Keychain and snoop-it of the reverse engineering of iOS

Today, the theme of the blog is Keychain, in this blog will be a login demo will be stored in the user name password into the Keychain , and to see what is stored in the Keychain, the content to guide out. Of course, the focus of this blog is not how to use keychain to store your username and password. But this knowledge will be used in today's blog. Apple has developed a full usage instance of Keychain on the documentation ( see iOS Keychain Services Tasks). The storage and updating of usernames and passwords in today's blogs is an example of the official documentation used. That is, the code on the direct copy of the development document, the code will not be copied today, the specific look at the official development documents.

The topic of today's blog is to store the user name and password, and then load it from the keychain the next time you log in. Of course keychain in the same group can be shared, that is, the same developer account under the app can be keychain shared. We do not encrypt the user name password, directly exist in the keychain, and then look at the effect. Then you have to use some encryption policies to process the user name password. The specific implementation details are given below.

First, the use of keychain

The use of KeyChain here do not say, because I did not how to use the KeyChain, today's blog about the KeyChain operation of the code is mainly from the development of Apple documents. The content below is a simple encapsulation of the operation of the keychain, Keychaindata is used to stage the data that will be stored in the keychain. genericpasswordquery is used to query data from keychain, andKkeychainitemidentifier is the only indicator of the data we store in keychain.

Other operating codes about KeyChain can be found in the development documentation for the above-mentioned connections, so there is not much to repeat.

　　　　

After encapsulating the Keychainmanager , we can invoke the singleton of this class to do the keychain operation. Below is the use of Keychainmanager , from below, it can be seen that the AES encrypted code to comment out, that is, to Keychainmanager what content, will store what content. About the use of keychain first said so much, or that sentence, the above Apple Official document is very clear, here do not do too much to repeat.

　　

Second, view the contents of the Keychain database

We can view the contents stored in the keychain in the jailbreak phone . Keychain is stored on the device in the form of a database, and the storage directory is "/private/var/keychains". Just next to me there is a jailbreak device, below is the storage location of keychain, below this keychain-2.db is the key string to store the contents of the database.

　　

Now that we've found this file, we can copy it to a Mac and see what it's storing is God horse content. After we have the above files on the Mac, we can use Sqlitemanager to open them and see what's inside. Below is the structure of the keychain-2.db database, which has 5 tables, and we can focus on the structure and content of the genp table.

　　

The following is a printout of the data in the Keychaindata dictionary , which means that the data below is queried from the keychain. We can see that the key in the dictionary below corresponds to the field in the GENP table, so we have some data in the keychain that are actually stored in the GENP table.

　　

Below is our query of the relevant data, the data in the table is very much, but we have the SQL statement is not, can be based on their own information to view the data. Of course, some of the data that you see directly from this is encrypted in the table, even if you are storing it in Keychain . This is still relatively safe.

　　

Third, use snoop-it to crawl the data in the corresponding app keychain

We can use snoop-it to see the data in some apps, so let's take the demo I wrote myself for example. Before we had the data in the keychain, and did not do any processing in the code, it was stored directly in the form of a string, then we would use snoop-it to look at the data.

1. Brief introduction of the configuration and use of snoop-it

Snoop-it This tool is very powerful, to see the data stored in the keychain is one of its functions, then come to know this tool. First add this (http://repo.nesolabs.de) source to your Cydia store, and then search for snoop-it to install it. After installation, there will be an app with a little dog icon with a yellow hat on your phone, and this is the snoop-it we're going to use. Below is the interface that snoop-it opens. Click "Select App Store Apps" To select the app you want to analyze and configure it in Settings.

　　

Enter the above HTTP access address in your Mac browser, then open the app you chose to listen to and refresh the page. From below we can see that some of the stored information is obtained in the form of clear text. This means that the information stored directly in plaintext is still risky, so we encrypt the data.

　　

We open the code with the AES encryption code and store the encrypted data in keychain to see the effect. The code below calls the AES cryptographic module, which encrypts the data and stores it in the Keychain . Once opened, we re-run the project and then observe its effect.

　　

Of course, we encrypt the data, using snoop-it to hear the encrypted data, which increases the difficulty of reverse engineering.

　　

After the above steps, we can see that the user name and password are stored in the Keychain , for security purposes or to be encrypted processing it. Speaking of here, today to do this demo, the app sharing the content of Keychain data also to engage a bit, the process is not complicated, you need to Keychain sharing switch open, and add the Boundle ID of other apps .

　　

Iv. other roles of snoop-it

snoop-it is very powerful, and then look at another powerful feature of Snoop-it. It can browse the class level of your app on your phone, and of course apps that are downloaded on AppStore are also available. And you can view the properties and methods of a file in the app. The method is all the methods corresponding to the class, even if there is no call interface in the. h file, it can be viewed , and the function is quite powerful. All right, today's blog is here.

　　

For personal reasons, today's blog used in the login demo will not be put on GitHub, but also hope you understand.

Keychain and snoop-it of the reverse engineering of iOS