Welcome to my second article on “iOS Application Security Testing Series”. You can find Part 1 here.
Imagine a scenario where you, as an iOS Application Security Tester, are tasked with auditing an application to identify vulnerabilities. By itself, the task may not seem too daunting until you learn of a couple of conditions and constraints: you have very little information to work from about how the application operates or what protocols it uses, and you have a limited amount of time to conduct your evaluation. What do you do? Under these conditions, searching for and identifying vulnerabilities in the application can be an epic task.
In this article, I’d like to walk you through how we can analyse any preinstalled application on your device and determine things from the application’s source code such as its classes, the names of the view controllers it uses, the internal libraries, and even details like the variable and method names used in any class or view controller.
I generally start with Snoop-it by NESO Security Labs. Basically, I try to automate the effort of decrypting the application as much as possible.
A quick list of all the features provided by Snoop-it can be seen in the screenshot below.
To install Snoop-it on your device, go to Cydia, tap the Sources tab at the bottom, tap Edit, then Add, and add the repo http://repo.nesolabs.de – then tap Install. Once this is done, you will see the Snoop-it app icon on your device. Open it up and you will see this user interface.
Before the first run, Snoop-it should be configured properly. For this, you need to select the app you want to analyze using the “Snoop-it Configuration App”. Within the ‘Applications’ tab, you can choose between available System/Cydia apps or apps installed from the official Apple App Store. For this blog, my demo will be the Wikipedia app, so I select it.
Next, configure Snoop-it’s settings. In this case, I have left the port number at 12345 and kept the preselected default authentication.
Now open the Snoop-it web interface in any browser at the address shown in the Snoop-it application. In my case, the address is http://10.80.56.187:12345. Make sure the target app is open and in the foreground on your device, then refresh the Snoop-it web interface. As you can see, you have a beautiful interface that you can use to perform a full-fledged security assessment of the application.
Now we are at a stage where we can analyze the app for class information. So, let’s look at the class information for the Wikipedia app. On the left-hand side, under Analysis, go to Objective-C classes. On the right-hand side, you will see all the classes and information such as property and method names. The screenshot below shows this view with no method selected.
The ones in orange represent the classes that have live instances. If you hover your mouse over a view controller class, you will see that it has an instance which is presently live.
Similarly, you can see the methods and properties for the Wikipedia app.
Technique to bypass authentication
A well-known technique to bypass authentication, “Method Swizzling in Objective-C”, is possible with Snoop-it. Just check any relevant method and click on Setup and Invoke at the top right. Here is an old-school video on Method Swizzling in Objective-C 🙂
In addition, you can trace method and system calls as they happen, if desired.
View Controllers (X)
TOPasscodeViewController is an open-source UIViewController subclass that overlays a full-screen passcode UI over an app’s content. The user must enter the correct passcode in order to proceed, or hit ‘Cancel’ to exit the private part of the app. GitHub here.
This sort of UI is useful for certain apps that contain highly sensitive information (such as banking or health) where users may indeed want an extra level of security beyond the standard iOS passcode.
// Present the passcode screen in the dark translucent style, asking for four digits.
- (void)showButtonTapped:(id)sender
{
    TOPasscodeViewController *passcodeViewController = [[TOPasscodeViewController alloc] initWithStyle:TOPasscodeViewStyleTranslucentDark passcodeType:TOPasscodeTypeFourDigits];
    passcodeViewController.delegate = self;
    [self presentViewController:passcodeViewController animated:YES completion:nil];
}

// Delegate callback: the user tapped Cancel, so dismiss the passcode screen.
- (void)didTapCancelInPasscodeViewController:(TOPasscodeViewController *)passcodeViewController
{
    [self dismissViewControllerAnimated:YES completion:nil];
}

// Delegate callback: the whole gate is this single BOOL, compared against a literal.
- (BOOL)passcodeViewController:(TOPasscodeViewController *)passcodeViewController isCorrectCode:(NSString *)code
{
    return [code isEqualToString:@"1234"];
}
To tamper with the BOOL returned by passcodeViewController:isCorrectCode: we could use Cycript, which lets us replace the implementation of any given message so that it always returns TRUE – but why all the hassle when you can just hide the view controller?
Snoop-it has a feature for this: on the far left-hand side, under Analysis, choose View Controller, select the view controller class on the right-hand side and click on Display Controller. Then click on Close or Hide View Controller, depending on whether the view controller is presented over another view controller or not.
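The delegate above gates the private screen on a single BOOL compared against a literal, which is exactly what swizzling the return value or hiding the view controller defeats. As an added example (not from the post or from the TOPasscodeViewController project), here is the same delegate written so that the passcode derives the key that protects the data, making the UI gate irrelevant to an attacker who only flips the BOOL. VaultViewController, its properties and the two helper functions are assumptions; PBKDF2 and SHA-256 come from Apple’s CommonCrypto.

```objectivec
#import <UIKit/UIKit.h>
#import <CommonCrypto/CommonCrypto.h>
#import "TOPasscodeViewController.h"

static const uint32_t kPBKDFRounds = 100000;           // tune to ~100 ms on the target device
static const size_t   kVaultKeyLen = kCCKeySizeAES256; // 32-byte key

// Constant-time comparison so the verifier check leaks no timing information.
static BOOL VaultBytesEqual(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

// Stretch the digits into a key. The salt is per install, stored beside the
// encrypted vault, and need not be secret.
static NSData *VaultKeyFromCode(NSString *code, NSData *salt) {
    NSMutableData *key = [NSMutableData dataWithLength:kVaultKeyLen];
    const char *pw = code.UTF8String;
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2, pw, strlen(pw), salt.bytes, salt.length,
                                  kCCPRFHmacAlgSHA256, kPBKDFRounds,
                                  key.mutableBytes, kVaultKeyLen);
    return rc == kCCSuccess ? key : nil;
}

// Hypothetical host controller; these names are assumptions, not project API.
@interface VaultViewController : UIViewController <TOPasscodeViewControllerDelegate>
@property (nonatomic, strong) NSData *vaultSalt;      // stored with the encrypted vault
@property (nonatomic, strong) NSData *storedVerifier; // SHA-256 of the key, written at enrolment
@property (nonatomic, strong) NSData *vaultKey;       // in memory only after a correct code
@end

@implementation VaultViewController
- (BOOL)passcodeViewController:(TOPasscodeViewController *)passcodeViewController
                 isCorrectCode:(NSString *)code {
    NSData *key = VaultKeyFromCode(code, self.vaultSalt);
    if (!key || self.storedVerifier.length != CC_SHA256_DIGEST_LENGTH) return NO;
    // The verifier is a hash of the key, so the comparison exposes neither the
    // code nor the key; a wrong code simply derives a key that decrypts nothing.
    uint8_t digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(key.bytes, (CC_LONG)key.length, digest);
    if (!VaultBytesEqual(digest, self.storedVerifier.bytes, CC_SHA256_DIGEST_LENGTH)) return NO;
    // Only a correct code puts the key in memory. Swizzling this method to return
    // YES, or hiding the passcode view controller, unlocks the UI but not the data.
    self.vaultKey = key;
    return YES;
}
@end
```

A four-digit space is still small, so in a real app this derived key should wrap a random data key kept in the Keychain with a device-bound accessibility class rather than encrypt the vault directly, so that guessing requires the device.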
Internal Libraries and the File System Monitoring
Snoop-it can also monitor the many files and directories that are being accessed by the application. To do that, on the navigation menu on the left side, click on Filesystem under Monitoring. This feature is useful when an application is writing to a database file and you need to find out that file’s name. You can also download these files just by double-clicking on them and then analyze them on your machine.
Double Proxy Network, Web, and API Monitoring
Burp Suite and OWASP ZAP Proxy are the tools I always run in the background to intercept the app’s SSL/TLS connections seamlessly.
In this article, we looked at how we can use Snoop-it to perform black-box recon of an app and how easy it makes that task. It’s an awesome tool, but there are many methods one may employ in achieving one’s ends. We could have used Introspy, which is undoubtedly one of the most powerful tools for analyzing the security of iOS applications, or Clutch, class-dump-z, LLDB, Hopper, idb, Cycript, and Frida, a dynamic instrumentation toolkit for developers and reverse engineers.