SLIDE 1

Automated embedding of dynamic libraries into iOS applications from GNU/Linux

Marwin Baumann¹ & Leandro Velasco¹

¹ Systems and Network Engineering MSc.

University of Amsterdam

Research Project 2, 2017

Marwin Baumann & Leandro Velasco Research Project 2, 2017 1 / 20

SLIDE 3

Introduction

Dynamic library embedding:
  • Deploy debugging mechanisms
  • Monitor the invocation of functions
  • Track how data is propagated through the application
  • Modify the behavior of Apps (on non-jailbroken devices)
Common Use-case: Frida Instrumentation

SLIDE 5

Introduction

Problem:
  • Only on macOS
  • macOS in Virtual Machine not legal [1]
  • Cumbersome process
Motivation:
  • More apps released every day [2]
  • Increase in need for mobile app security assessments
  • Need for automation and free publicly available tools

SLIDE 6

Procedure Overview

SLIDE 7

Research Question

Is it possible from GNU/Linux to automate the process of embedding dynamic libraries into iOS applications?

SLIDE 8

Methodology

Study procedure internals:
  • Analyze iOS application format
  • Analyze internals of dynamic library embedding
  • Investigate Xcode signing procedure
Implement procedure in GNU/Linux:
  • Explore tools already ported
  • Write/port new tools

SLIDE 9

Procedure Overview

SLIDE 10

iOS App Store Package (.ipa)

SLIDE 12

Application Acquisition

Pre iOS 9:
  • Get IPA from backup
iOS 9 and later:
  • iTunes redownload (FairPlay)
  • Clutch
Requirements Clutch:
  • Jailbroken iDevice running iOS 9+

SLIDE 13

Procedure Overview

SLIDE 14

iOS App Store Package (.ipa)

SLIDE 15

Mach-O File Format

Header
  • Identifier
  • Architecture
  • Number of load commands
  • Size of load commands
  • ...
Load Command region
  • Layout and linkage properties
Data region
  • Data stored in segments which contain sections

SLIDE 16

Mach-O File Format

Header
  • Identifier
  • Architecture
  • Number of load commands
  • Size of load commands
  • ...
Load Command region
  • Inserting a LC_LOAD_DYLIB command
Data region
  • Data stored in segments which contain sections
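
An added example (not from the slides or from insert_dylib) that walks the header and load command region described above and lists the libraries named by LC_LOAD_DYLIB commands, which is how a reviewer can spot a library embedded after the build. It handles thin 64-bit little-endian files only; the sample binary, its paths and the system prefix list are constructed assumptions.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF            # thin 64-bit little-endian Mach-O
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
# Assumption for this example: libraries under these prefixes ship with the OS.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")

def load_commands(data):
    """Yield (cmd, raw_bytes) for every load command, with bounds checks."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    _, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    off, end = 32, 32 + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds exceeds file size")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command header outside the region")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command overruns the region")
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def dylib_paths(data):
    """Library paths named by LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB, in file order."""
    paths = []
    for cmd, raw in load_commands(data):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            if len(raw) < 24:
                raise ValueError("truncated dylib_command")
            name_off = struct.unpack_from("<I", raw, 8)[0]  # dylib.name offset
            paths.append(raw[name_off:].split(b"\0", 1)[0].decode())
    return paths

def non_system_dylibs(data):
    """Paths outside the OS prefixes: bundled or added libraries to review."""
    return [p for p in dylib_paths(data) if not p.startswith(SYSTEM_PREFIXES)]

def sample_macho(paths):
    # Constructed sample: arm64 MH_EXECUTE header followed only by LC_LOAD_DYLIB commands.
    cmds = b""
    for path in paths:
        name = path.encode() + b"\0"
        name += b"\0" * (-(24 + len(name)) % 8)       # pad command to 8 bytes
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0) + cmds

SAMPLE = sample_macho(["/usr/lib/libSystem.B.dylib", "@executable_path/Example.dylib"])
```

Calling non_system_dylibs(SAMPLE) returns only the constructed @executable_path entry.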

SLIDE 18

Executable Modification

Open Source Tools (all macOS):
  • Node_applesign
  • Optool
  • Insert_dylib
Port Insert_dylib to GNU/Linux:
  • Mach-O headers are Open Sourced by Apple
  • Header files from hogliux/cctools project used
  • Changed code to avoid usage of copyfile.h

SLIDE 19

Procedure Overview

SLIDE 21

Application Signing - Background

Mandatory Code Signing
  • Integrity of the code
  • Identify code source (developer / signer)
  • For Apps not signed by Apple, Mobile Provisioning is needed
Mobile Provisioning
  • Free Apple Account
  • Individual Developer Account
  • Enterprise Developer Account

SLIDE 22

Application Signing - Procedure

Resource files: Signature stored in the file _CodeSignature/CodeResources
Mach-O files: Signature stored in the file itself, via the LC_CODE_SIGNATURE load command
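
An added example (not from the slides or from iInject) showing why a bundle has to be re-signed after a library is embedded: it checks the files in an app bundle against the digests in _CodeSignature/CodeResources. It reads only the plist's `files` dictionary of SHA-1 digests; the bundle, its file names and the `unsealed_ok` parameter are constructed for illustration.

```python
import hashlib
import os
import plistlib
import tempfile

def audit_bundle(app_dir, unsealed_ok=()):
    """Compare bundle files with the SHA-1 digests in CodeResources `files`.

    unsealed_ok: relative paths expected outside the seal. Assumption here:
    the main executable, which carries its own signature in the Mach-O.
    """
    with open(os.path.join(app_dir, "_CodeSignature", "CodeResources"), "rb") as fh:
        sealed = plistlib.load(fh)["files"]
    on_disk = set()
    for root, _dirs, names in os.walk(app_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), app_dir).replace(os.sep, "/")
            if not rel.startswith("_CodeSignature/"):
                on_disk.add(rel)
    report = {"modified": [], "missing": []}
    for rel, entry in sorted(sealed.items()):
        digest = entry["hash"] if isinstance(entry, dict) else entry
        optional = isinstance(entry, dict) and entry.get("optional", False)
        if rel not in on_disk:
            if not optional:
                report["missing"].append(rel)
            continue
        with open(os.path.join(app_dir, rel), "rb") as fh:
            if hashlib.sha1(fh.read()).digest() != digest:
                report["modified"].append(rel)
    report["unsealed"] = sorted(on_disk - set(sealed) - set(unsealed_ok))
    return report

def demo():
    # Constructed bundle: seal two resources, then edit one of them and
    # drop in a library file without updating the seal.
    app = os.path.join(tempfile.mkdtemp(), "Demo.app")
    os.makedirs(os.path.join(app, "_CodeSignature"))
    def write(rel, body):
        with open(os.path.join(app, rel), "wb") as fh:
            fh.write(body)
    original = {"icon.png": b"icon", "config.plist": b"original"}
    seal = {"files": {rel: hashlib.sha1(body).digest() for rel, body in original.items()}}
    write("_CodeSignature/CodeResources", plistlib.dumps(seal))
    for rel, body in {**original, "config.plist": b"edited",
                      "Example.dylib": b"lib", "Demo": b"exe"}.items():
        write(rel, body)
    return audit_bundle(app, unsealed_ok=("Demo",))
```

demo() reports the edited resource as modified and the dropped-in library as unsealed, the two conditions a stale seal produces.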

SLIDE 23

Application Signing - Software

Jtool
  • Only signs Mach-O files
  • Does not include Code Requirements in signature
  • Closed Source
iSign
  • Signs complete IPA or app bundle
  • Experimental branch needed to sign binaries from scratch
  • Open Source

SLIDE 25

Procedure Overview

SLIDE 26

Application Deploying - Background

SLIDE 27

Application Deploying - GNU/Linux

SLIDE 28

Application Deploying - Software

Cydia Impactor
  • Signs & installs IPAs
  • Closed Source
  • GUI tool
  • Entitlements do not allow app debugging
iDeviceinstaller
  • Libimobiledevice Utility
  • Open Source
  • Command line tool

SLIDE 30

Automation

SLIDE 31

Roadmap

Application acquisition:
  • Clutch usage could be automated ⇒ little value added
Provision profile generation:
  • Free Apple account ⇒ automation possible, but requires deep analysis of Xcode / Cydia
  • Paid Apple Developer account ⇒ automation possible with Fastlane/Spaceship

SLIDE 34

Conclusion / Discussion

It is possible to automate the embedding process in GNU/Linux using a paid Developer Account, however:
  • For free Apple accounts, Xcode access is needed once per week to renew the provisioning profile
  • For IPA acquisition, a jailbroken device is needed
  • iInject is still a proof of concept
      • iInject was tested against iOS 10.2.1 and iOS 10.3.2 (non-jailbroken)
      • iInject was tested against 9 different IPAs

SLIDE 35

Questions?

Try it out yourself: https://github.com/LeanVel/iInject

SLIDE 36

Bibliography

[1] Apple Support Community. Macintosh virtual machine hosted by Windows. https://discussions.apple.com/thread/5785112?tstart=0, 2014. [Online; accessed 8-June-2017].
[2] Android Open Source Project. Android Security 2015 Year In Review. https://source.android.com/security/reports/Google_Android_Security_2015_Report_Final.pdf, 2016. [Online; accessed 7-June-2017].
