Resolving an iOS Reverse Engineering Challenge with Frida

Hamza Dridi
Feb 17, 2023


In this post, I will share my solution to a specific challenge in the DVIA-v2 app — the runtime manipulation challenge, which involves loading content from another URL. There isn’t much information available online about this challenge, so I decided to come up with my own solution.

For those who are not familiar with DVIA-v2, it is an application designed to teach common vulnerabilities in iOS apps. You can learn more about the app by visiting this link.

The challenge could be solved using various techniques and methods, but in this post, I will show you a simple solution using Frida. Please note that you will need a jailbroken iPhone to use Frida.

Let’s take a closer look at how the challenge works. When we click on the “Read tutorial” button, the app opens a page in Safari.

Through reverse engineering and coding some iOS apps, I discovered that there are a few techniques that can be used to accomplish this, including:

  • The openURL method from the UIApplication class
  • The load method from the WKWebView class
  • Custom URL schemes

Given that the page opens in Safari, it is likely that the openURL method is being used. To verify this, we can use Frida to trace the calls to the openURL method.

As expected, the app is using “-[UIApplication openURL:options:completionHandler:]”.

The next step is to write a Frida script that alters the arguments passed to the function. We need to create an NSURL pointer, since according to the Apple documentation, the first argument passed to the function is a pointer to an NSURL.

We executed the script and got the expected result.
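A script of the kind described above, written here as an added example (it is not the author's original script). The replacement URL is a constructed placeholder, and `chooseUrl` and `installHook` are hypothetical helper names; the selector is the one found by tracing.

```javascript
// Added example: swap the NSURL handed to
// -[UIApplication openURL:options:completionHandler:] in the DVIA-v2 lab app.
// REPLACEMENT_URL is a constructed placeholder, not a value from the post.
const REPLACEMENT_URL = "https://example.com/";
const SELECTOR = "- openURL:options:completionHandler:";

// Decide which URL the hooked call should receive. Only http(s) URLs are
// swapped, so other schemes the app may open (tel:, app-settings:, custom
// schemes) pass through untouched. Returns null when nothing should change.
function chooseUrl(original, replacement) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(original || "");
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  if (scheme !== "http" && scheme !== "https") return null;
  return original === replacement ? null : replacement;
}

function installHook() {
  const method = ObjC.classes.UIApplication[SELECTOR];
  Interceptor.attach(method.implementation, {
    onEnter(args) {
      // Objective-C calling convention: args[0] = self, args[1] = _cmd,
      // so the method's first declared parameter (NSURL *) is args[2].
      if (args[2].isNull()) return;
      const original = new ObjC.Object(args[2]).absoluteString().toString();
      const target = chooseUrl(original, REPLACEMENT_URL);
      if (target === null) {
        console.log("[openURL] unchanged: " + original);
        return;
      }
      // Build the new NSURL and pass its raw pointer in place of the old one.
      const nsurl = ObjC.classes.NSURL.URLWithString_(target);
      args[2] = nsurl.handle;
      console.log("[openURL] " + original + " -> " + target);
    },
  });
}

// Frida's globals exist only inside an instrumented process; the guard lets
// the file also load under plain Node so chooseUrl() can be checked alone.
if (typeof ObjC !== "undefined" && ObjC.available) {
  installHook();
}
```

The log lines show both the original and the substituted URL, which makes it easy to confirm that the hook fired on the “Read tutorial” tap and not on some other openURL call.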

In conclusion, we have demonstrated a simple solution to the runtime manipulation challenge in DVIA-v2 using Frida. This challenge is an excellent way to practice reverse engineering skills and learn about runtime manipulation techniques. We hope that this post has been informative and helpful to you!
