Sandbox on iOS
In iOS development, each app's data lives in its own sandbox, and apps cannot access each other's data. The exception is the App Group mechanism introduced in iOS 8, which lets apps from the same Team share information.
Structure of the sandbox
Documents
Generally used to store persistent data, such as conversation records. iTunes backs this directory up, which is why you can find instructional articles on how to back up LINE chats (such as db_fruits.sqlite3 in the figure above).
Library
Holds the Caches and Preferences folders.
- Caches is generally used to store cache files, such as images. Files in this directory are not deleted when the app exits, but they are not backed up by iTunes either.
- Preferences stores iOS-related settings. It is usually not written directly as files but through UserDefaults, and iTunes backs up the contents of this directory (such as ios.devdon.com.LabReverse.plist under Preferences in the figure above).
tmp
Temporary folder that will be cleared when the app is restarted.
Here is the official sandbox description file.
Security issues & Tool introduction
We can see much more about apps by jailbreaking an Apple device, similar in concept to getting root on an Android device.
Through jailbreaking and a few tools, you can see some interesting information, for example with:
- Cydia – the App Store of jailbroken devices.
- OpenSSH – connect to jailbroken devices.
- Cycript – dynamic analysis tool (see UI changes in real time, read property values such as firebaseAPIKey, etc.)
- iFunBox – file transfer tool (direct access to device contents, such as the UserDefaults plist file in the app sandbox, SQLite database files, cache files, etc.)
- Charles – see which APIs are called, with which parameters, and what content is returned.
- KeychainDump – reads the contents of the Keychain (which is stored encrypted), such as Wi-Fi account passwords.
- class-dump – static analysis tool (after the app's shell is cracked, i.e. the binary is decrypted, you can export the corresponding header files)
This time I'll cover some interesting tools, but not IDA and Hopper, which are still under development.
Charles – Web Debugging Proxy
This tool makes it easy to view the packets a device sends over HTTP/HTTPS by acting as a man-in-the-middle proxy.
Download the Charles app – US$50; a trial version with limited use is also available.
iFunBox
A tool to access device content (download the iFunBox app).
When the device is jailbroken, it can even read the sandbox and other data. For example, we first get the address of the App file:
print(NSHomeDirectory()) // got /var/mobile/Containers/Data/Application/9BB71CC9-47B6-8766-FCDB-FF74F6CF9A95
For example, we can see the plist file in Library/Preferences.
UserDefaults reads and writes this same plist file, so it is not appropriate to use UserDefaults to store important information (such as user accounts and passwords).
UserStore.shared.userDefault.set("Don", forKey: "Name")
UserStore.shared.userDefault.set("Taiwan", forKey: "From")
UserStore.shared.userDefault.set("job", forKey: "Developer")
Likewise, the database in /Documents can also be retrieved, such as db_fruits.sqlite3 created with SQLite.
Once copied to a computer, its contents can be read with tools such as DB Browser for SQLite, so important information should also be encrypted before it is stored in the local database.
Cydia
After jailbreaking an Apple device, you can install open-market apps like Cydia and download packages by adding different markets (sources).
OpenSSH
After jailbreaking the device, OpenSSH can be installed through Cydia, and then we can talk to the jailbroken device from a MacBook or another computer.
Assuming our device IP is 192.168.0.1, we can connect via ssh root@192.168.0.1 (the default account and password on a freshly jailbroken device are root/alpine).
Cycript
Cycript is a JavaScript interpreter that understands Objective-C syntax, which means you can use Objective-C or JavaScript, or both, in a single command. It has the ability to hook into running processes and modify many things in the application at run time.
Cycript is a runtime tool created by Saurik that mixes Objective-C with JavaScript syntax. It can hook into processes, so you can send commands to your app over SSH and see the changes in real time.
Display all processes:
ps -e
Find the process ID of a specific application
Say we are looking for the SpringBoard process ID:
ps -e | grep SpringBoard
You can see SpringBoard in process 3190.
Inject into the process
cycript -p 3190
Let's display an AlertView (Objective-C syntax, no semicolon at the end):
alertView = [[UIAlertView alloc] initWithTitle:@"Message" message:@"from Don" delegate:nil cancelButtonTitle:@"Got it" otherButtonTitles:nil]
The object can then be referenced by its address with the # prefix (such as #0x16e6C400, as printed by Cycript) or by the variable name alertView.
[#0x1656d570 show];
// or
[alertView show];
You can also use the choose function to obtain instances of a class:
choose(UIAlertViewController)
Read a property directly
For example firebaseAPIKey:
homeVC = choose(UIViewController)[0]
[homeVC.firebaseAPIKey]
List the view hierarchy
UIApp.keyWindow.recursiveDescription().toString()
To change the color of a button on the fly:
var button = new Instance(0x16d39fb0)
button.backgroundColor = [UIColor greenColor]
More instructions can be found in the Cycript manual (Ctrl + D exits Cycript).
Dumpdecrypted
dumpdecrypted can be downloaded from GitHub and compiled with make in Terminal.
This produces a .dylib file.
Clutch
If you export the IPA package of an app from the App Store directly from your iOS device, you'll find that its content is encrypted.
FairPlay DRM protects all apps on the App Store.
Clutch is open source on GitHub and can be downloaded as a release.
Once downloaded, you can use a tool like iFunBox to place Clutch in /usr/bin. Make sure Clutch is executable:
chmod +x /usr/bin/Clutch
Then we can type Clutch to see all the available commands, and clutch -i lists the apps installed on the device.
Now that we have the Bundle ID, we can start cracking the shell (decrypting the binary):
Clutch -b com.devdon.HealthNumbers
As you can see here, Alamofire and SwiftyJSON are used in HealthNumbers.
Clutch puts the decrypted binary in /var/tmp/clutch…
class-dump
class-dump is a command-line tool that dumps the headers of iOS binaries after they have been cracked (decrypted, for example with Clutch as above).
However, class-dump relies on the Objective-C runtime metadata, so if an app is written entirely in Swift it may not be able to dump the content.
You can see the headers of closed-source applications, frameworks, and bundles to learn how they are designed internally.
class-dump -S -s -H HealthNumbers -o dumpHeaders
Keychain dumper
Have you seen the "remember password" function in apps? As we saw above, account passwords stored through UserDefaults are easy to find.
Another possible place to store such data is the Keychain, but after jailbreaking it is also possible to read its contents with keychain_dumper. Here is the GitHub link for keychain_dumper.
On iOS devices, the Keychain is located here:
/private/var/Keychains/
Keychain-2.db is our target, but everything inside is encrypted.
Make keychain-2.db readable first:
chmod +r keychain-2.db
Then we can use iFunBox or another method to drop the keychain_dumper binary onto the Apple device, for example into /private/var/Keychains/, then enter that folder and run:
keychain_dumper
// To export the content to a file:
keychain_dumper > keychain-export.txt
// keychain_dumper -h shows more options
Then we’ll see a lot of things accessed via Keychain, such as our wifi account and password:
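To tie the three findings above together (UserDefaults plist is plaintext, the SQLite database is plaintext, and even the Keychain is readable on a jailbroken device), here is an added Swift example of the storage pattern a developer would use instead. It is not code from the original post or from any of the projects mentioned: the service name "com.example.labreverse", the account names and the record text are assumptions. The secret that the post wrote with UserDefaults goes into the Keychain, and a per-install AES-256 key kept in the Keychain is used to seal records with CryptoKit before they are written into a file such as db_fruits.sqlite3, so a copied database contains only ciphertext.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not from the original post. Service and account names are assumptions.

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case itemNotFound
}

/// Minimal generic-password wrapper around SecItem* that replaces UserDefaults for secrets.
struct KeychainStore {
    let service: String   // assumed identifier, e.g. the app's bundle id

    private func baseQuery(for account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Store a secret. WhenUnlockedThisDeviceOnly keeps the item out of iTunes/iCloud backups
    /// and out of other devices, but it does NOT stop keychain_dumper on an unlocked, jailbroken device.
    func set(_ secret: Data, for account: String) throws {
        var query = baseQuery(for: account)
        _ = SecItemDelete(query as CFDictionary)   // replace any existing item
        query[kSecValueData as String] = secret
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func get(_ account: String) throws -> Data {
        var query = baseQuery(for: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { throw KeychainError.itemNotFound }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return data
    }
}

/// Per-install AES-256 key for the local database, created on first use and kept in the
/// Keychain rather than in a plist or next to the .sqlite3 file.
func databaseKey(store: KeychainStore) throws -> SymmetricKey {
    do {
        let raw = try store.get("db-key")
        return SymmetricKey(data: raw)
    } catch KeychainError.itemNotFound {
        let key = SymmetricKey(size: .bits256)
        let raw = key.withUnsafeBytes { Data($0) }
        try store.set(raw, for: "db-key")
        return key
    }
}

/// Seal one record with AES-GCM; the returned bytes (nonce + ciphertext + tag) are what
/// gets written into the database column.
func sealRecord(_ plaintext: String, with key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.seal(Data(plaintext.utf8), using: key)
    guard let combined = box.combined else { throw CryptoKitError.incorrectParameterSize }
    return combined
}

/// Open a record read back from the database; tampering or a wrong key throws.
func openRecord(_ blob: Data, with key: SymmetricKey) throws -> String {
    let box = try AES.GCM.SealedBox(combined: blob)
    let plain = try AES.GCM.open(box, using: key)
    return String(decoding: plain, as: UTF8.self)
}

// Usage: the UserDefaults writes from the post become Keychain writes, and the conversation
// text reaches db_fruits.sqlite3 only in sealed form. All values below are constructed.
let store = KeychainStore(service: "com.example.labreverse")
try store.set(Data("Don".utf8), for: "account-name")
let dbKey = try databaseKey(store: store)
let sealed = try sealRecord("chat line to persist in db_fruits.sqlite3", with: dbKey)
let restored = try openRecord(sealed, with: dbKey)
precondition(restored == "chat line to persist in db_fruits.sqlite3")
```

The design choice worth noting is the split of responsibilities: the Keychain holds only small secrets (the account name, the database key), while bulk data is encrypted by the app itself, so an attacker who copies the Documents folder with iFunBox gets ciphertext and still has to get the key out of the Keychain. On a jailbroken device that second step is exactly what keychain_dumper does, so for truly sensitive data the remaining mitigations are to not persist it locally at all, or to derive the key from something the user supplies at unlock time rather than from a stored item.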
Recommended reading
- Cycript Tricks
- The iOS security wiki
- iOS Security – Make iOS apps more secure