iOS runtime mobile exploration with Objection, or hacking your own application

More than once, when I came to work (or just got out of bed), I found an angry letter in my inbox saying, in essence, that nothing works in the installed app and everything has to be fixed immediately.

Sometimes the cause was my own mistakes. Sometimes my colleagues'. And sometimes even Apple Inc. itself.

But the deadliest scenarios involved bugs that reproduced only on App Store / release builds. Nothing baffles you so much, and makes you howl in front of a MacBook, like the inability to attach a debugger to your own application and see what is going on inside. Take APNS and troubleshooting it on release / ad-hoc builds:
On builds that use the production APNS environment, you cannot attach a debugger.
On builds where you can attach a debugger, there are no production APNS pushes. And those are the ones that usually break.

Apple, like the Old Testament god, with one hand gives us a platform where jailbreaking will soon be history (and piracy in the App Store stays at the level of statistical error), and with the other makes the developer feel like a poor relative, little Oliver Twist, who dared to ask for more.

The release build is signed with the Distribution Certificate and uses the Distribution Provisioning Profile. Its entitlements prohibit attaching a debugger to the application process. On top of that, when the ipa is downloaded from the App Store, the binary is also encrypted. App Extensions are signed separately.

So it seems the application author could simply take the App Store build and re-sign it with a certificate and a development provisioning profile. But you still need to know how to do that. And even after that, the question of how to attach a debugger to the application process remains open.

Therefore you have to rely solely on not making mistakes at the design stage, and on catching all the bugs before the application goes to the App Store. And logs, more logs for the god of logs!

But recently a new hope appeared on the horizon.

We met Frida, a wonderful framework for dynamic code injection, and used it to bypass SSL pinning in the beautiful FoodSniffer project.

In this article we will introduce a framework built on top of Frida that greatly simplifies working with release builds of iOS applications.

Objection

Objection allows you to inject FridaGadget into an iOS build and re-sign it with the required certificate and provisioning profile.
Preparation
First we need a release build of FoodSniffer.

Important note: when creating the ipa, disable "Include bitcode for iOS content".

Then we will need a provisioning profile for the build. To get it:

1. Install the application on the device via Xcode.
2. Find FoodSniffer.app in the Finder.
3. Go into the FoodSniffer bundle and copy embedded.mobileprovision from there into the folder with your release ipa.

After this, install objection according to its instructions. I strongly recommend the virtualenv option.

In addition to objection, we need ios-deploy to run the patched application on the device.
Patch the app!
In the terminal, find out the hash of the code sign identity we need:

security find-identity -p codesigning -v

Then patch the ipa with that hash and the provisioning profile copied earlier:

objection patchipa --source FoodSniffer/FoodSniffer.ipa --codesign-signature 386XXX --provision-file embedded.mobileprovision

The result is FoodSniffer-frida-codesigned.ipa.

Now we need ios-deploy to install the app and connect to FridaGadget. This is an important step: if you simply install the ipa on the device via iTunes or Xcode, you will not be able to connect to FridaGadget.

First unpack FoodSniffer-frida-codesigned.ipa:

unzip FoodSniffer-frida-codesigned.ipa

Then start our patched application on the device:

ios-deploy --bundle Payload/FoodSniffer.app -W -d

If everything went well, the application starts on the device and its launch shows up in the terminal. Now attach objection to it:

objection explore

The goodies objection provides
SSL Pinning Bypass

Everything is simple:

ios sslpinning disable

The same goes for NSUserDefaults:

ios nsuserdefaults get

At the end of the dump we should see "Mood_state" = "I'm hungry".

Dump app keychain

ios keychain dump

And here is our super secret password.

Fetching data from an SQLite database

I have added an SQLite database to the application: chinook.db from here. Objection allows you to query the database directly, as follows.

1. Connect to the database:

sqlite connect chinook.db

2. Query it:

sqlite execute query select * from albums
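The "Patch the app!" procedure above, collected into one script. This is an added example, not code from the original post or from objection/Frida: a helper picks the code sign identity hash out of `security find-identity` output instead of copying it by hand, then the patch, unzip and ios-deploy steps run in order. The identity names, hashes and sample output are constructed, and the ipa and embedded.mobileprovision are assumed to sit where the post puts them.

```shell
#!/bin/sh
# Added example, not from the original post or from objection itself: the
# "Patch the app!" steps as one script, plus a helper that picks the code sign
# identity hash out of `security find-identity -p codesigning -v` output.
# Assumption: identity names, hashes and the sample output are constructed;
# the identity must match the provisioning profile copied out of the bundle.

# Constructed sample of `security find-identity -p codesigning -v` output.
SAMPLE_IDENTITIES='Policy: Code Signing
  Matching identities
  1) ABCDEF0123456789ABCDEF0123456789ABCDEF01 "iPhone Distribution: Example Corp (ABCDE12345)"
  2) 3860123456789ABCDEF0123456789ABCDEF01234 "iPhone Developer: Jane Doe (FGHIJ67890)"
     2 identities found'

# pick_identity_hash PATTERN OUTPUT
# Prints the 40-hex-digit hash of the first identity whose name contains PATTERN
# (the "386XXX" value that objection patchipa --codesign-signature expects).
# Returns 1 when nothing matches, so a caller running under `set -e` stops.
pick_identity_hash() {
  sig=$(printf '%s\n' "$2" | grep -F "$1" |
    sed -n 's/^[[:space:]]*[0-9][0-9]*) \([0-9A-Fa-f]\{40\}\) .*/\1/p' | head -n 1)
  [ -n "$sig" ] || return 1
  printf '%s\n' "$sig"
}

# patched_ipa_name IPA
# objection patchipa writes <name>-frida-codesigned.ipa into the current directory.
patched_ipa_name() {
  name=$(basename "$1")
  printf '%s\n' "${name%.ipa}-frida-codesigned.ipa"
}

# patch_and_deploy IPA PROFILE HASH
# The post's three steps. The patched app has to go onto the device through
# ios-deploy: an ipa installed via iTunes or Xcode cannot be reached by objection.
patch_and_deploy() {
  objection patchipa --source "$1" --codesign-signature "$3" --provision-file "$2"
  unzip -o -q "$(patched_ipa_name "$1")"
  ios-deploy --bundle Payload/FoodSniffer.app -W -d
  # once the app is up on the device, attach from another terminal: objection explore
}

# Real run (only with the tools installed): sign with the development identity
# that matches embedded.mobileprovision, then patch and deploy FoodSniffer.
if [ "${1:-}" = "--run" ] && command -v objection >/dev/null 2>&1; then
  sig=$(pick_identity_hash "iPhone Developer" "$(security find-identity -p codesigning -v)")
  patch_and_deploy FoodSniffer/FoodSniffer.ipa embedded.mobileprovision "$sig"
fi
```

Run it as `sh patch.sh --run` on a Mac with objection and ios-deploy installed; without `--run` it only defines the helpers.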
Conclusion

Objection and Frida finally make it possible to work relatively normally and simply with Ad Hoc and Distribution builds of iOS applications. They give the programmer back power over their own application, hidden behind the layers of protection Apple so carefully wraps iOS apps in. Plus, Objection and Frida work on non-jailbroken devices. And they are relatively easy to use.

With them I have hope of making iOS development great again, while safely avoiding blowing up the new Apple headquarters from the inside.

Hyper (useful) links

Research for Amsterdam students on iOS Code Sign.
https://labs.mwrinfosecurity.com/blog/repacking-and-resigning-ios-applications/
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/october/ios-instrumentation-without-jailbreak/
FoodSniffer iOS app source code.
Frida telegram.

Special thanks to @manishrhll.

Note. All of the above should be applied only to your own applications; don't try to break Tinder or anything else. It still won't work!