• Two days ago the company received an application security assessment report; the iOS app scored 60 out of 100. The report was quite detailed, listing the risk level, the harm and the suggested fix for each finding. I looked into two of those findings: code obfuscation and the dynamic debugging attack risk.

Code obfuscation

I. Harm

  • There is currently no effective means of protecting the Objective-C and C/C++ code used in iOS development. Apple's platform gives an app no stronger protection than Android, and an iOS app cannot be protected against decompilation and tampering by the conventional after-the-fact hardening ("secondary reinforcement", i.e. packing) that is common on Android. Security vulnerabilities, hidden weaknesses in the code and even defects in the business logic introduced while writing the app are therefore easily exposed by analysis, which leaks the program's business logic and defeats its encryption/decryption and communication-encryption schemes. An attacker can use that information to steal sensitive client data such as accounts and passwords, bypass the server-side authentication flow and tamper with user account information directly, or attack server interfaces. iOS code obfuscation changes method names, variable names, class names, package names and other symbols in the Objective-C and C/C++ code into unrelated, meaningless names and, in its stronger forms, also obfuscates logic branches and flattens control flow, so that key logic is hidden and the difficulty, time and cost of cracking go up. Note that the macro-based renaming described on this page only changes names; it does not alter control flow, so an analyst still sees the same code structure, just with less readable symbols.

II. Suggested solution

  • The developer defines a PCH (precompiled header) for the project, #imports a generated header into it, and in that header defines macros that map each method name to an obfuscated name, so that the meaning of the code is no longer exposed through its symbol names; then a new release package is compiled. Because a #define replaces every token with that name in the compiled sources, names that are also referenced from outside the compiled code (IBAction/IBOutlet names wired up in a xib or storyboard, keys used with KVC/KVO, selectors built with NSSelectorFromString, classes looked up with NSClassFromString) or that collide with system selectors must be kept out of func.list, otherwise the renamed code no longer matches what the runtime or the framework expects.

III. Practical steps

1. cd to the project directory

2. touch confuse.sh and add the obfuscation script to it (script here)

3. touch func.list and add, one per line, the method names you want to obfuscate (or refer to the script in this article for global obfuscation)

4. Move the two files into your own project directory, for example: mv confuse.sh <project path>

5. Add a Run Script build phase in Xcode (Build Phases > New Run Script Phase) that runs confuse.sh, and drag it above Compile Sources so the header exists before the sources are compiled

6. Add #import "codeObfuscation.h" to the PCH file

7. Compile

8. If you need a demo, here's one I didn't write

IV. Many developers have already written up the procedure above; here I mainly describe the pits I fell into myself:

  • The deepest pit was the path problem. Reading Qian's blog I saw the mv command being used to move the files, whereas most other blogs record using Add Files… to move them into the project directory. After I used Add Files… an error appeared saying the path could not be found; I tried all sorts of relative and absolute paths with no result, and after switching to the mv command in the terminal everything went smoothly.

  • If the codeObfuscation.h file is not generated automatically, you can create it manually. But note that its #ifndef Demo_codeObfuscation_h / #define Demo_codeObfuscation_h guard must match the echo '#ifndef Demo_codeObfuscation_h line in the script.

  • The command chmod -R 777 XXX (capital -R for recursive) can be run from the terminal; XXX is the path, and it grants every user read, write and execute permission on all folders and files under that path. All the build actually needs is the execute bit on the script, so chmod +x confuse.sh is enough; 777 also makes the script world-writable, and a build-phase script that anyone on the machine can edit is an easy way for arbitrary code to end up in your build.

  • If codeObfuscation.h is not populated with obfuscation macros after you add methods to func.list, check the HEAD_FILE="$PROJECT_DIR/codeObfuscation.h" line in confuse.sh: $PROJECT_DIR is the Xcode build setting for the directory containing the .xcodeproj, so if the header lives in a subfolder the path has to include it.

V. Reverse-check that the code was obfuscated successfully

1. Download class-dump (download address)

2. Copy the class-dump binary from the DMG to /usr/local/bin/

3. Run class-dump in the terminal and check that it prints its version and usage correctly

4. Change the .ipa suffix to .zip and unzip it

5. Run class-dump -H Payload/appname.app -o <output directory> to write the dumped headers to that directory (-H writes one header per class; lowercase -h only prints the help). class-dump needs an unencrypted Mach-O: a build you archived or exported yourself is fine, but an .ipa downloaded from the App Store is FairPlay-encrypted and would have to be decrypted first.

6. At this point the obfuscation is basically done: open the dumped headers and check that the methods you listed in func.list now appear as meaningless strings of random characters rather than under their original names.
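As an added example, here is a script of my own (it is not the confuse.sh from the post or from Qian's blog) that covers both the header generation of section III and the class-dump check of section V: it turns func.list into codeObfuscation.h with the Demo_codeObfuscation_h guard the PCH expects, refusing entries that cannot be macro names and collapsing duplicates, and then reports any original method name that is still present in a directory of class-dump headers. The temp directory, the sample func.list and the sample dumped header are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: my own script, not the confuse.sh from the post or Qian's blog.
# Step 1 turns func.list into codeObfuscation.h (one #define per method name);
# step 2 checks class-dump output for names that survived. Everything runs in a
# temp dir on constructed input; in a real project point the paths at the
# func.list next to confuse.sh and at the directory class-dump -H -o wrote.
set -u

# 16 random ASCII letters: a valid identifier that says nothing about its role.
random_identifier() {
    LC_ALL=C tr -dc 'a-zA-Z' < /dev/urandom | head -c 16
}

# Fail (return 1) if func.list holds anything that cannot be a macro name. A bare
# selector like "login:" or a name with a space would produce a #define that
# breaks every file including the PCH, so refuse before writing the header.
validate_func_list() {
    bad=0
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in
            ''|'#'*) ;;                                  # blank line or comment
            [0-9]*|*[!A-Za-z0-9_]*) echo "invalid method name: $name" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Names from $1 with comments, blanks and duplicates removed. Duplicates matter:
# two #defines of one name with different random values are a macro
# redefinition, and which one wins depends on the order in the file.
clean_names() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | sort -u
}

# Write header $2 from func.list $1, wrapped in include guard $3.
generate_obfuscation_header() {
    validate_func_list "$1" || return 1
    {
        printf '#ifndef %s\n#define %s\n' "$3" "$3"
        clean_names "$1" | while IFS= read -r name; do
            printf '#define %s %s\n' "$name" "$(random_identifier)"
        done
        printf '#endif /* %s */\n' "$3"
    } > "$2"
}

# Print every func.list ($1) name still present as a whole word in the
# class-dump headers under $2. No output means the renaming took; a listed
# name usually means it was added to func.list after the last build, or the
# PCH that #imports codeObfuscation.h is not applied to that target.
leaked_names() {
    clean_names "$1" | while IFS= read -r name; do
        grep -rqw -- "$name" "$2" && echo "$name"
    done
}

# ---- demo on constructed input ------------------------------------------
WORK=$(mktemp -d)
HEADER="$WORK/codeObfuscation.h"

# Constructed func.list: three private methods, one of them listed twice.
printf '%s\n' '# methods to obfuscate' loginWithName setPasswordHash \
    buildAuthToken loginWithName > "$WORK/func.list"
generate_obfuscation_header "$WORK/func.list" "$HEADER" Demo_codeObfuscation_h

# Constructed class-dump output for a rebuilt app: two names replaced by random
# identifiers, buildAuthToken left as is (think: added to func.list after the
# build), so the leak check should report exactly that one name.
mkdir -p "$WORK/dump"
printf '%s\n' '@interface LoginViewController : UIViewController' \
    '- (void)qWerTyuIopAsDfGh:(id)arg1;' \
    '- (void)zXcVbNmAsDfGhJkL:(id)arg1;' \
    '- (id)buildAuthToken;' \
    '@end' > "$WORK/dump/LoginViewController.h"

# Number of method macros written (the include guard's #define has no value).
defines_written() { grep -c '^#define [^ ]* [^ ]' "$HEADER"; }

echo "macros written: $(defines_written)"
echo "names leaked:   $(leaked_names "$WORK/func.list" "$WORK/dump")"
```

In a Run Script phase you would call generate_obfuscation_header on the project's func.list with HEAD_FILE as the target and the guard name the PCH expects; after class-dump -H … -o <dir>, run leaked_names func.list <dir> and treat any output as a failed obfuscation step rather than shipping the build.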

Dynamic debugging attack risk

I. Harm

  • In an iOS app with no anti-debugging protection, an attacker can use GDB, IDA or other ptrace-based debuggers to trace the running program, inspect the memory of the running process, read the code and data being handled in memory, analyze and tamper with the application's business logic in real time, and even feed crafted data to the client or server for malicious purposes: for example, view the data of client business operations such as login name and password to steal user information, or analyze the program's runtime logic to dig out application vulnerabilities.

II. Suggested solution

  • Add the following code to main.m and call it at the start of main(), before UIApplicationMain, so that GDB and other ptrace-based debuggers cannot attach to the running process:

    #import <dlfcn.h>
    #import <sys/types.h>

    // ptrace is not declared in the public iOS SDK: declare its signature and the
    // PT_DENY_ATTACH request ourselves and resolve the symbol at runtime with dlsym.
    typedef int (*ptrace_ptr_t)(int request, pid_t pid, caddr_t addr, int data);
    #ifndef PT_DENY_ATTACH
    #define PT_DENY_ATTACH 31
    #endif

    void anti_gdb_debug(void) {
        void *handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
        ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(handle, "ptrace");
        // from here on the kernel refuses attach attempts; a process that is
        // already being traced when it makes this call exits
        ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
        dlclose(handle);
    }

    // in main(): call anti_gdb_debug() as the first statement

    Keep in mind that PT_DENY_ATTACH is a deterrent, not a guarantee: on a jailbroken device an attacker can hook ptrace or patch the call out of the binary, and the "ptrace" string passed to dlsym, together with a function name like anti_gdb_debug, is easy to spot with strings or class-dump. Obfuscate the function name like any other, and consider pairing the call with a runtime check of the process's P_TRACED flag (via sysctl) to notice a debugger that got attached anyway.

III. Practical solution

  • I had just read the article on Qian's blog about preventing GDB from attaching, and basically did the same thing. I have to say, an expert is an expert: the whole series of security attack-and-defense summaries is spot on. Respect.

The above are some of the problems I ran into in the project. I would be very happy if this helps you; if it does not, I suggest consulting more of the relevant documentation.

OVER