Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reverse Engineering iOS Apps

Conrad Kramer
August 20, 2015
Programming
11
250k

Reverse Engineering iOS Apps

Talk given at Swift Language User Group in SF on 20 August 2015

If you've ever needed to know how another piece of code works, or if you've ever been at the mercy of someone else's bugs – you can always look at the source code... unless you don't have it. I'll be giving an introduction to the art of reverse engineering on iOS and OS X, including Swift apps. I'll be cover sniffing network traffic as well as static and dynamic analysis, with tools like Charles, cycript, IDA, Hopper and class-dump.

Conrad Kramer

August 20, 2015
Tweet

More Decks by Conrad Kramer

See All by Conrad Kramer
How (not) to write an iOS SDK
conradev
1
43k
Memory Use in Extensions
conradev
2
450

Other Decks in Programming

See All in Programming
[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리
beomi
0
110
Identifying User Idenity
moro
6
7.9k
役立つログに取り組もう
irof
27
8.7k
macOS でできる リアルタイム動画像処理
biacco42
7
1.9k
Googleのテストサイズを活用したテスト環境の構築
toms74209200
0
270
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.2k
Kaigi on Rails 2024 - Rails APIモードのためのシンプルで効果的なCSRF対策 / kaigionrails-2024-csrf
corocn
5
3.4k
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
飲食業界向けマルチプロダクトを実現させる開発体制とリアルな現状
hiroya0601
1
400
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
0
160
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
250

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
Side Projects
sachag
452
42k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
How STYLIGHT went responsive
nonsquared
95
5.2k
What's new in Ruby 2.0
geeforr
342
31k
4 Signs Your Business is Dying
shpigford
180
21k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
150
Bash Introduction
62gerente
608
210k
Building Flexible Design Systems
yeseniaperezcruz
327
38k

Transcript

  1. Reverse Engineering iOS Apps with Swi' Conrad Kramer @conradev

  2. Reverse Engineering Analyzing out how something works by examining the

    final product.

  3. Opera&ng the tools Knowing what to look for

  4. Frame the ques,on Why does this bug occur? What component

    do they use in their UI? What does the app's REST API look like?

  5. Test Subject: Ly# (Wri%en en)rely in Swy.)

  6. Ques%ons What does Ly,'s REST API look like? How does

    Ly*'s URL scheme work?

  7. What is in the Ly, app? • Metadata • Assets

    • Executable (Encrypted) • Lots of frameworks (Encrypted)

  8. What can we work with? • When it is running

    • Network traffic • Injec6ng code • When it isn't running • Inspec6ng the binaries

  9. Inspect Network Traffic using Charles charlesproxy.com

  10. HTTP(S) Proxy Performs SSL man-in-the-middle Pre$y prints JSON, YAML, XML,

    Mul8part, Form encoding, etc.

  11. Inject Code using cycript (jailbreak required for third party apps)

    cycript.org

  12. Cycript JavaScript/Objec/ve-C hybrid Interact with the app using the REPL,

    live: var application = [UIApplication sharedApplication]; [application openURL:[NSURL URLWithString:@"https://google.com"]];

  13. Decrypt The Executable with dumpdecrypted (jailbreak required) bit.ly/dumpd

  14. Analyze The Executable using IDA Pro bit.ly/idatrial

  15. Swi$ vs. Objec.ve-C Swi$ assembly is more verbose Swi$ class

    informa/on is harder to extract

  16. Looking at -applica.on:openURL: _TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FC So5NSURLSb Mangled symbol name

  17. Looking at -applica.on:openURL: _TZFV4Lyft15DeepLinkManager13handleOpenURLfMS0_FC So5NSURLSb • _T -> Swi( symbol

    • F -> Func3on • 4Lyft -> Module name • A lot more informa3on (see Mike Ash's Friday Q&A)

  18. Looking at -applica.on:openURL: var url = NSURL(string: "lyft://") var manager

    : Lyft.DeepLinkManager = ... manager.handleOpenURL(url)

  19. Think like the developer

  20. Looking at Ly+.DeepLinkManager • DeepLinkRequest • DeepLinkable • DeepLinkToRide •

    DeepLinkToHelp • DeepLinkToSe6ngs • DeepLinkToDriveMode • etc.

  21. Looking at Ly+.DeepLinkManager lyft://action?paramter=value

  22. Looking at Ly+.DeepLinkToRide lyft://ridetype ?id=lyft_line &pickup[latitude]=0 &pickup[longitude]=0 &destination[latitude]=0 &destination[longitude]=0

  23. Thanks!