Dynamic analysis of iOS apps without Jailbreak

In this article I will share my experience in solving some of the problems I faced when analyzing the security of iOS applications. All the tricks and approaches (unless noted otherwise) are applicable on an iOS device without Jailbreak.

Static analysis vs. dynamic analysis

Let's start with the different types of analysis and a short comparison.

Static analysis can help detect a large number of problems, such as hard-coded sensitive data, various vulnerabilities, bugs, and backdoors. For analyzing iOS applications, useful tools include IDA Pro, Hopper Disassembler, MobSF and Radare2. The advantage of this method is the ability to automatically scan files and code, including code that is never executed, with almost one hundred percent coverage.

Dynamic analysis helps you explore the app while it is running: for example, examining the state of the program at run time (memory contents, registers, variable values), understanding the logic of its operation, and so on.

Using both methods together gives the highest-quality analysis of an application: it covers the entire attack surface and finds the maximum possible number of errors and vulnerabilities.

Comparative table of analysis methods

Dynamic analysis

Dynamic analysis of mobile applications is not possible without a device or an emulator. Real devices are almost always preferred (unless there is a strong need to parallelize the task). But the need for a device raises the cost of the research. In addition, you must be able to install your own applications and tools on the device to perform the analysis.

Android situation

When exploring Android apps, you can often use an old and cheap version of a device, or the emulator in the IDE. Android has a simple way to elevate the user's privileges, in other words to "get root access", in order to install your own tools and applications. In earlier models of smartphones from China there was a switch in the settings to gain superuser privileges in a single tap. On a personal device that is used every day, root can significantly weaken the security of the system and lead to a malware infection. In research, it is a useful thing that speeds up and improves the progress of the work.

iOS problem

During an audit of iOS applications there are some additional points:

  • The high cost of the device, but a separate device is necessary: you cannot use a personal device.
  • Device model: older smartphones and tablets are not applicable because they lack newer features (e.g. Force Touch, Face ID, ...)
  • Device type: phone, tablet, watch: it all plays an important role in the analysis (we have met cases where a vulnerability in the same application was present only in the version for a certain type of device)
  • The latest version of iOS: the API is constantly evolving, and for a qualitative analysis it should take place on the latest version of iOS
  • Jailbreak on the device: to install your own apps and tools for inspection and to access the file system

Jailbreak

When the first iPhone came out, it was hacked a few days after release. The rather low level of security persisted up to the fourth version of the operating system: researchers created extensions (tweaks), made their own builds of iOS and added applications. Over time, Apple changed its attitude to security and significantly strengthened system protection, adding some of the most popular features created for Jailbroken devices to its own updates. For example, Control Center was a tweak before it became a built-in component of iOS. Each new release of the system increased the time needed to find and exploit vulnerabilities, and changed APIs and accessibility features (moving some into the Private and some into the Public area). These and many other changes made life difficult for security researchers and for developers of tweaks (system add-ons) and applications, forcing them to update their tools for new APIs and functions. The increased protection of devices was also driven by the close attention paid to the platform by the "bad guys", intelligence agencies and everyone else who would like to access the data on your device. So today the price of a remote Jailbreak for iOS reaches $1.5M.

The price Zerodium pays for a Remote Jailbreak.

Many of those who stood at the origins of the Jailbreak are now employed by information security companies or by Apple, or have begun to sell vulnerabilities to other parties without publishing them or creating a public Jailbreak. All of this, the increased security level of the platform and the outflow of vulnerabilities to the market, has led to public Jailbreaks appearing much less often.
At the moment, the latest version of iOS for which a Jailbreak is available is iOS 11.1.2. As a result, to perform a security audit on a device you need to take into account a variety of factors, the most important being the availability of a fresh Jailbreak.

At the Tencent Security Summit 2017 conference, researcher Chris Wade presented a project on full virtualization of the iPhone 6. It is not public, and it is not yet known how and when it will become available to a wide audience. But it is definitely a very big step forward for many areas related to iOS.
Info: one, two, three

Security analysis of iOS applications

Now let's move on to the main topic of the article. There are three models of application (system) analysis.

Whitebox

The customer provides all the information about the application: source code, documentation, etc. So you can do whatever you want: modify, build, run, analyze, etc. on any device, even without Jailbreak.

Graybox

The customer does not provide the source code of the application, but can make a special build of it for analysis: for example, with all debug messages and functions enabled, SSL pinning disabled and our own libraries inside, for ease of analysis (more about them later). Such a build runs seamlessly on a device without Jailbreak.

Blackbox

A model that fully reflects the situation of a real attacker who has no additional information about the application and no ability to influence its build. Here you just go to the app distribution store, download the app and then try to do something with it. The customer may want the work done in this attacker model, and it is also the model for participation in a Bug Bounty program. This is where the problem arises for dynamic analysis, because a Jailbreak is necessary.

Dynamic security analysis of iOS apps without Jailbreak

The research requires some preparation by the researcher and setting up the environment, so the necessary steps are described below in the form of a manual. It is important to note that some steps can be skipped, for example signing and delivering to the device, if you use an Xcode project.

0x00 Preparation

To begin the research, it is necessary to prepare and configure the environment:

  • macOS with Xcode
  • Apple developer account (preferably)
  • iOS device without Jailbreak
  • Decrypted .ipa file of the app
  • The framework you want to add to your application

0x01 Download .ipa file

There are several ways to obtain an .ipa file for analysis.

From iTunes (iTunes ≤ 12.7.x)
Buying apps in the App Store gives you an .ipa file linked to the buyer's Apple ID. This limits the possibility of modification, but allows static analysis of the binary. The iTunes version limitation is due to the latest app updates: Apple has removed the App Store section from iTunes.

iFunBox, or even TestFlight (iOS ≤ 8.3)
A desktop application for managing the file system of iOS devices. Full functionality is available only on devices with an iOS version not higher than 8.3.

Download an old version of the .ipa file from iTunes (iTunes ≤ 12.7.x)
This is possible if you use any application that lets you redirect traffic through itself (Charles Proxy, Burp, ...). Then start iTunes and download the selected application. Intercept the request, change the build number in the XML plist to the one you need to download, and let the request continue. More information about this can be read here and seen here.

Download a decrypted .ipa online (e.g. ipastore.me, 4pda, appdb.store, ...)
Sites and forums with applications available for download without binding to an Apple ID, which allows the manipulations necessary to attach frameworks. This is the best solution, but you need to be careful with banking applications :)

0x02–0x03 Data extraction and .ipa decryption

There will be a slight deviation from the rules here, as a Jailbreak may be necessary for the step of obtaining a decrypted .ipa file. This applies primarily to applications that are not accessible through the App Store (for example, "special builds" or TestFlight). Having obtained a decrypted file, you can build a modified executable that is not tied to the owner's Apple ID. For this you can use utilities for Jailbroken devices (or, for example, ask a friend to download it :)

Or, for publicly available apps, download from resources such as:

0x04 Framework append

One of the most convenient ways to add a framework to an .ipa file is to use an Xcode project. There are many projects on GitHub, but we want to highlight a couple that are, in our opinion, the most successful, efficient and intuitive.

In the first case there is a demo in which you only need to replace the .ipa and run the application; in the second case you drag and drop the .ipa and the .framework file that you want to attach. The convenience of the first project is that you can add your own code, which will run right after launch.

What can be put inside .ipa file?

Answer: whatever you want! But for application security analysis I can recommend the following frameworks.

Frida (GitHub: /frida/frida)

One of the few frameworks that is still actively developed today; it allows you to inject JS code inside the process, to monitor the application launch and to patch it before the launch completes. Its advantages are easy extensibility for different tasks, scriptability and a simple client. By adding only the Frida gadget to the project, even without doing anything else, you can already find out what calls are happening inside the program and later apply this in static analysis (r2+frida).
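A script the Frida gadget can load at launch to record the calls the paragraph above talks about. This is an added example, not code from the article or the Frida project; the trace table (NSURLSession and NSUserDefaults selectors) is an assumed starting point, and the helpers are plain JS so the logic can be checked off-device.

```javascript
// Frida gadget script (added example, not from the article): trace selected
// Objective-C methods and flag cleartext http:// URLs handed to NSURLSession.
// The helpers are plain JS; the guarded block at the bottom needs the Frida
// runtime (ObjC, Interceptor) that only exists inside the gadget process.
// Methods to trace: an assumed starting table, extend it for the app under test.
const TRACE = {
  NSURLSession: ["- dataTaskWithRequest:completionHandler:", "- dataTaskWithURL:completionHandler:"],
  NSUserDefaults: ["- setObject:forKey:"],
};

// True when a class/selector pair is in the trace table.
function shouldTrace(className, methodName, table = TRACE) {
  const sels = table[className];
  return Array.isArray(sels) && sels.includes(methodName);
}

// Classify a string seen as a method argument: cleartext transport is the
// finding a reviewer wants surfaced; TLS and non-URL values are just logged.
function classifyArg(value) {
  if (typeof value !== "string") return "unknown";
  const lower = value.toLowerCase();
  if (lower.startsWith("http://")) return "cleartext";
  if (lower.startsWith("https://")) return "tls";
  return "other";
}

// One log line per hooked call, with the classification appended.
function formatCall(className, methodName, value) {
  return `[trace] ${className} ${methodName} ${value} [${classifyArg(value)}]`;
}

// Frida-only part: ObjC and Interceptor exist only inside the gadget process.
if (typeof ObjC !== "undefined" && ObjC.available) {
  for (const className of Object.keys(TRACE)) {
    const cls = ObjC.classes[className];
    if (!cls) continue;
    for (const methodName of TRACE[className]) {
      const method = cls[methodName];
      if (!method || !shouldTrace(className, methodName)) continue;
      Interceptor.attach(method.implementation, {
        onEnter(args) {
          // args[0] is self, args[1] the selector, args[2] the first argument.
          const first = new ObjC.Object(args[2]);
          const value = first.$className === "NSURLRequest"
            ? first.URL().absoluteString().toString() : first.toString();
          console.log(formatCall(className, methodName, value));
        },
      });
    }
  }
}
```

Each hooked call produces one line on the gadget console, so a cleartext request shows up as `[cleartext]` without reading every log entry.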

Useful links for this project:

Cycript (www.cycript.org / GitHub: /nowsecure/frida-cycript)

Similar in functionality to the Frida framework: it allows you to attach to processes and manipulate environment variables and memory through an interactive console. Supports JavaScript and Objective-C.

Useful links for this project:

CydiaSubstrate (cydiasubstrate.com / mobilesubstrate.deb)

The legendary framework from Saurik, allowing you to modify an application without its source code, manipulate the API and tweak the application in every possible way. But at the moment it has not been updated for a long time, so use it at your own risk. In addition, iOS development keeps changing the API, so on some versions of iOS it may be useless altogether.

Reveal (revealapp.com)

The most nonstandard of this set of frameworks. It is more suitable for UI/UX work and for studying interfaces for hidden fields, bound objects and so on. An advantage is its support of TV and Watch.

0x05 Application signing

The application cannot be installed on a smartphone without an appropriate developer signature (do not forget that our device is without Jailbreak). If we do not use Xcode, which picks up certificates automatically, we can sign manually using one of the following tools.

Both of them cope with the task perfectly well, and at the output we get an application correctly re-signed with our certificate.

0x06 Application delivery

Using Xcode and a device, the app will automatically be delivered to and launched on your smartphone. If there is only an .ipa file, you can use the following utilities.

In short, a diagram describing each step and the utilities that help with it looks as follows.

And finally, a couple of demos of how it all looks.

Demo 1

Demo 2

Thank you d1g1.