
Automated embedding of dynamic libraries into iOS applications from GNU/Linux
Marwin Baumann & Leandro Velasco, Systems and Network Engineering MSc, University of Amsterdam
Research Project 2, 2017


  1. Automated embedding of dynamic libraries into iOS applications from GNU/Linux (title slide)


  3. Introduction
     Dynamic library embedding:
     - Deploy debugging mechanisms
     - Monitor the invocation of functions
     - Track how data is propagated through the application
     - Modify the behavior of apps (on non-jailbroken devices)
     Common use case: Frida instrumentation


  5. Introduction
     Problem:
     - Only on macOS
     - macOS in a virtual machine not legal [1]
     - Cumbersome process
     Motivation:
     - More apps released every day [2]
     - Increase in need for mobile app security assessments
     - Need for automation and free, publicly available tools

  6. Procedure Overview

  7. Research Question
     Is it possible from GNU/Linux to automate the process of embedding dynamic libraries into iOS applications?

  8. Methodology
     Study procedure internals:
     - Analyze iOS application format
     - Analyze internals of dynamic library embedding
     - Investigate Xcode signing procedure
     Implement procedure in GNU/Linux:
     - Explore tools already ported
     - Write/port new tools

  9. Procedure Overview

  10. iOS App Store Package (.ipa)


  12. Application Acquisition
      - Pre iOS 9: get IPA from backup
      - iOS 9 and later:
        - iTunes redownload (FairPlay)
        - Clutch
      Clutch requirements: jailbroken iDevice running iOS 9+

  13. Procedure Overview

  14. iOS App Store Package (.ipa)

  15. Mach-O File Format
      - Header: identifier, architecture, number of load commands, size of load commands, ...
      - Load Command region: layout and linkage properties
      - Data region: data stored in segments which contain sections

  16. Mach-O File Format
      - Header: identifier, architecture, number of load commands, size of load commands, ...
      - Load Command region: inserting an LC_LOAD_DYLIB command
      - Data region: data stored in segments which contain sections


  18. Executable Modification
      Open source tools (all macOS):
      - Node_applesign
      - Optool
      - Insert_dylib
      Port Insert_dylib to GNU/Linux:
      - Mach-O headers are open-sourced by Apple
      - Header files from the hogliux/cctools project used
      - Changed code to avoid usage of copyfile.h

  19. Procedure Overview


  21. Application Signing - Background
      Mandatory Code Signing:
      - Integrity of the code
      - Identify code source (developer / signer)
      - For apps not signed by Apple, Mobile Provisioning is needed
      Mobile Provisioning:
      - Free Apple Account
      - Individual Developer Account
      - Enterprise Developer Account

  22. Application Signing - Procedure
      - Resource files: signature stored in the file _CodeSignature/CodeResources
      - Mach-O files: signature stored in the file via the LC_CODE_SIGNATURE load command

  23. Application Signing - Software
      iSign, Jtool:
      - Only signs Mach-O files
      - Signs complete IPA or app bundle
      - Does not include Code Requirements in signature
      - Experimental branch needed to sign binaries from scratch
      - Closed source
      - Open source


  25. Procedure Overview

  26. Application Deploying - Background

  27. Application Deploying - GNU/Linux

  28. Application Deploying - Software
      - Cydia Impactor: signs and installs IPAs; closed source; GUI tool; entitlements do not allow app debugging
      - iDeviceinstaller: libimobiledevice utility; open source; command-line tool


  30. Automation

  31. Roadmap
      - Application acquisition: Clutch usage could be automated ⇒ little value added
      - Provisioning profile generation:
        - Free Apple account ⇒ automation possible, but requires deep analysis of Xcode / Cydia
        - Paid Apple Developer account ⇒ automation possible with Fastlane/Spaceship



  34. Conclusion / Discussion
      It is possible to automate the embedding process in GNU/Linux using a paid Developer Account, however:
      - For free Apple accounts, Xcode access is needed once per week to renew the provisioning profile
      - For IPA acquisition, a jailbroken device is needed
      - iInject is still a proof of concept
      - iInject was tested against iOS 10.2.1 and iOS 10.3.2 (non-jailbroken)
      - iInject was tested against 9 different IPAs

  35. Questions? Try it out yourself: https://github.com/LeanVel/iInject

  36. Bibliography
      [1] Apple Support Community. Macintosh virtual machine hosted by Windows. https://discussions.apple.com/thread/5785112?tstart=0, 2014. [Online; accessed 8-June-2017].
      [2] Android Open Source Project. Android Security 2015 Year In Review. https://source.android.com/security/reports/Google_Android_Security_2015_Report_Final.pdf, 2016. [Online; accessed 7-June-2017].
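
The load command region described on slides 15-16 and the LC_CODE_SIGNATURE command on slide 22 can be read back to see which libraries a binary asks the loader for, which is how an embedded library shows up during review. This is an added example, not code from iInject or the presentation; it handles only a thin 64-bit little-endian image (a fat/universal file would need its slice selected first), and the sample bytes, `Constructed.dylib` and the `SYSTEM_PREFIXES` allowlist are constructed assumptions.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF            # thin 64-bit little-endian Mach-O
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_CODE_SIGNATURE = 0x0C, 0x80000018, 0x1D
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")   # assumed allowlist

def parse_macho(data):
    """Return (dylib names, LC_CODE_SIGNATURE present) from the load commands."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    off, end = 32, 32 + sizeofcmds   # load commands follow the 32-byte header
    if end > len(data):
        raise ValueError("load command region exceeds file size")
    dylibs, signed = [], False
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: cmd, cmdsize, then the name offset at byte 8
            name_off = struct.unpack_from("<I", data, off + 8)[0] if cmdsize >= 24 else 0
            if not 24 <= name_off < cmdsize:
                raise ValueError("bad dylib name offset")
            raw = data[off + name_off:off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return dylibs, signed

def non_system_dylibs(dylibs):
    # Review list, not a verdict: an app's own frameworks also load from its bundle.
    return [d for d in dylibs if not d.startswith(SYSTEM_PREFIXES)]

def _dylib_cmd(path):
    name = path.encode() + b"\0"
    name += b"\0" * (-(24 + len(name)) % 8)      # pad the command to 8 bytes
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name

def build_sample():
    # Constructed image: header plus three load commands, no segments.
    cmds = [_dylib_cmd("/usr/lib/libSystem.B.dylib"),
            _dylib_cmd("@executable_path/Constructed.dylib"),
            struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)]
    body = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(body), 0, 0) + body
```

Comparing the returned list against the load commands of the original, vendor-supplied binary shows any library reference that was added afterwards.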
