The GitHub project is chaitin/passionfruit

Background

While iOS has fewer attack surfaces and public exploits than Android, iOS apps still need security audits. Mobile security testing today is mostly scanner-based, supplemented by a portion of manual reverse engineering and dynamic analysis.

For iOS application attack-surface analysis, the author knows of or has used the following tools (leaving aside the debuggers and disassemblers used in reverse engineering):

  • Snoop-it (no longer maintained)
  • dmayer/idb: idb is a tool to simplify some common tasks for iOS pentesting and research
  • mwrlabs/needle: The iOS Security Testing Framework
  • sensepost/objection: 📱 Runtime Mobile Exploration
  • iSECPartners/Introspy-iOS: IntroSpy

In using them, the author ran into various problems: Needle requires too many dependency packages to be deployed on the device, idb is not compatible with iOS 10, Introspy is good but querying its log database is cumbersome... so the author ended up building yet another wheel.

The resulting audit tool provides the following functions:

  • Analyze whether the application has the necessary compiler protections enabled
  • Analyze file contents and permissions in the application sandbox
  • Analyze the frameworks and dynamic libraries used by the application
  • Analyze data stored by the application, such as UserDefaults, Binarycookies and the Keychain
  • Analyze clipboard usage
  • Dynamically intercept and analyze Objective-C runtime method calls
  • Dynamically intercept and analyze native-code calls, including their parameters and stack traces
  • Analyze the UIView hierarchy and view properties
  • Some hook-based modification features, such as device signature forgery, jailbreak-detection bypass and SSL-pinning bypass

The tool is still under development and may have bugs or missing features.

Design

For the implementation, the author chose the hooking framework Frida (frida.re), which is extremely powerful and needs little introduction here. It supports hooking and calling both native functions and the Objective-C runtime on iOS, and can meet the automation needs of a wide range of mobile security runtime analysis.

Passionfruit uses Frida to inject code into the target app to perform its functions. A Node.js server acts as a message proxy between the injected agent and the browser, and users carry out the usual app-testing tasks by visiting the web page.

Installation and use

For the latest releases and updates, visit the project's home page on GitHub, chaitin/passionfruit.

Passionfruit is built and installed with the following software:

  • THEOS, used to compile the dylib for the Tweak
  • Node.js, used to run the server. You can use Yarn or the default npm for package management, according to your preference
  • libimobiledevice

Installation steps

  1. Install the dependencies and configure the THEOS environment variables. libimobiledevice can be installed on macOS with brew
  2. Install Frida on your jailbroken iOS device
  3. Clone the code repository locally with Git
  4. Connect to the jailbroken device and set THEOS_DEVICE_IP and THEOS_DEVICE_PORT
  5. Before first use, build the front-end code and the Tweak by running npm run build in the repository root
  6. Run npm start to launch the server, then open localhost:31337 in a browser

Features and demos

Passionfruit has a web-based graphical interface, so you can even use it from a mobile device such as an iPad Pro (the server's listening address must be changed for this).

The fully graphical interface makes it easy to quickly locate the functions that need hooking. Because C functions carry no parameter type information at runtime, you have to set up function prototypes for those library functions manually; Objective-C methods, by contrast, can have their parameters and return values printed directly through runtime reflection.
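To make the difference concrete, here is an added Frida agent (example code written for this article, not Passionfruit's own) that hooks one function of each kind. The C hook needs a hand-written prototype table to render its arguments; the Objective-C hook lets the objects describe themselves through the runtime. The targets are assumptions chosen for illustration: open(2) from libSystem and -[NSUserDefaults setObject:forKey:], a data-storage call an auditor usually wants to watch. The script assumes the Frida 16-era JavaScript API and is loaded with, for example, `frida -U -n <app name> -l hooks.js`; the prototype helpers are pure functions so they also run under plain Node.js.

```javascript
'use strict';

// Hand-written prototypes for C functions: the runtime cannot tell us these.
// (Constructed for this example; extend the table for other library calls.)
const C_PROTOTYPES = {
  open: { ret: 'int', args: ['cstring', 'int'] },
};

// How to render each declared argument type from the raw NativePointer.
const FORMATTERS = {
  cstring: (arg) => JSON.stringify(arg.readUtf8String()),
  int: (arg) => String(arg.toInt32()),
  pointer: (arg) => arg.toString(),
};

// Render arguments according to a prototype. Pure function: it only calls
// methods on the argument objects, so it can be tested outside Frida with
// stand-in objects.
function formatArgs(proto, rawArgs) {
  return proto.args.map((type, i) => {
    const fmt = FORMATTERS[type];
    if (fmt === undefined) throw new Error('no formatter for type ' + type);
    return type + ' ' + fmt(rawArgs[i]);
  });
}

// Number of parameters an Objective-C selector takes: one per colon.
function countSelectorArgs(selector) {
  return (selector.match(/:/g) || []).length;
}

function hookCFunction(name) {
  const proto = C_PROTOTYPES[name];
  const addr = Module.findExportByName(null, name);
  if (addr === null) {
    console.log('export not found: ' + name);
    return;
  }
  Interceptor.attach(addr, {
    onEnter(args) {
      this.call = name + '(' + formatArgs(proto, args).join(', ') + ')';
      // Native stack trace of the caller, as a native-code hook would record.
      this.trace = Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n    ');
    },
    onLeave(retval) {
      console.log(this.call + ' -> ' + retval.toInt32() + '\n    ' + this.trace);
    },
  });
}

function hookObjCMethod(className, selector) {
  const method = ObjC.classes[className][selector];
  const nargs = countSelectorArgs(selector);
  Interceptor.attach(method.implementation, {
    onEnter(args) {
      // args[0] is self and args[1] is the selector; parameters start at 2.
      // Objective-C objects describe themselves, so no prototype is needed.
      const params = [];
      for (let i = 0; i < nargs; i++) {
        params.push(new ObjC.Object(args[2 + i]).toString());
      }
      console.log(selector + ' ' + params.join(' | '));
    },
    onLeave(retval) {
      // The runtime also tells us the return type, so void methods are skipped.
      if (method.returnType !== 'void' && !retval.isNull()) {
        console.log('  -> ' + new ObjC.Object(retval).toString());
      }
    },
  });
}

// Only install hooks when running inside Frida; plain Node.js lacks these globals.
if (typeof Interceptor !== 'undefined') {
  hookCFunction('open');
  if (ObjC.available) hookObjCMethod('NSUserDefaults', '- setObject:forKey:');
}
```

Every C function you want to watch needs its own entry in C_PROTOTYPES, which is exactly the manual work the paragraph above refers to; for Objective-C the selector string alone is enough, because the argument count and return type come from the runtime.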

Other tools implement CheckSec by running otool on the application's executable, which requires either installing extra dependencies on the device or syncing the files from the device and running the commands locally. Passionfruit analyzes the content already mapped in memory instead, which is much faster. Likewise, for file viewing, Passionfruit reads plist files and SQLite databases directly from the app sandbox, saving the time of downloading them over SCP first.
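As an added illustration of the in-memory approach (example code written for this article, not Passionfruit's own, which parses Mach-O in C inside the Tweak), the following script reads a 64-bit Mach-O header and its load commands from a byte buffer and derives the usual CheckSec answers: PIE from the header flags, encryption from LC_ENCRYPTION_INFO_64, and the presence of LC_CODE_SIGNATURE. Stack-canary and ARC detection use imported symbol names, which inside Frida come from Module.enumerateImports(); the buffer itself comes from the module's base address. The Frida 16-era API is assumed, and the sample header is constructed here so the parser can also be run and checked under plain Node.js.

```javascript
'use strict';

const MH_MAGIC_64 = 0xfeedfacf;      // 64-bit little-endian Mach-O magic
const MH_PIE = 0x200000;             // header flag: position-independent executable
const LC_CODE_SIGNATURE = 0x1d;
const LC_ENCRYPTION_INFO_64 = 0x2c;
const HEADER_SIZE_64 = 32;

// Parse the mach_header_64 and walk its load commands. `buf` is an ArrayBuffer
// holding at least the header plus sizeofcmds bytes.
function parseMachO64(buf) {
  const dv = new DataView(buf);
  if (dv.getUint32(0, true) !== MH_MAGIC_64) throw new Error('not a 64-bit little-endian Mach-O');
  const ncmds = dv.getUint32(16, true);
  const flags = dv.getUint32(24, true);
  const cmds = [];
  let off = HEADER_SIZE_64;
  for (let i = 0; i < ncmds; i++) {
    const cmd = dv.getUint32(off, true);
    const cmdsize = dv.getUint32(off + 4, true);
    if (cmdsize < 8 || off + cmdsize > buf.byteLength) throw new Error('malformed load command');
    const entry = { cmd, cmdsize };
    // encryption_info_command_64: cryptoff(+8) cryptsize(+12) cryptid(+16) pad(+20)
    if (cmd === LC_ENCRYPTION_INFO_64) entry.cryptid = dv.getUint32(off + 16, true);
    cmds.push(entry);
    off += cmdsize;
  }
  return { flags, cmds };
}

// otool/nm print Mach-O symbols with a leading underscore (___stack_chk_fail);
// Frida's Module.enumerateImports() reports the C-level name (__stack_chk_fail).
// Accept either spelling.
function hasImport(imports, canonical) {
  return imports.has(canonical) || imports.has(canonical.slice(1));
}

function checksec(buf, importedSymbols) {
  const { flags, cmds } = parseMachO64(buf);
  const enc = cmds.find((c) => c.cmd === LC_ENCRYPTION_INFO_64);
  const imports = new Set(importedSymbols);
  return {
    pie: (flags & MH_PIE) !== 0,
    encrypted: enc !== undefined && enc.cryptid !== 0,
    codeSignature: cmds.some((c) => c.cmd === LC_CODE_SIGNATURE),
    stackCanary: hasImport(imports, '___stack_chk_fail') || hasImport(imports, '___stack_chk_guard'),
    arc: hasImport(imports, '_objc_release') || hasImport(imports, '_objc_retain'),
  };
}

// Constructed sample header for offline testing: only the fields the checks
// above read are meaningful; everything else is zero.
function buildSampleHeader({ pie, cryptid, signed }) {
  const cmds = [{ cmd: LC_ENCRYPTION_INFO_64, size: 24, fields: [0, 0, cryptid, 0] }];
  if (signed) cmds.push({ cmd: LC_CODE_SIGNATURE, size: 16, fields: [0, 0] });
  const sizeofcmds = cmds.reduce((n, c) => n + c.size, 0);
  const buf = new ArrayBuffer(HEADER_SIZE_64 + sizeofcmds);
  const dv = new DataView(buf);
  dv.setUint32(0, MH_MAGIC_64, true);
  dv.setInt32(4, 0x0100000c, true);   // CPU_TYPE_ARM64
  dv.setUint32(12, 2, true);          // MH_EXECUTE
  dv.setUint32(16, cmds.length, true);
  dv.setUint32(20, sizeofcmds, true);
  dv.setUint32(24, 0x85 | (pie ? MH_PIE : 0), true); // NOUNDEFS|DYLDLINK|TWOLEVEL
  let off = HEADER_SIZE_64;
  for (const c of cmds) {
    dv.setUint32(off, c.cmd, true);
    dv.setUint32(off + 4, c.size, true);
    c.fields.forEach((v, i) => dv.setUint32(off + 8 + 4 * i, v, true));
    off += c.size;
  }
  return buf;
}

// Inside Frida: read the mapped header straight from the module base, no otool needed.
function checksecModule(moduleName) {
  const m = Process.getModuleByName(moduleName);
  const sizeofcmds = m.base.add(20).readU32();
  const buf = m.base.readByteArray(HEADER_SIZE_64 + sizeofcmds);
  return checksec(buf, m.enumerateImports().map((imp) => imp.name));
}

if (typeof Process !== 'undefined' && Process.platform === 'darwin') {
  const main = Process.enumerateModules()[0]; // the main executable is listed first
  console.log(JSON.stringify(checksecModule(main.name), null, 2));
}
```

Reading the header from the module base works because dyld keeps the Mach-O header of every loaded image mapped; for the main executable of an App Store build the cryptid field will be non-zero, which is also why a memory-based approach sees the same load commands that otool would report on the decrypted file.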

Passionfruit adds search to many views, such as the module list, exported symbols, Objective-C classes and even serialized data like plists.

iOS 10 has a non-public API, UIDebuggingInformationOverlay, that can be used to inspect the view hierarchy on the device itself; you can activate it with a button in Passionfruit's UIDump panel.

If you have more advanced debugging needs, such as single-stepping or interface analysis, you are advised to use a dedicated debugging tool such as debugserver.

FAQ

Does it require a jailbreak?

Yes.

Although Frida supports both jailbroken and non-jailbroken environments, Passionfruit currently only works on jailbroken devices. The reason is that when I wrote the Mach-O parsing I initially skipped porting it to JavaScript and simply reused C code in the Tweak module. If you have the energy, you can rewrite this module in JS, or repackage the dylib into an IPA to avoid the need for a jailbreak.

Why is there no NSLog viewer?

This tool's interface is browser-based, and rendering fast-refreshing content such as NSLog output in real time would cause serious performance problems. Since the existing tools (Xcode, Console on macOS, idevicesyslog from libimobiledevice) are powerful enough, there is no need to develop yet another, more difficult one.