2. @whoami
● Anto Joseph
● Works @ Citrix
● Does security research on mobile / IoT and anything interesting
● Speaker / Trainer @ HITB, HIP, NullCon, g0s, c0c0n, x0rconf etc.
● Loves music (in my other life, I have been a DJ) / food / bikes etc.
3. iOS 101
● Objective-C runtime
● Apps can be written in Objective-C / Swift / native code
● Code signing is important
● Apps are zip containers (.ipa) holding resources (images / plists) and the binary
● App Store binaries are encrypted and must be decrypted before analysis - use Clutch / dumpdecrypted
● Use class-dump to find the classes / methods
● Use cycript to call those methods
4. Dynamic Analysis
● URL Schemes - the iOS way of doing IPC
● Clipboard - another iOS IPC channel
● Network - SSL Trust Killer 2
● Binary analysis - Hopper / IDA
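The container layout and decryption point from the iOS 101 slide and the URL-scheme IPC surface above, as an added example that is not part of the deck: a Python checker that opens an .ipa, lists the URL schemes registered in Info.plist, and reads the Mach-O LC_ENCRYPTION_INFO cryptid to tell whether the binary still needs Clutch / dumpdecrypted. The build_sample_ipa helper and the "Demo" app are constructed for the example; only thin 64-bit Mach-O binaries are handled.

```python
import io, plistlib, struct, zipfile

MH_MAGIC_64 = 0xFEEDFACF            # constants from <mach-o/loader.h>
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C

def macho_is_encrypted(data):
    """True if a thin 64-bit Mach-O carries LC_ENCRYPTION_INFO(_64) with cryptid != 0.
    App Store binaries ship like that; Clutch/dumpdecrypted write cryptid = 0 after dumping."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O (fat/32-bit not handled)")
    ncmds, = struct.unpack_from("<I", data, 16)
    off = 32                        # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptid, = struct.unpack_from("<I", data, off + 16)  # after cmd, cmdsize, cryptoff, cryptsize
            return cryptid != 0
        off += cmdsize
    return False                    # no encryption command at all (e.g. a dev-signed build)

def url_schemes(info):
    """Every scheme in CFBundleURLTypes: the URL-scheme IPC surface other apps can reach."""
    schemes = set()
    for entry in info.get("CFBundleURLTypes", []):
        schemes.update(entry.get("CFBundleURLSchemes", []))
    return sorted(schemes)

def inspect_ipa(ipa_bytes):
    """Open the .ipa (a zip), find Payload/<App>.app/Info.plist, report schemes and encryption."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist_path = next(n for n in z.namelist()
                          if n.startswith("Payload/") and n.endswith(".app/Info.plist"))
        info = plistlib.loads(z.read(plist_path))
        exe = z.read(plist_path[:-len("Info.plist")] + info["CFBundleExecutable"])
        return {"url_schemes": url_schemes(info), "encrypted": macho_is_encrypted(exe)}

def build_sample_ipa(encrypted):
    """Constructed sample (not a real app): a tiny .ipa whose Mach-O has one LC_ENCRYPTION_INFO_64."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)   # ncmds=1, sizeofcmds=24
    enc_cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, int(encrypted), 0)
    info = {"CFBundleExecutable": "Demo",
            "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp", "demo-login"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Demo.app/Demo", header + enc_cmd)
    return buf.getvalue()
```

Run inspect_ipa on a real .ipa to see which schemes the app exposes and whether class-dump will work on the binary as-is or only after decryption.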
5. Enter Cycript
Cycript allows developers to explore and modify running applications on either iOS
or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an
interactive console that features syntax highlighting and tab completion.
6. cy# - commands
● Find all classes
○ cy# ObjectiveC.classes
● Get Instance of a class
○ cy# var blah = new Instance(0x123456)
● Call Methods
○ cy# [classname method_name: arguments]
● Find a class in memory
○ cy# choose(ClassName)