. But in the framework of laboratory research, this is a necessary thing, allowing to accelerate and improve the course of research.
When conducting a security audit of iOS applications, some additional points appear:
Previously, when the first iPhone was just released, it was hacked a few days after the release. A fairly low level of security remained until the fourth version of the operating system: the researchers created extensions (tweak), made their iOS builds and append applications. Over time, Apple has changed its approach to security and significantly strengthened the protection of the system, also adding some of the most popular features created for Jailbreak devices in its updates. For example, the Control Center was initially a tweak, and later became an embedded component of iOS. Each new release of the system increased the time for finding and exploiting vulnerabilities, changing the API and the availability of the function along the way (moving some to Private and some to Public). These and many other changes made life difficult for tweak 'developers s (add-ons for the system) and applications, forcing to update their offspring with new APIs and functions, as well as security researchers. The increased protection of devices was also influenced by close attention to the platform of “bad guys”, special services and all those who would like to access your data on the device. So, today the price of a remote JailBreak for iOS reaches $ 1.5 million.
Time passed, and many who were at the origins of the creation of JailBreak were hired by information security companies, Apple itself , or began to sell vulnerabilities to various individuals without publishing and creating public JailBreak. All this (increasing the level of platform security and the outflow of vulnerabilities to the market) led to the fact that public JailBreaks began to appear less and less.
At the moment, the latest current version of iOS suitable for using Jailbreak is iOS 10.2 . All other versions of iOS10.2.1–11 do not yet have confirmation, and numerous tweets do not contain anything other than videos or photos / screenshots. It turns out that in order to conduct a security audit on the device, many factors must be fulfilled, and the presence of the actual JailBreak becomes a stumbling block.
Now, gradually, we will move on to the main topic of the article. So, by and large, there are three types of analysis of applications / systems:
Carrying out this kind of research requires some preparation of the researcher and setting up the environment, so the steps in the form of a manual necessary for the implementation of the plan will be described below. It is important to note that some steps may be skipped, for example, if you use an Xcode project (signing, delivery to the device, etc.).
Step 0. Preparation
In order to start the study, it is necessary to observe some simple conditions regarding the environment:
Step 1. Extracting the .ipa file
In order to get the necessary IPA file for analysis, there are several ways:
Buying an application in the AppStore from iTunes.app allows you to get the attached .ipa file to the AppleID of the buyer, this limits the possibility of modification, but allows static analysis of the binary file. The iTunes.app version limitation is due to the latest app updates: Apple has removed the AppStore section .
An application for managing the file system of iOS devices. Full functionality is available only on devices with iOS version no higher than iOS 8.3.
This is possible thanks to the use of any application that allows you to redirect traffic through yourself (Charles Proxy, Burp, ..). Then you need to start iTunes and download the selected application. Then, intercepting the request, change the assembly number necessary for downloading in the package XML file and continue execution. You can read more about this here and see here .
Sites and forums with applications available for downloading without binding to AppleID and allowing the necessary manipulations to join frameworks are the
best solution, but you need to be careful with banking applications :)
Step 2-3. Data extraction and decryption of .ipa
Here there will be a small deviation from the rules when JailBreak may be required - for the step of obtaining the decrypted .ipa file. This applies, first of all, to those applications that are not accessible through the AppStore (for example, “special assemblies” or TestFlight). Obtaining the decrypted file is necessary for assembling the modified binar without binding to the owner's AppleID. To do this, you can use the applications for JailBreak devices (for example, ask to unload a friend :)
Or, if it is a publicly available application, download from resources such as:
Step 4. Adding a framework
One of the most convenient ways to add a framework to an .ipa file is to use the Xcode project. There are many projects on GitHub, but I wanted to highlight a couple, in our opinion, the most successful, efficient and intuitive.
In the first case, there is a demo in which you only need to replace the .ipa file of interest and compile the application, in the second case, drag and drop the .ipa file and the framework that you need to attach. The convenience of the first project is that in addition to introducing the library, the researcher can add his own code, which will work after launch.
Answer: Whatever your heart desires! But from the point of view of security analysis of the application, we can recommend the use of the following ready-made frameworks:
Frida ( GitHub: / frida / frida )
One of the few frameworks that is actively developing today and allows you to implement JS code inside the process, track application launch and patch it before the process end of download. Its advantages are easy extensibility for tasks, the ability to script actions and a convenient client. By adding only the Frida gadget to the project, without even doing anything, it is already possible to find out what calls are happening inside the program and later apply this in static analysis (r2 + frida).
Useful links for this project:
Cycript ( www.cycript.org / GitHub: / nowsecure / frida-cycript )
Similar in functionality to the Frida framework, it allows you to integrate into processes and manipulate environment variables and memory through an interactive console. It supports not only Javascript, but also Objective-C.
Useful links for this project:
CydiaSubstrate ( cydiasubstrate.com / mobilesubstrate_iphoneos-arm.deb )
The legendary framework from Saurik itself, which allows you to modify the application without source code, manipulate the API and twist and twist the application in any way without the source. But at the moment, it has not been updated for quite some time, and it should be used exclusively at your own peril and risk. In addition, the development of iOS introduces changes to the API, so in some versions of iOS it can be completely useless.
Reveal ( revealapp.com )
The most non-standard of this set of frameworks. It is more suitable for the UI / UX sphere and studying the design of interfaces for the presence of hidden fields, attached objects, and so on. The pluses are support for TV and Watch.
Step 5. Signature of the application The
application cannot be installed on the smartphone without the appropriate signature of the developer (do not forget that we have the device without JailBreak). If we do not use Xcode, which itself automatically picks up certificates, then we can do this manually using one of the tools:
They both do their job very well and on the way out we get an application correctly re-signed with our certificate.
Step 6. Delivery to the device
Using Xcode projects and the device after selecting the target, the application will automatically be delivered and launched on the smartphone. If the output contains only an .ipa file, the following utilities will help to install it:
If very briefly, then a diagram with a description of each step and utilities that help to take each step is as follows:
And finally, a couple of demos of how it all looks in a bunch:
Demo 1
Description : The
project is being assembled from the "decrypted" .ipa FaceTune together with FridaGadget. Running it and Frida, call tracking.
Demo 2
Description :
Assembling a project from Demo 1, launching the Objection add-on with Frida and viewing the contents of the application folder, calling Alerts, reading the contents of Keychain.
This work was presented a little earlier at VolgaCTF'17, and the slides from the report can be viewed here .
Thanks for the help in preparation thanks d1g1
UPD:
Thanks ZonD80
Static Analysis vs. dynamic analysis
We begin our dive with the types of analysis and their small comparison. Static analysis allows you to identify a large number of problems: from the left account data to various kinds of “bookmarks” and vulnerabilities. Speaking about iOS-applications, we note that IDA Pro, Hopper Disassembler, MobSF or Radare2 will be useful in this matter. An advantage of the approach is the ability to scan files, code, including code that is not used, with its relatively full coverage.
Dynamic analysis helps to find out how the application behaves directly during operation / execution, for example, to study the state of a program at one or another moment of execution (contents of memory, registers, value of variables), to study the logic of work, etc.
Using these two approaches allows us to conduct the most qualitative work on the analysis of the application, cover the entire attack-surface and find the maximum possible number of errors and vulnerabilities.
| Criteria | Static analysis | Dynamic analysis |
|---|---|---|
| Code vs. Data | Problems | No problems |
| Code coverage | Large (but not all) | One way |
| Value Data | No information | All information |
| Self Modifying Code | Problems | No problems |
| Runtime Vulnerabilities | Not | Yes |
| Unused code | Analyzed | Not analyzed |
Dynamic analysis
Dynamic analysis of mobile applications is not possible without a device or, in the worst case, an emulator. Real devices are almost always preferable (if there is no great need for any parallelization of the task). But the presence of a real device is more expensive for the researcher himself ... It also requires a simple ability to install your own applications and tools on the device for analyzing applications.
Android situation
Exploring Android applications, you can often even get by with the old and cheap version of the device or an emulator in a development environment. On Android, there is a simple opportunity to increase the user's privileges, in other words, “get root access”, for installing your own tools and applications on it. On the old devices of the Chinese brothers, there was even a switch in the settings at one time for obtaining superuser privileges in one click / tap. On a personal device used every day, root can, in inept hands, significantly weaken the security of the system and cause malware infection, so we do not recommend this. But in the framework of laboratory research, this is a necessary thing, allowing to accelerate and improve the course of research.
IOS situation
When conducting a security audit of iOS applications, some additional points appear:
- The cost of the device is not the lowest. But a separate device is definitely needed - do not use the same personal device
- Device version - old phones are not suitable. Often, the latest features are needed, including Force Touch / Touch ID / ..
- The type of device - phone, tablet, clock - all this plays an important role in the analysis (we have seen cases where the vulnerability in the same application was present only in the version for a certain type of device)
- Relevance of the iOS version - The iOS API is constantly evolving, and for quality analysis, the analysis itself must be carried out on the latest version of iOS
- The presence of JailBreak on the device - to install their applications and tools, taking into account all of the above
Jailbreak
Previously, when the first iPhone was just released, it was hacked a few days after the release. A fairly low level of security remained until the fourth version of the operating system: the researchers created extensions (tweak), made their iOS builds and append applications. Over time, Apple has changed its approach to security and significantly strengthened the protection of the system, also adding some of the most popular features created for Jailbreak devices in its updates. For example, the Control Center was initially a tweak, and later became an embedded component of iOS. Each new release of the system increased the time for finding and exploiting vulnerabilities, changing the API and the availability of the function along the way (moving some to Private and some to Public). These and many other changes made life difficult for tweak 'developers s (add-ons for the system) and applications, forcing to update their offspring with new APIs and functions, as well as security researchers. The increased protection of devices was also influenced by close attention to the platform of “bad guys”, special services and all those who would like to access your data on the device. So, today the price of a remote JailBreak for iOS reaches $ 1.5 million.
Time passed, and many who were at the origins of the creation of JailBreak were hired by information security companies, Apple itself , or began to sell vulnerabilities to various individuals without publishing and creating public JailBreak. All this (increasing the level of platform security and the outflow of vulnerabilities to the market) led to the fact that public JailBreaks began to appear less and less.
At the moment, the latest current version of iOS suitable for using Jailbreak is iOS 10.2 . All other versions of iOS10.2.1–11 do not yet have confirmation, and numerous tweets do not contain anything other than videos or photos / screenshots. It turns out that in order to conduct a security audit on the device, many factors must be fulfilled, and the presence of the actual JailBreak becomes a stumbling block.
A small digression
At the Tencent Security Summit 2017 conference, researcher Chris Wade presented a project for the full virtualization of iPhone 6. It is not public and it is not yet known how and when it will appear for a wide audience. But definitely, this is a very big step forward for many areas related to iOS.
one two three
IOS Application Security Analysis
Now, gradually, we will move on to the main topic of the article. So, by and large, there are three types of analysis of applications / systems:
- WhiteBox - as part of this type of work, the customer provides all the information about the application: source code, documentation, etc. And here we are free to do with the application ourselves, anything - modify, assemble, run, analyze, etc. on any available device, even without JailBreak.
- GrayBox - in this situation, the customer does not provide the source code of his application for one reason or another, but can make a special assembly of his application for analysis. For example, with all debugging messages and functions turned on, SSL pinning turned off, and with our own libraries inside, which simplify the analysis of the application (more on them later). Such an assembly runs without problems on a device without JailBreak.
- BlackBox is a model that fully reflects the situation with a real attacker who does not have any additional information about the application and the ability to influence its assembly. Here we just go to the application distribution store, download one of them and then try to do something with it. Here it is possible that the customer wants to work in such a model of the intruder, and the participation of some developer in the BugBounty program. This is where the problem arises when dynamically exploring applications, because, in theory, you can’t do without JailBreak ...
Dynamic security study of iOS applications without Jailbreak
Carrying out this kind of research requires some preparation of the researcher and setting up the environment, so the steps in the form of a manual necessary for the implementation of the plan will be described below. It is important to note that some steps may be skipped, for example, if you use an Xcode project (signing, delivery to the device, etc.).
Step 0. Preparation
In order to start the study, it is necessary to observe some simple conditions regarding the environment:
- macOS with Xcode
- Apple Developer Account
- iOS device without JailBreak
- Decrypted .ipa file of the studied application
- The framework to be added to the application
Step 1. Extracting the .ipa file
In order to get the necessary IPA file for analysis, there are several ways:
- From iTunes (iTunes <12.7.X +)
Buying an application in the AppStore from iTunes.app allows you to get the attached .ipa file to the AppleID of the buyer, this limits the possibility of modification, but allows static analysis of the binary file. The iTunes.app version limitation is due to the latest app updates: Apple has removed the AppStore section .
- iFunBox, even TestFlight (iOS≤8.3)
An application for managing the file system of iOS devices. Full functionality is available only on devices with iOS version no higher than iOS 8.3.
- Download the old version of the .ipa file from iTunes (iTunes <12.7.X +)
This is possible thanks to the use of any application that allows you to redirect traffic through yourself (Charles Proxy, Burp, ..). Then you need to start iTunes and download the selected application. Then, intercepting the request, change the assembly number necessary for downloading in the package XML file and continue execution. You can read more about this here and see here .
- Online, for example, with ipastore.me or w3bsit3-dns.com (here it is immediately decrypted)
Sites and forums with applications available for downloading without binding to AppleID and allowing the necessary manipulations to join frameworks are the
best solution, but you need to be careful with banking applications :)
Step 2-3. Data extraction and decryption of .ipa
Here there will be a small deviation from the rules when JailBreak may be required - for the step of obtaining the decrypted .ipa file. This applies, first of all, to those applications that are not accessible through the AppStore (for example, “special assemblies” or TestFlight). Obtaining the decrypted file is necessary for assembling the modified binar without binding to the owner's AppleID. To do this, you can use the applications for JailBreak devices (for example, ask to unload a friend :)
Or, if it is a publicly available application, download from resources such as:
Step 4. Adding a framework
One of the most convenient ways to add a framework to an .ipa file is to use the Xcode project. There are many projects on GitHub, but I wanted to highlight a couple, in our opinion, the most successful, efficient and intuitive.
- GitHub: / jamie72 / IPAPatch (ideal for reveal / cycript)
- GitHub: / vtky / resign (ideal for frida / etc ..)
In the first case, there is a demo in which you only need to replace the .ipa file of interest and compile the application, in the second case, drag and drop the .ipa file and the framework that you need to attach. The convenience of the first project is that in addition to introducing the library, the researcher can add his own code, which will work after launch.
What can I put inside an .ipa file?
Answer: Whatever your heart desires! But from the point of view of security analysis of the application, we can recommend the use of the following ready-made frameworks:
Frida ( GitHub: / frida / frida )
One of the few frameworks that is actively developing today and allows you to implement JS code inside the process, track application launch and patch it before the process end of download. Its advantages are easy extensibility for tasks, the ability to script actions and a convenient client. By adding only the Frida gadget to the project, without even doing anything, it is already possible to find out what calls are happening inside the program and later apply this in static analysis (r2 + frida).
Useful links for this project:
Cycript ( www.cycript.org / GitHub: / nowsecure / frida-cycript )
Similar in functionality to the Frida framework, it allows you to integrate into processes and manipulate environment variables and memory through an interactive console. It supports not only Javascript, but also Objective-C.
Useful links for this project:
CydiaSubstrate ( cydiasubstrate.com / mobilesubstrate_iphoneos-arm.deb )
The legendary framework from Saurik itself, which allows you to modify the application without source code, manipulate the API and twist and twist the application in any way without the source. But at the moment, it has not been updated for quite some time, and it should be used exclusively at your own peril and risk. In addition, the development of iOS introduces changes to the API, so in some versions of iOS it can be completely useless.
Reveal ( revealapp.com )
The most non-standard of this set of frameworks. It is more suitable for the UI / UX sphere and studying the design of interfaces for the presence of hidden fields, attached objects, and so on. The pluses are support for TV and Watch.
Step 5. Signature of the application The
application cannot be installed on the smartphone without the appropriate signature of the developer (do not forget that we have the device without JailBreak). If we do not use Xcode, which itself automatically picks up certificates, then we can do this manually using one of the tools:
They both do their job very well and on the way out we get an application correctly re-signed with our certificate.
Step 6. Delivery to the device
Using Xcode projects and the device after selecting the target, the application will automatically be delivered and launched on the smartphone. If the output contains only an .ipa file, the following utilities will help to install it:
If very briefly, then a diagram with a description of each step and utilities that help to take each step is as follows:
And finally, a couple of demos of how it all looks in a bunch:
Demo 1
Description : The
project is being assembled from the "decrypted" .ipa FaceTune together with FridaGadget. Running it and Frida, call tracking.
Demo 2
Description :
Assembling a project from Demo 1, launching the Objection add-on with Frida and viewing the contents of the application folder, calling Alerts, reading the contents of Keychain.
This work was presented a little earlier at VolgaCTF'17, and the slides from the report can be viewed here .
Thanks for the help in preparation thanks d1g1
UPD:
appdb.store - allows you to sign applications online and for free if you attach your developer account. You can also download decrypted binaries from there.
Thanks ZonD80