Analyzing iOS apps: road from AppStore to security analysis report

Presented at REcon Brussels 2017, Jan. 29, 2017, 10 a.m. (60 minutes)

The main goal of our work is to find a sensible way to detect vulnerabilities in binary iOS applications. We present a new, fully featured toolset that constitutes a decompiling and analyzing engine targeting ARM/AArch64 programs, particularly iOS applications.

In general, the analysis workflow consists of four steps:

1. Downloading and decrypting an iOS application from the AppStore. We introduce the iOS-crack engine, which is capable of automatically downloading, decrypting and dumping the memory of AppStore applications using a jailbroken device.
2. Decompiling the iOS application. The toolset is capable of carrying out a completely automated analysis of binary programs, using LLVM as the intermediate representation language. Unlike known binary-code-to-LLVM translation tools, our decompilation tool aims at high-level program semantics reconstruction, that is: program CFG reconstruction, advanced analysis and propagation of memory objects and stack pointer tracking, data type reconstruction, program data model construction. Almost all iOS applications are written in Objective-C or Swift, so we also take care of precise type reconstruction and use the runtime type information in the decompilation process.
3. Static analysis of the iOS application. We introduce our static analysis framework, which is able to find all common vulnerabilities of mobile applications, especially iOS applications.
4. Representation of analysis results. The toolset is able to produce a human-readable pseudocode representation of the source binary.

During the presentation we will demonstrate our analysis engine in action. We will show real-world examples of the most common security flaws and how they can be found.

