Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reverse Engineering iOS Apps

Conrad Kramer
August 20, 2015
Programming
11
250k

Reverse Engineering iOS Apps

Talk given at Swift Language User Group in SF on 20 August 2015

If you've ever needed to know how another piece of code works, or if you've ever been at the mercy of someone else's bugs – you can always look at the source code... unless you don't have it. I'll be giving an introduction to the art of reverse engineering on iOS and OS X, including Swift apps. I'll be cover sniffing network traffic as well as static and dynamic analysis, with tools like Charles, cycript, IDA, Hopper and class-dump.

Conrad Kramer

August 20, 2015
Tweet

More Decks by Conrad Kramer

See All by Conrad Kramer
How (not) to write an iOS SDK
conradev
1
43k
Memory Use in Extensions
conradev
2
450

Other Decks in Programming

See All in Programming
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.3k
Ethereum_.pdf
nekomatu
0
470
RubyLSPのマルチバイト文字対応
notfounds
0
120
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
距離関数を極める! / SESSIONS 2024
gam0022
0
290
cmp.Or に感動した
otakakot
3
210
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.3k
Realtime API 入門
riofujimon
0
150
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120

Featured

See All Featured
Music & Morning Musume
bryan
46
6.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
4 Signs Your Business is Dying
shpigford
180
21k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
What's new in Ruby 2.0
geeforr
343
31k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
For a Future-Friendly Web
brad_frost
175
9.4k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k

Transcript

  1. Reverse Engineering iOS Apps with Swi' Conrad Kramer @conradev

  2. Reverse Engineering Analyzing out how something works by examining the

    final product.

  3. Opera&ng the tools Knowing what to look for

  4. Frame the ques,on Why does this bug occur? What component

    do they use in their UI? What does the app's REST API look like?

  5. Test Subject: Ly# (Wri%en en)rely in Swy.)

  6. Ques%ons What does Ly,'s REST API look like? How does

    Ly*'s URL scheme work?

  7. What is in the Ly, app? • Metadata • Assets

    • Executable (Encrypted) • Lots of frameworks (Encrypted)

  8. What can we work with? • When it is running

    • Network traffic • Injec6ng code • When it isn't running • Inspec6ng the binaries

  9. Inspect Network Traffic using Charles charlesproxy.com

  10. HTTP(S) Proxy Performs SSL man-in-the-middle Pre$y prints JSON, YAML, XML,

    Mul8part, Form encoding, etc.

  11. Inject Code using cycript (jailbreak required for third party apps)

    cycript.org

  12. Cycript JavaScript/Objec/ve-C hybrid Interact with the app using the REPL,

    live: var application = [UIApplication sharedApplication]; [application openURL:[NSURL URLWithString:@"https://google.com"]];

  13. Decrypt The Executable with dumpdecrypted (jailbreak required) bit.ly/dumpd

  14. Analyze The Executable using IDA Pro bit.ly/idatrial

  15. Swi$ vs. Objec.ve-C Swi$ assembly is more verbose Swi$ class

    informa/on is harder to extract

  16. Looking at -applica.on:openURL: _TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FC So5NSURLSb Mangled symbol name

  17. Looking at -applica.on:openURL: _TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FC So5NSURLSb • _T -> Swi( symbol

    • F -> Func3on • 4Lyft -> Module name • A lot more informa3on (see Mike Ash's Friday Q&A)

  18. Looking at -applica.on:openURL: var url = NSURL(string: "lyft://") var manager

    : Lyft.DeepLinkManager = ... manager.handleOpenURL(url)

  19. Think like the developer

  20. Looking at Ly+.DeepLinkManager • DeepLinkRequest • DeepLinkable • DeepLinkToRide •

    DeepLinkToHelp • DeepLinkToSe6ngs • DeepLinkToDriveMode • etc.

  21. Looking at Ly+.DeepLinkManager lyft://action?paramter=value

  22. Looking at Ly+.DeepLinkToRide lyft://ridetype ?id=lyft_line &pickup[latitude]=0 &pickup[longitude]=0 &destination[latitude]=0 &destination[longitude]=0

  23. Thanks!