In the previous article, we introduced how to use class-dump-z to export the class information of iOS apps, how to use Cycript to hook into a process, execute runtime operations and perform method swizzling, and how to use gdb to analyze the app process. However, there may be better ways to do these things. It would be great to have a tool capable of doing all of them and displaying the information in a clearer way.
Snoop-it is such a tool. It allows us to perform runtime analysis and black-box security assessment of iOS apps, and it provides a very simple web interface. At the time of writing, Snoop-it had not been officially released. I emailed the author, who very kindly provided me with a beta version for testing. You can go to its official website or follow the author on Twitter.
The functions provided by Snoop-it can be viewed from its official address.
Install
(Note: you can also add a source in Cydia and download and install it directly.) To install Snoop-it on your device, download the deb package and upload it to the device using sftp. Then run `dpkg -i <packageName>.deb` on the device's command line to install it. Once the installation is complete, restart your device.
Once the installation is complete, you will see the Snoop-it icon. Click it and you will see the following interface.
Go to Settings and set the options you need. Here, we select port 12345 and disable authentication. If your network has many other users, or untrusted users, we recommend that you enable authentication.
Now, open the Snoop-it web interface at the address Snoop-it displays. Here, the address is http://10.0.1.79:12345
You will see this web interface. If you read it, you will find that it asks you to select the application you want to analyze in Snoop-it, open that application on the device, and then refresh the web interface. Now return to Snoop-it and select the application we want to analyze. Here, I will select the MethodSwizzlingDemo application, the same application used in the previous article.
Make sure that the application to be analyzed has been opened and stays in the foreground. Now, refresh the Snoop-it web interface.
As you can see, now you have a very beautiful interface, and now you can perform a detailed security evaluation on this application.
Analysis
On the left, under Analysis, click Objective-C Classes. On the right side, you can see all the class information, such as properties and method names.
Orange indicates a class that currently has a live instance. For example, when you move the mouse over the ViewController class, you will see the information of its class instance.
Similarly, you can see the methods and attributes of AppDelegate.
Back in ViewController, we can call a method through Snoop-it. Click Setup and Invoke in the upper right corner. As we mentioned in the previous article, we can use this method to bypass the verification in this application.
Select the corresponding instance (there is only one instance here, but if the view controller is reused, there may be multiple instances) and click Invoke Method.
In this way, we call the corresponding method and bypass the program's verification.
Another great function of Snoop-it is that we can switch to any view controller. For example, under Analysis on the left, select View Controller, select a view controller on the right, and click Display Controller to switch to it. You can also click Close/Hide View Controller, depending on whether the view controller is contained in another view controller.
You can click Reset Display to restore the original display. This function allows us to associate each view controller with its corresponding view. I like Snoop-it very much.
Modify at runtime
Snoop-it supports multiple runtime modifications, including spoofing your hardware identifiers, such as the MAC address, UDID, and device model number.
You can also spoof the device location. This is useful for applications that use geo-encryption to protect their data.
You can also trace method calls and system calls. Note that you need to click Refresh at the top every few seconds after invoking a method. Because we are testing a beta, the author may change this behavior so that we do not have to click the refresh button every few seconds. For some users, this information may be too much, but it is quite simple and straightforward for people who have developed iOS programs for years, like me.
Monitoring
Snoop-it allows you to view which files and directories are currently being accessed by the application. For this purpose, click Filesystem under Monitoring. This function is particularly useful when the application is writing data to a database, because it lets you find the name of the db file. You can also double-click a file to download it to your machine for analysis.
You can also see the sensitive APIs called by the application, for example searching the address book, accessing the camera, or reading the device's UDID. The following shows the pre-installed list of sensitive APIs for App Store access.
We can also see everything this application stores in the keychain. It also lists all HTTP requests made through NSURLConnection. Both functions can be found under Monitoring. I will leave these functions for readers to try. We will introduce how to dump data from the keychain in another article.
You will be glad to know that Snoop-it has public APIs, so we can use it to write automated tests or compile our own user interfaces. Documents on XML-RPC web service API can be found on the official website.
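To show what scripting against such an XML-RPC web service looks like, here is an added example that is not part of the original article and not Snoop-it's own code or API. It runs a small constructed stand-in XML-RPC server on localhost so it works offline; the method name `listApplications` is hypothetical (the real method names are in Snoop-it's documentation), and treating the "enable authentication" setting as HTTP Basic authentication is an assumption. The client shows the caveat from the settings step above: with authentication enabled, an unauthenticated caller is rejected with HTTP 401.

```python
import base64
import threading
from xmlrpc.client import ProtocolError, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Constructed credentials for the local stand-in server only.
STUB_USER = "analyst"
STUB_PASSWORD = "example-password"


class AuthRequestHandler(SimpleXMLRPCRequestHandler):
    """Stand-in handler that requires HTTP Basic authentication (an assumption
    about how Snoop-it's 'authentication' setting works, not a documented fact)."""

    rpc_paths = ("/RPC2",)

    def parse_request(self):
        if not super().parse_request():
            return False
        expected = base64.b64encode(
            f"{STUB_USER}:{STUB_PASSWORD}".encode()
        ).decode()
        if self.headers.get("Authorization") != f"Basic {expected}":
            # Reject callers that did not present the expected credentials.
            self.send_error(401, "authentication required")
            return False
        return True


def start_stub_server():
    """Start a constructed XML-RPC server on an ephemeral localhost port."""
    server = SimpleXMLRPCServer(
        ("127.0.0.1", 0), requestHandler=AuthRequestHandler, logRequests=False
    )
    # Hypothetical method: returns the app names the tool would expose.
    server.register_function(lambda: ["MethodSwizzlingDemo"], "listApplications")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def rpc_url(host, port, user=None, password=None):
    """Build the endpoint URL; xmlrpc.client sends user:pass as Basic auth."""
    if user is None:
        return f"http://{host}:{port}/RPC2"
    return f"http://{user}:{password}@{host}:{port}/RPC2"


def list_apps(url):
    """Call the hypothetical listApplications method over XML-RPC."""
    return ServerProxy(url).listApplications()


def demo():
    """Return (apps seen with credentials, whether the anonymous call got a 401)."""
    server = start_stub_server()
    host, port = server.server_address
    try:
        with_auth = list_apps(rpc_url(host, port, STUB_USER, STUB_PASSWORD))
        try:
            list_apps(rpc_url(host, port))
            rejected = False
        except ProtocolError as err:
            rejected = err.errcode == 401
        return with_auth, rejected
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real instance you would replace the stub with the device address the tool displays (here http://10.0.1.79:12345) and the method names from the official API documentation; the client side and the credential handling stay the same.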
Summary
This article describes how to use Snoop-it for runtime analysis and black-box security assessment of iOS apps. Snoop-it is several weeks away from release, although you can email the author to ask for the beta version, as I did. One feature I would especially like to see added to Snoop-it is method swizzling. I am sure Snoop-it is a good tool for anyone interested in iOS app security analysis, and it will keep getting better.
(Note: the translation has been published. You can download it on Cydia. You need to add the source first. For details, see its official website)
The original article is iOS Application Security Part 9 - Analyzing Security of iOS Applications using Snoop-it