Up close and personal: Keeping an eye on mobile applications
Mikhail Sosonkin, Director of R&D, Always a Student
@hexlogic | mikhail@synack.com | http://debugtrap.com
“ ” - @cnoanalysis
• Why do this?
• Breaking in.
• Attack Surface
• The End.
• Automation
We all just hack for fun… right?
Why do we care?
Our privacy. Our money. Our freedoms.
Wouldn’t want to lose any of those things!
Step 1: Jailbreak (Pangu, TaiG)
Step 1: Jailbreak Today
Step 2: Apply IDA Pro
For those that don’t know AArch64, the IdaRef documentation plugin: https://github.com/nologic/idaref
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib (thanks, Stefan Esser!)
Step 3: Dynamic Analysis
In-process
• Frida
• Cycript
• LLDB
• Tracing Objective-C calls and mach port messages: https://github.com/nologic/objc_trace
External
• FileMon
• MiTM proxy (SSL Kill Switch)
Collecting Coverage Information
• Objective-C messages
  • On iOS, more meaningful than strace
  • Might want to hit/fuzz a particular method
  • In case of Swift, we see runtime library interactions
    • Swift Reversing by Ryan Stortz
• Mach Port Messages
  • Any sort of IPC
  • CFMessagePort, etc.
Objc_Trace Call Sequence: Hook Steps
1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable
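Step 4 is the one that decides whether the copied preamble will still behave once it executes from the jump page: an instruction that encodes an offset from its own address points somewhere else after relocation. As an added example (not code from objc_trace or from the talk), the C decoder below classifies AArch64 instruction words and reports the first one in a preamble that cannot be copied verbatim. The opcode masks follow the Arm architecture reference; the two sample preambles are hand-assembled for this example and are not copied from any libobjc build.

```c
/* Added example: AArch64 relocation-safety check for an inline-hook preamble. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    INSN_RELOCATABLE = 0,   /* does not depend on its own address */
    INSN_B_BL,              /* B / BL imm26 */
    INSN_B_COND,            /* B.cond imm19 */
    INSN_CBZ_CBNZ,          /* CBZ / CBNZ imm19 */
    INSN_TBZ_TBNZ,          /* TBZ / TBNZ imm14 */
    INSN_ADR_ADRP,          /* ADR / ADRP, PC-relative address */
    INSN_LDR_LITERAL        /* LDR (literal), loads from PC + imm19 */
} insn_kind_t;

/* Match one 32-bit instruction word against (mask, value) pairs from the Arm ARM.
 * Register-indirect branches (BR, BLR, RET) are address-independent and fall
 * through to INSN_RELOCATABLE on purpose. */
insn_kind_t classify_aarch64(uint32_t w) {
    if ((w & 0x7C000000u) == 0x14000000u) return INSN_B_BL;        /* x00101 imm26 */
    if ((w & 0xFF000010u) == 0x54000000u) return INSN_B_COND;      /* 01010100 imm19 0 cond */
    if ((w & 0x7E000000u) == 0x34000000u) return INSN_CBZ_CBNZ;    /* sf 011010 op imm19 Rt */
    if ((w & 0x7E000000u) == 0x36000000u) return INSN_TBZ_TBNZ;    /* b5 011011 op b40 imm14 Rt */
    if ((w & 0x1F000000u) == 0x10000000u) return INSN_ADR_ADRP;    /* op immlo 10000 immhi Rd */
    if ((w & 0x3B000000u) == 0x18000000u) return INSN_LDR_LITERAL; /* opc 011 V 00 imm19 Rt */
    return INSN_RELOCATABLE;
}

/* Index of the first instruction that cannot be copied unchanged, or -1 if the
 * whole preamble is safe to move into the jump page. */
long first_unrelocatable(const uint32_t *insns, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (classify_aarch64(insns[i]) != INSN_RELOCATABLE) return (long)i;
    return -1;
}

/* Constructed sample with the shape of an arm64 objc_msgSend entry (nil check,
 * then isa load). Assembled by hand for this example. */
static const uint32_t sample_objc_msgsend_entry[4] = {
    0xF100001Fu, /* cmp  x0, #0                  */
    0x5400010Du, /* b.le +0x20   (PC-relative!)  */
    0xF940000Du, /* ldr  x13, [x0]               */
    0xAA0D03F0u  /* mov  x16, x13                */
};

/* Constructed sample of a plain prologue that relocates without rewriting. */
static const uint32_t sample_plain_prologue[2] = {
    0xA9BF7BFDu, /* stp x29, x30, [sp, #-16]! */
    0x910003FDu  /* mov x29, sp               */
};

long check_objc_msgsend_sample(void) {
    return first_unrelocatable(sample_objc_msgsend_entry, 4);
}

long check_plain_prologue_sample(void) {
    return first_unrelocatable(sample_plain_prologue, 2);
}

int main(void) {
    static const char *names[] = { "relocatable", "B/BL", "B.cond", "CBZ/CBNZ",
                                   "TBZ/TBNZ", "ADR/ADRP", "LDR literal" };
    for (size_t i = 0; i < 4; i++)
        printf("%zu: %08x %s\n", i, sample_objc_msgsend_entry[i],
               names[classify_aarch64(sample_objc_msgsend_entry[i])]);
    printf("first unrelocatable instruction: %ld\n", check_objc_msgsend_sample());
    return 0;
}
```

A preamble that trips this check needs the flagged instruction rewritten against its new address before step 5 patches objc_msgSend; copying it unchanged yields a trampoline that branches to the wrong place and crashes the traced process.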
Important Optimization: only record unseen method calls. Find the cache check function cache_getImp.

```c
/* Hook callback from objc_trace (excerpt as shown on the slide; truncated there).
 * A (class, selector) pair that is not yet in libobjc's method cache has not
 * been dispatched before, so only those calls are recorded. */
typedef IMP (*p_cache_getImp)(Class cls, SEL sel);  /* assumed prototype of the internal libobjc routine */
static p_cache_getImp c_cache_getImp = NULL;

void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    Class cls = object_getClass(self);
    IMP cacheImp = NULL;
    if(cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);
    if(!cacheImp) {
        // not in cache, never been called, record the call.
        …
```

```c
/* Resolve the unexported cache_getImp by its offset from the libobjc base
 * (the offset is specific to the iOS build the slide targets). The cast wraps
 * the whole byte-pointer sum; adding after the cast would be arithmetic on a
 * function pointer. */
const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)(((uint8_t*)libobjc_base) + 97792 + 0x4000);
```
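The optimization above treats libobjc's method cache as the record of what has already run, and that record is a heuristic: the runtime flushes a class's cache when the class is modified (a method is added or swizzled, a category loads), after which a method that ran earlier looks unseen again. As an added example (not part of objc_trace or the talk), the block below keeps the tracer's own first-seen set keyed on (class, selector) pointer pairs, so the coverage log stays deduplicated whatever the cache state. Class and SEL are modelled as plain uintptr_t values so the code builds and runs off-device, and the call sequences are constructed for the example.

```c
/* Added example: first-seen set for (class, selector) coverage records. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct { uintptr_t cls; uintptr_t sel; } cov_key_t;

typedef struct {
    cov_key_t *slots;   /* open addressing; cls == 0 marks an empty slot */
    size_t cap;         /* always a power of two */
    size_t count;
} cov_set_t;

/* FNV-1a over the two pointer values. */
static uint64_t cov_hash(uintptr_t cls, uintptr_t sel) {
    uint64_t h = 0xcbf29ce484222325ULL;
    const unsigned char *p = (const unsigned char *)&cls;
    for (size_t i = 0; i < sizeof cls; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    p = (const unsigned char *)&sel;
    for (size_t i = 0; i < sizeof sel; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

int cov_init(cov_set_t *s, size_t cap) {
    s->slots = calloc(cap, sizeof *s->slots);
    s->cap = cap;
    s->count = 0;
    return s->slots != NULL;
}

void cov_free(cov_set_t *s) { free(s->slots); s->slots = NULL; s->cap = s->count = 0; }

/* Linear probing; returns 1 if the pair was inserted, 0 if already present. */
static int cov_insert_raw(cov_set_t *s, uintptr_t cls, uintptr_t sel) {
    size_t i = (size_t)(cov_hash(cls, sel) & (s->cap - 1));
    for (;;) {
        cov_key_t *k = &s->slots[i];
        if (k->cls == 0) { k->cls = cls; k->sel = sel; s->count++; return 1; }
        if (k->cls == cls && k->sel == sel) return 0;
        i = (i + 1) & (s->cap - 1);
    }
}

static int cov_grow(cov_set_t *s) {
    cov_set_t bigger;
    if (!cov_init(&bigger, s->cap * 2)) return 0;
    for (size_t i = 0; i < s->cap; i++)
        if (s->slots[i].cls != 0) cov_insert_raw(&bigger, s->slots[i].cls, s->slots[i].sel);
    free(s->slots);
    *s = bigger;
    return 1;
}

/* What the hook would call: returns 1 the first time (cls, sel) is seen,
 * 0 on every later call. A nil receiver (cls == 0) is never recorded. */
int cov_record(cov_set_t *s, uintptr_t cls, uintptr_t sel) {
    if (cls == 0) return 0;
    if ((s->count + 1) * 4 > s->cap * 3) {               /* keep load below 75% */
        if (!cov_grow(s) && s->count == s->cap) return 0; /* out of memory and full: drop */
    }
    return cov_insert_raw(s, cls, sel);
}

/* Constructed call sequence fed through cov_record; returns how many calls
 * were reported as new (3 for this sequence). */
int demo_new_methods(void) {
    static const uintptr_t calls[][2] = {
        { 0x1000, 0x2000 },  /* [Foo bar] first time   -> new     */
        { 0x1000, 0x2000 },  /* same pair again        -> seen    */
        { 0x1000, 0x2004 },  /* [Foo baz]              -> new     */
        { 0x1008, 0x2000 },  /* [Qux bar]              -> new     */
        { 0x0,    0x2000 },  /* message to nil         -> ignored */
    };
    cov_set_t s;
    int fresh = 0;
    if (!cov_init(&s, 4)) return -1;
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        fresh += cov_record(&s, calls[i][0], calls[i][1]);
    cov_free(&s);
    return fresh;
}

/* Records n distinct constructed pairs twice into a table that starts with
 * four slots, exercising growth; returns the final set size (n). */
size_t demo_distinct(size_t n) {
    cov_set_t s;
    if (!cov_init(&s, 4)) return 0;
    for (int pass = 0; pass < 2; pass++)
        for (size_t i = 1; i <= n; i++)
            cov_record(&s, 0x100000 + i * 16, 0x2000 + (i % 7) * 8);
    size_t c = s.count;
    cov_free(&s);
    return c;
}

int main(void) {
    printf("new methods in sample sequence: %d\n", demo_new_methods());
    printf("distinct pairs after double pass: %zu\n", demo_distinct(1000));
    return 0;
}
```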
Machshark (MACH Shark)

```python
{ '_payload': { '_payload': { '_msg':
                              '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                              'type': 2048},
                'magic': '!CPX',
                'version': 5},
  'msgh_bits': 1250579,
  'msgh_id': 268435456,
  'msgh_local_port': '0x30b',
  'msgh_remote_port': '0x10b',
  'msgh_reserved': 2819,
  'msgh_size': 256}
```
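Machshark's dump above is a decoded mach_msg_header_t with an XPC payload behind it. As an added example (not Machshark's own code), the block below performs that decoding in C: it reads the 24-byte header, splits msgh_bits into the remote, local and voucher port dispositions plus the complex flag using the masks from XNU's <mach/message.h>, rejects captures shorter than the msgh_size they claim, and recognises the payload magic shown on the slide. The sample bytes are constructed from the values on the slide, and the struct and constants are redefined locally so the code runs off-device.

```c
/* Added example: decoding a captured Mach message header and XPC wrapper. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Mirrors mach_msg_header_t field order from XNU. msgh_voucher_port was
 * named msgh_reserved in older headers, which is the name Machshark prints. */
typedef struct {
    uint32_t msgh_bits;
    uint32_t msgh_size;
    uint32_t msgh_remote_port;
    uint32_t msgh_local_port;
    uint32_t msgh_voucher_port;
    int32_t  msgh_id;
} mach_hdr_t;
#define MACH_HDR_SIZE 24u

#define MACH_MSGH_BITS_REMOTE_MASK  0x000000ffu
#define MACH_MSGH_BITS_LOCAL_MASK   0x0000ff00u
#define MACH_MSGH_BITS_VOUCHER_MASK 0x00ff0000u
#define MACH_MSGH_BITS_COMPLEX      0x80000000u   /* body carries port/OOL descriptors */

/* First four payload bytes of an XPC wrapper, as Machshark shows them. */
static const uint8_t XPC_MAGIC[4] = { '!', 'C', 'P', 'X' };

typedef struct {
    mach_hdr_t hdr;
    unsigned remote_type, local_type, voucher_type;
    int complex;
    int is_xpc;
    uint32_t xpc_version;
} decoded_msg_t;

static uint32_t rd32(const uint8_t *p) {   /* little-endian, as on arm64 */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Port disposition names from <mach/message.h>. */
const char *disposition_name(unsigned t) {
    switch (t) {
    case 0:  return "NONE";
    case 16: return "MOVE_RECEIVE";
    case 17: return "MOVE_SEND";
    case 18: return "MOVE_SEND_ONCE";
    case 19: return "COPY_SEND";
    case 20: return "MAKE_SEND";
    case 21: return "MAKE_SEND_ONCE";
    case 22: return "COPY_RECEIVE";
    default: return "UNKNOWN";
    }
}

/* Returns 0 on success, -1 if the buffer is shorter than a header or than the
 * msgh_size the header claims (a truncated or malformed capture). */
int decode_mach_msg(const uint8_t *buf, size_t len, decoded_msg_t *out) {
    if (len < MACH_HDR_SIZE) return -1;
    memset(out, 0, sizeof *out);
    out->hdr.msgh_bits         = rd32(buf);
    out->hdr.msgh_size         = rd32(buf + 4);
    out->hdr.msgh_remote_port  = rd32(buf + 8);
    out->hdr.msgh_local_port   = rd32(buf + 12);
    out->hdr.msgh_voucher_port = rd32(buf + 16);
    out->hdr.msgh_id           = (int32_t)rd32(buf + 20);
    if (out->hdr.msgh_size < MACH_HDR_SIZE || out->hdr.msgh_size > len) return -1;
    out->remote_type  = out->hdr.msgh_bits & MACH_MSGH_BITS_REMOTE_MASK;
    out->local_type   = (out->hdr.msgh_bits & MACH_MSGH_BITS_LOCAL_MASK) >> 8;
    out->voucher_type = (out->hdr.msgh_bits & MACH_MSGH_BITS_VOUCHER_MASK) >> 16;
    out->complex      = (out->hdr.msgh_bits & MACH_MSGH_BITS_COMPLEX) != 0;
    size_t body = out->hdr.msgh_size - MACH_HDR_SIZE;
    if (body >= 8 && memcmp(buf + MACH_HDR_SIZE, XPC_MAGIC, 4) == 0) {
        out->is_xpc = 1;
        out->xpc_version = rd32(buf + MACH_HDR_SIZE + 4);
    }
    return 0;
}

/* Constructed sample: the slide's header values (size 256, ports 0x10b/0x30b,
 * voucher 2819, id 268435456) with the given msgh_bits, followed by an XPC
 * wrapper of version 5 and zero padding up to msgh_size. */
static uint8_t sample_buf[256];
decoded_msg_t last_decoded;

size_t build_sample(uint32_t bits) {
    memset(sample_buf, 0, sizeof sample_buf);
    wr32(sample_buf + 0, bits);
    wr32(sample_buf + 4, 256);
    wr32(sample_buf + 8, 0x10b);
    wr32(sample_buf + 12, 0x30b);
    wr32(sample_buf + 16, 2819);
    wr32(sample_buf + 20, 268435456u);
    memcpy(sample_buf + 24, XPC_MAGIC, 4);
    wr32(sample_buf + 28, 5);
    return sizeof sample_buf;
}

int sample_decode(uint32_t bits) { return decode_mach_msg(sample_buf, build_sample(bits), &last_decoded); }
int sample_truncated(void)       { build_sample(1250579u); return decode_mach_msg(sample_buf, 100, &last_decoded); }

int main(void) {
    if (sample_decode(1250579u) != 0) return 1;
    printf("remote %s, local %s, voucher %s, complex %d, id 0x%x, xpc v%u\n",
           disposition_name(last_decoded.remote_type), disposition_name(last_decoded.local_type),
           disposition_name(last_decoded.voucher_type), last_decoded.complex,
           (unsigned)last_decoded.hdr.msgh_id, last_decoded.xpc_version);
    return 0;
}
```

The disposition bits say who holds which port once the message lands: the sample's COPY_SEND remote with MAKE_SEND_ONCE local is the ordinary request/reply shape, so when reviewing a capture the messages worth a closer look are those with unusual dispositions or the complex bit set, which means port rights or out-of-line memory are being transferred in the body.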
The difficulty of Apps
Most apps are largely user-reactive in nature
“A little engine for driving the UI while observing the inner workings of an iOS App” -- CHAOTICMARCH
Why automate?
• Time saving
• Repeatable
• WebAPI Discovery
• Service use discovery
• Code Coverage
Apply intelligence!
● Simulate the user
● Read and understand the UI
What does the UI look like in memory?
CHAOTICMARCH
● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module
Source
A basic script
Deadly in the right combination
[Diagram: MITM Proxy, Request, Mutant, Mutator]
Discovery Applications
• WebAPI - gives you working samples.
• Local behaviour
  • File accesses, IPC interactions
• Vendor infrastructure
  • Any hidden call outs
  • Frequency of call outs
● tracker-api.my.com
● api.ok.ru/api/batch/execute
● data.flurry.com/aas.do
● sdk.hockeyapp.net
Attack Surface
Rewire!
Get the app to show its cards
[Diagram: MITM Proxy, Request, Mutant, Mutator, Mutator]
Wrap up!
• Apps are important!
• Automation of the UI
• Traversal of App Features
• Helps collect infrastructure details
• Collection of coverage information
Email: mikhail@synack.com | blog: debugtrap.com | Twitter: @H4ckerLife
č ū Спасибо
...Catch me in the halls or online!
Mikhail Sosonkin

Recon Village, DEF CON 25: Keeping an eye on mobile applications - Mikhail Sosonkin
