
Yeah, so I cannot speak with that, so I need to take it off. So, thank you for the introduction. I'm going to speak about iOS investigation. Just a few seconds, I need to remove all the cables on me.

About me, a short introduction: my name is Paul, I like to reverse malware and to read stuff like this. I did it by myself, so you've got a picture of me when I had to reverse a Delphi or VB binary, or when I create this kind of mask. I have worked at Cisco Talos for three years now, I think, mainly working on malware analysis, APT actors and stuff like that. I worked on the talk this morning about DNSpionage, Sea Turtle, etc.

So just a statement about my talk: I will speak about iOS, not about IOS. If you expect a talk about the Cisco operating system, it's not the purpose of my talk. I will just speak about the OS developed by Apple for iPhone, iPod and iPad devices, so if you expected something else you can change the room; you have two tracks. I won't give you a zero-day on iOS, because if I had a zero-day I would be really rich and not here, and I'm not a big expert on iOS stuff. I touched my first iPhone a little bit more than one year ago, so I'm really a newbie in this domain. I'm not involved in the jailbreak community, so I don't develop jailbreaks or stuff like that.

My goal was: we had to work on some investigation on iPhone devices, and I was lost. If you try to find documentation on Google, like how to do forensics, how to analyze malware on iOS, iPhone and stuff like that, you don't find anything. You find a lot of stuff about protection, about how the last jailbreak works, about the last vulnerability of this device; you can find this kind of stuff, no problem. But if you want, from the defense point of view, to say "I've got some suspicion about this device and I would like to investigate if something is wrong", you don't really have a lot of documentation, because, you know, as malware does not exist on iPhone, you don't need documentation. So that was the purpose of my talk: it's more of a feedback about how I work, what kind of tools I used, what limitations I have when I have to work on an iOS device, etc.

So, a small agenda. I will really quickly introduce the iOS architecture, because it could take hours to speak about how it works, but simply to give you a small overview so you will be able to understand the rest of the presentation. I will have a part about jailbreak, because jailbreak is part of the system; I will explain why you should or should not jailbreak your phone, and the limitations, in fact the limitations imposed by Apple when you have to do forensics, and how to bypass these limitations by using a jailbreak. I will present the tools I use; they are very common tools, but I will explain how I use them in my specific context, which was iPhone analysis. After that I will explain how attackers can deploy malware on iOS devices. It's based on real cases, so I will not show you something new, but something they have already used for a couple of years. And finally I will show you, from a malware analysis point of view, what a malicious developer can do in a malicious iOS application, because it's not like on a Windows system: you cannot do injection into a remote process, parse the memory to find, I don't know, credit card numbers or whatever. It's technically impossible on an iOS device. So I will show you what we saw, what really exists, and you will see that even with the limited features provided by Apple in this domain, attackers can make some offensive stuff.

So first thing, iOS architecture. It's a Unix system, so you can have directly a terminal with classic commands like ls, ps, etc. You have a file system; it's really a Unix system, very close to macOS. You have several layers, like every operating system. You've got the user land, where the application is executed. You've got a couple of frameworks to help developers develop iOS applications, but you have private frameworks: frameworks used by the operating system, but the developers don't have access to these frameworks. You cannot develop your application and say "yeah, I want to use this private framework"; no, it's closed and you don't have access to that. You can develop your application in Swift or Objective-C. You have a lot of third-party libraries; for example, iOS really loves SQLite databases, so more or less everything is an SQLite database on the device, so you need the library to be able to read these databases, so they provide the library. Almost everything from a configuration point of view is XML, so you have a library to parse XML configuration files and stuff like that. After that you have all the libraries for memory management and sandboxing, because every application on your phone is locked inside a sandbox, so they developed the library to manage this sandbox. And finally you have the kernel. So they are really classical layers; the only big difference between that and a Linux system, if you wish, is that everything is very separated and you only have access to the libraries that Apple decided you will have access to for your application.

So Apple makes a lot of effort to provide a secure operating system. They put a lot of different layers to block access to the really important parts of the operating system that they think you don't need to have access to. First thing, for example: you cannot be root. You cannot have a root account on your phone, it's not possible, you cannot have UID 0. You don't have direct access to the file system; you cannot go to /tmp or whatever, it's technically not possible. When you have an application, they create a file system for the application: you can go inside your directory, but that's all. You cannot go into the directory of another application, and you cannot go to the system /usr or stuff like that; it's not possible. You have a virtual file system for your application. As I mentioned, every application is executed inside a sandbox, isolated from the other applications. The / root file system is read-only, so even if you find a way to escape the sandbox and you find a way to become root, you cannot modify the file system: it's read-only. And finally you have code signing: your application must be signed correctly to be executed. It's not like on Microsoft, where you should be signed but if you're not signed it's not a big issue; here, if you are not signed by a good certificate you cannot execute your binary, it's easy.

So it's very good from a security point of view: you have so many layers of security, and it's really complicated to be able to become root, make a bad application become root, put a malware on the file system, etc. It's something very complicated. So from the security point of view, and from my point of view, it's a lot of good choices. But the limitation is when you want to do forensic analysis: when you have a phone you know is compromised for whatever reason and you say "okay, I would like to check what happened on my phone", you will have all these limitations, even if you're a good guy and you want to do something positive.

That's why I will speak about jailbreak: is it mandatory or not? The answer is yes, you need to jailbreak your device to work. For example, you can imagine you have a device, you know there's a malicious application because, I don't know, it was downloaded somewhere, or it was not here and you wake up one morning and there is a new application; you have a big suspicion that it's not normal. It's technically impossible to get the application. On the file system, the place where the application, the binary code, is stored on the device is not reachable; you cannot access this repository. You can access the data but not the binary. So if you do a backup of your phone, for example, it will back up all your data, so if you have a new phone you will restore the data, but in the Apple philosophy you don't need a backup of the binary, because the binary will come back from the store later when you set up a new phone. So you don't need to back up the binary, so you don't have access to the binary. It's something new; this limitation appeared on iOS 8. It's not possible to dump the memory: as you are located inside a sandbox, you could imagine "I can dump the memory of my sandbox", but not the memory of other processes; it's not possible. You cannot dump the disk; as I explained, you are limited to the data they allow you to have access to. For example, if you want to debug an application: if you already have the application, you can modify the application and debug it on a device without jailbreaking the device; if you don't have the application beforehand, it's impossible. It's limited by a pile of security.

So let's speak about jailbreak. What is a jailbreak? It's a couple of vulnerabilities that allow you to have root or full access to the device. So imagine, I described a lot of protections just here. When you execute a jailbreak, it means it's an application that has a vulnerability on the kernel that allows it to execute a trick to remount the file system in read-write, in order to drop something on this file system, bypass the signatures, and you finally have a jailbreak. So today the applications I list here do all these tasks for you, but it's a lot of different tasks and it's a lot of different combined exploits and weaknesses to achieve this path. So today we are able to jailbreak, from an OS point of view, all the versions until 12.4. So if the iOS is more recent, if the people that own the phone you want to analyze are up to date, you cannot jailbreak the phone. I will explain some new stuff just after. So for up-to-date devices you only have two solutions: the first one is to pay Cellebrite and be prepared to pay a lot of money; the second solution, more realistic if you don't have a lot of money, is to freeze the phone, to stop the phone updating: put a fake profile, for example you can say on your device "no, in fact I'm not an iPhone, I'm an Apple TV", and by doing that you block the update system of Apple and wait for the next jailbreak. You don't have other solutions than waiting for a jailbreak if you want to perform a forensic investigation on the device, or get the installed application, or whatever.

If you want to create a lab, because you want to practice before having a big issue (it's always better, trust me), you would like a phone that you can jailbreak, you would like a specific version, because you don't want to have iOS 13 and not be able to jailbreak it: you need to wait for the next vulnerability, and at that time it will be possible to jailbreak, etc. So you will lose a lot of time. The best way I have for you is, in fact, what I did; you will look a little bit crazy but it works. When you come to the shop, you take the serial number on the box, and based on the serial number you can guess the date of creation of the phone, when it was built in the factory, and based on this date you can guess which operating system is installed on the phone. For example, here, if you have a serial number that starts by something, WW something and CCCC, it means it was created in the first half of 2018, on week 25; that means it's probably this version of iOS that is installed on the phone. The only thing is, when you go to the store and you say "yeah, I would like an iPhone X with a serial number where the third and fourth characters are A and C", it looks a little bit weird, but finally, if you pay, the guys are okay, and that's how I'm sure I have this specific iOS version on my device and I can jailbreak it. Another solution is to go on eBay; a lot of guys block the update and try to sell it on eBay, but it's expensive. With this technique you pay the real price of the phone, not double like you can see on eBay. The website is this one, if you want to note it; it automatically gives you, more or less, the iOS version installed on all the devices you want to buy.

So a few weeks ago something changed in the jailbreak world: a vulnerability was released named checkm8, and it changed the game. Someone found a vulnerability in the firmware part of the device, so he found the vulnerability somewhere on the device where Apple is not able to patch. So today all the phones, if I take iPhone, but the same thing for all the iDevices, from iPhone 8 to X, all these devices are vulnerable to checkm8, and all these devices can't be patched, because it's a hardware vulnerability, it's on the chip inside the phone, and it cannot be patched by Apple. What is this vulnerability? The vulnerability is in the iBoot. iBoot is how the iPhone boots: it's the code that will take your OS, load the OS in memory and start the OS. Why is it a big change? The iBoot is the part that checks the signature of the operating system; it means we have a vulnerability in iBoot that allows you to boot a not correctly signed iOS operating system. So it's not a jailbreak; it's simply that you have control of how your device boots, and you can modify the boot, you modify the memory and say "I want to debug it". For example, a lot of people are starting to boot very old versions of iOS, which is impossible, because when Apple revokes a certificate you cannot boot the old version anymore; you need to have the latest version of iOS and you cannot downgrade, for example; it's not supported, you can't downgrade a phone. But with this vulnerability you can bypass the check and say "I want to downgrade my device", and it works. So it's really a game changer from the jailbreak community's point of view, and another group of people started to write a jailbreak named checkra1n that uses the checkm8 vulnerability, and the biggest change is, as we are speaking about a hardware vulnerability, you can jailbreak any version of iOS, even the last one, because it's modified before the load of the operating system. So now you have jailbreaks from an OS point of view, today the last one is 12.4, and you have a jailbreak from a hardware point of view, from 8 to X. So in the past it was a little bit complicated, but now it's more complicated, because it depends on the hardware and stuff like that.

So yeah, I'm going to try to show you; I'm not sure it's going to work, as the exploit is not 100% stable. So, something about this exploit: I read a lot of bad newspapers that say it's part of our life, I know. Some newspapers explain "yeah, don't use a random charger for your phone because they can use this vulnerability, blah blah blah". The vulnerability only works in DFU mode, it means in the restore mode, so you must switch off your phone, sorry, and once your phone is switched off you must put it in DFU, which means you must push volume down and click on the power button. So there is a power button, and normally I'm in DFU. Let's try it. Failed, let's try again. So yeah, if you use a USB cable, except if you reboot to switch into DFU mode explicitly, it cannot use checkm8 on your phone, so don't be paranoid. But if someone has physical access to your phone, yes, they can do it. I'm not in DFU mode anyway; even if I want to, I've got some issue putting it in DFU. So basically the purpose is: you boot in DFU, you use the exploit, and you have GDB, so a classical debugger, on your iBoot, and you can debug step by step the boot of your operating system. You can modify memory, you can modify a lot of stuff, like with a common debugger. So it's really useful if you want to understand how iOS boots, and it's also very useful if you want to modify the boot behavior. For the moment it's only in memory, so it doesn't brick your phone, you know; the exploit modifies memory and that's all. But something you can do is to overwrite the iBoot and put your own bootloader; yes, in this case you could break your device.

Anyway, let's come back to malware analysis and stuff like that. First thing, if you want to decompile an application, IDA Pro gives you good results but it's expensive, and today we have two really good alternatives. The first one is Hopper; you need to pay, it's like 100 euros, it's not very expensive. Or, even today, you can use Ghidra, and Ghidra perfectly supports Objective-C or Swift code, so you have a free alternative today to do so. Something a little bit complicated when you start: everything is an object, that's how iOS devices work. So you have a lot of objects and you don't really have a clear workflow. If you are used to reversing C++ you won't be shocked, but if you're not, it could be a little bit complicated at the beginning. And everything is based on events: an event, an action, an event, an action. Some example here: we have a class name with SF, you can see, not know if my, yeah, WebSF, it had a method named webLD, a link, web download in this case.

And a very, very useful tool is Frida. Frida is the tool for doing dynamic instrumentation, so it's like a debugger, but for example you can do some really interesting stuff: when you go into a specific function or method you can get the arguments, and when you go out you can get the output, so the result of the function. It can be really useful if you don't understand the function; you can at least check what kind of argument is given and what kind of stuff goes out of the method. Here is an example. So I use the same method, WebSF and web something download, and I've got encrypted data here. In this specific case you could do it statically, it's not really complex, but it's just for the example. So you call the function, it does some magic decryption and you have a value at the end. You can do it with Frida: I simply say I want to attach to this specific method, and I say "okay, I'm inside the method", and when I leave I print the value of the object. Here you can see I'm inside the function, here is the output of the function, so you can see it's a URL: the purpose of this function is to retrieve a C2 server, you know. So using Frida can be really useful if you want to automate, make some automated decisions about this kind of stuff. Another approach could be to do it directly on the iOS framework: each time a URL method provided by Apple is used, I check the argument and I display the argument, so I can directly have the domain, because each time the malware tries to connect to the C2 server I will display the C2 server. So it's very convenient to use Frida for this kind of task. The only big issue with Frida is it only supports JavaScript, don't ask me why.

You have another debugger provided by Apple named LLDB; it's really close to GDB, so if you are used to using GDB it could be interesting for you. To be honest, I think it's pretty hard to read, the syntax is mystic and I don't like it, but I did exactly the same thing: a breakpoint at the specific method, so it is a summary, a breakpoint at the end, get the value at the end, I've got my URL. So it's exactly the same approach, but I think it's over-complicated compared to Frida. It was just some stuff you can use. You have fridump, which is a script that dumps the memory of the current process, so it dumps the memory during the execution and you can check the generated things, and in this case for example you will have the URL directly in memory and you can directly get it from the memory dump. It can be an interesting approach.

Something else you can do, and you should do if you analyze iOS devices, is to listen on the network. How I work at home: I've got my phone, I've got a router dedicated to research, and I've got Burp and the pcap, so I'm able to have a full pcap during my analysis if I need to replay it or if I want to check the communication. And if they use HTTPS, which is almost all the time today, I use Burp and I do man-in-the-middle with my own certificate: I trust the certificate on my phone and I'm able to have all the HTTP requests. It's not dedicated to iOS, you can do that on Windows, it's the same idea, but really do that: have a pcap and an HTTPS man-in-the-middle interception. And to be honest, just go to the supermarket, buy the cheapest router you can find, but choose a dedicated router to avoid noise in your pcap: for example, only the phone you analyze is on the router, and that's all. That's how I work.

So, malware deployment. We spoke about malware, how to analyze malware, we spoke about jailbreak, we spoke about a lot of stuff, but how are the attackers deploying malware for iOS? You don't have a thousand combinations, you are really limited in the methods from my point of view, and you must understand how an application works on iOS. So first thing, code signing: the application must be signed by a developer certificate. For the certificate, you can have a developer certificate: you pay 100 euros to Apple, they will give you a certificate, and after that you manage your certificate with a web page and you sign your application. It's really easy to do; it's a great job to have something very convenient, because everybody knows certificates are a pain: you are always lost about the type of certificate, where you need to put it, etc., and here it's automatically done by Apple, it's really nice. You have different kinds of certificates; in almost all the cases I worked on, they use an ad hoc certificate. An ad hoc certificate is when you are a developer and you are developing an application, you do not want to put it on the store because you don't want people to download your application, it's under development. So something you can do is create an application and inside the certificate you say "this application only works for this specific device", based on the UDID. Each device has a unique ID and you say "okay, the application is signed for this specific device". Almost all the time, the malware I saw uses the same approach, other certificates... Here is an example of a developer certificate named "comma rich Universal Academy", and it installed a fake Instagram application in Arabic language. So it's an example of a certificate: if you look at the application, the Arabic Instagram application, here you can see it's an ad hoc one and you have the UDID of the targeted devices. How do you get a UDID? You can get it on the phone directly, and if you don't have access to the phone you can create a fake web page, and by using a profile you can get the UDID of the people that go on the website. You must have a user interaction, it's not magic: you have a pop-up on your iPhone saying "someone would like to get your ID, are you sure you want to give your ID?". Everybody clicks yes because it's easier, and the attacker has the ID of the device. You have a plist file inside each application that gives the UDID and, just to mention, for example, you need to set up a minimal OS version and an app name, for example Instagram or whatever. So that's basically how an application works: a plist with the minimal requirements, and you sign your binary and the application with a developer certificate.

For the deployment, for example, you have MDM, so mobile device management. So we identified a malicious MDM, an MDM maintained by bad guys, with a few registered phones on the MDM. We do not know at this time how the phones were enrolled on the MDM; we have two ideas. The first one is social engineering: you call the guy, explain you are support from Apple and you should do that, that or whatever. The other approach is they have physical access to the phone; with physical access to the phone it's 20 seconds to enroll the device on an MDM. I'll show you, just one second. [Music] I don't know if it works. Yeah, next time I will write this down. So you have the device, and this is the number of interactions you need from the user's point of view to enroll the device on the MDM. It's a lot of interactions: first you need to download the profile, it says to you "yeah, you are trying to open a profile, are you sure?", then the profile, you need to install the profile, it's enrolling, you have a warning, you need to trust the certificate. So it's a lot of steps to enroll; you cannot do it by accident, you need very good social engineering or physical access to the device. So if you wait a little bit, what will be the first task of the MDM? It takes a few seconds. A few lines, a note, yeah, installation. So the device management manager is able to deploy applications on all the enrolled devices; it's exactly what companies do: you have an iPhone, you enroll all your phones on your corporate MDM, and after that your company is able to deploy internal applications on your phones. It's the main purpose of an MDM. In this case you can see two WhatsApp applications: the real one and the malicious one. If you want to check on your device, you can go directly on the device, on Settings; you go to the bottom and you have Device Management, where you have all the servers that can manage your phone. It's very easy: if you don't have the menu, it means you are not enrolled on an MDM; Apple hides the menu if it's not relevant.

So the other way to install applications is to use a zero-day, but it's really expensive, it's really limited to specific actors. We saw the WhatsApp vulnerability a few weeks ago, so it exists, but it's a hard way to do it, but it's a more silent way to do it. So it depends on the actors, on the money of the actors, on the skills of the actors, but it's a way to do it. Here I put the Zerodium price list for iOS, for mobile, and the price is a little bit too low now, I think, but it was the price like six months ago.

So let's speak a little bit about the manual analysis and what you can do. First thing, some applications are encrypted by Apple DRM; Apple sometimes uses DRM, so you must jailbreak the device and use a script named bfinject. It's on GitHub, you can download it, and it will execute the encrypted application, take a decrypted version from the memory and package it for you, and you will have the decrypted version of the application, so it's really simple. The most common techniques I saw in my cases are three: library injection, web clip interaction, and custom keyboard.

How does library injection work? You have a huge community of people that make tweaks on applications. A tweak takes a legitimate application and patches the legitimate application with new features; for example, on WhatsApp you can only have one account per phone, so some guys took WhatsApp and added support for multiple accounts, so you have two tabs and you have account one, account two. As it's not supported by WhatsApp, a guy did it; you can download it, it's a developer certificate, etc.; you can install it on your phone, and it's not malicious, really; I checked the application, it really does what the developer says, you have the support of two WhatsApp. But some other people use exactly the same trick of tweaking an application to add malicious code. Basically it works like this: you have the application, you have a library, and when you compile the application you say "okay, you will load the library when you execute the real application". For the attacker it's really useful because he doesn't have to write the original application: he takes a real one and simply injects a library inside the real one. So for the users it's really hard to detect if it's a real one or not, because in fact it's a real one, patched. You have open source projects that explain how to do this; it's pretty complicated. And the point is, when you are inside the application, if the user uses this application, which is a fake one, the malicious code is executed inside the application, so it has access to the data of the application. So for WhatsApp, if I drop a log of the chat on the phone, the malicious code will have access to the repository where the information is logged, so the malware can simply get the file and exfiltrate the file to the attackers. It's natively supported, and it's like that.

Another thing we saw: it was a fake Instagram application, and the application was very light: it was simply a browser going to instagram.com, nothing else. The application downloads the HTML code of Instagram but patches it, adds some JavaScript inside, and there is an example where they use a trick, a secret event, and when the user clicks on login, the iOS application takes what the user put inside the fields and sends the information to the attackers. So basically the purpose is to steal credentials. We discovered this application on a store used in Iran, because, yeah, it's another joke: in some countries, due to US sanctions, they cannot have access to the legitimate store in the US, but as they must use a phone, they create a local store, and the users use the local store with fake copies of real applications. So that's where we found this malicious Instagram application. So yeah, it's basically what I explained.

Another thing we discovered, it's less aggressive than the previous one: we identified a fake checkra1n. So I explained to you checkm8, the exploit, and there is a jailbreak, and this jailbreak is not released yet. The guys on Twitter post a lot of pictures about how the work is going on, and they can jailbreak this version, this version, so they already make a lot of communication, but the source code is not available, and they registered checkra1n.com with a one, because it's the name of the project, and there's a guy who registered checkrain.com with an i, not with the one, and said "yes, I provide the checkra1n jailbreak, you simply need to download this profile, and once you download this profile you will have a jailbreak on your device, you don't even need to connect it by USB, it's magic". In fact, if you look at the profile, the description is simply fake, and it contains a web clip. A web clip is, for Apple, simply a bookmark, a bookmark on your desktop. So here is what it is for real: when you install the profile, this icon is on your phone, checkra1n, and if you click on it you will see the attackers were very creative. In fact it's simply a bookmark to a website, and you will see the website if the video works. So you can see it's in full screen; the advantage of the web clip is you don't see the browser, so it really looks like a real application. And yeah, I click on the checkra1n button, it checks your device, which is wrong, checks the version, it's simply JavaScript, it does nothing, it's just visual, and after that it loads your preferences, whatever it means, exploits the kernel, gets random memory, doesn't match my memory, and yeah, it's jailbroken, congratulations. The next step: you will have a fake terminal to look serious, you know, and you need to confirm that you did your backup. So yeah, you have a kind of fake shell; Cydia is a store used by jailbreakers on jailbroken devices, and yeah, it's successfully loading daemons and stuff like that. And finally, if you want the full jailbreak, please play this game, and when you click on the game you... yes, you need to play seven days before having your device jailbroken, which is wrong, of course. And finally it moves you to the real store and you need to install this application, etc., and nothing happens,
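The two deployment artefacts above, the ad hoc provisioning profile pinned to target UDIDs and the configuration profile carrying a full-screen web clip or an MDM enrolment, can be triaged offline with nothing but plistlib. This is an added example, my code rather than the speaker's tooling; the samples are constructed, all names, URLs and UDIDs are made up, and the CMS envelope of a real embedded.mobileprovision is skipped over, not verified.

```python
"""Triage of the iOS deployment artefacts from the talk: an ad hoc provisioning
profile pinned to UDIDs and a .mobileconfig carrying a WebClip and MDM payload.
Added example with constructed inputs; nothing here is a real profile."""
import plistlib

# embedded.mobileprovision is a CMS (PKCS#7) signature wrapping an XML plist;
# a few opaque bytes stand in for the DER envelope around this constructed plist.
_PROVISION_PLIST = plistlib.dumps({
    "Name": "adhoc-instagram (constructed)",
    "TeamName": "Example Academy (constructed)",
    "ProvisionedDevices": [  # constructed UDIDs of the targeted devices
        "00008020-000000000000001E",
        "00008020-000000000000002F",
    ],
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.instagram",
        "get-task-allow": False,
    },
})
SAMPLE_MOBILEPROVISION = b"\x30\x82\x0a\x00\x06\x09" + _PROVISION_PLIST + b"\x00\x00"

# A configuration profile like the fake checkra1n one: a full-screen WebClip
# (home-screen bookmark that looks like an app) plus an MDM enrolment payload.
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "checkra1n (constructed lookalike)",
    "PayloadIdentifier": "com.example.fakejb",
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": "com.apple.webClip.managed", "Label": "checkra1n",
         "URL": "https://example.invalid/fake-jailbreak",
         "FullScreen": True, "IsRemovable": False},
        {"PayloadType": "com.apple.mdm", "AccessRights": 8191,
         "ServerURL": "https://mdm.example.invalid/server"},
    ],
})


def extract_provisioning_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision.
    Triage only: the signature is located and skipped, not verified."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist inside mobileprovision blob")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_provisioning(profile: dict) -> dict:
    """Who signed the app, how it is distributed, which devices it is pinned to.
    A UDID list is not a verdict (legitimate betas are ad hoc too); the
    context, a fake Instagram from an unknown team, is what matters."""
    devices = profile.get("ProvisionedDevices", [])
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices", False):
        distribution = "enterprise"  # in-house certificate, any device
    elif devices:
        distribution = "ad_hoc"      # only the listed UDIDs can run it
    else:
        distribution = "app_store_or_unknown"
    return {
        "team": profile.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "distribution": distribution,
        "device_count": len(devices),
        "debuggable": bool(ents.get("get-task-allow", False)),
    }


def triage_mobileconfig(blob: bytes) -> list:
    """Payloads that matter here: MDM enrolment (remote app deployment)
    and WebClips (home-screen bookmarks)."""
    findings = []
    for payload in plistlib.loads(blob).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            findings.append({"kind": "mdm", "server": payload.get("ServerURL"),
                             "access_rights": payload.get("AccessRights")})
        elif ptype.startswith("com.apple.webClip"):
            findings.append({"kind": "webclip", "label": payload.get("Label"),
                             "url": payload.get("URL"),
                             "full_screen": bool(payload.get("FullScreen", False)),
                             "removable": bool(payload.get("IsRemovable", True))})
    return findings


def fullscreen_webclips(findings: list) -> list:
    """Full-screen web clips hide the browser chrome, which is exactly what
    made the fake checkra1n look like a real app; flag them for review."""
    return [f for f in findings if f["kind"] == "webclip" and f["full_screen"]]


if __name__ == "__main__":
    print(triage_provisioning(extract_provisioning_plist(SAMPLE_MOBILEPROVISION)))
    found = triage_mobileconfig(SAMPLE_MOBILECONFIG)
    for f in found:
        print(f)
    print("full-screen web clips:", fullscreen_webclips(found))
```

On a real device the inputs are the app bundle's embedded.mobileprovision and the profiles listed under Settings, Device Management; the same functions apply once the files are pulled off the phone.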
obviously and finally another really funny stuff is I'm a little bit late sorry is we you can develop christum keyboard so it's a crazy idea but Apple support custom keyboard so you are developer and you say yeah I don't like the Apple keyboard I want to use magics my layer not supported by Apple and you can create your own keyboard so as you can imagine if you have your own keyboard you can do what you want with a keyboard so here you have a keyboard on my phone and you can see each key I push you have the value on the left so it's said to the server so it's a key logger basically it's a crystal keyboard used
as a key logger and it's supported Apple did something really smart with system keyboard you cannot steal password with that because even if you deploy your custom keyboard on your device if you try to write something on the password field it automatically switch to the real upper keyboard and once you left the password field for normal text field it switched back to the crystal keyboard so you can still description you can start chat you can still user name but you can disturb as well so it's it's pretty clever from my point of view so yeah I tried to show you all the stuff I so in real life so it's not on my lab just to show you what could be done all
this case up for real Apple is doing a great job miss security point of view for and user point of view and it's very it's a lot of effort to become route and make some very bad cell phone on the device but when you are defender and you you have to whatsapp on your phone sir which is not normal it's normally impossible to have two words up on your phone and you want to do some investigation you have a huge limitation due to this security put put by Apple on the on device and you need to be creative you need to perform a few months after the reserved jail but you can have the phone extra extra so it's
it's a lot of effort and obviously marva exists on this kind of devices and we have the proof we identify a couple of different Marwa it's documenting you can go on our blog post and you will see exactly where we found it's a group behind etc extra extra so but it was not the purpose of the door to speak about so copán and simply to show you it's very exist and the state of art from my point of view concerning iOS forensic analysis and marwah and I'm three minutes late who will be ok we sure we can make it up Paul thank you very much to the top
Okay, so we were a minute or two late, but we can take a question or two if anyone has any. We've got one at least. You're lucky you got a question, mostly because you drew a stop, see? Yeah, you should try.

Thank you for that. I have two questions actually. After exploiting the boot ROM with checkm8, is it possible to run a dual boot, or can the custom firmware be dumped? And the second question is, after jailbreaking the iOS device, can you see the user data? I mean, is it encrypted?

Yeah, it's a good question, because Apple did something else very clever: the user data is not in the clear, so you need the PIN to get access to the data, to decrypt that. The files you find, photos, SMS, are not stored in plain text on your phone; it's encrypted and you need the PIN to decrypt this information. So even if you have checkm8 and checkra1n and you are able to do custom stuff, modify the memory, jailbreak the device or whatever, you cannot have access to the data of the users; it's not possible, you need to have the PIN to decrypt the data. So even if someone takes your phone when you are at the hotel, plugs in a USB cable and uses some magic stuff, if he doesn't have your PIN he will only have encrypted data; if he has your PIN he can steal your data. So the PIN, or your fingerprint, or your face or whatever, encrypts your data, so no, even with this they cannot access your data; you need to reboot the phone and do a few things, etc. So everything is encrypted from that point of view.

Oh, one more, we won't take any more. Okay, just be quick.

Are there any good repositories or sources if you're wanting to get into the area, or kind of analyze things yourself? Like obviously on Windows and other platforms there's a lot of readily available malware that you can download and look at.

Yeah, in our case I don't know if the samples we analyzed are on VirusTotal to practice, I'm not sure, maybe you need to check. Or even if you don't work on malware, you can work on legitimate applications to understand how it works and to create your lab; you don't necessarily need the malware. Even if you develop your own malware, you will play with signatures, adopt certificates and stuff like that, and you will clearly understand how it works. So if you don't find any public malware, you can do your own and practice, or you take a legitimate application, it works also. Don't take the Starbucks application, but have fun.

Let me say that, guys, that's us done. If you want to see Paul, he'll be at the party, yeah.

If you have questions, feel free to, yeah, also.

Cheers, Paul, thanks very much.