iOS Reverse Engineering Tactics and Techniques in Practice
Understanding reverse engineering is a critical skill for security researchers, ethical hackers, and developer teams alike. Reverse engineering in mobile security testing involves decompiling and disassembling mobile applications to understand their underlying functionality, a process that is essential for identifying vulnerabilities and building scripts to exploit them.
To kick off the demonstration, Steven Smiley introduced the Corellium Cafe app, a fictitious coffee shop application that serves as a playground for ethical hackers. The app is full of vulnerabilities, including hardcoded values, bypassable root detection mechanisms, and areas to exploit via dynamic instrumentation, giving security researchers an opportunity to experiment with and practice testing. Steven demonstrated how to use tools like Hopper and Ghidra to identify secrets hardcoded in an iOS application. Follow along with our webinar series for more updates on how to get access to Corellium Cafe.
Breaking Down iOS Reverse Engineering: A Deep Dive with Robert Ferri
During the live demonstration, Robert Ferri went into common techniques that are used for jailbreak detection as well as common bypasses. Using the Corellium Cafe app as an example, Robert demonstrated tools and techniques he uses all the time when doing mobile penetration tests.
“My goal for this talk is to show you that you don't actually have to be like a reverse engineering wizard or be able to read assembly at a really high level to figure out what's going on in the app and to do some basic reverse engineering.” — Robert Ferri, Mobile Cybersecurity Professional
Robert specifically focused on R2Frida, including its use cases, how to download and set it up, and how to launch R2Frida on a jailbroken iOS device within Corellium. Radare2 (R2) and Frida are both essential tools for static and dynamic analysis. While R2 offers a comprehensive suite for disassembling, Frida is known for its dynamic instrumentation toolkit, allowing for real-time code injection and manipulation. The versatility of R2Frida makes it a must-have in a researcher's toolkit.
For those new to the world of reverse engineering, becoming familiar with the commands and their syntax in R2Frida can be daunting. Ferri walked through the syntax of R2 commands and explained how R2 files, described as configuration files, allow researchers to type out commands. When imported, these files automatically execute traces and hooks, streamlining the analysis process. Additionally, Ferri covered the following:
Live Device Analysis: Within Corellium, reverse engineering is done live on the device, allowing for real-time changes to values and instructions.
Jailbreak Detection: An app can use various methods to detect jailbreaks, including setting up a socket to listen on specific ports. Ferri showed that one way to bypass this is to start a server on a different port.
Tracing Functions: Ferri outlined how to set up a file to trace functions and replace values to bypass security checks. He also discussed how to filter out what's going on so you can stub your own trace.
Private APIs: Some APIs, like 'ptrace,' are private and not allowed by Apple's specifications. However, they can be used for process debugging.
The Future of iOS App Security
Wanting to learn more? Watch the full webinar, “Hunting for Vulnerabilities in iOS Apps.” Also, be sure to check out Corellium for mobile app penetration testing. You can spin up near-limitless combinations of devices and OS versions, no jailbreak required, and access Arm-native virtual devices to enable both static (SAST) and dynamic (DAST) app vulnerability discovery and exploitation testing.