
Rv defcon25 keeping an eye on mobile applications - mikhail sosonkin

60 views

Published on

Keeping an eye on mobile applications.

Published in: Technology


  1. Up close and personal: Keeping an eye on mobile applications
  2. Mikhail Sosonkin, Director of R&D, Always a Student. @hexlogic, mikhail@synack.com, http://debugtrap.com
  3. “ ” - @cnoanalysis
  4. Why do this? Breaking in. Automation. Attack Surface. The End. We all just hack for fun… right?
  5. Why do we care? Our privacy. Our money. Our freedoms. Wouldn’t want to lose any of those things!
  6. Why do this? Breaking in. Automation. Attack Surface. The End. We all just hack for fun… right?
  7. Step 1: Jailbreak. Pangu, TaiG
  8. Step 1: Jailbreak. Today
  9. Step 2: Apply IDA Pro. For those that don’t know AArch64: IdaRef documentation plugin, https://github.com/nologic/idaref. DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib (thanks Stefan Esser!)
  10. Step 3: Dynamic Analysis
      - In-process: Frida, Cycript, LLDB, tracing Objective-C calls and Mach port messages (https://github.com/nologic/objc_trace)
      - External: FileMon, MITM proxy, SSL Kill Switch
  11. Collecting Coverage Information
      - Objective-C messages: on iOS, more meaningful than strace; you might want to hit/fuzz a particular method; in the case of Swift, we see runtime library interactions (Swift Reversing by Ryan Stortz)
      - Mach port messages: any sort of IPC (CFMessagePort, etc.)
  12. Objc_Trace Call Sequence Hook Steps
      1. Allocate a page (a jump page)
      2. Set objc_msgSend readable and writable
      3. Copy preamble bytes from objc_msgSend
      4. Check for branch instructions in the preamble
      5. Modify the objc_msgSend preamble
      6. Set the jump page readable and executable
      7. Set objc_msgSend readable and executable
  13. Important optimization: only record unseen method calls. Find the cache check function cache_getImp. Excerpt from the slide (the rest of the hook body is elided there):

      ```c
      // Pre-call hook that runs before every objc_msgSend dispatch.
      // cacheImp is declared here for the excerpt; on the slide it appears without a declaration.
      void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
          Class cls = object_getClass(self);
          IMP cacheImp = NULL;
          if (cls != NULL && op != NULL)
              cacheImp = c_cache_getImp(cls, op);   // method cache lookup only, no full resolution
          if (!cacheImp) {
              // not in cache, never been called, record the call.
              …
      ```

      cache_getImp is not exported by libobjc, so it is located by adding a fixed offset (specific to the libobjc build analysed in the talk) to the library's load address:

      ```c
      const struct mach_header* libobjc_base = libobjc_dylib_base();
      // Cast after the byte arithmetic, not before: arithmetic on a function pointer is not valid C.
      c_cache_getImp = (p_cache_getImp)(((uint8_t*)libobjc_base) + 97792 + 0x4000);
      ```
  14. Machshark: a decoded Mach message (XPC payload) as dumped by the tool:

      ```python
      {'_payload': {'_payload': {'_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                                 'type': 2048},
                    'magic': '!CPX',
                    'version': 5},
       'msgh_bits': 1250579,
       'msgh_id': 268435456,
       'msgh_local_port': '0x30b',
       'msgh_remote_port': '0x10b',
       'msgh_reserved': 2819,
       'msgh_size': 256}
      ```
  15. Why do this? Breaking in. Automation. Attack Surface. The End. We all just hack for fun… right?
  16. The difficulty of apps: most apps are largely user reactive in nature
  17. “A little engine for driving the UI while observing the inner workings of an iOS App” -- CHAOTICMARCH
  18. Why automate?
      - Time saving
      - Repeatable
      - WebAPI discovery
      - Service use discovery
      - Code coverage
  19. Apply intelligence! Simulate the user; read and understand the UI
  20. What does the UI look like in memory?
  21. CHAOTICMARCH source
      - Lua scriptable logic
      - Standard functions for touching the device
      - Options for record/replay
      - Finding UI components
      - Regulating speed of execution
      - Support for multiple targets
      - Mechanisms for generic logic
      - Lightweight injected module
  22. A basic script
  23. Deadly in the right combination: MITM Proxy, Request Mutant, Mutator
  24. Discovery applications
      - WebAPI: gives you working samples
      - Local behaviour: file accesses, IPC interactions
      - Vendor infrastructure: any hidden call outs, frequency of call outs
  25. tracker-api.my.com, api.ok.ru/api/batch/execute, data.flurry.com/aas.do, sdk.hockeyapp.net
  26. Why do this? Breaking in. Automation. Attack Surface. The End. We all just hack for fun… right?
  27. Attack Surface
  28. Attack Surface: Rewire!
  29. Get the app to show its cards: MITM Proxy, Request Mutant, Mutator, Mutator
  30. Why do this? Breaking in. Automation. Attack Surface. The End. We all just hack for fun… right?
  31. Wrap up!
      - Apps are important!
      - Automation of the UI
      - Traversal of app features
      - Helps collect infrastructure details
      - Collection of coverage information
  32. Email: mikhail@synack.com, blog: debugtrap.com, Twitter: @H4ckerLife. Thank you ...Catch me in the halls or online! Mikhail Sosonkin
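Slide 12 lists the Objc_Trace hook steps, and step 4 is the one that decides whether the hook is safe: the preamble bytes copied to the jump page are executed from a different address, so any instruction in them that encodes a PC-relative target (branches, ADR/ADRP, literal loads) would jump to or read from the wrong place after the copy. The checker below is an added example written for this page; it is not code from the talk or from the objc_trace project. It assumes the AArch64 fixed-width encodings from the ARMv8-A reference (the mask/value pairs in the table), and the sample preamble is constructed for illustration rather than taken from a real binary.

```python
import struct

# AArch64 instruction classes that cannot be copied verbatim to a jump page,
# as (mask, value, name) patterns from the ARMv8-A base instruction encodings.
PC_DEPENDENT = [
    (0x7C000000, 0x14000000, "B/BL"),           # unconditional branch, imm26
    (0xFF000010, 0x54000000, "B.cond"),         # conditional branch, imm19
    (0x7E000000, 0x34000000, "CBZ/CBNZ"),       # compare-and-branch, imm19
    (0x7E000000, 0x36000000, "TBZ/TBNZ"),       # test-bit-and-branch, imm14
    (0xFF9FFC1F, 0xD61F0000, "BR/BLR/RET"),     # register branch: control leaves the preamble
    (0x1F000000, 0x10000000, "ADR/ADRP"),       # PC-relative address formation
    (0x3B000000, 0x18000000, "LDR (literal)"),  # PC-relative literal load
]


def sign_extend(value, bits):
    """Interpret the low `bits` of `value` as a two's-complement number."""
    if value & (1 << (bits - 1)):
        value -= 1 << bits
    return value


def classify(word):
    """Name of the PC-dependent pattern an instruction matches, or None if it is position-independent."""
    for mask, value, name in PC_DEPENDENT:
        if word & mask == value:
            return name
    return None


def branch_offset(word):
    """Byte offset of an immediate branch target relative to the instruction (None for other kinds)."""
    kind = classify(word)
    if kind == "B/BL":
        return sign_extend(word & 0x03FFFFFF, 26) * 4
    if kind in ("B.cond", "CBZ/CBNZ"):
        return sign_extend((word >> 5) & 0x7FFFF, 19) * 4
    return None


def check_preamble(code, length):
    """Scan the first `length` bytes of `code` (little-endian 32-bit words) and report
    every instruction that could not be relocated to the jump page unchanged.
    Returns a list of (offset, kind, word, branch_offset) tuples; an empty list means
    the preamble may be copied as-is."""
    if length % 4 or length > len(code):
        raise ValueError("preamble length must be a multiple of 4 and within the buffer")
    issues = []
    for off in range(0, length, 4):
        (word,) = struct.unpack_from("<I", code, off)
        kind = classify(word)
        if kind:
            issues.append((off, kind, word, branch_offset(word)))
    return issues


# Constructed sample preamble (not from a real binary): a null check followed by a
# conditional branch, then two instructions that are safe to relocate.
SAMPLE_PREAMBLE = struct.pack(
    "<4I",
    0xF100001F,  # cmp x0, #0
    0x5400040D,  # b.le +0x80   <- PC-relative, breaks when executed from the jump page
    0xF940000D,  # ldr x13, [x0]
    0xAA0D03F0,  # mov x16, x13
)

if __name__ == "__main__":
    # A 16-byte patch (four instructions) is assumed here as the hook size.
    for off, kind, word, target in check_preamble(SAMPLE_PREAMBLE, 16):
        print(f"+{off:#x}: {word:#010x} {kind}, target offset {target}")
```

An empty result for the chosen patch length means step 5 can proceed; a non-empty one means the hook has to either pick a shorter patch or rewrite the offending instruction with the displacement corrected, which is exactly the case a trace hook must handle before it claims to be transparent to the target.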

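Slide 14 shows what Machshark recovers from a single Mach message: the six mach_msg_header_t fields plus an XPC payload announced by the '!CPX' magic and a version. The parser below is an added example for this page, not Machshark's code. It assumes the mach_msg_header_t layout and the MACH_MSG_TYPE_* disposition codes from <mach/message.h> (the fifth header field is msgh_voucher_port in current headers; the dump labels it msgh_reserved), and it treats the XPC body as opaque apart from its magic and version. The sample buffer is constructed from the header values on the slide and is not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# mach_msg_header_t: six 32-bit fields, 24 bytes, little-endian on arm64/x86_64.
# Order: msgh_bits, msgh_size, msgh_remote_port, msgh_local_port,
#        msgh_voucher_port (labelled msgh_reserved in the Machshark dump), msgh_id.
MACH_HEADER = struct.Struct("<IIIIIi")

# Port-right disposition codes (MACH_MSG_TYPE_*) from <mach/message.h>.
MSG_TYPE_NAMES = {
    16: "MOVE_RECEIVE", 17: "MOVE_SEND", 18: "MOVE_SEND_ONCE",
    19: "COPY_SEND", 20: "MAKE_SEND", 21: "MAKE_SEND_ONCE",
}
MACH_MSGH_BITS_COMPLEX = 0x80000000  # body carries descriptors (ports, out-of-line memory)
XPC_MAGIC = b"!CPX"                   # XPC wire-format magic from the dump, followed by a u32 version


@dataclass
class MachMessage:
    msgh_bits: int
    msgh_size: int
    msgh_remote_port: int
    msgh_local_port: int
    msgh_reserved: int
    msgh_id: int
    body: bytes

    def disposition(self, which: str) -> str:
        """Decode the remote/local/voucher port disposition packed into msgh_bits."""
        shift = {"remote": 0, "local": 8, "voucher": 16}[which]
        return MSG_TYPE_NAMES.get((self.msgh_bits >> shift) & 0x1F, "NONE")

    @property
    def is_complex(self) -> bool:
        return bool(self.msgh_bits & MACH_MSGH_BITS_COMPLEX)

    def xpc_version(self) -> Optional[int]:
        """XPC wire version if the body starts with the '!CPX' magic, else None."""
        if len(self.body) >= 8 and self.body[:4] == XPC_MAGIC:
            return struct.unpack_from("<I", self.body, 4)[0]
        return None


def parse_mach_message(raw: bytes) -> MachMessage:
    """Parse a raw Mach message buffer, refusing headers whose msgh_size does not fit."""
    if len(raw) < MACH_HEADER.size:
        raise ValueError("buffer shorter than mach_msg_header_t")
    fields = MACH_HEADER.unpack_from(raw, 0)
    size = fields[1]
    if size < MACH_HEADER.size or size > len(raw):
        raise ValueError(f"msgh_size {size} inconsistent with {len(raw)}-byte buffer")
    return MachMessage(*fields, body=raw[MACH_HEADER.size:size])


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture) using the header values from the slide's dump."""
    body = XPC_MAGIC + struct.pack("<I", 5) + b"\x00\x00\x08\x00\x00\x00subsystem"
    size = 256
    header = MACH_HEADER.pack(1250579, size, 0x10B, 0x30B, 2819, 268435456)
    return header + body.ljust(size - MACH_HEADER.size, b"\x00")


def summarize(raw: bytes) -> dict:
    """Header summary in the spirit of the Machshark dump, with msgh_bits decoded."""
    m = parse_mach_message(raw)
    return {
        "msgh_id": m.msgh_id,
        "msgh_size": m.msgh_size,
        "remote_port": hex(m.msgh_remote_port),
        "local_port": hex(m.msgh_local_port),
        "remote_right": m.disposition("remote"),
        "local_right": m.disposition("local"),
        "voucher_right": m.disposition("voucher"),
        "complex": m.is_complex,
        "xpc_version": m.xpc_version(),
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample_message()).items():
        print(f"{key}: {value}")
```

Decoding msgh_bits is what turns the raw dump into something a reviewer can reason about: 1250579 is 0x131513, i.e. the sender copied a send right for the remote port, created a send-once right for the reply port, and attached a voucher, which is the shape of an XPC request. The msgh_size check matters for any tracer that reads messages out of another process, since a header that claims more bytes than were captured would otherwise be parsed as a body.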