First Experience with iOS Reverse Engineering

First Experience with iOS Reverse Engineering

Exploring the process from jailbreaking, extracting iPA files, shelling, to UI analysis, injection, and decompilation

About Security

The only thing I did related to security before was « Using Man-in-the-Middle Attack to Sniff Transmission Data »; additionally, following this, suppose we encode and encrypt data before transmission and decrypt it within the APP upon receipt to prevent man-in-the-middle sniffing; is it still possible for the data to be stolen?

The answer is yes! Even if you haven’t actually tested it; there is no unbreakable system in the world, only the issue of time and cost. When the time and effort required to crack it exceed the benefits, it can be considered secure!

How?

Having done all this, how can it still be broken? This is the topic I want to document in this article — “Reverse Engineering”, cracking open your APP to study how you do encryption and decryption. I’ve always been somewhat clueless about this field, only hearing two major talks at iPlayground 2019, where I roughly understood the principles and implementation. Recently, I had the chance to play around with it and share it with everyone!

What can you do with reverse engineering?

• View APP UI layout and structure
• Obtain APP resource directories .assets/.plist/icon…
• Modify APP functions and repackage (EX: remove ads)
• Decompile to infer original source code and obtain business logic information
• Dump .h header files / keychain contents

Implementation Environment

macOS Version: 10.15.3 Catalina iOS Version: iPhone 6 (iOS 12.4.4 / Jailbroken) *Required Cydia: Open SSH

Jailbreaking

Any version of iOS, iPhone can be used, as long as it is a jailbreakable device. It is recommended to use an old phone or a development device to avoid unnecessary risks. You can refer to Mr. Crazy’s Jailbreak Tutorial based on your phone and iOS version. If necessary, you may need to downgrade iOS (Certification Status Check) before jailbreaking.

I used an old iPhone 6 for testing. It was originally upgraded to iOS 12.4.5, but I found that 12.4.5 couldn’t be jailbroken successfully. So, I downgraded to 12.4.4 and used checkra1n to jailbreak successfully!

The steps are not many and not difficult; it just requires some waiting time!

A silly experience of mine: After downloading the old IPSW file, connect the phone to the Mac, use Finder (macOS 10.5 and later no longer have iTunes), select the phone under Locations on the left, and in the phone information screen, hold “Option” and then click “Restore iPhone” to bring up the IPSW file selection window. Choose the old IPSW file you just downloaded to complete the downgrade.

I foolishly clicked Restore iPhone directly… it only wasted time reinstalling the latest version…

Using lookin tool to view other people’s APP UI layout

Let’s start with something interesting, using tools and a jailbroken phone to see how others layout their APP.

Viewing tools: One is the veteran Reveal (more complete features, costs about $60 USD/can be tried), and the other is the free open-source tool lookin made by Tencent QMUI Team. Here, we use lookin as a demonstration; Reveal is similar.

If you don’t have a jailbroken phone, it’s okay. This tool is mainly for use in development projects to view Debug layouts (replacing Xcode’s basic inspector). It can also be used in regular development!

Only when you want to view someone else’s APP do you need a jailbroken phone.

If you want to view your own project…

You can choose to install using CocoaPods, Breakpoint Injection (only supports simulators), manually import the Framework into the project, or manual setup.

After building and running the project, you can select the APP screen in the Lookin tool -> view the layout structure.

If you want to view someone else’s APP…

Step 1. Open “ Cydia “ on the jailbroken phone -> search for “ LookinLoader “ -> “ Install “ -> go back to the phone “ Settings “ -> “ Lookin “ -> “ Enabled Applications “ -> enable the APP you want to view.

Step 2. Use a cable to connect the phone to the Mac computer -> open the APP you want to view -> go back to the computer, select the APP screen in the Lookin tool -> you can view the layout structure.

Lookin View Layout Structure

Facebook login screen layout structure

You can view the View Hierarchy in the left sidebar and dynamically modify the selected object in the right sidebar.

The original “Create New Account” was changed to “Hahaha” by me

Modifications to the object will also be displayed in real-time on the mobile APP, as shown above.

Just like the “F12” developer tools for web pages, all modifications are only effective for the View and will not affect the actual data; mainly used for Debugging, but you can also use it to change values, take screenshots, and then trick your friends XD.

Using the Reveal tool to view APP UI layout structure

Although Reveal requires a paid subscription, I personally prefer Reveal; it provides more detailed information on the structure, and the right information panel is almost equivalent to the XCode development environment, allowing for real-time adjustments. Additionally, it will prompt Constraint Errors, which is very helpful for UI layout corrections!

Both of these tools are very helpful in the daily development of your own APP!

After understanding the process environment and the interesting parts, let’s get to the main topic!

*The following requires a jailbroken phone

Extracting APP .ipa files & Cracking

All APPs installed from the App Store have FairPlay DRM protection, commonly known as shell protection. Removing this protection is called “cracking,” so simply extracting the .ipa from the App Store is meaningless and unusable.

*Another tool, APP Configurator 2, can only extract protected files, which is meaningless, so it won’t be elaborated here. Those interested in using this tool can click here for a tutorial.

Using tools + jailbroken phone to extract the original cracked .ipa file:

Regarding the tools, initially, I used Clutch, but no matter how I tried, it always showed FAILED. After checking the project’s issues, I found that many people had the same problem. It seems that this tool can no longer be used on iOS ≥ 12. There is also an old tool called dumpdecrypted, but I haven’t looked into it.

Here, I use frida-ios-dump, a Python tool for dynamic binary dumping, which is very convenient to use!

First, let’s prepare the environment on the Mac:

1. The Mac comes with Python 2.7 by default. This tool supports Python 2.X/3.X, so there’s no need to install Python separately. However, I used Python 3.X for the operation. If you encounter issues with Python 2.X, you might want to install and use Python 3!
2. Install pip (Python’s package manager).
3. Use pip to install frida: sudo pip install frida --upgrade --ignore-installed six (Python 2.X) sudo pip3 install frida --upgrade --ignore-installed six (Python 3.X)
4. Enter frida-ps in Terminal. If there are no error messages, the installation was successful!
5. Clone the AloneMonkey/frida-ios-dump project.
6. Enter the project and open the dump.py file with a text editor.
7. Ensure the SSH connection settings are correct (no need to change the default settings): User = ‘root’ Password = ‘alpine’ Host = ‘localhost’ Port = 2222

Environment on the jailbroken phone:

1. Install Open SSH: Cydia → Search → Open SSH → Install
2. Install the Frida source: Cydia → Sources → Top right “Edit” → Top left “Add” → https://build.frida.re
3. Install Frida: Cydia → Search → Frida → Install the corresponding tool according to the phone’s processor version (e.g., I have an iPhone 6 A11, so I installed Frida for pre-A12 devices).

Once the environment is set up, let’s get started:

1. Connect the phone to the computer using a USB cable.

2. Open a Terminal on the Mac and enter iproxy 2222 22 to start the server.

3. Ensure the phone/computer are on the same network (e.g., connected to the same WiFi).

4. Open another Terminal and enter ssh root@127.0.0.1, then enter the SSH password (default is alpine).

1. Open another Terminal to execute the dumping command. Navigate to the cloned /frida-ios-dump directory.

Enter dump.py -l to list the installed/running apps on the phone.

1. Find the name/Bundle ID of the app you want to dump and enter:

dump.py APP_NAME_OR_BUNDLE_ID -o OUTPUT_PATH/OUTPUT_FILENAME.ipa

Be sure to specify the output path/filename because the default output path is /opt/dump/frida-ios-dump/. To avoid moving it to /opt/dump, specify the output path to avoid permission errors.

1. After a successful output, you can obtain the cracked .ipa file!

• The phone must be unlocked to use the tool.
• If connection errors occur, such as reset by peer, try unplugging and replugging the USB connection or restarting iproxy.

1. Rename the .ipa file directly to a .zip file, then right-click to extract the file.

You will see /Payload/APP_NAME.app

With the original APP file, we can…

1. Extract the APP’s resource directory

Right-click on APP_NAME.app → “Show Package Contents” to see the APP’s resource directory.

2. Use class-dump to extract the APP’s .h header file information

Use the class-dump tool to export all the APP’s (including Framework) .h header file information (only for Objective-C, not effective for Swift projects).

nygard/class-dump I tried using this tool but failed repeatedly; eventually, I succeeded using the rewritten class-dump tool from AloneMonkey / MonkeyDev.

• Download the tool directly from here: MonkeyDev/bin/class-dump
• Open Terminal and use: ./class-dump -H APP_PATH/APP_NAME.app -o OUTPUT_PATH

After a successful dump, you can obtain the entire APP’s .h information.

4. The final and most difficult step — decompilation

You can use decompilation tools like IDA and Hopper for analysis. Both are paid tools, but Hopper offers a free trial (30 minutes per session).

Drag the obtained APP_NAME.app file directly into Hopper to start the analysis.

However, this is where I stopped, as it requires studying machine code, using class-dump results to infer methods, etc.; it requires very deep skills!

After breaking through the decompilation, you can modify the operation and repackage it into a new APP.

Image from One Piece

Other tools for reverse engineering

1. Using the free MITM Proxy tool to sniff API network request information

»The APP uses HTTPS transmission, but the data was still stolen.

2. Cycript (with a jailbroken phone) dynamic analysis/injection tool:

• Open “Cydia” on the jailbroken phone -> search for “Cycript” -> “Install”
• Open a Terminal on the computer and use Open SSH to connect to the phone, ssh root@PHONE_IP (default is alpine)
• Open the target APP (keep the APP in the foreground)
• In Terminal, enter ps -e | grep APP Bundle ID to find the running APP Process ID
• Use cycript -p Process ID to inject the tool into the running APP

You can use Objective-C/Javascript for debugging control.

For Example:

// Objective-C code block
cy# alert = [[UIAlertView alloc] initWithTitle:@"HIHI" message:@"ZhgChg.li" delegate:nil cancelButtonTitle:@"Cancel" otherButtonTitles:nl]
cy# [alert show]

Injecting a UIAlertViewController…

• chose( ) : Get target
• UIApp.keyWindow.recursiveDescription( ).toString( ) : Display view hierarchy structure information
• new Instance(memory location): Get object
• exit(0) : Exit

For detailed operations, refer to this article.

3. Lookin / Reveal View UI Layout Tools

Previously introduced, recommending again; also very useful in daily development of your own projects, suggest purchasing and using Reveal.

4. MonkeyDev Integration Tool for dynamically injecting and modifying APPs and repackaging them into new APPs

5. ptoomey3 / Keychain-Dumper for exporting KeyChain content

For detailed operations, refer to this article, but I didn’t succeed. Looking at the project issues, it seems to have become ineffective since iOS ≥ 12.

Summary

This field is a super big pit, requiring a lot of technical knowledge to master; this article just gives a superficial “experience” of what reverse engineering feels like. Apologies for any shortcomings! For academic research only, do not do bad things; personally, I find the whole process and tools quite interesting and it gives a better understanding of APP security!

For any questions or feedback, feel free to contact me.

===

本文中文版本

===

This article was first published in Traditional Chinese on Medium ➡️ View Here