iOS Runtime Hacking Crash Course

so just to start off a little bit about myself my name is michael jenna raucous if you can't tell from my accent I'm from Australia I started a company recently asset known not gonna talk about it cuz it's not this kind of not that kind of con but if you want to chat to me about it afterwards that's cool before that I was the director of spider labs in Asia PAC spoken a bunch of conferences before mostly on mobile stuff around the way I also organized a much more disorganized conference than this in Australia called Tuscon and also local meetup in Brisbane and for anybody who's part of duck sec i am a flat tuck enthusiast i have a few

beers and i'll tell you about that cool so just a bit of an overview of what we're going to talk about today and and really where this talk is coming from so it's just a bit of a crash course into messing with the runtime of iOS applications mostly for like pen testing and bug bounty purposes right I did a similar presentation at a local conference in Brisbane a few years ago but what has really changed in sense so you know the big one obviously is Swift was introduced and you know that's changed a lot of things Apple has pushed 64-bit only as well so I forget which exact iOS version they stop supporting 32-bit apps but you know

they don't anymore there's also been a rise in sort of cross-platform frameworks so-so frameworks that allow you to develop in a particular language and then access native functionality across multiple platforms without having to write separate native apps and the tooling has evolved and we'll discuss in the presentation it's also in some areas not really kept up so it's really just an updated presentation if you've seen that one before online or whatever it is an updated presentation to cover cover this it's focused on iOS app testing so like Nomad iOS con holiday sorry I wouldn't be presenting it to you probably if I had that cool so setting up your environment so I go into too much detail about this but

there are putting of guides on the Internet and because we've got limited time I honestly haven't signed this talk I was working all night on it so we'll see how we go but the main tools that you will need and we'll cover it in the presentation it's obviously a jailbroken device currently up to iOS 11.3 I believe can be jailbroken you know some things you can do on a gel device it's not as easy and this is not straightforward and you can't do it many things but but yeah for the purpose of this presentation we'll be using a jailbroken device terms of some of the tools that we'll be using freida script mobile substrate class

time ssh disassembler of some kind essentially all you need there's a bunch of recent tools that are really good so like objection by by sense post and needle by MWR they're really nice and they are abstract away a lot of what I'm talking about here and make it you know easier to use but you know I'm gonna discuss a little bit more of the techniques and at a lower level so you guys can get a feel for you know how you could do it yourself but also how those sort of tools work if you if you do use those cool so start with objective-c apps so most I Oh s apps are still written in objective-c or how at least

have some objective-c component the trend is definitely moving away from objective-c you know particularly for consumer apps but object to see frameworks will still be around for a while apples got a bunch of internal frameworks that they you know supplies part of iOS that aren't likely to be updated to Swift anytime soon so it's still something that you should know when you are doing I Oh s packing right that's not that bad a lot of people don't like objective-c but you know it's not it's not too bad once you get used to it so that's a bit blurry so sorry about that we're using VGA but here's just like a little bit of a primer on the objective-c thing it's

syntax so on the left here you've got you've got your header file with the interface you can see there there's the @interface keyword you've got the the class name and after the colon you've got the superclass so so what are inherent from you've got your properties so it's just you know property some characteristics you don't really need to bother with those the type and then the property name and then you've got your your class methods and your instance methods so the class methods are denoted by the plus and the the instance methods are notice denoted by the dash and you've got in the brackets you've got the return type and then you've got the you've got the function name you can see

here for the for the instance method with parameter there's the that's the syntax if you've got parameters an interesting thing to know and it will come into play a little bit later on it's pretty common as a design pattern in Objective C apps and or iOS apps in general to have the sort of the first that's the function name indicate what the first parameter is so this is just a really contrived example but it might be I don't know login with user and then the parameter will be like a user you know something related to the user or whatever that's pretty common and then you've got on the right-hand side you just got the implementation so

it looks pretty much the same you with the properties you synthesize the properties so that all that does is at compile time it just generates the getter and setter methods for that property so you don't have to write it out yourself then you've got you know your your class methods and your instance methods pretty straightforward it doesn't look too too different right that's that's sort of the basic syntax of objective-c you really don't need to know all that much about testing tasks right so just like basic object-oriented principles like the difference between a class and object difference between a like a class method and an instance method a very like rudimentary understanding of the MVC design pattern iOS apps adopt

this pattern not all of them there are you know some hipsters who like to do like you know reactive kind of stuff but you know for the most part your Apple pushes as a standard you know an MVC design pattern and when I say rudimentary I really mean rudimentary like if you just think of you know the M being the model right which is data and you know V being the view which is like the presentation UI and C being the control which is kind of logic like that's if you're gonna get that then you know you can kind of understand what's going on from from you know what we're going to discuss you know how to call

methods the syntax to call methods we'll go over that and how to sort of read and write variables and then just that basic syntax you know class syntax that we saw in the previous slide so you don't really need to know that much you don't need to be an expert programmer to be able to be dangerous for for this sort of stuff so let's get into reverse engineering objective-c apps so objective-c executables need to have a bunch of class information in order to run and to support the dynamic features of the language and it's great for us as you know pen testers because we can extract this information and it gives us insight into how the application is

architected and and how it runs in how it functions you know for a pen test or a bug hunter this gives you a map of the application to help you you know with finding potential vulnerabilities and you know attacking the runtime so back in the day class tom said was the go-to for this as it had better I Oh s support than some of the alternatives but it's not actively develops you can see there like copyright 2009 so it doesn't really work on 64-bit apps or any kind of Swift or mixed mixed apps so that's a bummer hasn't really kept up but for objective-c apps the original class term utility by Steve Nygaard is still

probably the best it's also not really actively developed but it still works for sort of pure objective-c apps it works fine you can of course use something like O'Tool which is a you know comes with the Mac gives you a lot of different ways to sort of mess with the binary and get extract information out the binary but it's not presented in a really like easy to digest way in the same way that class dump is you could also get this information out of a disassembler but you know for the first pass when you're looking at this definitely you know class dump from from the class on utility is it's really the way to go

that's the command that I use I'll go through in the demo you know what those what those sort of options do they're just like formatting right and usually I just pipe it out to a out put it to a a file you can see what the dot H extension on that the reason I do that is because when you load it up into a text editor which you'll see it just automatically does the syntax highlighting so that's the only reason I do that and you're not going to be able to see this but that's fine I do have it in do you have something in demo that's a class sample of Instagram I was doing for like about

anything not too long ago yeah I'll probably just skip that and go in in the detail of that and go to you know wait for the demo and I'll go through the class stamp and you know some of the stuff that you'd look for when you're analyzing analyzing this stuff so before you can actually do any of these tasks you need to decrypt the binary so iOS apps that are downloaded from the App Store are protected by Apple's DRM and the binary is encrypted so to be able to analyze the binary whether it's for getting a class stamp or a disassembly or whatever you need to decrypt it first right the the way that you do it or the

kind of methodology it's pretty simple you sort of work out the correct offsets for the encrypted portion of the binary you extract that and encrypted portion after it's loaded at runtime because obviously it needs to be decrypted to run and then you take that now decrypted portion and you shove it back in to the binary you patch it back in and you're good to go you can do this manually and there's plenty of sort of guides on the Internet to how to you know how to do this but there's heaps of tools out there to automate it so I wouldn't bother doing it manually I prefer to use clutch for decrypting Flannery's I guess this

is probably the point where I should say be responsible and say don't use this like pirating apps there's a big warning when you when you go to their github page you know not cool but it's really useful for security analysis right so those are the options but really what you want to do is the - D option which dumps the the bundle ID into an IPA file you could also do - B which just dumps the binary portion so you could do just do the binary for you know your your class dump and you know disassembly and stuff like that but I like to get the the whole IPA file because it also has a

bunch of other interesting files so if it's a cross-platform app often they'll have all of those say the JavaScript files or you know even some of the compiled dll's for xamarin apps and things like that it also has like some interesting sort of settings and whatever so it's useful in a broader context but specifically for what we're going to talk about today it's not necessary but that's you know it's what I do normally on a pen test so once you got the class done the next step is really just to go through and start analyzing the class down and seeing what you can get out of it so essentially once you have that application that the

class dumped it becomes like a map of the application you can sort of see where everything fits together so the first thing you want to do is sort of look for interesting functionality so authentication in particular local authentication and other sort of local checks are definitely something that though it's interesting from a security perspective how the app is doing data storage in particular key management right that's usually pretty poor on on mobile apps you know storing the keys with the lock is you know not really great people don't do a good job security checks and controls things like jailbreak detection or prevention anti debugging and other sort of more advanced runtime security measures you know you you want to often deal with

these simply because if you're doing it in the broader context of say a pen test often these can stop you from from completing that and doing other tasks that you might want to do and so so you'll need to look for that and potentially you know break that which we'll go into in the presentation you know how it handles transport security so it doesn't implement sir pinning you know how it doesn't interact with the backend API is is it you know if it's using you know if there's no sort of sir pinning issues and it's using HTTP HTTPS it's not too bad but often you'll find in mobile apps they use you know different kind of protocols

or custom protocols or unusual protocols that aren't easily easily intercepted so you know you might want to have a look at you know if it's got some kind of custom network stack that's implementing it you might want to hook those functions and sort of see what's going on there and you can also sort of see what frameworks and third-party libraries are new so there's anything that has known vulnerabilities you can kind of get an idea for that as well so once you've identified the interesting functionality and you have a broader understanding of how the application is architected you can start to look for potential security issues so some of the the key things and really the the three

sort of broad categories that you would look for from a runtime security perspective is simple application logic that can be exploited so bypassing security checks access control and off bypass and we'll go through a few of those in the demo sense of information that you can extract from memory so things like earth Keys password encryption keys whatever and then explaining the way data at rest and transit is secured right so bypass insert pinning and validation you know how they doing encryption of any client-side data storage cool so we'll go into a demo which I have pre-recorded cuz I'm a good boy so this is just this really simple app so objective-c app so it's got a couple of jailbreak checks

now that's terrible but that's cool so it's just checking they're both failing and saying that you've you know your jailbroken and this is a little password like a log in films just saying the password that i typed in is incorrect right so you know pretty pretty basic I'll make these available as well online if you you know want to see them because yeah the projectors not so great but yeah so let's run through this demo so jeez that is terrible I can't even see it on my screen that's great so that basically what i'm doing here is i'm just running class tom said showing that it doesn't work right i have the screen shot in there i'm now I'm getting

classed up and so this is just some of the options which you can't make out obviously especially formatting options I like to sort it by inheritance and also the methods alphabetically and so yeah and then I'm just actually running the command on that on the binary of that application that I showed you

and I'm just as I did in the presentation I'm now putting it to a file on my desktop and I'm opening that in a text editor which is written an electron because you know I'm a hipster or whatever and it's not gonna work but yeah so we've got our class stuff right you have to trust me on this rayon um so I just did the syntax highlighting so it shows how close the the formatting is to like a standard objective-c header file because I've sorted by inheritance you got all the protocols first and you got your app delegate and a couple of classes that we've got in there and so you know pretty pretty small app pretty

pretty simple so what I would typically do is just start searching right so it's just you know grep or you know command F right what I usually start is the app delegate that's kind of essentially main for iOS apps right it's really the the point where the developer gets control and usually this is just a small app so it's got really nothing in it but usually there's a bunch of interesting stuff that the developers kind of just chucked in the app delegate because it you know that's where it goes you can see here so you've got the class name you've got the superclass and in the angled brackets that I didn't go through that in the syntax but that's just the

protocols that it conforms to then you've got the different you know your class and instance methods then I started looking for interesting stuff like I start searching jailbreak I start searching password and things like that you can see there's some interesting looking classes here you've got this jailbreak manager class which you know seems like it would probably be handling those jailbreak checks right you've got this one you can't read it but it says totally interesting information here so it's a bit obvious right and then you've got a couple of variables which is a password username and then there's a couple of a couple of methods so a class method that's called get encryption key and then two instance methods that get

password and get username then we're looking at the view controller so when you think about it from our rudimentary I'm saying of MVC right you've got this is where the logic is so you can see some you know like the login button pressed and you know jailbreak check one and two there is an interesting one there called user is authenticated you'll have to take my word for it but yeah it's definitely definitely there cool so let's move on to like actually manipulating the runtime of the app right so you know once you have an idea of what you want to target the next step is to actually then manipulate the runtime and exploit the issue to achieve your objective so

commonly the it falls into a confused sort of simple buckets right reading variables the values of variables out of memory or modifying them calling methods directly so typically to sort of exploit poor logic in the application flow and then rewriting the implementation of a particular function to change the way the app functions and we'll go through all of those in various ways there are a number of tools and techniques you can use to complete these tasks so frameworks and tools such as script and and freida using a debugger like ll to be writing your own dynamic libraries and linking them in or even just patching the binary can can often achieve some of the same objectives

I'm glad the photo of Christian came out that's great so scripts so scripts is kind of old tool written by the same guy who does Cydia who writes Cydia it's a ridiculous name because it's pronounced script it's not written like that at least in my mind but it has an even more ridiculous premise which is a programming language designed to blend the barrier between objective-c and JavaScript I don't know about you guys but like that just seems ridiculous to me uhm but it is a really great tool for interrogating and manipulating the runtime yeah so yeah Christian is a hipster so using script so you can use it to load script scripts which is why I hate that name or use it

interactively which is usually when how you how you use it so most of the time you want to hook into the running app to use it interactively and it's just the dash P and then you provided the application name or the process ID and then you know there are a lot of people moving to frida these days for a lot of the same tasks but you know you can use script but I like I use script and it's still a very handy tool it's kind of like got a different focus to Frieda and there was a bit of a spat between like the developers of both of those around you know what what the sort of purpose of

each one is script was really more designed for like tweak developers to sort of you know play around see how things are working whereas fruit is definitely more of a security research tool but you know we'll go into both here's some little tips and tricks that you know you might want to commonly do so you know you might want to get the bundle ID so just a nice bundle main bundle bundle identifier dumping instance variables just the little asterisks in front of the object you want to dump the variables out of getting all the objects of a class it's also something that's that's useful and I'll explain why in my demos that you probably can't see but

it's got this really cool function called choose which basically takes a parameter of a class name and then it goes through and tries to find all the instances of that for Swift apps the the sort of syntax kind of breaks with with Swift so instead of just putting in you know module class and you have to use this other method called Objective C get class right because it just breaks the JavaScript stuff didn't get like you know things aren't defined and whatever and then to replace the implementation of an existing method it's just the name of the class dot prototype dot you know the function that you want to replace and then you just basically replacing it

with a JavaScript function that does whatever you want usually if it's like simple logic you know that the the new implementations usually not that complex right but yeah we're going to that so yeah you can load up scripts so this little script here just prints the methods or attempts to prints them the methods of a particular class so you could type that into the script sort of wrap or I suppose or you can just create a dot C Y script and like load it in when you load like your inject script into the process and so you don't have to keep typing it out right so yeah if you do use that pretty methods the class that gets all

the instance methods and if you add the second parameter for true it also gets their class methods alright let's get into a demo that you probably won't be able to see alright so all I'm doing here the right hand side I'm just setting up a tunnel over USB to my device so I can connect to it which is now what I'm doing here with SSH

it's I'm logging in all right so now I'm connected to my iOS device which is running the app on the other side there and so I'm just now loading up script and injecting into that objective-c app that's running on the side and you can see that I'm just getting the the bundle identifier so you can see that it is that app and there's a few cool sort of features so here I'm just calling a method and the exact same sort of objective-c syntax that you would do so it definitely does bridge Objective C and JavaScript so you can see I'm just getting the the application instance there and you know you then you can you

know get the the delegate which gives you the the app delegate and since and but then script also has a bunch of shortcuts so for the application instance you can use UI app and then then you can do things like UI app delegate you get those same instances trust me those things are the same there's also history and like tab completion as well which is what I was just demonstrating there which is yeah I kind of kind of handy and kind of nice so me that hey

all right so this is just demonstrating getting the instance methods using the asterisk little shortcut that's for the app delegate so now we're going back to the class dump and you'll start to see why this is a useful document so here we're going in this totally interesting information here class and we're using it as a map to sort of help us you know navigate through the through the runtime and so here I'm highlighting this gate encryption key method which you know it seems like something we might want to see what it returns and because it's a class method you could just call it using the class name so I've got the open square square brackets you're

putting the totally interesting information here class and then type it and this comes back with a string saying this is an encryption key right this is common you'll see this all the time in iOS apps right but I'm trying now to to call the get instance get past an instance method and throws an error because I'm calling on the class right so going back to these auto principles right you don't you can't call it on the class you have to call it on the instance like the actual object right so one of the ways that I sort of find out you know where these instances are references to it as I search for the class name now this is a very small app

so there's this instance here so in the view controller there's an instance of that particular class so now what I want to do and you can see why we call this a bit of a map right now what I want to do is go to that view controller instance and then get that very read that variable to get an instance so for iOS the app has a key window property which always has a root view controller so in this particular case it's just the view controller because it's a very simple app so what I'm what I'm typing there is UI app key window dot root view controller it's just return the instance of that view controller class so one of the

things you can do here so going back now I want to read this instance out to get the instance of that totally you know interesting information here class should have made that a shorter name and that's returning an instance of that class so to just read that variable and so now we can use that now we could type out you know all of that string right you know there start there start this or you can create a reference like so this is just a JavaScript variable and I'm calling an info and I'm just using the instance function and script and then giving it the the pointer to that instance and then now I've got a

reference to that that I can use without having to type it all out right so I can just if you just see I typed in info and it came back with that that instance so now that we've got that we go back to the class stuff when we say okay well let's try and call these instance methods now so we could just reference it using the the info variable that we created and then we're typing get username which comes back with username and get password to come back with password and then we can also read the variables as well with just you know the reference that we created info dot password which is what we're doing

all right so yeah password there you go I made that different to the actual password for the login just so you know we do some different things right so now what we're going to do is have a look at this jailbreak check so the first jailbreak check we hit it and it says Jabra check failed because obviously we're on a jailbroken device right so again let's go back I mean normally we just search around for jailbreak but it's right there because it's a tiny app and you can see here we've got an instance method that says check jailbreak that returns a boolean value so likely what's doing the check it's returning you know true or false

depending whether it's whether it's jailbroken or not we can see here you know trying to do what we did with the last one where we go through and we're like okay here's the different you know instances of that we're not finding it right but we see here is this class method called shared jailbreak manager and that's a common pattern in iOS apps it's called singleton pattern basically that returns the any instance of that class typically so so basically you know when you're going through a much larger more complex app you know you do a search for shared you can see you know all that kind of stuff so here I'm just calling that that class method and it's

returning the an instance of jailbreak manager which I can then use I'm creating a reference called JBM to to that particular instance

and then I'm now going to call that instance method called check jailbroken using that reference that we created and that's going to return true right because it is jailbroken right so what we want to do now is change that to return false and see if that defeats the check right so this is where you know you could you look for things like simple logic that can be you know like flags that can we switched over and whatever so here we're just using the syntax that I spoke about before where you've got the class name dot prototype dot the method name and then just equals and then we're just you know changing it with an honest function that simply

returns false so that will return false all the time and now you can see jailbreak check pass right so we've now defeated that logic and now we're Nelligan moving on

so yeah this is just demonstrating the choose functionality right and why it's useful so you saw how we could kind of navigate through throughout the app to get those instances or choose just returns all the all the instances of a particular class in you know as an array that you can then just use which is kinda cool all right so you have more Ness so now we're going to look at the authentication right and see if we can bypass that because it's just local auth right so here you know just to show what it does again you know you're typing in a password which is incorrect you hit login and says password incorrect right so we want to we want to see what we can

do so again going back to the class stamp so again simple understanding of MVC right where with the logic for this beer I'd be in the control so so we've got the view control here you can see here you've got some buttons and you know some some different actions so likely to be where this is so you can see like login button pressed so that's obviously doing something when you press the login button but then there's also this other interesting one here called user is authenticated so we're going to see is like what happens if we call user is authenticated directly so again we need to get the instance of the view controller because it's an instance

method which we're just using the same technique that we used before you're a UI app key window dot review controller see that's the instance there and then we're just using that and calling it

and it's gonna minimize that just so yeah I was just checking what it's called although you got tab-completion scripts so it doesn't really matter so minimize that so you can see that it works and there you go pass by correct now this is actually quite common in iOS apps where you'll find this kind of process where developers will kind of abstract everything away so what they'll do is they'll do like the button was pressed and then they'll call like it may be a check function to check you know check the creds or whatever then after that it will it will call like you know now go and display this view controller right so what you can do with

that is particularly its local off is if you can you know basically short-circuit it and jump around the check either you could change the check to return whatever you want it to be often it won't work because it'll it'll require a password input that you don't know but you could prove force it maybe writing a little script or you know you just sort of short-circuit it and go to hey you know present this view controller and if it's local or and it's sort of been authenticated before on this data populating it it'll work for apps that use so like a back-end API to populate it and it uses sort of say typical session authentication that kind of

technique doesn't really work so even if it even if it is possible to do that in the app you know you'll jump to that you know view control but there'll be no no data right because it's not not able to you know actually get it down from the API but you know there's a lot of apps that do that are interesting that do use local or the one that I didn't do here but I usually demo it is Evernote like the pinko controller you know you can easily bypass that and other things like that so cool so next oh yeah that all I'm showing here is that that change that we made to the jailbreak check that's at run time so

when we closed that app and we fire it up again it's not persistent right so it's saying now it's failed again all right so there are ways to make it persistent and I'll go through some of them but but yeah that's that's what I'll show now so let's move on to Freda so Frida's kind of the new hotness when it comes to messing with mobile apps it's from their website a dynamic instrumentation toolkit for developers reverse engineers and security researchers essentially just inject school's v8 engine into a process so you can execute Java in that the context of that process access memory and lack of stuff freely can be used in many ways and it's really great sort of framework

toolkit and I recommend looking into it it has many different bindings all different kinds of languages that you're familiar with so if you don't like JavaScript there's Python and whatever it's mainly used to write scripts and pools but it cannot also it also comes bundled with a bunch of tools that you can use to get an idea of what it's capable of help you with your scripts and stuff like that those new tools that I mentioned earlier the style of presentation utilized Frida and rely on it and often quite heavily so it's good to understand how food works so freely comes bundled with some tools that you can use right off the bat so forgetting

about writing scripts you've got free to CLA free to PS for your trace etc etc free to CLI and free to Trey so probably the ones you that are most immediately useful for pen testing I'm going to go into that a second so now we're looking at the second jailbreak check right so you won't be able to read it but it says jailbreak check fails look harder for the check right so the text is kind of different and I'll explain why that is in second so okay following the process that we've we've become used to we go back to the class done we start looking for jailbreak right come up with the jailbreak manager but that was for the last one right it's

obviously not controlling this other one so you know and then it's just going through like the buttons and the other references to the jailbreak check buttons and all that [Music] and just so you might start looking for like route or like check or whatever in it and it you know it's not really working because it's not there alright so what can you do this is common like developers will kind of try and hide you know these sorts of checks like ones that come across like you know for a banking app it's like you know get store location or whatever right and they try to hide it I have one where like they just made all the security stuff like

random strings which just made us stand out in the class dump I'm like well I'm gonna look at those right and amazed must have been like really difficult to UM to code it's about a little trick could I do in those sort of instances as I look at the text right so usually there'll be a pop up you can see that the text is different well you can't see it but I'll you know I'll vouch for it it's differences look harder for the check right so a cool technique to use is you fire up a disassembler and you look for that you look for that string right and see where it's been being used so just firing up I to here and

basically going and doing a search for that string I've used this multiple times on on tests to sort of see where these hidden jailbreak texts are checks are or other kind of sensitive stuff and so you can see here well you know you can't it's in the view controller this jailbreak check to button is kind of being referenced here you can see there's sort of two branches on that right right-hand side where my mouse is that the positive brands where it says you know you're not jailbroken and this is the one that has the text that says you know look harder for the check so this is obviously what's happening so if you scroll up to before that kind of

branch you can't see the text here but what I was trying to point out here is like you don't even need to really understand any of this assembly to kind of understand what's going on that's saying shared application the next string down is delegate the next string down is a function name so basically what that's saying is that there's this function that's being called that's named that which you can't read um and it's in the it's in the app delegate so let's go back to our class staff and go back to the app delegate and have a look at to have a look at the app delegate there's that method and it kind of looks

very similar to the other methods but if you've done a lot of iOS testing you'll see all those other methods of boilerplate methods for like state transition stuff that automatically get generated for you and this one was kind of designed to be a bit sneaky and and kind of blend in with that it's called application terminates after background and it and it returns a boolean value so basically written a script in frida to modify that right so the first variable there is just the class name then the function that we're hooking so that was what we found then the next is just building a hook string and then this is really what it's doing so this is the Interceptor is basically

attaching and using the hook and then and basically saying change the implementation and then it's calling this javascript function here which is all it's doing like the rest is just sort of a console output but all that's doing is taking the the return value and changing it to 0 from 1 so changing it from from true to false and so it will always return 0 which will be false so if we go back to freedom so that all I'm doing here is free to - you which is connecting to my my USB device then I'm referencing the script injecting into that so just checking that it was still failing at that point just so you could

see that and now I you know it's now Frieda's running and I hit that button you can see now it says jar a check passed right so so that's now and every time you press it it's running that function and you know it's it's changing the return value so I'll bypass that check and that's a that's often a more persistent way to do it on a pen test if you like things a little bit more persistent all right let's race through Swift apps because I don't have a lot of time but yeah so as I said increasingly developers using Swift apps right iOS code it's impacting some of the techniques and tools that you know you

would usually use for objective-c applications that we discussed in general mobile app security sense like testing Swift apps isn't actually all that different except for some of the stuff that we'll be talking about most issues in iOS apps like any other app rights due to poor design decisions misconfigurations or like incorrect implementation of like system frameworks their party frameworks stuff like that but yeah what's really changed is how you sort of reverse engineer the application so Swift everybody kind of knows about Swift like I'm rushing through some of these less relevant bits it's created by Apple eventually it's going to you know the idea is that it replaces objective-c um here's the basic syntax it's a lot cleaner than

objective-c you've got mutable values and immutable values letting var and then you it swift in first type but you can be explicit with your type as well which is with the call and in the type this is a class declaration so you know class and then you've got your properties get a property with the default value yeah cool ten minutes probably with value then you've got your initializer which basically you know initializes any of the properties that don't have a default because obviously you know when it gets initialized it just uses a default value the class functions class methods are denoted by the class keyword and then functions to dinner by the func keyword and so your

class methods instance methods parameters the only thing that's really kind of interesting here is here with this one where it's like instance method with an exported parameter name so you look here you've just got the parameter name and the type here you've got an exported parameter name and then the parameter name and the type and that'll that'll I'll explain why that's relevant and then you've got the little dash and the return type and which is boolean and then you've got you know you do you implementations cool and then so yeah to initialize a class it's just class and then you pass it the the various sort of property values that you need to initialize it and then

calling class method right like Objective C is just calling on the actual class and then instance methods you get called on the on the actual object and then with an exported parameter name you need to put in that exported name whereas in the previous in the middle example you don't actually need to put in the parameter name right just put in the actual argument so you know all the useful sort of types are there I'll skip that subject to see compatibility and interrupt so it uses the same runtime environment still supports C and C++ in the same map but you can't call C and C++ app unless has changed in the same app from Swift like you can with

Objective C you kind of have to go through a bridge or just have it a self-contained code it can allow for some dynamic features and runtime an emulation when you've got that interrupts which is most applications these days still other Swift features barely scratch the surface unicode so that's like valid Swift yeah cool so reverse engineering Swift applications so there are some challenges in reversing Swift applications it's less dynamic than objective-c and less flexible so it can make it harder to get some of the information that you get out of like the objective-c like the class dump and stuff like that it's less of an issue where when you've got a mixed application and but you know it's still

still harder it's limited tooling much the tooling isn't being updated for Swift and we'll yeah we'll go into that in more detail so you know as we went through right the moment the co most common easiest way to retrieve classes that are from gypsy binary its class type utility it's one of the first things you do you've seen how useful it is this is well this is what happens when we run class dump Z up the top and just end the regular class style utility on our pure Swift app yet nothing back right it doesn't work alright sad face so what's next so class x there in class time don't work with swift binaries now

what let's start diving into the binary so what happens if we dump the symbol table well we get some interesting information that looks kind of interesting kind of looks like some class information there so what happens if we look at something that we already know is in the app like the app delegate you can't see that because this project is not great but it's coming back with a bunch of symbols and a lot of this stuff in the middle there is some of those you know memory I was mentioning those boilerplate methods right a lot of those are there so like this looks promising right but it's really like a far cry from the output of class time and it's

kind of hard to make out so but the reason for that is Swift source metadata but a function in its symbols and in the process it mangles the name so this is a rough sort of translation of one of them right this is this is a class and a function that's in the app so I'm squanders got T denotes the Swift function then you've got the module name prefix by the length you've got the class name also prefix like the length class method the C sorry denotes class method then you've got the function name prefix by the length then you've got the return type which is SB which is returning a boolean and like the Y and F and the zared of things like

string protocol stuff I don't know why that's on there for this particular function but it is like whatever that link down there has a really detailed explanation on this open source sort of Swift's github page around you know what all these things represent you can do that if you you know don't want to go drinking or something instead so apple includes a utility called swift mangle that you can use to demand on the names that's just showing like that that same mangled symbol but was just some of the different options so that by default it spits the mangled symbol back out at you and then the other one is Adam angle sort of version of that and then it goes

you know you can simplify it or you can make it more complex and get more information so with that you can basically you know create some kind of equivalent sort of class dump which is what I've done right I'm so like a simple little script to dump classes and function signatures from a swift binary I put it together last night I didn't really sleep I'll put it up eventually when I fix it all up on lab so it asked an entire it's pretty happy but it does the job eventually getting around I'll get around to adding some more features and stuff like that but I'm in Vegas I'm gonna be partying so will be next week

sometime so here's what it does and you're not gonna be able to see that but basically I'm just calling it and I'm passing it the binary and then it comes up you can see here you got the classes down the side and then the Associated functions on those classes so you know there's like app delegate the view controller and this jailbreak manager right then you can see the function signatures which show you know the the function name return type any parameters that why the exported parameter names became useful is the exported parameter names will actually show up in here but if there's no exported parameter names it won't so you kind of have to guess what

those arguments are usually it's not too bad in in iOS apps because of that design pattern that I sort of mentioned that naming convention where it kind of calls out what the what the sort of first parameter is so you can kind of get a feel for it other options you can use Frida or tools that are based on Frida to get some other way there so all the way at least with my limited knowledge of Frida but it's also useful option which I'll demonstrate now and basically this is just using the the Frida CLI tool so I'm just injecting into really the process of this Swift app that I'm using some of the inbuilt

functions right so this is just obj see doc classes and you can see it's coming up there or you can't see that's just got Swift demo mode you know jailbreak manager and it's basically showing all the classes right you the syntax if you're interested it's kind of different to what you'd use for objective-c classes if you want to reference that specifically you have to basically do obj obj see doc classes then put it in square brackets with the module name and the the function one of the things that doesn't work with Frieda which it was demonstrating here is you can't get the the methods of that class I'm using the standard way that you get methods you

can get inherited methods but not like the the methods that are implements in that class so so things like the jailbreak check method that's in that class I'm not showing up in that list so one of the things you can do and you know thinking about maybe doing that is you can use the module the module class and the enumerate symbols function and basically get a list of symbols and you can kind of do what we're doing before with de mangling the symbol name so you could build in that demanding logic and you know have that in so basically all this is doing it's getting all the symbols for that module cool so I'll skip that other options you can use a

disassembler there's a link to some stuff that you know some plugins that automatically dissimilar dissemble it function hooking less slack smash with it still got a few minutes still possible it's much easier with Swift mixed with objective-c binaries consol right tweaks level substrate and this is super simple class and basically we're going to do is we just want to change that variable right it's about variable an int and it's got the initializer which sets that right so you can hook to get a method and that works right so so the getter method you're changing it to return ten you can hook the setter method and it kind of works so you can hook the setter to to set it

to ten but certain functions in Swift are in line and the cost constructor is one of them so the initializer so and it's that's what's setting the instance variable in this case so the set is only called again by the top-level code so if you call from network so that's why I say it kind of works and then changing instance variable directly it works was probably not a good idea because you can mess up how the app functions the end I did it oh I don't know if I have time for questions there's some do I have time okay there's one down here front here

I was just wondering for iOS I have done some work in on the Android side but I haven't really looked into iOS but I was just wondering if you see much of office keishon in like method names or function names or not and I always start like you do commonly in Android no it's definitely not common I've seen it after it's done pen tests where they're like you know we've we've exploited some functions and then they just change it to like random strings but it's like the same functions but no it's definitely nowhere near as common as it is on Android cool thank you it's not a question no hey hey great talk I just

wanted to ask you what's your approach when when trying to search dynamically for keys or passwords or all these information that you can get dynamically so it's it's not interesting it's literally I'll go through the class dump and I will literally just you know grep search whatever it is and like look for interesting stuff right and then sort of just scroll around from there so look for interesting classes look for null search like pin password key whatever and just go through the whole thing so nothing nothing crazy nothing super sophisticated yep rest of the questions please go outside and one more round of applause for Michael thank you [Applause]