iOS Security and Reverse Engineering Basics

iOS Jailbreaking

Common Jailbreaking Tools

1. palera1n: Supports iOS 17
2. checkra1n: Supports iOS 12 to 14
3. unc0ver: Supports iOS 11 to 14

Usage of the above tools:

• Install the jailbreaking tool on the device by connecting to a computer or using an IPA package, open the tool and click the "Jailbreak" button. The jailbreak will be completed after the device restarts.

Exploited Vulnerabilities:

• palera1n and checkra1n exploit hardware-level vulnerabilities (checkm8 bootrom vulnerability, present in A7 to A11 chips), which cannot be patched through software updates.
• unc0ver exploits software-level vulnerabilities, which can be patched through software updates. unc0ver is a semi-untethered jailbreak tool that requires reactivation of the jailbreak after each device restart.

Possible software vulnerabilities include:

• Deserialization: Attackers construct specific serialized data containing malicious code and pass it to the target program through network requests, etc. When the target program deserializes, it executes the malicious code.
• Memory Overflow: Attackers overwrite the program's control flow through memory overflow, executing their injected malicious code.

Principles of Jailbreaking Tools

1. Exploit vulnerabilities (kernel vulnerabilities, sandbox escape, etc.) to gain high privileges on the system.
2. Further escalate privileges to gain root access, changing the file system from read-only to read-write.
3. Install a jailbreak manager on the device to install various jailbreak plugins and applications.
4. Modify boot files and install a boot daemon to maintain the jailbreak state after device restarts.
5. Modify system files and processes to prevent detection by security software.

Types of Jailbreaking

Based on the effects of jailbreaking, there are several types:

• Untethered Jailbreak: The jailbreak state is retained after a device restart, requiring no further action.
• Semi-Tethered Jailbreak: The jailbreak state is lost after a device restart, but can be restored by performing certain actions on the device.
• Tethered Jailbreak: The jailbreak state is lost after a device restart, requiring connection to a computer to boot using the jailbreak tool and perform the jailbreak operation again.
• Semi-Untethered Jailbreak: The jailbreak state is lost after a device restart, requiring connection to a computer to perform the jailbreak operation again.

Currently, the main types of jailbreaks are Semi-Untethered Jailbreak and Tethered Jailbreak.

Jailbreak Status

• Restore to the state before jailbreaking: Restart or use the jailbreak tool again to restore.
• Check if the device is jailbroken: Install 3uTools.

Jailbreak Detection

1. Check for jailbreak applications and files: For example, /Applications/Cydia.app, /usr/sbin/sshd, etc. If they exist, it indicates a jailbreak.
2. Check directory read/write permissions: Directories outside the application sandbox should be non-writable; if writable, it indicates a jailbreak.
3. Check system or private APIs: Some system APIs (e.g., sysctl) or private APIs (e.g., fork) cannot be called on non-jailbroken devices; if successfully called, it indicates a jailbreak.
4. Check for suspicious dynamic libraries: Certain dynamic libraries (like Frida) are used on jailbroken devices; if these libraries exist, it indicates a jailbreak.
5. Check for suspicious environment variables: For example, DYLD_INSERT_LIBRARIES.

Anti-Jailbreak Detection

1. Hide jailbreak files and directories.
2. Modify the return values of system APIs to deceive detection programs.
3. Inject custom dynamic libraries, such as using Frida to inject JavaScript scripts to modify application behavior.

Anti-Anti-Jailbreak Detection

1. Use a combination of methods to increase the difficulty of bypassing detection.
2. Combine with MDM detection to restrict device behavior.

Jailbreak Package Managers

Jailbreak version of AppStore:

• Sileo is usually used for iOS 15 and above.
• Cydia is usually used for iOS 15 and below.

It can manage software sources, download applications and plugins from software sources, and install them.

Common Plugins

• OpenSSH: Access iPhone via SSH.
• Filza: The most commonly used file manager.
• AFC2=Apple File Conduit "2": Allows USB access to iPhone, thus supporting tools like iFunBox, 3uTools, 3uTools, etc.
• AppSync Unified: Allows the system to stop verifying signatures, preventing app installation failures due to signature issues.
• CocoaTop64: View process details, such as process flags, binary file locations, etc.
• iCleaner Pro: Plugin management, such as temporarily enabling or disabling certain plugins.
• Mterminal: Terminal tool.

iOS "Cracking" (Decryption)

Cracking Principles

iOS applications are encrypted and signed at release to prevent unauthorized modifications and analysis.
"Cracking" (also known as "decryption") refers to removing the encryption and signature protection from applications to obtain unencrypted binary files.

Cracking usually needs to be performed on a jailbroken iOS device, as it requires access to the system's low-level resources and the ability to run unsigned code.

Common Cracking Tools

• Frida: A cross-platform dynamic analysis and instrumentation tool that allows modification of application behavior at runtime.
• Clutch: A cracking tool used to decrypt encrypted iOS applications.
• dumpdecrypted: A tool that decrypts iOS applications through dynamic library injection, used to generate unencrypted executable files.

Cracking Steps

1. Install the application to be cracked and the cracking tool (e.g., Frida, Clutch, etc.) on the jailbroken device.
2. Execute the cracking tool's command; the cracking tool will retrieve the unencrypted binary file from memory and save it to the device.
3. Transfer the unencrypted binary file to a computer and use reverse engineering tools (e.g., IDA Pro, Hopper Disassembler, etc.) for analysis, viewing and modifying the code.

Static Analysis

Static analysis refers to analyzing the binary files, code structure, and resources of the target application without running it, to understand the application's behavior and logic.

Common Disassembly and Decompilation Tools

• IDA Pro: Provides powerful disassembly, static analysis, and debugging capabilities, supporting plugin extensions and script automation.
• Hopper Disassembler: Offers disassembly and decompilation features, supports multiple architectures, and has a user-friendly graphical interface and script support.

Static Analysis Steps

1. Obtain the target application's binary through "cracking."
2. Use disassembly tools to convert the binary file into assembly code, and use decompilation tools to convert the assembly code into higher-level pseudocode.

Using static analysis tools, we can:

• Analyze the application's code structure, including the relationships between functions, methods, classes, and modules, identify key functions and methods, and understand their call relationships and parameters.
• Extract strings and other resources from the application, such as images and configuration files, providing clues about the application's functionality and logic.
• Attempt to recover symbol information within the application, such as function names and variable names, which can greatly aid in understanding code logic.
• Generate control flow graphs (CFG) and data flow graphs (DFG) to help understand the execution paths and data transfers in the code, visually displaying the logical structure and dependencies of the code.

Limitations of Static Analysis:

1. Some applications may use code obfuscation and encryption techniques, increasing the difficulty of static analysis.
2. Static analysis cannot capture runtime dynamic behavior and data, potentially missing logic that depends on specific inputs or environments.

Dynamic debugging can compensate for these limitations.

Dynamic Debugging

Dynamic debugging refers to analyzing and modifying an application while it is running, to understand its behavior and logic.

Common Dynamic Debugging Tools

• LLDB: The debugger that comes with Xcode, supports dynamic debugging of iOS applications, allowing setting breakpoints, checking memory, tracking function calls, etc.
• Frida: A dynamic analysis and code injection tool that allows modification of application behavior, interception of function calls, and memory operations at runtime.

Dynamic Debugging Steps

1. Obtain the target application's binary through "cracking," re-sign it, and install it on the jailbroken device.
2. Install necessary debugging tools (e.g., LLDB, Frida, etc.) on the jailbroken device.
3. Attach the debugger to the target application's process to monitor and control its execution. For example, in LLDB, you can use the attach command to attach to a running process.

Using dynamic debugging tools, we can:

• Set breakpoints at functions or code locations of interest, allowing the debugger to inspect and modify.
• Modify data in memory to observe different program behaviors.
• Track function calls to understand the order of calls and parameter passing, comprehending complex logic.
• Dynamically inject custom code into the target process to modify its behavior or obtain specific information.

Anti-Debugging

Most apps implement anti-debugging protections, so to debug smoothly, one must address anti-anti-debugging.

Example:

• Anti-debugging: Many apps use the ptrace system call and pass the PT_DENY_ATTACH parameter to prevent other processes (like debuggers) from attaching to the current process.
• Anti-anti-debugging: By modifying the assembly code corresponding to ptrace(PT_DENY_ATTACH, 0, 0, 0); in IDA Pro to a no-op instruction, debugging the target process becomes possible.