Because public, stable iOS jailbreaks now lag behind iOS releases by a long time, it is often not possible to test mobile apps on the latest iOS version. Occasionally customers also provide builds that only run on iOS versions for which no jailbreak is available. On Android the situation is better, but some phone models are also hard to root. These trends make security testing of mobile apps difficult. This talk covers approaches for defeating common security mechanisms that must be bypassed when no root or jailbreak is available.
Pwning mobile apps without root or jailbreak
1. Pwning Mobile Apps
Without Root or Jailbreak
> Abraham Aranguren
> abraham@7asecurity.com
> @7asecurity
> @7a_
+ 7asecurity.com
CureCon 2018, Berlin
3. Who am I
• Director at 7ASecurity, check out our public reports, presentations, etc:
7asecurity.com/#publications
• Author of Practical Web Defense, a hands-on attack & defense course:
www.elearnsecurity.com/PWD
• Founder and leader of OWASP OWTF, an OWASP flagship project:
owtf.org
• Some presentations: www.slideshare.net/abrahamaranguren/presentations
• Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security,
MCSA: Security, Security+
• Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified
Associate, MySQL 5 CMDev, MCTS SQL Server 2005
4. Motivation
● iOS jailbreaks are not always available:
○ The app requires iOS version X, without a public jailbreak available
● iOS/Android jailbreak/root detection might take too long to bypass
○ Example: root/jailbreak detection via obfuscated binary
● Test an app on a device you don’t want to root/jailbreak
● Avoid the app's ptrace/anti-debugging checks, which fire when they detect a tampered environment
5. Repackaging: Android - Problem: App filesystem access
Problem:
● When using the Android emulator/Genymotion you have a root shell
● BUT sometimes the app will only work on a real phone
● A non-rooted phone won’t give you a root shell
● A non-rooted phone won’t give you access to application files in /data/data/…
● The app often has backups disabled too
Repackaging Solution:
● Modify the APK, enable backups
6. Repackaging: Android - Problem: Debugging
Problem:
● Some apps turn on extra debugging features when android:debuggable is set, such as
WebView remote debugging or more verbose output in logcat
Repackaging Solution:
● Modify the APK, enable debugging
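The two manifest edits above, followed by the rebuild/sign/install steps and the backup pull, as an added shell example (not code from the talk). The package name, paths and keystore password are assumptions, and the manifest it edits is constructed inline. One caveat worth knowing: since Android 12, adb backup only exports data for apps targeting API 31 or higher when android:debuggable="true" as well, so on current devices the two flags go together.

```shell
#!/bin/sh
# Added example, not code from the talk: enable backups and debugging in a
# decoded APK, rebuild/sign/install it, and pull the app's private files via
# adb backup. Paths, package name and keystore password are assumptions.
set -e

# Set android:<attr>="true" on the <application> element: replace an explicit
# "false", or add the attribute if it is missing. sed -i.bak is portable to GNU
# and BSD sed; the backup copy is removed afterwards.
enable_app_attr() {
  manifest="$1"; attr="$2"
  if grep -q "android:$attr=" "$manifest"; then
    sed -i.bak "s/android:$attr=\"false\"/android:$attr=\"true\"/" "$manifest"
  else
    sed -i.bak "s/<application/<application android:$attr=\"true\"/" "$manifest"
  fi
  rm -f "$manifest.bak"
}

# Post-edit check: both attributes present and set to "true".
manifest_is_patched() {
  grep -q 'android:allowBackup="true"' "$1" && grep -q 'android:debuggable="true"' "$1"
}

# Steps 4-6 from the slides: rebuild, zipalign, sign with a throwaway key and
# install. Needs apktool, keytool, zipalign, apksigner and adb on PATH. The
# signer differs from the original, so an existing install must be removed.
repackage_sign_install() {
  src_dir="$1"; out_apk="$2"; pkg="$3"
  apktool b "$src_dir" -o "$out_apk"
  [ -f repack.keystore ] || keytool -genkeypair -keystore repack.keystore -alias repack \
    -keyalg RSA -keysize 2048 -validity 365 -storepass repack123 -keypass repack123 \
    -dname "CN=repack"
  zipalign -f -p 4 "$out_apk" "$out_apk.aligned" && mv "$out_apk.aligned" "$out_apk"
  apksigner sign --ks repack.keystore --ks-pass pass:repack123 --ks-key-alias repack "$out_apk"
  adb uninstall "$pkg" >/dev/null 2>&1 || true
  adb install "$out_apk"
}

# With allowBackup="true" (and, from Android 12 on, debuggable="true" for apps
# targeting API 31+) adb backup exports /data/data/<pkg> without root. The .ab
# file is a 24-byte header followed by a zlib stream containing a tar archive.
pull_app_data() {
  pkg="$1"
  adb backup -f "$pkg.ab" -noapk "$pkg"     # confirm the backup prompt on the phone
  dd if="$pkg.ab" bs=24 skip=1 2>/dev/null |
    python3 -c 'import sys, zlib; sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))' \
    > "$pkg.tar"
  tar xf "$pkg.tar"                          # apps/<pkg>/sp, db, f, ... (shared_prefs, databases, files)
}

# Constructed manifest standing in for some_app_disassembled/AndroidManifest.xml.
work=$(mktemp -d)
cat > "$work/AndroidManifest.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:allowBackup="false" android:label="@string/app_name">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
EOF
enable_app_attr "$work/AndroidManifest.xml" allowBackup
enable_app_attr "$work/AndroidManifest.xml" debuggable
manifest_is_patched "$work/AndroidManifest.xml" && echo "patched: $work/AndroidManifest.xml"
# On a real target, continue with:
#   repackage_sign_install some_app_disassembled some_app_patched.apk com.example.target
#   pull_app_data com.example.target
```

The functions that need a device or the Android SDK (repackage_sign_install, pull_app_data) are only defined, not run; the manifest edit runs on the constructed sample so the sed logic can be checked before touching a real app.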
10. Repackaging: Android - Problem: Pinning
● Often a problem at the start of the test as you try to MitM :)
● We can modify the APK to skip certificate pinning checks
11. Repackaging: Android - Problem: Pinning Example
Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled
Step 2: Find file to modify - grep -Ir checkServerTrusted *
Step 3: Modify the method body so that it returns immediately
.method public final checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    [...]
    return-void # Pinning bypass
Steps 4-6: Repackage, Sign & Install :)
13. Repackaging: Android - Problem: Root detection
● Sometimes apps refuse to run when your phone is rooted
● Repackaging often allows us to bypass these checks and enjoy root powers :D
14. Android repackaging - Root detection bypass example 1
Step 1: Disassemble - apktool d some.apk -o some_disassembled
Step 2: Remove check from app
Java Code: if (isRooted()) [...]
Related Smali Code: if-eqz v0, :cond_0
Change Smali Code to: if-nez v0, :cond_0
NOTE: The if-nez opcode inverts the condition, hence bypassing the check
Steps 3-5: Repackage, Sign & Install :)
15. Android repackaging - Root detection bypass example 2
Step 1: Disassemble - apktool d some.apk -o some_disassembled
Step 2: Remove the check from the app by making isRooted() return "False" (keep a .locals count of at least 1 so that v0 exists)
.method public isRooted()Z
    const/4 v0, 0x0 # False
    return v0 # Return false
[...]
Steps 3-5: Repackage, Sign & Install :)
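The pinning bypass from slide 11 and root-detection bypass example 2 are the same edit: throw away a method body and replace it with a stub. The shell helper below does that edit with awk, as an added example that is not code from the talk; the smali file it patches, the class names and the pinning/root-check bodies are constructed for the demo. Steps 3-5 (repackage, sign, install) then proceed as on the slides.

```shell
#!/bin/sh
# Added example, not code from the talk: replace the body of a smali method in
# place. Used for both patches on the slides: checkServerTrusted() returns
# immediately (pinning bypass) and isRooted() returns false. The smali file,
# class names and method bodies below are constructed for the demo.
set -e

# stub_method FILE METHOD_REGEX BODY [LOCALS]
# Every method whose ".method" line matches METHOD_REGEX gets a body made of
# the instructions in BODY (separated by "\n") and LOCALS local registers.
# Everything up to .end method is dropped, including .param and .annotation
# directives, which a stub does not need; parameters stay reachable as p0..,
# so the signature and callers are untouched.
stub_method() {
  file="$1"; method_re="$2"; body="$3"; locals="${4:-0}"
  awk -v re="$method_re" -v body="$body" -v locals="$locals" '
    $0 ~ ("^[[:space:]]*\\.method .*" re) {
      print
      print "    .locals " locals
      n = split(body, ins, "\n")
      for (i = 1; i <= n; i++) print "    " ins[i]
      skipping = 1; next
    }
    skipping && /^[[:space:]]*\.end method/ { print; skipping = 0; next }
    skipping { next }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 2 from the slides: which files mention the method?
find_smali_with() { grep -rl "$1" "$2"; }

# Sanity check after patching: number of invoke-* instructions left in FILE.
count_invokes() { grep -c 'invoke-' "$1" || true; }

# Constructed smali with both checks in one class, purely to keep the demo short.
work=$(mktemp -d)
f="$work/Sample.smali"
cat > "$f" <<'EOF'
.class public final Lcom/example/sec/Sample;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;

.method public final checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 1
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/security/cert/CertificateException;
        }
    .end annotation

    iget-object v0, p0, Lcom/example/sec/Sample;->pins:Ljava/util/Set;
    invoke-static {p1, v0}, Lcom/example/sec/Pins;->verify([Ljava/security/cert/X509Certificate;Ljava/util/Set;)V
    return-void
.end method

.method public isRooted()Z
    .locals 1
    invoke-static {}, Lcom/example/sec/Sample;->suBinaryPresent()Z
    move-result v0
    return v0
.end method
EOF

# Pinning: every file that mentions checkServerTrusted gets the stub.
for target in $(find_smali_with checkServerTrusted "$work"); do
  stub_method "$target" 'checkServerTrusted[(]' 'return-void # pinning bypass' 0
done
# Root detection: boolean false needs one register, hence LOCALS=1.
stub_method "$f" 'isRooted[(][)]Z' 'const/4 v0, 0x0\nreturn v0' 1
echo "invoke instructions left: $(count_invokes "$f")"   # 0
```

The same helper stubs any other check that grep turns up; the only things to get right are the method regex (include the opening parenthesis so overloads with longer names are not caught by accident) and a body whose return type matches the method's signature.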
17. Limitations of apktool-style Android repackaging
● Limited to changes in smali code:
○ We can only modify Java code disassembled as smali
○ If the app loads and runs code from a native binary we cannot modify that (at least not as easily :D)
● Changes are static
○ If you notice later that you need further changes you need to:
■ Disassemble
■ Modify
■ Repackage, Sign and Install
■ … For each modification! :P
18. Further reading
Must-use tool for Android repackaging:
https://ibotpeaches.github.io/Apktool/
Cool smali opcode references:
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
https://source.android.com/devices/tech/dalvik/dalvik-bytecode
19. What is Frida? - https://www.frida.re/
● Dynamic Instrumentation Toolkit
● Allows hooking and observing/modifying any app function:
○ Crypto APIs
○ Proprietary functions
○ Even functionality in binaries
● Lets you inject snippets of JavaScript into native apps that run on Windows,
Mac, Linux, iOS and Android
In short:
The Frida Gadget gives you root-like instrumentation of an app on a device that is not rooted/jailbroken
20. How to add Frida to an APK so we can run it without root?
Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled
Step 2: Add the frida-gadget binaries to the APK - For the correct architecture! :)
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-android-x86.so.xz
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-android-x86_64.so.xz
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-android-arm.so.xz
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-android-arm64.so.xz
21. How do I know the architecture?
ADB Command:
adb shell getprop ro.product.cpu.abi
Example Output (Genymotion):
x86
22. Step 2: Adding the Frida-Gadget to the APK - (ARM 32bits)
Download:
wget https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-android-arm.so.xz
Uncompress: unxz frida-gadget-12.0.8-android-arm.so.xz
Copy:
cp frida-gadget-12.0.8-android-arm.so some_disassembled/lib/armeabi/libfrida-gadget.so
23. Step 3: Make the APK load the Gadget
Find main activity:
find . | grep -i main | grep smali$
Add the following smali code to the constructor:
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
Corresponding Java Code:
System.loadLibrary("frida-gadget")
24. Step 4: Ensure network permissions in AndroidManifest.xml
We talk to the Gadget over a TCP socket, so the app needs the INTERNET permission; most apps already declare it, but it is worth double-checking:
File:
AndroidManifest.xml
Make sure it has:
<uses-permission android:name="android.permission.INTERNET" />
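Steps 1-4 above as one script, added here as an example and not code from the talk. The gadget version is the 12.0.8 from the slides; the main-activity file name, package and paths are assumptions, and the smali and manifest it patches are constructed inline. One check the slides leave implicit: if the APK already ships native libraries, the gadget has to match the ABI of that lib/ directory, not the phone's (a 32-bit-only app on an arm64 phone runs as a 32-bit process and needs android-arm); only when the APK has no lib/ directory is the getprop value the right choice.

```shell
#!/bin/sh
# Added example, not code from the talk: Steps 1-4 of the Gadget injection as
# shell functions. Gadget version 12.0.8 is the one on the slides; the
# main-activity file name and package are assumptions.
set -e
GADGET_VERSION=12.0.8

# Map an ABI (as printed by getprop ro.product.cpu.abi) to the lib/ subdirectory
# an APK uses for it and to the Frida gadget build name.
# Prints "<lib dir> <gadget suffix>"; fails on anything else.
abi_to_gadget() {
  case "$1" in
    arm64-v8a)   echo "arm64-v8a android-arm64" ;;
    armeabi-v7a) echo "armeabi-v7a android-arm" ;;
    armeabi)     echo "armeabi android-arm" ;;
    x86)         echo "x86 android-x86" ;;
    x86_64)      echo "x86_64 android-x86_64" ;;
    *)           echo "unsupported ABI: $1" >&2; return 1 ;;
  esac
}

# Steps 1-2: fetch, unpack and copy the gadget into lib/<abi>/libfrida-gadget.so.
# If the APK already ships native libs, pass the ABI of that directory, not the
# device's: a 32-bit-only app on an arm64 phone runs 32-bit and needs android-arm.
add_gadget() {
  app_dir="$1"; abi="$2"
  libdir=$(abi_to_gadget "$abi" | cut -d' ' -f1)
  suffix=$(abi_to_gadget "$abi" | cut -d' ' -f2)
  name="frida-gadget-$GADGET_VERSION-$suffix.so"
  [ -f "$name" ] || {
    wget -q "https://github.com/frida/frida/releases/download/$GADGET_VERSION/$name.xz"
    unxz "$name.xz"
  }
  mkdir -p "$app_dir/lib/$libdir"
  cp "$name" "$app_dir/lib/$libdir/libfrida-gadget.so"
}

# Step 3: System.loadLibrary("frida-gadget") as the first instructions of the
# first constructor in FILE, inserted after its .locals line. v0 is free at
# method entry, so .locals only needs to be at least 1 (p-registers are
# symbolic in smali, so raising it does not shift the parameters).
inject_load_library() {
  awk '
    /^[[:space:]]*\.method .*constructor <init>\(/ { in_ctor = 1 }
    in_ctor && /^[[:space:]]*\.locals [0-9]+/ {
      locals = $2 + 0; if (locals < 1) locals = 1
      print "    .locals " locals
      print "    const-string v0, \"frida-gadget\""
      print "    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V"
      in_ctor = 0; next
    }
    /^[[:space:]]*\.end method/ { in_ctor = 0 }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 4: the Gadget listens on TCP (127.0.0.1:27042 by default), so INTERNET
# must be declared. Adds the permission before <application> if it is missing.
ensure_internet_permission() {
  grep -q 'android.permission.INTERNET' "$1" && return 0
  awk '/<application/ && !done {
         print "    <uses-permission android:name=\"android.permission.INTERNET\" />"; done = 1
       } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Whole procedure on a decoded app (needs adb, wget, unxz); afterwards rebuild,
# sign and install exactly as on the repackaging slides:
#   abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
#   add_gadget some_app_disassembled "$abi"
#   inject_load_library "$(find some_app_disassembled -name '*MainActivity.smali' | head -n 1)"
#   ensure_internet_permission some_app_disassembled/AndroidManifest.xml

# Constructed main activity and manifest to exercise Steps 3 and 4 offline.
work=$(mktemp -d)
cat > "$work/MainActivity.smali" <<'EOF'
.class public Lcom/example/target/MainActivity;
.super Landroid/app/Activity;

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V
    return-void
.end method
EOF
cat > "$work/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
    <application android:label="@string/app_name">
    </application>
</manifest>
EOF
inject_load_library "$work/MainActivity.smali"
ensure_internet_permission "$work/AndroidManifest.xml"
```

Calling loadLibrary before the super-constructor call is fine for the verifier because the static call never touches the uninitialised p0; if apktool produced a .registers directive instead of .locals in the target constructor, insert the two instructions by hand after it.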
26. Basic Frida usage
Logcat shows: Frida: Listening on TCP port 27042
frida-ps lists the process as Gadget instead of the original package name:
Command:
$ frida-ps -U
Output:
PID Name
----- ------
16071 Gadget
27. Basic Frida usage – Interactive Instrumentation Shell
Command:
frida -U Gadget --no-pause
Output (banner trimmed):
Commands:
help -> Displays the help system
object? -> Display information about 'object'
exit/quit -> Exit
[USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion
"7.1.1"
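With the Gadget in place, the two checks that were patched statically on the repackaging slides can instead be hooked at runtime, which removes the disassemble/modify/repackage loop for every further change. The script below is an added example, not code from the talk: the shell part writes a Frida JavaScript hook and attaches with the command from the slides; the class names com.example.sec.RootCheck and com.example.net.PinningTrustManager are placeholders, to be replaced with what the grep from the repackaging steps (or frida-trace) finds in the real app.

```shell
#!/bin/sh
# Added example, not code from the talk: the dynamic counterpart of the
# repackaging patches. Instead of editing smali and rebuilding for every change,
# a Frida script hooks the checks at runtime through the injected Gadget.
# Class and method names are placeholders for this demo.
set -e

# Write the hook script to the path given as $1.
write_bypass_script() {
  cat > "$1" <<'EOF'
Java.perform(function () {
  // Root detection: whatever the original does, report "not rooted".
  var RootCheck = Java.use('com.example.sec.RootCheck');
  RootCheck.isRooted.implementation = function () {
    console.log('[*] isRooted() -> false');
    return false;
  };
  // Pinning: checkServerTrusted throws CertificateException on a mismatch;
  // returning without throwing accepts whatever chain the proxy presents.
  var TM = Java.use('com.example.net.PinningTrustManager');
  TM.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String')
    .implementation = function (chain, authType) {
      console.log('[*] checkServerTrusted(' + authType + ') bypassed');
    };
});
EOF
}

# Check that the Gadget is reachable before attaching (needs frida-tools and
# the patched app running). Fails with a hint about the two usual causes.
gadget_listening() {
  frida-ps -U 2>/dev/null | grep -q ' Gadget$' || {
    echo "Gadget not listed: is the patched app started and INTERNET declared?" >&2
    return 1
  }
}

# Attach with the command from the slides and load the hooks.
run_bypass() {
  write_bypass_script bypass.js
  gadget_listening
  frida -U Gadget -l bypass.js --no-pause
}

write_bypass_script bypass.js && echo "wrote bypass.js; run_bypass attaches with frida -U Gadget -l bypass.js --no-pause"
```

Because the hook replaces the method's implementation while the original code stays in the APK, a new check found later is handled by editing bypass.js and re-running frida, with no repackaging at all.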
51. iOS Repackaging - Step 3: Create mobileprovision file
● Plug your iPhone
● Select the iPhone as the target device on Xcode
● Hit the “Play” button
● Verify the mobileprovision file has been created:
find ~/Library/Developer/Xcode/DerivedData/ -name
embedded.mobileprovision
52. iOS Repackaging - Step 3: Create mobileprovision file
Do we have to do all this nonsense every time?
53. iOS Repackaging - Step 3: Create mobileprovision file
From here, each time we will “only” need to:
● Create a blank app
● Deploy it to an iDevice
This will create a new, valid provisioning file
54. iOS Repackaging - Step 4: IPA Patching Dependencies
● objection – from: https://github.com/sensepost/objection/wiki/Installation
● applesign - from: https://github.com/nowsecure/node-applesign
● insert_dylib - from: https://github.com/Tyilo/insert_dylib
● security, codesign, xcodebuild - macOS/Xcode commands
● zip & unzip - builtin, or just installed using homebrew
● 7z - installed using homebrew with brew install p7zip
55. iOS Repackaging - Step 4: IPA Patching Dependencies
Objection Installation:
pip3 install -U objection
More details and options:
https://github.com/sensepost/objection/wiki/Installation
59. iOS Repackaging - Step 5: Running the patched IPA
More dependencies :D
Install ios-deploy:
npm install -g ios-deploy
60. iOS Repackaging - Step 5: Running the patched IPA
Installing and running the app:
unzip my-app.ipa # Creates a Payload/ directory.
Unlock iDevice and plug via USB to your Mac
Run ios-deploy:
ios-deploy --bundle Payload/my-app.app -W -d
More details and Linux instructions:
https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications
61. iOS Repackaging - Step 6: Using Frida ☺
So now we can run Frida scripts:
frida -U Gadget -l <frida_script> --no-pause
Some nice examples for iOS inspiration:
https://github.com/iddoeldor/frida-snippets
https://github.com/0xdea/frida-scripts/tree/master/ios-snippets
65. Frida Examples – iOS extract cookies
// Read every cookie from the app's shared NSHTTPCookieStorage and print them as one Cookie header line
var cookieJar = [];
var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies();
for (var i = 0, l = cookies.count(); i < l; i++) {
    var cookie = cookies['- objectAtIndex:'](i); // NSArray element via its ObjC selector
    cookieJar.push(cookie.Name() + '=' + cookie.Value());
}
console.log(cookieJar.join("; "));
https://github.com/iddoeldor/frida-snippets
67. What is Objection?
● Wrapper around Frida
● Automates a lot of stuff via Frida hooks
● Works for iOS and Android
https://github.com/sensepost/objection/wiki
68. Demos from the author of objection
https://www.youtube.com/watch?v=zkxSFERFuBw
https://www.youtube.com/watch?v=AqqPGXa4nO8
https://www.youtube.com/watch?v=t3nRDELo_fY
https://www.youtube.com/watch?v=aL8Z2PctBFE
https://www.youtube.com/watch?v=Mhf92DeRk8c