Sandbox on iOS

In iOS development, each App's data lives in its own sandbox and apps cannot read each other's data. The exception is the App Group mechanism introduced in iOS 8, which lets apps from the same Team share information.

Structure of sandbox

Documents

It is generally used to store persistent data, such as conversation records. iTunes backs this directory up, which is why you can find tutorials on backing up Line chats (such as the db_fruits.sqlite3 shown above).

Library

Contains the Caches and Preferences folders.

  • Caches is generally used for cache files such as images. Files in this directory are not deleted when the App exits, but they are not backed up by iTunes either.
  • Preferences holds iOS-related settings. It is usually not written directly; values go through UserDefaults, which stores them in this folder. iTunes backs up this directory (for example the ios.devdon.com.LabReverse.plist shown in the figure above).

tmp

Temporary folder; its contents are cleared when the App is restarted.

Apple's official documentation describes the sandbox layout in more detail.
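As an added example (not code from the original post), the snippet below resolves the three sandbox directories described above and shows the two settings a developer controls for a file in Documents: the data-protection class it is stored under and whether it is copied into iTunes/iCloud backups. It targets iOS; the file name and contents are constructed sample data.

```swift
import Foundation

/// Added example: sandbox directories plus at-rest protection and backup exclusion
/// for a file placed in Documents (the directory iTunes backs up by default).
enum SandboxLayout {
    static let fm = FileManager.default

    /// Documents: persistent, backed up by iTunes unless explicitly excluded.
    static var documents: URL { fm.urls(for: .documentDirectory, in: .userDomainMask)[0] }
    /// Library/Caches: purgeable by the system, never backed up.
    static var caches: URL { fm.urls(for: .cachesDirectory, in: .userDomainMask)[0] }
    /// tmp: may be emptied by the system while the App is not running.
    static var tmp: URL { fm.temporaryDirectory }

    /// Writes `data` into Documents with NSFileProtectionComplete (readable only while
    /// the device is unlocked) and flags the file so backups do not include it.
    static func writeProtected(_ data: Data, name: String) throws -> URL {
        var url = documents.appendingPathComponent(name)
        try data.write(to: url, options: [.atomic, .completeFileProtection])

        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        try url.setResourceValues(&values)   // needs `var url`: this call mutates the URL
        return url
    }

    /// Reads back the protection class and backup flag so the settings can be verified.
    static func describe(_ url: URL) throws -> String {
        let attrs = try fm.attributesOfItem(atPath: url.path)
        let protection = attrs[.protectionKey] as? String ?? "none"
        let excluded = try url.resourceValues(forKeys: [.isExcludedFromBackupKey]).isExcludedFromBackup ?? false
        return "\(url.lastPathComponent): protection=\(protection) excludedFromBackup=\(excluded)"
    }
}

// Usage with constructed sample data.
let sample = Data("session-token-example".utf8)
let file = try SandboxLayout.writeProtected(sample, name: "secrets.bin")
print(try SandboxLayout.describe(file))
```

Files in Caches and tmp need no backup flag because they are never backed up; the protection class, however, applies to any directory in the sandbox and is what limits what a tool reading the file system can recover from a locked device.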


Security issues & Tool introduction

Jailbreaking an Apple device, much like rooting an Android device, lets us see far more of what apps do.

Through jailbreaking or with the help of tools, you can see some interesting information, for example:

  • Cydia – the App Store of jailbroken devices.
  • OpenSSH – connect to the jailbroken device.
  • Cycript – dynamic analysis tool (watch UI changes in real time, read property values such as firebaseKey, etc.)
  • iFunBox – file transfer tool (direct access to device contents, such as an App's UserDefaults plist, SQLite database and cache files inside its sandbox)
  • Charles – see which APIs are called, with which parameters, and what content comes back.
  • KeychainDump – reads the Keychain (which is encrypted at rest), e.g. Wi-Fi account passwords.
  • class-dump – static analysis tool (once the App's binary has been decrypted, export the corresponding header files)

This time I'll cover some interesting tools, but I won't cover IDA and Hopper, since those are still under development.


Charles – Web Debugging Proxy

This tool makes it easy to view the HTTP/HTTPS traffic a device sends by acting as a man-in-the-middle proxy: the device is pointed at Charles, and for HTTPS the device must trust the proxy's own CA certificate for the content to be readable.

Download the Charles app (US$50; a trial version with limited use is also available).
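The defensive counterpart of the proxy setup above is certificate pinning. The following is an added example, not code from the original post: a URLSessionDelegate that performs the normal chain validation and then additionally requires the server's leaf certificate to match a pinned SHA-256 fingerprint, so a substituted certificate is rejected even when the proxy's CA has been installed on the device. The class name, the host and the PINNED_SHA256 placeholder are assumptions for this example.

```swift
import Foundation
import Security
import CommonCrypto

/// Added example: pins the SHA-256 fingerprint of the server's leaf certificate.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Placeholder: replace with the hex SHA-256 of your server's leaf certificate (DER).
    static let PINNED_SHA256 = "<hex sha-256 of your leaf certificate DER>"

    /// Hex SHA-256 over a certificate's DER encoding.
    static func fingerprint(of cert: SecCertificate) -> String {
        let der = SecCertificateCopyData(cert) as Data
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        der.withUnsafeBytes { _ = CC_SHA256($0.baseAddress, CC_LONG(der.count), &digest) }
        return digest.map { String(format: "%02x", $0) }.joined()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Standard validation first: expiry, hostname, chain to a trusted root.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Then require the leaf certificate to be the one we pinned. A proxy's
        //    CA may pass step 1 if the user installed it, but it cannot pass this.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              Self.fingerprint(of: leaf) == Self.PINNED_SHA256 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage: every request on this session passes through the pin check.
let session = URLSession(configuration: .ephemeral, delegate: PinnedSessionDelegate(), delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/health")!) { _, response, error in
    print(error.map { "rejected: \($0)" } ?? "ok: \((response as? HTTPURLResponse)?.statusCode ?? 0)")
}
task.resume()
```

Pinning the leaf certificate is the simplest variant; it must be updated whenever the certificate is renewed, so production apps usually pin the public key or an intermediate CA instead and ship a backup pin.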


iFunBox

A tool for accessing device content (download the iFunBox app).

On a jailbroken device it can even read the sandbox and other data. For example, we first get the path of the App's data container:

    print(NSHomeDirectory())
    // /var/mobile/Containers/Data/Application/9BB71CC9-47B6-8766-FCDB-FF74F6CF9A95

For example, we can see the plist file in Library/Preferences.

UserDefaults reads and writes that same plist file, so it is not appropriate to use UserDefaults for important information (such as user accounts and passwords).

    UserStore.shared.userDefault.set("Don", forKey: "Name")
    UserStore.shared.userDefault.set("Taiwan", forKey: "From")
    UserStore.shared.userDefault.set("Developer", forKey: "Job")

The database in Documents can also be obtained, such as db_fruits.sqlite3 created with SQLite.

Once copied to a computer, its contents can be read with tools such as SQLite Database Browser, so important information should also be encrypted when it is stored in the local database.
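As an added example (not code from the original post), here is the replacement for the UserDefaults calls above when the value is a secret: a small Keychain wrapper built on SecItemAdd/SecItemCopyMatching. Items are created with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, so they are decryptable only while the device is unlocked and are not migrated to another device through a backup. The SecretStore type, the service name and the sample secret are assumptions for this example.

```swift
import Foundation
import Security

/// Added example: Keychain storage for values that must not live in a plist.
struct SecretStore {
    let service = "com.example.app.secrets"   // placeholder service name

    private func baseQuery(for account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Stores or replaces a secret. Returns the OSStatus so callers can log failures.
    @discardableResult
    func set(_ value: String, forKey account: String) -> OSStatus {
        let data = Data(value.utf8)
        var add = baseQuery(for: account)
        add[kSecValueData as String] = data
        // Decryptable only while unlocked; never restored onto a different device.
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(add as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // Item already exists: update the value and re-assert the accessibility class.
            let update: [String: Any] = [
                kSecValueData as String: data,
                kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly]
            return SecItemUpdate(baseQuery(for: account) as CFDictionary, update as CFDictionary)
        }
        return status
    }

    /// Reads a secret back, or nil if it is absent or the device is locked.
    func get(_ account: String) -> String? {
        var query = baseQuery(for: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    func remove(_ account: String) -> OSStatus {
        SecItemDelete(baseQuery(for: account) as CFDictionary)
    }
}

// Usage: non-sensitive values such as "Name" can stay in UserDefaults;
// the credential goes to the Keychain (constructed sample secret).
let store = SecretStore()
store.set("s3cr3t-example", forKey: "Password")
print(store.get("Password") ?? "<missing>")
```

The same rule applies to the SQLite database: either encrypt the sensitive columns with a key held in the Keychain, or at least store the file with complete data protection, so that copying the file out of the sandbox does not hand over its contents.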


Cydia

After jailbreaking an Apple device, you can install Cydia, an open app market, and download further apps by adding different sources (repositories).


OpenSSH

After jailbreaking the device, OpenSSH can be installed from Cydia, after which we can connect to the jailbroken device from a MacBook or another computer.

Assuming the device's IP is 192.168.0.1, we can connect with ssh root@192.168.0.1 (the default account/password on a freshly jailbroken device is root/alpine).


Cycript

Cycript is a JavaScript interpreter that understands Objective-C syntax, so a single command can use Objective-C, JavaScript, or both. It can attach to running processes and modify many things in the application at run time.

Cycript is a runtime tool created by Saurik that mixes Objective-C with JavaScript syntax. Because it can hook into a process, you can send commands to your App over SSH and see the changes in real time.

Display all processes:

    ps -e

Find the process ID of a specific application; say we're looking for SpringBoard:

    ps -e | grep SpringBoard

You can see SpringBoard in process 3190.

Inject into the process:

    cycript -p 3190

Let's display an AlertView (Objective-C syntax, no semicolon at the end):

    alertView = [[UIAlertView alloc] initWithTitle:@"Message" message:@"from Don" delegate:nil cancelButtonTitle:@"Got it" otherButtonTitles:nil]

The object can then be referenced by its address with the # prefix (e.g. #0x16e6C400) or by the variable name alertView.

    [#0x1656d570 show];
    // or
    [alertView show];

You can also use choose() to obtain the live instances of a class:

    choose(UIAlertViewController)

Read a property directly, such as firebaseAPIKey:

    homeVC = choose(UIViewController)[0]
    [homeVC.firebaseAPIKey]

List the view hierarchy:

    UIApp.keyWindow.recursiveDescription().toString()

Change the color of a button on the fly:

    var button = new Instance(0x16d39fb0)
    button.backgroundColor = [UIColor greenColor]

More commands can be found in the Cycript manual (Ctrl + D exits Cycript).


Dumpdecrypted

Dumpdecrypted can be downloaded from GitHub and compiled with make in Terminal; the result is a .dylib file.


Clutch

If you export the IPA package of an App Store app directly from your iOS device, you'll find that its contents are encrypted: FairPlay DRM protects all apps on the App Store.

Clutch is open source on GitHub and can be downloaded as a release.

Once downloaded, use a tool like iFunBox to place Clutch in /usr/bin, and make sure it is executable:

    chmod +x /usr/bin/Clutch

Then typing Clutch shows all the available commands, and Clutch -i lists the apps installed on the device.

Now that we have the Bundle ID, we can start decrypting the binary ("cracking the shell"):

    Clutch -b com.devdon.HealthNumbers

As you can see here, HealthNumbers uses Alamofire and SwiftyJSON.

Clutch places the decrypted binary under /var/tmp/clutch…


class-dump

class-dump is a command-line tool that dumps the headers of a decrypted iOS binary (for example one decrypted with Clutch, as above).

However, class-dump relies on the Objective-C runtime metadata, so if an App is written entirely in Swift it may not be able to dump the content.

It lets you see the headers of closed-source applications, frameworks and bundles, and so how they are designed internally.

    class-dump -S -s -H HealthNumbers -o dumpHeaders


Keychain dumper

Have you seen the "remember password" function in Apps? As shown above, account passwords kept in UserDefaults are easy to find.

Another place such data may be kept is the Keychain, but after jailbreaking it can also be read with keychain_dumper. keychain_dumper is available on GitHub.

On iOS devices the Keychain is located at:

    /private/var/Keychains/

keychain-2.db is our target, but everything inside is encrypted.

Make keychain-2.db readable first:

    chmod +r keychain-2.db

Then use iFunBox or another method to copy the keychain_dumper binary onto the device, e.g. into /private/var/Keychains/, enter that folder and run:

    keychain_dumper
    // to write the output to a file instead:
    keychain_dumper > keychain-export.txt
    // keychain_dumper -h shows more options

We then see a lot of things stored via the Keychain, such as our Wi-Fi account and password:
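What decides how much of the Keychain a dump like this exposes is each item's accessibility class, not the database encryption as such: items stored as kSecAttrAccessibleAlways are protected by a key available even while the device is locked, while WhenUnlocked and WhenPasscodeSet items need the user's passcode. As an added example (not code from the original post), the following audit enumerates the generic-password items visible to the app and flags those with a weak class. It reads attributes only, never the secret values; the KeychainAudit type and the choice of which classes count as weak are assumptions for this example.

```swift
import Foundation
import Security

/// Added example: reports the accessibility class of this app's Keychain items.
struct KeychainAudit {
    /// Classes treated as too weak for secrets in this example: no passcode binding.
    static let weakClasses: Set<String> = [
        kSecAttrAccessibleAlways as String,                // deprecated since iOS 12
        kSecAttrAccessibleAlwaysThisDeviceOnly as String,
    ]

    struct Finding {
        let service: String
        let account: String
        let accessible: String
        let weak: Bool
    }

    /// Returns one Finding per generic-password item the app can see.
    static func run() -> [Finding] {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecReturnAttributes as String: true,      // attributes only, no kSecReturnData
            kSecMatchLimit as String: kSecMatchLimitAll]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let items = result as? [[String: Any]] else { return [] }
        return items.map { item in
            let accessible = item[kSecAttrAccessible as String] as? String ?? "unknown"
            return Finding(service: item[kSecAttrService as String] as? String ?? "",
                           account: item[kSecAttrAccount as String] as? String ?? "",
                           accessible: accessible,
                           weak: weakClasses.contains(accessible))
        }
    }
}

// Usage: run once in a debug build and fix any item reported as WEAK.
for f in KeychainAudit.run() {
    print("\(f.weak ? "WEAK" : "ok  ") \(f.service)/\(f.account) -> \(f.accessible)")
}
```

The values printed for `accessible` are the short raw codes the Security framework uses (for example "dk" for Always and "ak" for WhenUnlocked); comparing against the kSec constants, as above, avoids hard-coding them.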


Recommended reading

  • Cycript Tricks
  • The iOS security wiki
  • iOS Security – Make iOS apps more secure