Dynamic analysis of iOS apps w/o Jailbreak
2018-04-23
Egor Saltykov, Web & Mobile pentester, Digital Security
© 2002—2017, Digital Security
whoami
• Digital Security, Web & mobile pentester
• BugBounty
• Digital Security Research:
  • Apple / Safari XSS (CVE-2017-7038)
  • Cure53 / DOMPurify Safari XSS
Agenda
• Types of application analysis
• Superuser privileges on mobile
• Graybox pentest
• Jailbreak free iOS app analysis
App analysis
App analysis
• A huge number of mobile devices
• More private information inside
• Proprietary mobile OS, and it is unclear how it works
App analysis: Static / Dynamic
App analysis

Criterion                | Static analysis    | Dynamic analysis
Code vs. data            | Problem            | No problem
Code coverage            | Big (but not all)  | One way
Information about values | No information     | All information
Self-modifying code      | Problem            | No problem
Runtime vulns            | No                 | Yes
Unused code              | Analysis           | No analysis
Autoscan                 | Yes                | No
Programming language     | Not all            | Any
but
Dynamic analysis ❤ root/jb
Dynamic analysis ❤ root
• Android – one-button hack
• Available for every version
• Some vendors have built-in root (e.g. old Meizu, Xiaomi)
Dynamic analysis ❤ jb
• iOS – difficult to hack
• The hack gets harder with each system update
• Applications need frequent rewriting for each new iOS
Root/JB for Pentest
Root for Pentest
• Too many devices
• Too many iOS versions
• Difficult to keep up with fresh versions
<any>box

White        | Gray                         | Black
Input point  | Input point                  | Input point
Output point | Output point                 | Output point
Source code  | Our lib or snippet injection | No source disclosure
Customer developer
• Inject our lines of code (GitHub: /bang590/JSPatch)
• Inject our library
• Build a special test version (SSL-pinning-free version)
How to start dynamic analysis of an iOS app w/o Jailbreak?
Preparations (Step: 0)
• Xcode
• iOS Developer account (paid is better)
• iOS non-jailbroken device
• Decrypted .ipa
• Framework for injection
How to change an iOS binary w/o Jailbreak and start researching it?
• Download .ipa file from device/store
• Decrypt and extract data from .ipa
• Change/inject code into the binary
• Repack .ipa
• Resign binary
• Upload to device
• ???
• Magic
Download .ipa file from store/device (Step: 1)
• From iTunes Store, just download
• From iFunBox (even TestFlight, iOS≤8.3)
• Downgrade .ipa files w/iTunes through request forgery
• Online (danger): ipastore.me
Download old ver. .ipa file (Step: 1.3)
• Run any mitm-proxy tool (Charles/Burp/any..)
• Run iTunes and download the app
• Intercept the request and change the version value in the XML below
• Enjoy the old version
Useful links: Malware wellbeing on iOS; Lifehacker video manual
Extract decrypted .ipa (Step: 2-3)
• From jailbroken device: GitHub: /stefanesser/dumpdecrypted, /KJCracks/Clutch, /easonoutlook/Rasticrac
• From iphonecake.com
• From 4pda.ru
Inject or change data and repack .ipa (Step: 4)
• GitHub: /jamie72/IPAPatch (reveal / cycript)
• GitHub: /vtky/resign (any framework / frida)
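Two things in Steps 2-4 fail silently if they are wrong: the patch tools need a binary that is really decrypted (the cryptid in its LC_ENCRYPTION_INFO load command must be 0), and the only proof that a dylib was injected is a new LC_LOAD_DYLIB entry in the load commands. The script below is an added example in Python (not from the talk, IPAPatch or resign) that reads both straight from the .ipa, so a tester can check a dump before patching and the repacked build after it; the same check lets a developer spot an unexpected dylib in a build found in the wild. It assumes the conventional gadget path @executable_path/Frameworks/FridaGadget.dylib and builds a throwaway Payload/Demo.app in memory instead of touching a real app.

```python
"""Inspect an .ipa around the inject/repack step: is the main executable still
FairPlay-encrypted, and which dylibs does it load (e.g. an injected gadget)?"""
import io
import plistlib
import struct
import zipfile

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O, little-endian (arm64)
MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O (armv7)
FAT_MAGIC = 0xCAFEBABE         # universal binary (big-endian header), thin it first
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def _cstr(data, off):
    """Read a NUL-terminated string starting at `off`."""
    return data[off:data.index(b"\0", off)].decode()


def parse_macho(data):
    """Return {'encrypted': bool|None, 'dylibs': [...]} for one thin Mach-O image."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        raise ValueError("fat binary: thin it to one architecture first (lipo -thin)")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:
        off = 32                   # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                   # sizeof(mach_header)
    else:
        raise ValueError("not a Mach-O image: magic 0x%08x" % magic)
    ncmds = struct.unpack_from("<I", data, 16)[0]
    info = {"encrypted": None, "dylibs": []}   # None: no LC_ENCRYPTION_INFO present
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            info["encrypted"] = struct.unpack_from("<I", data, off + 16)[0] != 0
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: cmd, cmdsize, then the path's lc_str offset (relative to cmd)
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            info["dylibs"].append(_cstr(data, off + name_off))
        off += cmdsize
    return info


def inspect_ipa(ipa_bytes):
    """Find Payload/<App>.app, read Info.plist, parse its CFBundleExecutable."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        plist_name = next(n for n in names if n.startswith("Payload/")
                          and n.count("/") == 2 and n.endswith(".app/Info.plist"))
        app_dir = plist_name.rsplit("/", 1)[0]
        plist = plistlib.loads(z.read(plist_name))
        result = parse_macho(z.read(app_dir + "/" + plist["CFBundleExecutable"]))
        result["bundle_id"] = plist["CFBundleIdentifier"]
        # a resigned build must carry the profile matching the signing identity
        result["has_provisioning_profile"] = app_dir + "/embedded.mobileprovision" in names
    return result


# --- constructed sample data: a stand-in for a real .ipa, not an actual app ---

def _dylib_cmd(path):
    """Build one LC_LOAD_DYLIB command; 64-bit load commands are 8-byte aligned."""
    name = path.encode() + b"\0"
    cmdsize = 24 + len(name)
    cmdsize += (-cmdsize) % 8
    body = struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
    return (body + name).ljust(cmdsize, b"\0")


def build_sample_macho(cryptid, dylibs):
    """Header plus load commands only: enough for the parser, not a runnable binary."""
    cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    for path in dylibs:
        cmds += _dylib_cmd(path)
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2,
                         1 + len(dylibs), len(cmds), 0, 0)
    return header + cmds


def build_sample_ipa(cryptid, dylibs):
    """Constructed Payload/Demo.app with Info.plist, binary and a placeholder profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(
            {"CFBundleExecutable": "Demo", "CFBundleIdentifier": "com.example.demo"}))
        z.writestr("Payload/Demo.app/Demo", build_sample_macho(cryptid, dylibs))
        z.writestr("Payload/Demo.app/embedded.mobileprovision", b"PLACEHOLDER-PROFILE")
    return buf.getvalue()


if __name__ == "__main__":
    uikit = "/System/Library/Frameworks/UIKit.framework/UIKit"
    gadget = "@executable_path/Frameworks/FridaGadget.dylib"   # assumed gadget path
    print("store copy:", inspect_ipa(build_sample_ipa(1, [uikit])))
    print("patched:   ", inspect_ipa(build_sample_ipa(0, [uikit, gadget])))
```

Run it against a real file with `inspect_ipa(open("app.ipa", "rb").read())`; an `encrypted: True` result means the dump from Step 2-3 did not work and injecting into it is pointless, and a gadget path missing from `dylibs` after Step 4 means the patch tool never linked it. The parser deliberately stops at the load commands, so it never needs to understand the rest of the binary.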
What can I put inside the .ipa?
Answer: whatever you want!
Frida
• frida.re
• GitHub: /frida/frida
• Portable, scalable, scriptable
• Inject JS into process
• Can inject a hook into a starting process
• Calling understand
Useful links: ZeroNights'15 workshop; Frida; Objection; Awesome Frida (examples)
Cycript
• www.cycript.org
• GitHub: /nowsecure/frida-cycript
• Injects into a process and lets you manipulate the runtime from an interactive console
• Supports Objective-C and JS
Useful links: Manual; Cycript @ 360|iDev 2013
Reveal
• revealapp.com
• Design inspection
• Supports even TV and Watch
• More for UI/UX debugging
Cydia Substrate
• cydiasubstrate.com
• apt.saurik.com/debs/mobilesubstrate_0.9.6301_iphoneos-arm.deb
• Modify app w/o source code
• Provides an API for manipulation
• Functioning depends on the iOS version
Resign .ipa (Step: 5)
• GitHub: /nowsecure/node-applesign
• GitHub: /DanTheMan827/ios-app-signer
• Xcode w/dev account
Upload .ipa to iOS device (Step: 6)
• Xcode (free Developer Account)
• Impactor (any AppleID)
• iFunBox (iOS≤8.3)
• JB: GitHub: /autopear/ipainstaller
+ exec own code (Step: pwn)
Press “X” to Hack
• Write your code & exec it on the iOS device
• Connect to the device and control your app
One-slide-schema
Demo
Thank you! Questions?
@ansjdnakjdnajkd
Digital Security in Moscow: (495) 223-07-86; Digital Security in Saint-Petersburg: (812) 703-15-47