Automating ios blackbox security scanning Mikhail Sosonkin SYNACK Inc.

Transcription

1 Automating ios blackbox security scanning Mikhail Sosonkin SYNACK Inc.

2 leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT devices and infrastructure endpoints - SYNACK.com ME! Employer!

3 Why do we care? Our privacy. Our freedoms. Wouldn t want to lose any of those things! Our money.

4 Step 1: Jailbreak Pangu TaiG

5 Step 2: Apply IDAPro DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib Thanks Stephan Esser! For those that don t know Aarch64 IdaRef documentation plugin:

6 Step 3: Dynamic Analysis In-process Frida Cycrypt LLDB External FileMon MiTM proxy SSL Kill Switch Tracing Objective-C calls and mach port messages

7 Collecting Coverage Information Objective-C messages On ios, more meaningful than strace Might want to hit/fuzz a particular method In case of Swift, we see runtime library interactions Swift Reversing by Ryan Stortz Mach Port Messages Any sort of IPC CFMessagePort, etc

8 Hook Steps 1. Objc_Trace Call Sequence Allocate a page - a jump page 2. Set objc_msgsend readable and writable 3. Copy preamble bytes from objc_msgsend 4. Check for branch instructions in preamble 5. Modify objc_msgsend preamble 6. Set jump page to readable and executable 7. Set objc_msgsend readable and executable

9 Important Optimization void* hook_callback64_pre(id self, SEL op, void* a1,...) { Class cls = object_getclass(self); if(cls!= NULL && op!= NULL) Only record unseen method calls cacheimp = c_cache_getimp(cls, op); if(!cacheimp) { // not in cache, never been called, record the call. Find the cache check function cache_getimp const struct mach_header* libobjc_base = libobjc_dylib_base(); c_cache_getimp = (p_cache_getimp)((uint8_t*)libobjc_base) x4000;

10 What do we get out of this?

11 MACH Shark { '_payload': { '_payload': { '_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x0 0\x00\x00\x00\x00\x00\x00ha', 'type': 2048}, 'magic': '!CPX', 'version': 5}, 'msgh_bits': , 'msgh_id': , Machshark 'msgh_local_port': '0x30b', 'msgh_remote_port': '0x10b', 'msgh_reserved': 2819, 'msgh_size': 256}

12 Another mach_shark method Attach using LLDB Breakpoint on bootstrap_look_up2 Rocketbootstrap_look_up or bootstrap_look_up3 mach_msg Least intrusive but slow Harder to get the responses Often less important Compensate by breakpointing the server Detailed on debugtrap.com

13 The difficulty of Apps Most apps are largely user reactive in nature

14 A little engine for driving the UI while doing blackbox testing of an ios App - CHAOTICMARCH

15 Why automate? Time saving Repeatable WebAPI Discovery Code Coverage Discover Preinstalled Malware Cameras arrived with malware from Amazon

16 Apply intelligence! Simulate the user Read and understand the UI

17 How does the UI look like in memory? cy# UIApp.keyWindow <UIWindow; frame = (0 0; ); gesturerecognizers = <NSArray>;> <TiRootViewNeue; frame = (0 0; ); autoresize = W+H; layer = <CALayer>>... <TiUITableViewCell; baseclass = UITableViewCell; text = 'Log On'; <TiGradientLayer;> (layer) <UITableViewCellContentView; frame = (0 0; ); layer = <CALayer>> <UITableViewLabel; frame = (74 0; ); text = 'Log On'> <UIImageView; frame = (15 0; ); layer = <CALayer>> <_UITableViewCellSeparatorView; frame = ( ; ); layer = <CALayer>>

18 CHAOTICMARCH Lua Scriptable Logic Standard functions for touching the device Options for record/replay Finding UI Components Regulating speed of execution Support for multiple targets Mechanisms for generic logic Lightweight injected module Source

19 CHAOTICMARCH Powered by: LibSimulateTouch LUA #import <UIKit/UIKit.h>

20 A basic script while true do local button = getbutton(clickedbuttons) -- put some info in. fill_all_fields() click_button(button) if(button["text"] ~= nil) then clickedbuttons[button["text"]] = 1 end usleep(2 * ) end

21 Applications Discovery WebAPI - gives you working samples. Local behaviour File accesses, IPC interactions, and code coverage Fuzzing Testing kiosk type apps. Automate the UI to trigger events.

22 Deadly in the right combination Request Parse MITM Proxy Fuzz Mutator

23 Attack scenario 2 - Get exploited binary/xss with phish 1 - Make a post 3 - Steal creds or tokens User Attacker 5 - Request messages 4 - Put up a draft 6 - respond with attack content We focus on this

24

25 while true do local inputs = findoftypes("uitextfield", "") for index, inputfield in pairs(inputs) do click_button(inputfield) inputtext("someinput!!") end -- touch login touchdown(3, 138, 619); Source usleep( ); touchup(3, 141, 615); check_alert() end

26 Anti Automation techniques Defending apps from undesirable automation! Detecting hidden components is not straightforward! Misuse Labels as buttons Input forms as labels Trees of invisible to the user elements Kind of like anti-debugging or anti-re.

27 Wrap up! Apps are important! Automation of the UI Collection of coverage information Fuzzing of responses messages

28 Thank you! Questions? blog: debugtrap.com Source: CHAOTICMARCH: Machshark: Objc_trace: Images: