🍎 iOS Applications RE


Created: 09.10.2020

During forensic analysis it’s not uncommon to run into a suspicious application. In this article I’m going to learn how to reverse engineer iOS applications.

Analysis flow

First, we need to get the IPA file from the device. There are different ways to do so (please refer to BTFM and RTFM). Here I’m going to use the easiest one: ask ipainstaller for the installed bundle's path on the device, then copy the whole bundle directory over SSH:

ipainstaller -i $(ipainstaller -l | grep -i [package_partial_name]) | grep Bundle
scp -r root@[device_ip]:/path/to/Bundle/ .

Note that this method only works if the application was not downloaded from the App Store: applications installed that way are encrypted, and to get the code one needs to dump it decrypted from memory (frida-ios-dump.py with frida-server) or decrypt it statically ().

Then open the Bundle folder on your PC and look for Info.plist. Let’s find all keys that start with NS and end with UsageDescription, together with the string that follows each of them:

cd *.ipa/[package_name].app
grep 'UsageDescription' Info.plist -A1

You should see something like this:

<key>NSPhotoLibraryUsageDescription</key>
	<string>You can choose a profile picture from your photo library</string>
	<key>NSPhotoLibraryAddUsageDescription</key>
	<string>Allow Kindle to access your photos to save images.</string>
--
	<key>NSCameraUsageDescription</key>
	<string>Kindle would like to access the camera</string>
--
	<key>NSAppleMusicUsageDescription</key>
	<string>We use this to play audio in certain interactive books or magazines</string>

Inspect the application and make sense of all its entitlements. Why, for example, does the Kindle application need access to my camera? Maybe to set an avatar. And what if it were a simple game? Anyway, always check this, since it might be an indication of a malicious application (although it’s very hard to get one into the App Store, it’s still possible; besides, there are ways to sideload applications).

Entitlements

Here is an article which contains a section about iOS entitlements.

To decode a certificate:

openssl x509 -in certificate.crt -text -noout

Extract the XML property list data (Info.plist) embedded in the binary:

binwalk -e -y=xml ./Telegram\ X
r2 -qc 'izz~PropertyList' ./Telegram\ X
grep -a -A 5 'PropertyList' \
    "/var/containers/Bundle/Application/15E6A58F-1CA7-44A4-A9E0-6CA85B65FA35/Telegram X.app/Telegram X"

Custom URL schemes and Universal Links (look for the openURL handlers in the binary's strings):

rabin2 -zq Telegram\ X.app/Telegram\ X | grep openURL
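The grep above for UsageDescription keys and the string search for URL handlers both come down to reading the bundle's Info.plist. The following script is an added example, not code from the original article: it parses an XML-form Info.plist with awk and reports every NS…UsageDescription permission string and every scheme declared under CFBundleURLTypes/CFBundleURLSchemes (the declared custom URL schemes; Universal Links live in the associated-domains entitlement instead and are not covered here). It assumes the plist is XML rather than binary (convert with `plutil -convert xml1 Info.plist` on macOS first) and that each key and its value sit on consecutive lines, as in the grep output shown earlier. The sample plist embedded at the bottom is constructed for offline testing and does not describe any real app.

```sh
#!/bin/sh
# Added example (not from the original article): triage an unpacked bundle's
# Info.plist for permission strings and declared custom URL schemes.
# Assumes the plist is in XML form (binary plists: plutil -convert xml1 first)
# and that <key> and its <string> value are on consecutive lines.

# Print "KEY<TAB>description" for every NS...UsageDescription entry.
usage_descriptions() {
    awk '
        /<key>NS[A-Za-z]*UsageDescription<\/key>/ {
            key = $0
            sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key)
            want = 1; next
        }
        want && /<string>/ {
            val = $0
            sub(/.*<string>/, "", val); sub(/<\/string>.*/, "", val)
            printf "%s\t%s\n", key, val
            want = 0
        }
    ' "$1"
}

# Print each scheme declared under CFBundleURLSchemes, one per line.
# The array may occur more than once (one per CFBundleURLTypes entry).
url_schemes() {
    awk '
        /<key>CFBundleURLSchemes<\/key>/ { inarr = 1; next }
        inarr && /<\/array>/ { inarr = 0 }
        inarr && /<string>/ {
            s = $0
            sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
            print s
        }
    ' "$1"
}

# Constructed sample Info.plist (not from any real app) so the script runs offline.
SAMPLE_PLIST=$(mktemp)
trap 'rm -f "$SAMPLE_PLIST"' EXIT
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sampleapp</string>
    <key>NSCameraUsageDescription</key>
    <string>Used to scan QR codes</string>
    <key>NSLocationAlwaysUsageDescription</key>
    <string>Used for background tracking</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>sampleapp</string>
                <string>sampleapp-auth</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
EOF

echo "== Permission strings =="
usage_descriptions "$SAMPLE_PLIST"
echo "== Custom URL schemes =="
url_schemes "$SAMPLE_PLIST"
```

Point both functions at the real `Info.plist` inside the copied `.app` directory; a permission string whose justification does not fit the app's purpose, or a URL scheme you did not expect, is what to follow up on in the binary.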

LAContext

User Presence

User Presence works with Touch ID through the Keychain. Whereas LAContext just delegates the credentials check to the system and reports success or failure, here the Keychain services present the authentication dialog to the user and return the item's data or nil, depending on whether a suitable fingerprint was provided.

https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id

Both use the LocalAuthentication framework. Check which frameworks the binary links:

otool -L <AppName>.app/<AppName>

❓ Unlike macOS and Android, iOS currently (as of iOS 12) does not support time-limited accessibility of a keychain item: unless an additional security check is required to read the item (e.g. kSecAccessControlUserPresence or a similar access control is set), the key is accessible as soon as the device is unlocked.

MSTG-AUTH-8: “Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns “true” or “false”). Instead, it is based on unlocking the keychain/keystore.”

MSTG-STORAGE-11: “The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.”

https://blog.nvisium.com/dont-touch-me-that-way
https://www.inversecos.com/2022/06/how-to-reverse-engineer-and-patch-ios.html