o iOS security mechanisms
o Security from attacker’s perspective
o Reverse engineering tools detection
o Secure coding practices
o Advanced practices
o Implemented in kernel
o Every executable should be signed
o Stored in LC_CODE_SIGNATURE
o Superblob, entitlements, signature
o SHA1 check of memory pages
o Superblob is signed
o W^X policy: a page is either writable or executable, never both
o Non-executable stack and heap
o Implemented in kernel
o Vulnerable to ROP
o (K)ASLR
o No dynamic code generation
o Based upon TrustedBSD MAC framework
o Implemented in kernel
o Profiles (nointernet, container, …)
o Operations (read, write, search, …)
o System & user partition
o Hardware AES and SHA modules
o 7 derivative keys from UID and GID
o Everything is encrypted (iBoot, filesystem, …)
o Data protection API
o Passcode / TouchID key
o Remote device wiping
Mobile Substrate
o Most popular code patching framework
o Hook C, C++, Objective-C, Java code
o Trampoline for C hooks
o Swizzling for Objective-C
o Dynamic code injection
o Filter support
“Calling functions like _dyld_image_count() and _dyld_get_image_name() to see which dylibs are currently loaded. Very difficult to patch, as patches are themselves part of dylibs.” – theiphonewiki.com

    #include <stdint.h>
    #include <mach-o/dyld.h>
    #include <substrate.h>

    // Original implementations, filled in by MSHookFunction
    static uint32_t (*orig_image_count)(void);
    static const char *(*orig_get_image_name)(uint32_t image_index);

    // Index of the dylib to hide from enumeration
    uint32_t dyld_skipimage = 0;

    // Report one image less than is really loaded
    uint32_t hooked_dyld_image_count(void) {
        return orig_image_count() - 1;
    }

    // Skip over the hidden image so indices stay contiguous
    const char *hooked_dyld_get_image_name(uint32_t image_index) {
        if (image_index >= dyld_skipimage)
            return orig_get_image_name(image_index + 1);
        else
            return orig_get_image_name(image_index);
    }

    // Install both hooks when the tweak dylib is loaded
    __attribute__((constructor)) static void install_hooks(void) {
        MSHookFunction((void *)_dyld_image_count, (void *)hooked_dyld_image_count, (void **)&orig_image_count);
        MSHookFunction((void *)_dyld_get_image_name, (void *)hooked_dyld_get_image_name, (void **)&orig_get_image_name);
    }
System calls
o Syscall function as wrapper
o Implemented as svc 0x80
o Syscall number in r12 or x16
o Arguments in registers
o Listed in syscall.h
Summary
o Do not rely on iOS security and ObjC/Swift
o ‘Everything is hooked’ environment
o Detect hooks and code injection
o Detect debuggers and device anomalies
o Re-implement standard functions
o Love and use syscalls
o Obfuscate your code
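An added example (not from the original slides) of the hook detection the summary recommends against trampoline hooks like the Mobile Substrate one shown earlier: it checks whether the first instruction words of an arm64 function form a jump away from the entry point rather than a normal prologue. The recognised shapes (a plain B, or an LDR literal into a register followed by BR through the same register) are an assumption about how such hooks are laid out, and the instruction words are hand-constructed so the check runs off-device.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed arm64 encoding bits (ARM Architecture Reference Manual). */
#define A64_B_MASK       0xFC000000u   /* B   <imm26>           */
#define A64_B_OP         0x14000000u
#define A64_LDR_LIT_MASK 0xFF000000u   /* LDR Xt, <literal>     */
#define A64_LDR_LIT_OP   0x58000000u
#define A64_BR_MASK      0xFFFFFC1Fu   /* BR  Xn                */
#define A64_BR_OP        0xD61F0000u

/* Does the code at `code` (nwords readable 32-bit words) start with a
 * trampoline instead of a normal prologue?  Two shapes are recognised:
 *   B <target>              near jump patched over the entry
 *   LDR Xn, <lit>; BR Xn    absolute jump via a register (the shape
 *                           assumed here for Substrate-style hooks)
 * A positive result is a signal, not proof: a tiny tail-calling function
 * also begins with B, so compare against a known-good copy before acting. */
bool a64_looks_hooked(const uint32_t *code, size_t nwords) {
    if (nwords < 1) return false;
    uint32_t i0 = code[0];
    if ((i0 & A64_B_MASK) == A64_B_OP) return true;
    if (nwords >= 2 && (i0 & A64_LDR_LIT_MASK) == A64_LDR_LIT_OP) {
        uint32_t i1 = code[1];
        uint32_t rt = i0 & 0x1F;           /* register loaded by LDR  */
        uint32_t rn = (i1 >> 5) & 0x1F;    /* register jumped through */
        if ((i1 & A64_BR_MASK) == A64_BR_OP && rn == rt) return true;
    }
    return false;
}

/* Constructed samples (hand-encoded arm64 words, not captured from a device). */
static const uint32_t CLEAN[] = {              /* stp x29,x30,[sp,#-16]!; mov x29,sp;   */
    0xA9BF7BFD, 0x910003FD, 0x52800540,        /* mov w0,#42; ldp x29,x30,[sp],#16; ret */
    0xA8C17BFD, 0xD65F03C0 };
static const uint32_t LDR_BR[] = { 0x58000050, 0xD61F0200,     /* ldr x16,#8; br x16 */
    0x00001000, 0x00000001 };                                  /* 64-bit target      */
static const uint32_t NEAR_B[] = { 0x14000400, 0xD503201F };   /* b #0x1000; nop     */
static const uint32_t MISMATCH[] = { 0x58000050, 0xD61F0220 }; /* ldr x16; br x17    */

int main(void) {
    printf("clean: %d  ldr/br: %d  b: %d  mismatch: %d\n",
           a64_looks_hooked(CLEAN, 5), a64_looks_hooked(LDR_BR, 4),
           a64_looks_hooked(NEAR_B, 2), a64_looks_hooked(MISMATCH, 2));
    return 0;
}
```

On a device the same check would be run over the first words of the libSystem functions the app depends on (for example the dyld enumeration calls quoted above) and compared with a copy taken from the binary on disk.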