preface

Enterprise-class apps usually go through one extra step before they are delivered to customers (especially state-owned enterprises): a security assessment. So, apart from the paid third-party reinforcement schemes, what can we do on our own? Below I pick a few high-risk findings from our iOS app security risk assessment report.

The risk of malicious program debugging

Risk description

Attackers can use debuggers such as GDB, IDA or ptrace to trace the running program, view and modify the code and data in memory, and even analyse or tamper with the application's business logic and key data to mount malicious attacks against the client or server, for example by modifying the data of a client business operation such as the transfer account or amount, leading to losses for users.

Repair advice

[Developer fix] Integrate an anti-debugging protection function at the native layer to prevent the application from being debugged by Xcode, IDA and other tools, thus protecting business security.

Repair operation

Anti-debugging

#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#import <dlfcn.h>
#import <sys/types.h>

// ptrace() is not declared in the public iOS SDK headers, so the symbol is
// resolved at runtime with dlsym() instead of being called directly.
typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
#if !defined(PT_DENY_ATTACH)
#define PT_DENY_ATTACH 31   // request code from <sys/ptrace.h>
#endif

// Ask the kernel to refuse any debugger attaching to this process
// (a process that already has a tracer attached is terminated).
// This is one layer only: on a jailbroken device the call can be patched out.
void disable_gdb(void) {
    void *handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
    ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(handle, "ptrace");
    if (ptrace_ptr != NULL) {
        ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
    }
    dlclose(handle);
}

int main(int argc, char *argv[]) {
    disable_gdb();   // call as early as possible, before any application code runs
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

Risk of malicious program code injection

Risk description

Some sensitive data is generated in memory while the application runs, such as keys, locally decrypted data and decrypted communication data. Attackers can use tools such as Frida to inject code into the key functions of the program and obtain the plaintext data, or attack the server directly by breaking the business logic.

Repair advice

[Developer fix] Integrate an anti-injection/anti-hook protection function so that the application cannot be injected into or hooked.

Repair operation

fishhook

#import "AppDelegate.h"
#import "fishhook.h"
#import <objc/runtime.h>

// HTLog is the project's own logging macro; fall back to NSLog if it is not defined.
#ifndef HTLog
#define HTLog NSLog
#endif

@implementation AppDelegate

#pragma mark - anti-hook

// Pointer to the original method_exchangeImplementations, filled in by fishhook.
static void (*exchangeP)(Method _Nonnull m1, Method _Nonnull m2);

// Replacement for method_exchangeImplementations. Every swizzle that goes through
// the rebound symbol lands here; a swizzle whose selector is not on the whitelist
// of swizzles the project itself performs is treated as injected code.
// Note: swizzles done in +load methods that run before this +load are not intercepted.
void myExchange(Method _Nonnull m1, Method _Nonnull m2) {
    SEL oriMethodName2 = method_getName(m2);
    // First find all the method_exchangeImplementations calls currently in the project
    // (including third-party libraries such as AFNetworking, SDAutoLayout, MJRefresh and
    // UITableView+FDTemplateLayoutCell) and list their selectors here. A swizzle of any
    // method that is not on this list is unsafe.
    NSString *newMethod = NSStringFromSelector(oriMethodName2);
    NSArray *wzArr = @[ @"af_resume", @"af_suspend", @"sd_setText:", @"sd_layoutSubviews",
                        @"sd_button_layoutSubviews", @"sd_reloadData",
                        @"sd_reloadRowsAtIndexPaths:withRowAnimation:",
                        @"sd_deleteRowsAtIndexPaths:withRowAnimation:",
                        @"mj_reloadData", @"fd_reloadData",
                        @"fd_insertSections:withRowAnimation:",
                        @"fd_deleteSections:withRowAnimation:",
                        @"fd_reloadSections:withRowAnimation:",
                        @"fd_moveSection:toSection:",
                        @"fd_insertRowsAtIndexPaths:withRowAnimation:",
                        @"fd_deleteRowsAtIndexPaths:withRowAnimation:",
                        @"fd_reloadRowsAtIndexPaths:withRowAnimation:",
                        @"fd_moveRowAtIndexPath:toIndexPath:" ];
    if (![wzArr containsObject:newMethod]) {
        HTLog(@"malicious code HOOK:%@", newMethod);
        exit(0);
    }
    // Legitimate swizzle: forward to the real method_exchangeImplementations,
    // otherwise the whitelisted libraries silently stop working.
    exchangeP(m1, m2);
}

+ (void)load {
    /** Replace method_exchangeImplementations with our own implementation via fishhook. */
    struct rebinding bd;
    bd.name = "method_exchangeImplementations";
    bd.replacement = myExchange;
    bd.replaced = (void **)&exchangeP;
    struct rebinding rebs[1] = {bd};
    rebind_symbols(rebs, 1);
}

@end
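The weak point of the whitelist above is that it is hand-maintained: any legitimate swizzle that is missing from wzArr makes the app exit at startup. The shell script below is an added example, not code from the original post or from fishhook; it builds the whitelist from the project's own sources so the list can be regenerated as dependencies change. It assumes the sources are .m/.mm files and that each swizzle site names its selectors with @selector(...) in the same file that calls method_exchangeImplementations; it is a heuristic text scan, not an Objective-C parser, and it lists both selectors of each pair because the check in myExchange only sees whichever method the caller passed second. The sample project it writes (make_sample_project) is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the post): derive the swizzle whitelist for myExchange()
# from the project's sources instead of maintaining it by hand.
# Assumption: swizzle sites use @selector(...) in the same .m/.mm file that calls
# method_exchangeImplementations. Heuristic text scan, not a parser.

# Print every selector named via @selector(...) in files that call
# method_exchangeImplementations, one per line, sorted and deduplicated.
swizzled_selectors() {
    local src_dir="$1" f
    grep -rl --include='*.m' --include='*.mm' 'method_exchangeImplementations' "$src_dir" \
      | while IFS= read -r f; do
            grep -ho '@selector([^)]*)' "$f" || true   # a file may have no @selector
        done \
      | sed -e 's/@selector(//' -e 's/)$//' -e 's/[[:space:]]//g' \
      | LC_ALL=C sort -u
}

# Render the selector list as an Objective-C array literal, ready to paste into wzArr.
whitelist_literal() {
    local list
    list="$(swizzled_selectors "$1" | sed 's/.*/@"&"/' | paste -s -d, - | sed 's/,/, /g')"
    printf '@[%s]\n' "$list"
}

# Constructed sample project (two source files) so the functions can be tried offline.
# Prints the directory it created.
make_sample_project() {
    local dir
    dir="$(mktemp -d)"
    cat > "$dir/NSURLSessionTask+Swizzle.m" <<'EOF'
#import <objc/runtime.h>
@implementation NSURLSessionTask (Swizzle)
+ (void)load {
    Method orig = class_getInstanceMethod(self, @selector(resume));
    Method swz  = class_getInstanceMethod(self, @selector( af_resume ));
    method_exchangeImplementations(orig, swz);
}
@end
EOF
    cat > "$dir/ViewController.m" <<'EOF'
// No swizzling here: this @selector must not end up on the whitelist.
- (void)viewDidLoad { [self performSelector:@selector(refresh)]; }
EOF
    printf '%s\n' "$dir"
}

# Usage: whitelist_literal "$(make_sample_project)"
# prints: @[@"af_resume", @"resume"]
```

Run whitelist_literal against the real source tree (including the Pods directory) and paste the result into wzArr; rerun it whenever a dependency is upgraded, since a new swizzle in a library would otherwise trip the exit(0) path.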

Lack of code encryption protection

Risk description

When the core code of an iOS application is compiled, Mach-O files are produced. Attackers can easily decompile an unprotected Mach-O file with reverse-engineering tools such as IDA Pro and produce C-like pseudocode close to the source, so the business logic and core technology are exposed directly. This can lead to leakage of core technology and private data, malicious tampering with business logic, and other hazards.

Repair advice

[Developer fix] It is recommended to use virtualization or obfuscation protection technology for important C/C++/Objective-C/Swift code and to apply strong encryption to key functions.

Repair operation

Code obfuscation with #define

1. Open a terminal, cd to your project root directory, and create the confusion.sh and func.list files

2. Add files to your project

3. Add Run Script

4. Set the relative path of the script to $PROJECT_DIR/confusion.sh

5. Write the script file (copy the following into confusion.sh)

#!/usr/bin/env bash
TABLENAME=symbols
SYMBOL_DB_FILE="symbols"
STRING_SYMBOL_FILE="func.list"
HEAD_FILE="$PROJECT_DIR/$PROJECT_NAME/codeObfuscation.h"
export LC_CTYPE=C

# The original -> obfuscated name mapping is kept in a small sqlite table
createTable() {
    echo "create table $TABLENAME(src text, des text);" | sqlite3 "$SYMBOL_DB_FILE"
}
insertValue() {
    echo "insert into $TABLENAME values('$1' ,'$2');" | sqlite3 "$SYMBOL_DB_FILE"
}
query() {
    echo "select * from $TABLENAME where src='$1';" | sqlite3 "$SYMBOL_DB_FILE"
}
# 16 random letters, used as the replacement identifier
randomString() {
    openssl rand -base64 64 | tr -cd 'a-zA-Z' | head -c 16
}

rm -f "$SYMBOL_DB_FILE"
rm -f "$HEAD_FILE"
createTable
touch "$HEAD_FILE"
echo '#ifndef Demo_codeObfuscation_h' >> "$HEAD_FILE"
echo '#define Demo_codeObfuscation_h' >> "$HEAD_FILE"
echo "//confuse string at `date`" >> "$HEAD_FILE"
# One symbol per line in func.list; each gets a #define to its random name
cat "$STRING_SYMBOL_FILE" | while read -r line; do
    if [[ ! -z "$line" ]]; then
        random=`randomString`
        echo $line $random
        insertValue $line $random
        echo "#define $line $random" >> "$HEAD_FILE"
    fi
done
echo "#endif" >> "$HEAD_FILE"
sqlite3 "$SYMBOL_DB_FILE" .dump

6. Set the script permissions: cd to the project and run chmod 755 confusion.sh

7. After running the project, a codeObfuscation.h file is generated automatically; drag it into the project directory

8. Add the method names and property names to be obfuscated to func.list. When the project is run, random method names are generated automatically in codeObfuscation.h

9. Precautions

1. Set the permission before importing codeObfuscation.h
2. Make sure func.list is in the same folder as confusion.sh
3. Do not include spaces in the directory path
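The script in step 5 trusts func.list completely: a stray space or punctuation character in a line produces a broken #define, two random names can in principle collide, and there is no reverse mapping for reading crash reports once the symbols are renamed. The following is an added example, not the post's own confusion.sh: a stand-alone rewrite of the same #define idea that adds those checks. It assumes one identifier per line in func.list, that a '#' starts a comment, and that the caller wants a random-to-original mapping file for symbolication; it uses /dev/urandom instead of openssl so it runs without extra tools, and it does not write the sqlite table.

```bash
#!/usr/bin/env bash
# Added example, not the post's confusion.sh: generate codeObfuscation.h from func.list
# with input validation, collision-free random names and a reverse mapping file.
# Assumptions: one identifier per line, '#' starts a comment, mapping is wanted.

# 16 random ASCII letters; letters only, so the result is always a valid C identifier.
random_identifier() {
    LC_ALL=C tr -dc 'a-zA-Z' < /dev/urandom | head -c 16
    echo
}

# Usage: gen_obfuscation_header <func.list> <header.h> <mapping.txt>
# Writes "#define <original> <random>" for each listed identifier, refusing
# invalid identifiers, duplicate entries and colliding random names.
gen_obfuscation_header() {
    local list="$1" header="$2" mapping="$3"
    local line name used=" "
    : > "$header"
    : > "$mapping"
    {
        echo '#ifndef Demo_codeObfuscation_h'
        echo '#define Demo_codeObfuscation_h'
        echo "// generated $(date -u +%Y-%m-%dT%H:%M:%SZ) from $list"
    } >> "$header"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                  # strip trailing comments
        line="$(printf '%s' "$line" | tr -d '[:space:]')"  # strip all whitespace
        [ -n "$line" ] || continue                          # skip blank/comment-only lines
        case "$line" in
            [A-Za-z_]*) ;;
            *) echo "error: '$line' is not a valid identifier" >&2; return 1 ;;
        esac
        case "$line" in
            *[!A-Za-z0-9_]*) echo "error: '$line' is not a valid identifier" >&2; return 1 ;;
        esac
        case "$used" in
            *" $line "*) echo "error: '$line' listed twice" >&2; return 1 ;;
        esac
        # draw again if the random name is already taken (unlikely, but cheap to rule out)
        while :; do
            name="$(random_identifier)"
            case "$used" in *" $name "*) continue ;; esac
            break
        done
        used="$used$line $name "
        printf '#define %s %s\n' "$line" "$name" >> "$header"
        printf '%s %s\n' "$name" "$line" >> "$mapping"    # random -> original, for symbolication
    done < "$list"
    echo '#endif' >> "$header"
}

# Count the #define lines emitted for listed identifiers (the include guard is excluded).
count_obfuscated() {
    grep -c '^#define [A-Za-z_][A-Za-z0-9_]* [A-Za-z]\{16\}$' "$1"
}

# Usage (constructed input):
#   printf 'transferMoney\nsignRequest\n' > func.list
#   gen_obfuscation_header func.list codeObfuscation.h mapping.txt
```

Keep mapping.txt out of the app bundle and out of version control alongside the shipped build: it is exactly the table an analyst would need to undo the renaming, but it is also what you need to make sense of a symbolicated crash log from that build.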

The end.