You're checking your messages in the morning, and your new friend James Willy has sent you a link to a cool new iOS app he's developed. While you'd like to give feedback, the last Visual Studio project he sent you didn't load properly, so to be safe, it might be a good idea to scan the IPA.
You could send the IPA's URL to Google's Safe Browsing platform and cross your fingers that their static analysis works. If only there was a Safe Browsing API that you knew worked well for iOS apps..
How difficult could it be to create a Safe Browsing API to scan for malicious apps? Must be pretty difficult, given that even Apple outsources it to Google.
Let's challenge that assumption, and create a prototype to scan iOS applications found on websites. We'll do it with zero physical devices, nothing running on our local machines once deployed, and for a few dollars a day (even with thousands of requests).
We'll solve this using:
- Corellium's virtual hardware and Python API
- Frida to scan memory for an "evil" pattern (e.g. as a starting place for you to add your own malware analysis)
- FastAPI as our RESTful endpoint that implements part of the Safe Browsing Lookup API (v4)
- AWS Lambda for deploying our solution as a serverless application
By the end of this article, you'll even have a lovely Swagger UI that looks like this!
If you haven't already, go generate yourself an API token in the web UI. That's it.
Next, go ahead and create a jailbroken device on Corellium. Wait a bit for it to be booted, and that's it for setup.
For our application, you'll need to get:
- The instance ID, which can be found in the URL (circled in red)
- The project ID, which can be found in the SSH section (circled in green)
(Both of these values can be obtained from the Corellium API as well.)
Because we'd like to not care what OS our serverless application runs on, we're going to use pure Python (instead of calling out to an SSH binary).
First, let's create an API connection to Corellium.
Let's generate a new temporary SSH key.
And add it to our project.
At this point, we can create a tunnel to Corellium's gateway!
Readers paying attention might wonder why the "disabled_algorithms" option is there. I'll save you the trial and error: it's because Paramiko defaults to a sig version that is unsupported by the SSH gateway on Corellium's proxy. https://stackoverflow.com/a/70567773
Using the transport tunnel to Corellium's gateway, we can now open up an SSH connection to the iOS device itself.
The tunnel forwarding is a bit convoluted and not particularly interesting, so I've omitted it from this section. (I took an example from paramiko and modified it to work asynchronously.)
Lastly, we need to forward Frida's port. We do this instead of modifying Frida to listen on 0.0.0.0, as this allows us to disconnect WiFi if needed without Frida disconnecting.
We're now able to use Frida's Python API as if we had the device plugged right into our machine!
For the purpose of this demonstration, we're going to make a very simple Frida script that just looks for an "evil" byte pattern.
As this service we're building takes in a URL to check, we're going to need to write a function that:
1. Downloads app at that URL.
2. Copies it to our Corellium device.
3. Installs the app on the Corellium device.
4. Runs the app with our Frida script hooks.
5. Uninstalls the app (alternatively, a safer option would be to restore the VM's state at the cost of speed).
This script buffers the entire zip into memory (meaning up to ~4GB of usage), and I would encourage the reader to spend a bit of time on optimizing it if they intend on doing something similar at scale.
For those who have not used it before, FastAPI is a handy web framework for building RESTful APIs. It's incredibly easy to use.
Here's an example of how we're going to implement the "/v4/threatMatches:find" endpoint.
For brevity's sake, I'm only including one class model example. The rest can be found in the full script.
The only modification we need to do is adding this to our existing script.
Next, we'll create a CloudFormation template. This assumes this "template.yaml" file is in the root directory of our project, and we have both "app.py" and "requirements.txt" in the "python/" folder.
After saving all three files, run:
Simply run:
If you run into this unhelpful error message, it means you need to request a quota of >100 concurrent executions in your AWS account.
In terms of costs, data and duration should be minimal, as we're running our Lambda in the same region as Corellium. Here's my current AWS bill:
Does it work?! Yep!
Thanks to Corellium's virtual iOS devices, creating these types of services is manageable whether you're a large tech giant or a bored person with free time on your weekend.