Security analysis of iOS applications

Now let's move on to the main topic of the article. There are three types of application analysis, depending on what the customer provides.

Whitebox

The customer provides all the information about the application: source code, documentation, etc. So you can do whatever you want with it: modify, build, run, analyze and so on, on any device, even without Jailbreak.

Graybox

The customer does not provide the source code of the application, but can make a special build of it for analysis: for example, with all debug messages and functions enabled, SSL pinning disabled, and our own libraries inside to ease analysis of the application (more about them later). Such a build runs seamlessly on a device without Jailbreak.

Blackbox

A model that fully reflects the situation of a real attacker, who has no additional information about the application and no way to influence its build. Here you just go to the app distribution store, download the app and then try to do something with it. The customer may want the work done in exactly this attacker model, and it is also the situation in a Bug Bounty program. This is where the problem with dynamic application research arises, because a Jailbreak is normally necessary.

Dynamic security analysis of iOS apps without Jailbreak

The research requires some preparation on the researcher's side and setting up the environment, so the necessary steps are described below in the form of a manual. It is important to note that some steps can be skipped, for example if you use an Xcode project (signing, delivery to the device, etc.).

0x00 Preparation

To begin the research, it is necessary to prepare and configure the environment:

macOS with Xcode

Apple developer account (preferably)

iOS device without Jailbreak

Decrypted .ipa file of the app

The framework you want to add to your application

0x01 Download .ipa file

There are several ways to obtain an .ipa file for analysis.

From iTunes (iTunes≤12.7.x)

Buying an app in the AppStore gives you an .ipa file tied to the buyer's AppleID (the executable is FairPlay-encrypted). This limits the possibility of modification, but allows static analysis of the binary file: the Mach-O headers, load commands, Info.plist and other resources are readable even though the code itself is encrypted. The iTunes version limitation is related to the latest iTunes updates: Apple removed the AppStore section from iTunes 12.7.

iFunBox, even for TestFlight apps (iOS ≤ 8.3)

A desktop application for managing the file system of iOS devices, which can also save installed apps from the device as .ipa files. Full functionality is available only on devices with an iOS version not higher than 8.3, since Apple restricted access to application containers in later versions.

Download an old version of the .ipa file from iTunes (iTunes ≤ 12.7.x)

This is possible with any tool that can route traffic through itself (Charles Proxy, Burp, ...). Start iTunes with the proxy configured and begin downloading the selected application. Then intercept the purchase request to the store and, in its XML (plist) body, replace the build identifier with that of the version you want to download, and let the request continue. More information about this can be read here and seen here.
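As an added example (not part of the original article or of any tool it links), the same edit done programmatically on the two property-list bodies involved, so that the step is reproducible in a proxy script rather than by hand. The field names (softwareVersionExternalIdentifiers in the store's response, appExtVrsId and salableAdamId in the purchase request) are taken from public captures of the iTunes Store buyProduct exchange and are an assumption to verify against your own capture; the request and response below are constructed samples.

```python
"""Choose an older build from the iTunes Store purchase exchange and rewrite
the request so that iTunes downloads that build.

Added example for the article, not part of it. The field names are assumed
from public captures of the buyProduct request/response; check your own
capture in the proxy before relying on them.
"""
import plistlib


def available_versions(response_body: bytes) -> list:
    """External version IDs the store lists for the app, oldest first."""
    doc = plistlib.loads(response_body)
    metadata = doc["songList"][0]["metadata"]
    return list(metadata["softwareVersionExternalIdentifiers"])


def rewrite_request(request_body: bytes, ext_version_id: int) -> bytes:
    """Return the purchase request body with appExtVrsId set to the chosen build."""
    doc = plistlib.loads(request_body)
    if "salableAdamId" not in doc:   # make sure this really is the purchase request
        raise ValueError("not a buyProduct request body")
    doc["appExtVrsId"] = str(ext_version_id)
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML)


def requested_version(request_body: bytes) -> str:
    """Build a request asks for; empty means 'the current one'."""
    return plistlib.loads(request_body).get("appExtVrsId", "")


def sample_response() -> bytes:
    """Constructed response: three builds are listed, the last being the current one."""
    return plistlib.dumps({"songList": [{"metadata": {
        "bundleShortVersionString": "3.2.0",
        "softwareVersionExternalIdentifier": 830000003,
        "softwareVersionExternalIdentifiers": [829000001, 829500002, 830000003]}}]})


def sample_request() -> bytes:
    """Constructed purchase request as iTunes would send it for the current build."""
    return plistlib.dumps({"guid": "00000000-0000-0000-0000-000000000000",
                           "salableAdamId": 123456789})


if __name__ == "__main__":
    versions = available_versions(sample_response())
    previous = versions[-2]                 # one build before the current release
    patched = rewrite_request(sample_request(), previous)
    print(f"downloading build {requested_version(patched)} of {versions}")
```

In practice you let the first purchase request through, read the list of identifiers from the response, then break on the next purchase request and apply the rewrite to its body before forwarding it.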

Download a decrypted .ipa online (e.g. ipastore.me, 4pda, appdb.store, ...)

Sites and forums with applications that can be downloaded without being tied to an AppleID, which allows the manipulations needed to attach frameworks. This is the best solution, but you need to be careful with banking applications:) A binary from such a source may already have been modified by someone else, so before trusting it compare the bundle identifier and version with the AppStore listing and, where a reference copy is available, the hash of the executable.

0x02–0x03 Data extraction and decryption of the .ipa

Here there will be a slight deviation from the rules, because a Jailbreak may be necessary for one step: obtaining the decrypted .ipa file. This applies primarily to applications that are not available through the AppStore (for example "special builds" or TestFlight). Having obtained a decrypted file, you can build the modified executable without any binding to the owner's AppleID. To do this, you can use the utilities for Jailbreak devices (for example, ask a friend to download it:) On a jailbroken device the executable is simply dumped from memory after the kernel has already removed FairPlay, and the result is a regular Mach-O in which the cryptid field of LC_ENCRYPTION_INFO is 0.

Or, for publicly available apps, download them from resources such as:

0x04 Framework append

One of the most convenient ways to add a framework to an .ipa file is to use an Xcode project. There are many such projects on GitHub, but we want to highlight a couple that are, in our opinion, the most successful, efficient and intuitive.

In the first case there is a demo in which you only need to replace the .ipa and run the application; in the second, you drag and drop the .ipa and the .framework file you want to attach. The convenience of the first project is that you can add your own code, which runs right after launch.
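Two steps of this procedure at the Mach-O level, as an added example: checking that the executable obtained in 0x02–0x03 is really decrypted, and the framework append of 0x04 itself, i.e. adding an LC_LOAD_DYLIB load command so that dyld loads the injected library before the app's main() runs. This is not code from the GitHub projects the article refers to (they drive the same mechanism from an Xcode project). It assumes the executable has already been extracted from Payload/<App>.app/ and is a single arm64 slice (thin a FAT file first, for example with lipo); the install name used below is a placeholder, and the Mach-O built at the bottom is a constructed sample, not a real app.

```python
"""Check that an app executable is decrypted and append an LC_LOAD_DYLIB load
command so dyld loads an injected library (e.g. FridaGadget.dylib) at startup.

Added example for the article, not code from the projects it links. Assumes a
single little-endian 64-bit Mach-O slice; the sample at the bottom is constructed.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
HEADER_SIZE_64 = 32
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO_64 = 0x2C


def load_commands(macho: bytes):
    """Yield (offset, cmd, cmdsize) for every load command."""
    magic, _, _, _, ncmds, _ = struct.unpack_from("<6I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"expected a 64-bit Mach-O slice, got magic {magic:#x}")
    off = HEADER_SIZE_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        yield off, cmd, cmdsize
        off += cmdsize


def cryptid(macho: bytes) -> int:
    """cryptid of LC_ENCRYPTION_INFO_64: 1 = FairPlay-encrypted, 0 = decrypted, -1 = command absent."""
    for off, cmd, _ in load_commands(macho):
        if cmd == LC_ENCRYPTION_INFO_64:
            return struct.unpack_from("<I", macho, off + 16)[0]
    return -1


def dylib_names(macho: bytes) -> list:
    """Install names of all LC_LOAD_DYLIB commands (what `otool -L` prints)."""
    names = []
    for off, cmd, cmdsize in load_commands(macho):
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", macho, off + 8)[0]
            names.append(macho[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
    return names


def first_section_offset(macho: bytes) -> int:
    """Lowest file offset of any section: the load-command area may only grow up to here."""
    lowest = len(macho)
    for off, cmd, _ in load_commands(macho):
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", macho, off + 64)[0]
            for i in range(nsects):
                # each section_64 is 80 bytes; its file offset field sits at +48
                sect_off = struct.unpack_from("<I", macho, off + 72 + i * 80 + 48)[0]
                if sect_off:
                    lowest = min(lowest, sect_off)
    return lowest


def inject_dylib(macho: bytes, install_name: str) -> bytes:
    """Write an LC_LOAD_DYLIB for install_name into the zero padding after the existing commands."""
    if cryptid(macho) == 1:
        raise ValueError("executable is still FairPlay-encrypted; decrypt it first")
    if install_name in dylib_names(macho):
        return macho
    name = install_name.encode() + b"\0"
    cmdsize = (24 + len(name) + 7) & ~7        # load commands are 8-byte aligned
    # dylib_command: cmd, cmdsize, name offset (24), timestamp, current_version, compat_version
    cmd = struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, 24, 0, 0x10000, 0x10000)
    cmd += name.ljust(cmdsize - 24, b"\0")
    ncmds, sizeofcmds = struct.unpack_from("<II", macho, 16)
    end = HEADER_SIZE_64 + sizeofcmds
    if end + cmdsize > first_section_offset(macho) or any(macho[end:end + cmdsize]):
        raise ValueError("no free padding after the load commands")
    out = bytearray(macho)
    out[end:end + cmdsize] = cmd
    struct.pack_into("<II", out, 16, ncmds + 1, sizeofcmds + cmdsize)
    return bytes(out)


def build_sample(crypt: int) -> bytes:
    """Constructed arm64 executable: one __TEXT segment with __text at 0x400 plus an encryption command."""
    text_off = 0x400
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT", 0x100000000, 0x4000,
                      0, 0x4000, 5, 5, 1, 0)
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x100000000 + text_off, 16,
                       text_off, 2, 0, 0, 0x80000400, 0, 0, 0)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, crypt, 0)
    cmds = seg + sect + enc
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return (header + cmds).ljust(text_off, b"\0") + b"\xc0\x03\x5f\xd6" * 4   # four `ret`


if __name__ == "__main__":
    patched = inject_dylib(build_sample(0), "@executable_path/Frameworks/FridaGadget.dylib")
    print(cryptid(patched), dylib_names(patched))
```

After patching, copy the library into Payload/<App>.app/Frameworks/ under the name used in the install name and re-sign everything (0x05); on macOS `otool -L <executable>` should now list the new entry. The Frida Gadget reads an optional FridaGadget.config next to its dylib; without one it listens for a client and pauses the process at load until one attaches, which is what lets you hook code before the app's own launch code runs.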

What can be put inside the .ipa file?

Answer: whatever you want! But for application security analysis I can recommend the following frameworks.

One of the few frameworks that is actively developed today. It allows you to inject JS code into the process, monitor the application launch and patch it before the launch completes. Its advantages are easy extensibility for tasks, scriptability and a simple client. By adding just the Frida gadget to the project, even without doing anything else, you can already find out what calls are happening inside the program and later use that in static analysis (r2 + frida, i.e. r2frida).

Useful links for this project:

Similar in functionality to Frida, it allows you to inject into processes and manipulate the process environment and memory through an interactive console. It supports JavaScript and Objective-C syntax.

Useful links for this project:

The legendary framework from Saurik, which allows you to modify an application without its source code: hook its API and twist and tweak the application in every possible way without having the sources.

But at the moment it has not been updated for a long time, and you use it at your own risk. In addition, iOS development keeps changing the API, so on some iOS versions it may be useless altogether.

The most nonstandard of this set of frameworks. It is more suited to studying the UI/UX and the device's interfaces for hidden fields, bound objects and so on.

An advantage is its support for Apple TV and Apple Watch.

0x05 Application signing

The application cannot be installed on a smartphone without a valid developer signature (remember that our device has no Jailbreak). If we are not using Xcode, which picks up the certificates automatically, we can do it manually with one of the following tools. Two points to keep in mind: the injected frameworks must be signed with the same identity as the app, nested code first and the app bundle last, and the entitlements must match the provisioning profile (with a free developer account this usually means changing the bundle identifier to match the profile and dropping entitlements the profile does not grant, such as push notifications or app groups).

Both of them cope with their task perfectly well, and at the output we get an application correctly re-signed with our certificate.

0x06 Application delivery

Using Xcode and a device, the app is automatically delivered to and launched on your smartphone. If there is only an .ipa file, you can use the following utilities.
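The signing and delivery steps as an added example, written as Python driving the command-line tools; it is not the code of the signing or delivery utilities the article refers to. It assumes macOS with Xcode's command-line tools (`security`, `codesign`) and ios-deploy installed for the delivery step; the signing identity and the profile path are placeholders, and the Demo.app it builds at the bottom is a constructed fixture of empty files. What it shows is the order: every nested dylib, framework and app extension is signed first and the app bundle last, with the entitlements taken from the provisioning profile so that nothing the profile does not grant ends up in the signature.

```python
"""Re-sign a patched .app inside-out and push it to a device without Jailbreak.

Added example for the article (not the signing/delivery utilities it links).
Assumes macOS with Xcode command-line tools and ios-deploy; the identity and
profile paths are placeholders, the fixture at the bottom is constructed.
"""
import plistlib
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path


def entitlements_from_profile(decoded_profile: bytes) -> bytes:
    """Entitlements dict of a decoded .mobileprovision (output of `security cms -D -i x.mobileprovision`)."""
    profile = plistlib.loads(decoded_profile)
    return plistlib.dumps(profile["Entitlements"], fmt=plistlib.FMT_XML)


def signing_order(app: Path) -> list:
    """Nested code (dylibs, frameworks, app extensions) deepest first; the .app bundle itself last."""
    nested = []
    for p in app.rglob("*"):
        if p.suffix not in (".dylib", ".framework", ".appex"):
            continue
        if any(part.endswith(".framework") for part in p.relative_to(app).parent.parts):
            continue  # sealed by the enclosing framework's signature, not signed separately
        nested.append(p)
    nested.sort(key=lambda p: len(p.relative_to(app).parts), reverse=True)
    return nested + [app]


def codesign_commands(app: Path, identity: str, entitlements: Path) -> list:
    """One codesign argv per target; entitlements only apply to the app bundle itself."""
    commands = []
    for target in signing_order(app):
        argv = ["codesign", "-f", "-s", identity]
        if target == app:
            argv += ["--entitlements", str(entitlements)]
        commands.append(argv + [str(target)])
    return commands


def resign(app: Path, profile: Path, identity: str) -> Path:
    """Embed the profile, derive entitlements from it, sign inside-out, zip as Payload/<App>.app."""
    decoded = subprocess.run(["security", "cms", "-D", "-i", str(profile)],
                             check=True, capture_output=True).stdout
    entitlements = app.parent / "entitlements.plist"
    entitlements.write_bytes(entitlements_from_profile(decoded))
    shutil.copy(profile, app / "embedded.mobileprovision")
    for argv in codesign_commands(app, identity, entitlements):
        subprocess.run(argv, check=True)
    ipa = app.with_suffix(".ipa")
    with zipfile.ZipFile(ipa, "w", zipfile.ZIP_DEFLATED) as z:
        for f in app.rglob("*"):
            if f.is_file():
                z.write(f, Path("Payload") / f.relative_to(app.parent))
    return ipa


def deploy(app: Path) -> None:
    """Install and launch the signed bundle on the USB-connected device."""
    subprocess.run(["ios-deploy", "--bundle", str(app), "--justlaunch"], check=True)


def sample_profile() -> bytes:
    """Constructed decoded profile with the entitlements a development profile typically grants."""
    return plistlib.dumps({"Name": "iOS Team Provisioning Profile: com.example.demo",
                           "TeamIdentifier": ["ABCDE12345"],
                           "Entitlements": {"application-identifier": "ABCDE12345.com.example.demo",
                                            "com.apple.developer.team-identifier": "ABCDE12345",
                                            "get-task-allow": True,
                                            "keychain-access-groups": ["ABCDE12345.*"]}})


def build_fixture() -> Path:
    """Constructed Demo.app layout: injected dylib, a framework and an app extension (empty files)."""
    app = Path(tempfile.mkdtemp()) / "Demo.app"
    for rel in ("Demo", "Info.plist", "Frameworks/FridaGadget.dylib", "Frameworks/Foo.framework/Foo",
                "Frameworks/Foo.framework/Helper.dylib", "PlugIns/Widget.appex/Widget"):
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_bytes(b"")
    return app


if __name__ == "__main__":
    demo_app = build_fixture()
    identity = "Apple Development: Example (ABCDE12345)"        # placeholder identity
    for argv in codesign_commands(demo_app, identity, demo_app.parent / "entitlements.plist"):
        print(" ".join(argv))
```

Deriving the entitlements from the profile rather than from the original app is what keeps a free-account re-sign working: the profile's Entitlements dictionary contains only what that profile grants, so entitlements the original app had (push notifications, app groups) do not end up in the signature where they would make installation fail. The bundle identifier in Info.plist still has to match the application-identifier in that dictionary.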

In short, a diagram describing each step and the utilities that help with each step is as follows.