iOS Application Security Part 4 –RunTime Analysis Using Objection Powered by Frida (Twitter App).

Welcome to my 4th blog post in the “iOS Application Security Testing Series”. You can find Part Three here. In this article, we will look at application runtime analysis using Objection, the runtime mobile exploration toolkit powered by Frida. We will look at how we can obtain information about a class (methods, instance variables) and modify it at runtime; in addition, we will inspect various objects (e.g. the keychain) on disk during (or after) execution.

Before we start, let’s talk about frameworks in iOS. A framework is a library of code modules that applications are built on top of.

The frameworks associated with the Apple operating systems are Cocoa (for OS X) and Cocoa Touch (iOS). With modules written in the Objective-C language, Cocoa Touch is specifically geared toward touch-based devices like iPhones and iPads.

Objective-C Runtime

Objective-C is a runtime-oriented language, which means that the links between your methods, variables and classes are deferred to the last possible moment, i.e. to when your app is running. This gives you great flexibility because you can change those links. You can read Apple’s documentation here.

SWIFT

In 2014, Apple launched Swift, a new programming language for iOS mobile apps that’s given iOS developers an alternative to Objective-C – this programming language is designed to provide seamless compatibility with Cocoa and Objective-C.

Swift is a compile-time-oriented language. So, in Swift, everything is bound more tightly: you get more safety, but less flexibility. You can read Apple’s documentation here.

Twitter Directory (Language Indicators)

Let’s look at the Twitter iOS app. Go inside the Twitter app directory. Once you are inside the folder, use the Unix command find . -name '*Frame*' to list the frameworks and libraries bundled with the app.

We can see that it imports quite a lot of frameworks as well as libraries. (Swift is clearly the language in use, as the framework listing shows.)

Even when written without a single line of Objective-C code, every Swift app executes inside the Objective-C runtime, opening a world of dynamic dispatch and associated runtime manipulation.

Runtime Analysis with Objection

Let’s begin the assessment.

Prerequisites

To run objection, all you need is a python3 interpreter. Installation via pip should take care of all the dependencies needed, with Frida properly set up on both the iOS device and the workstation.

The most commonly used subcommand is explore, which starts the objection exploration REPL.

Early Instrumentation

Sometimes it is necessary to run commands and hook functions as the execution of the application in question is resumed (or as early as possible). Examples of this might be when testing jailbreak detection, or when an API call that has its SSL certificate pinned is made on startup.

First, let’s make sure we are hooked into the running process.

At its core, objection relies heavily on Frida to perform most of the magic. Frida, together with some purpose-built hooks and the python REPL is what makes up Objection.

Finding methods for a class

Let’s search for the class we are interested in.

Printing the methods for a particular class is as simple as:

We can now modify their return values at runtime, for example forcing a method to return true or false.
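As an added example (not code from the original post or from the author’s scripts), the Frida script below hooks one method of a class, logs its real BOOL return value and, optionally, forces it, which is the “set to true/false” step described above. TargetClass and - isDeviceCompromised are placeholder names; the Frida globals ObjC and Interceptor are passed in as parameters so the hook logic can also be exercised with fakes outside Frida.

```javascript
// Added example: watch or override a BOOL-returning Objective-C method with Frida.
// TargetClass / "- isDeviceCompromised" are placeholders, not names from the app.
// objc and interceptor are the Frida globals ObjC and Interceptor (injected so the
// function can be tested with fakes when the script is loaded outside Frida).
function installBoolHook(objc, interceptor, className, selector, opts) {
  const cls = objc.classes[className];
  if (cls === undefined) {
    throw new Error('class not found: ' + className);
  }
  const method = cls[selector];          // e.g. '- isDeviceCompromised' or '+ sharedInstance'
  if (method === undefined) {
    throw new Error('selector not found: ' + selector + ' on ' + className);
  }
  const log = [];                        // one entry per call, with the genuine return value
  interceptor.attach(method.implementation, {
    onLeave(retval) {
      const original = retval.toInt32(); // BOOL travels as a small integer: 1 = YES, 0 = NO
      log.push({ selector, original });
      if (opts && opts.force !== undefined) {
        // Overriding the value shows how little a single BOOL gate is worth once
        // an attacker is in the process; detection logic should not rely on it alone.
        retval.replace(opts.force ? 0x1 : 0x0);
      }
    },
  });
  return log;
}

// Under Frida the globals exist and the hook is installed; under plain Node the
// file only defines the function.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const seen = installBoolHook(ObjC, Interceptor,
    'TargetClass', '- isDeviceCompromised', { force: false });
  setInterval(() => console.log(JSON.stringify(seen)), 5000);
}
```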

Other interesting directories that relate to the application in question may be enumerated using the env command. This will print out the locations of the application’s Files, Caches, and other directories:

Keychain and Memory Dump

Another interesting function is the memory dump, which comes with an easy search option.

Dumping the keychain is as easy as one command: ios keychain dump.

This is achieved by building a query dictionary just like you would in an iOS application, and querying for all of the available object class types, such as kSecClassKey, kSecClassIdentity and kSecClassInternetPassword.

There are a few important things to keep in mind though:

  • This command will only dump keychain entries for the current application. In fact, a more ‘correct’ way of saying this is that it will only dump entries for the current entitlement group.
  • The entitlement group your application will use comes from the embedded.mobileprovision file used when patching and resigning the IPA.
  • When patching multiple IPAs, it is common to re-use an embedded.mobileprovision file. This is fine, but it is important to remember that other applications’ keychain entries may exist when you dump the keychain.
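As an added example (not objection’s own code), the Frida script below builds the same kind of per-class SecItemCopyMatching query described above and then applies the caveat from the list: it splits the dumped entries into those in the app’s own access group (the agrp attribute) and those that belong to other applications signed with the same re-used embedded.mobileprovision. The access group ABCDE12345.com.example.app and the SAMPLE_ITEMS are constructed placeholders.

```javascript
// Added example: query the keychain per item class (as "ios keychain dump" does) and
// flag entries whose access group ("agrp") is not the app's own. Frida globals
// (ObjC, Module, Memory, NativeFunction, Process) are only used inside dumpKeychain().
const ITEM_CLASSES = ['kSecClassGenericPassword', 'kSecClassInternetPassword',
  'kSecClassCertificate', 'kSecClassKey', 'kSecClassIdentity'];

// Pure helper: split dumped items into the app's own access group and others.
function auditAccessGroups(items, ownGroupPrefix) {
  const result = { own: [], foreign: [] };
  for (const it of items) {
    const entry = { itemClass: it.itemClass, account: it.acct || null,
      service: it.svc || null, group: it.agrp || null };
    const mine = entry.group !== null && entry.group.startsWith(ownGroupPrefix);
    (mine ? result.own : result.foreign).push(entry);
  }
  return result;
}

// kSec* keys are exported CFStringRef constants of the Security framework.
function secConst(name) {
  return new ObjC.Object(Module.findExportByName('Security', name).readPointer());
}

function dumpKeychain() {
  const SecItemCopyMatching = new NativeFunction(
    Module.findExportByName('Security', 'SecItemCopyMatching'), 'int', ['pointer', 'pointer']);
  const cfTrue = new ObjC.Object(Module.findExportByName('CoreFoundation', 'kCFBooleanTrue').readPointer());
  const items = [];
  for (const cls of ITEM_CLASSES) {
    const query = ObjC.classes.NSMutableDictionary.alloc().init();   // same dictionary an app would build
    query.setObject_forKey_(secConst(cls), secConst('kSecClass'));
    query.setObject_forKey_(secConst('kSecMatchLimitAll'), secConst('kSecMatchLimit'));
    query.setObject_forKey_(cfTrue, secConst('kSecReturnAttributes'));
    const out = Memory.alloc(Process.pointerSize);                    // CFTypeRef *result
    if (SecItemCopyMatching(query.handle, out) !== 0) continue;       // e.g. errSecItemNotFound
    const arr = new ObjC.Object(out.readPointer());                   // NSArray of NSDictionary
    for (let i = 0; i < arr.count(); i++) {
      const d = arr.objectAtIndex_(i);
      const str = (k) => { const v = d.objectForKey_(k); return (v === null || v.handle.isNull()) ? null : v.toString(); };
      items.push({ itemClass: cls, acct: str('acct'), svc: str('svc'), agrp: str('agrp') });
    }
  }
  return items;
}

// Constructed sample of dumpKeychain() output, used when not running under Frida.
const SAMPLE_ITEMS = [
  { itemClass: 'kSecClassGenericPassword', acct: 'session', svc: 'com.example.app', agrp: 'ABCDE12345.com.example.app' },
  { itemClass: 'kSecClassInternetPassword', acct: 'user', svc: 'api.other.example', agrp: 'ABCDE12345.com.other.app' },
];
const dumped = (typeof ObjC !== 'undefined' && ObjC.available) ? dumpKeychain() : SAMPLE_ITEMS;
console.log(JSON.stringify(auditAccessGroups(dumped, 'ABCDE12345.com.example.app'), null, 2));
```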

To make it easier to automate all the instrumentation we did manually above with Frida, here are the Frida scripts on my GitHub.

Script name and description:

  • dump-ios-URL-scheme.js: Dump iOS URL scheme when “OpenURL” is called
  • find-classes.js: Dump all classes used by the app
  • find-methods.js: Dump all methods inside all classes
  • find-specific-method.js: Find a specific method in all classes
  • frida_python_script.py: Python script to run Frida scripts
  • frida_without_jailbreak_ipa.png: Screenshot from Reddit for using Frida without jailbreak
  • hook-all-methods-of-specific-class.js: Hook all the methods of a particular class
  • hook-specific-method-of-class.js: Hook a particular method of a specific class
  • show-all-methods-of-specific-class.js: Dump all methods of a particular class
  • show-method-return-value.js: Show return value of a particular method inside a class

Executing Frida Scripts

If you run a script as a file from the command line (frida -U -p 1234 -l test_script.js), it will get terminated if execution time exceeds 28 seconds.

I recommend attaching to the target app’s process and then pasting the Frida script code you want to execute. You can also use the Python script for executing the Frida script code.

Conclusion 

In this article, we looked at how we can install Objection, the runtime mobile exploration toolkit powered by Frida, on a jailbroken device, obtain information about a class (methods, instance variables) and modify it at runtime; in addition, we inspected various objects (e.g. the keychain and memory).

Techniques like method swizzling could also be deployed; we have not covered them here, but they were mentioned in the previous article.

To become more comfortable pen testing in iOS, you should develop your own strategy which is tuned to your particular needs.

This was another worked example – nothing new, this has been done by others before. I was hoping to demonstrate a fully worked example from the ground up as a record of how to go from knowing nothing about an iOS app to being able to disclose some interesting artefacts about it.

I hope you’ve enjoyed this tutorial! See you next time.

About Liban Mohamud

My name is Liban Mohamud. I hold an M.Sc. in Digital Investigations, Forensics and Computer Security from University College Dublin (UCD). I’m an Information Security Specialist and researcher with a passion for Mobile Security and Mobile Forensics, and I have over 15 years’ experience in the industry. @coolx28
