Adventures in IOSland – Analyzing IOS Apps

Sunday, April 21st, 2013 @ 1:05 pm | Security

So I’ve been spending a lot of time reversing IOS apps and trying to secure them. In my hunt for bugs, I’ve used your standard set of tools and processes on a jail-broken iPhone. They of course include (in no specific order):

Burp – Standard HTTP(s) Proxy
Cycript – Interpreter that combines ObjC syntax with JavaScript and allows us to connect to an existing process and play with App live
Class-Dump-Z – Extract Obj-c runtine information from Mach-o Files
Mallory – Proxy (hard to use, but great tool!)
otool – Recovering Unencrypted Binaries & Finding Libraries
GDB – Recovering Unencrypted Binaries
Craculous – Create unencrypted binary
lipo – Thin IOS Binaries
IDA Pro – Static Analysis
SQLite Browser – See Sql files
Plist Editor – Read plist files

So this was all pretty standard. For most of the traffic, I just modified the host file on the IOS device, pushed HTTP traffic through Burp Suite Pro, and attacked the application (Mallory for non-HTTP traffic). For static analysis, I grabbed the unencrypted binary, pulled the classes, and the strings. This whole process took a while and there was no easy way to view all this data.

That’s when I ran into an article from Hack in the Box 2013 (http://conference.hitb.org/hitbsecconf2013ams/materials/D2T2%20-%20Chilik%20Tamir%20-%20iAnalyzer%20-%20No%20More%20Blackbox%20iOS%20Analysis.pdf), I thought I’d give it a try.

iNalyzer (https://appsec-labs.com/iNalyzer)

iNalyzer is a great testing framework for IOS applications. There is already a bunch of documentation and videos from the developer, but I thought I’d just give my experiences. I will not disclose any vulnerabilities, but show the processes and some high level findings. I picked up a random application from the appstore and just showed what it could do. From there it’s up to you…

Installation is pretty simple. Take your jail broken device and in Cydia add a source repository for http://appsec-labs.com/cydia. Once complete, look at the packages and you’ll see the newest version of iNalyzer.

Once it’s installed, you’ll see the icon on your IOS device and if you click on it you should see the numbers 5544 on top of it. Go to your web browser on a system on that same network (http://[IP of the Device]:5544) and you should connect to the iNalyzer application.

  Reverse0

So I followed the instructions, dropped down into the app I wanted to reverse, and clicked Package. This gave me a zip file which I extracted. Inside that folder, I opened up the file [appname]/Payload/Doxygen/dox.template with Doxygen. Once Doxygen did it’s thing, it created another folder inside Doxygen called html. If you opened up the index.html file inside the html folder, this is where all the goodies were stored.

Here is Doxygen creating the html files:

Reverse1

The analysis is broken down into a few different categories [Strings, ViewControllers, Info.Plist Contents, Embeded Strings, Classes, and Files]. So what this tool did was first decrypted the binary, ran strings, pulled all the classes/functions, sorted it, and striped out all the files for analysis. What a time saver…

Once you open up the index.html page, this is what you’ll see:

Reverse2

Remember when you had to use otool to pull out all the functions out of IOS apps? Now this makes it almost too easy…

Reverse3

So as I stated before, I won’t disclose any bugs here, but what are some funny things I saw. There were a lot of functions about easter (easter eggs?) and check for winners… interesting. Also, now with the functions list, your can do some real cool stuff with cycript to modify actions live in the app.

Examples of interesting strings within the App.

Reverse6

SQLite databases:

Reverse4

So, I had some problems running the tool with some of my custom applications I was testing. After contacting the developer, I found out that you do have the ability to run these manually by running (ssh’ed in the IOS device): ./iNalyzer5 –direct [Application].

Reverse8

So let me know how it all goes and happy hacking.

-Peter

 

Recently

  • The Hacker Playbook 2!
  • Password Cracking for Fun and Profit
  • The Hacker Playbook
  • Drop Box on the Cheap
  • Adventures in IOSland – Analyzing IOS Apps
  • Hiding Your Shells
  • DEFCON XX
  • AntiVirus – Now You See Me, Now You Don’t
  • Don’t Stick That in There – HID (Human Interface Device)
  • Doppelganging Your SSH Server
  •  

    Comments are closed.