Creating a Safe Browsing, Serverless API to scan iOS apps with Corellium & Frida on AWS Lambda
You're checking your messages in the morning, and your new friend James Willy has sent you a link to a cool new iOS app he's developed. While you'd like to give feedback, the last Visual Studio project he sent you didn't load properly, so to be safe, it might be a good idea to scan the IPA.
You could send the IPA's URL to Google's Safe Browsing platform and cross your fingers that their static analysis works. If only there was a Safe Browsing API that you knew worked well for iOS apps..
How difficult could it be to create a Safe Browsing API to scan for malicious apps? Must be pretty difficult, given that even Apple outsources it to Google.
Let's challenge that assumption, and create a prototype to scan iOS applications found on websites. We'll do it with zero physical devices, nothing running on our local machines once deployed, and for a few dollars a day (even with thousands of requests).
We'll solve this using:
- Corellium's virtual hardware and Python API
- Frida to scan memory for an "evil" pattern (e.g. as a starting place for you to add your own malware analysis)
- FastAPI as our RESTful endpoint that implements part of the Safe Browsing Lookup API (v4)
- AWS Lambda for deploying our solution as a serverless application
By the end of this article, you'll even have a lovely Swagger UI that looks like this!
Part 1 - Setting up Corellium
If you haven't already, go generate yourself an API token in the web UI. That's it.
Next, go ahead and create a jailbroken device on Corellium. Wait a bit for it to be booted, and that's it for setup.
For our application, you'll need to get:
- The instance ID, which can be found in the URL (circled in red)
- The project ID, which can be found in the SSH section (circled in green)
(Both of these values can be obtained from the Corellium API as well.)
Part 2 - Creating SSH tunnels in pure Python
Because we'd like to not care what OS our serverless application runs on, we're going to use pure Python (instead of calling out to an SSH binary).
First, let's create an API connection to Corellium.
hostkey=None, # Might want to verify in production!
Readers paying attention might wonder why the "disabled_algorithms" option is there. I'll save you the trial and error: it's because Paramiko defaults to a sig version that is unsupported by the SSH gateway on Corellium's proxy. https://stackoverflow.com/a/70567773
Using the transport tunnel to Corellium's gateway, we can now open up an SSH connection to the iOS device itself.
This script buffers the entire zip into memory (meaning up to ~4GB of usage), and I would encourage the reader to spend a bit of time on optimizing it if they intend on doing something similar at scale.
Part 6 - FastAPI
For those who have not used it before, FastAPI is a handy web framework for building RESTful APIs. It's incredibly easy to use.
Here's an example of how we're going to implement the "/v4/threatMatches:find" endpoint.