Use Frida in iOS apps to bypass jailbreak detection, iosfrida

Use Frida in iOS apps to bypass jailbreak detection, iosfrida
 

In the previous three blogs, Alibaba Cloud Universal Security introduced the use of Frida to attack Android applications. The whole process seemed to enable developers to look at God,In this blog, we will introduce how to use Frida to bypass jailbreak detection in iOS apps. Even if you have never used Frida, this article will serve as an entry guide to mobile security development and analysis.

 

Related Articles:

Use FRIDA to attack Android applications (1)

Use FRIDA to attack Android applications (2)

Use FRIDA to attack Android applications (3)

1. Introduction to Frida

Frida is a dynamic code toolkit that can hook apps. It can inject JavaScript or its own library code into local applications of Windows, macOS, Linux, iOS, Android, and QNX. Initially, it was running based on Google's V8 Javascript, but since version 9, Frida has started to run with its internal Duktape.

 

Use Cases of Frida:

1. hooking specific function and changing the return value

2. Analyze custom protocols and perform dynamic sniffing/Decryption

3. Application debugging

4. dump class and method information on iOS apps

...

 

Firda has many different use cases and various startup methods, including various powerful APIs and methods, making it the preferred tool for developers to establish their own security analysis. It can trace underlying functions using the command line interface or tools similar to frida-trace. You can also bind C, NodeJS, or Python to complete more complex tasks. However, within it, there are many times that Frida uses Javascript, and most of the work can be done through JavaScript.

 

Frida is so useful for security detection because it can run on a non-jailbreaking device. Frida provides a dynamic library named "FridaGadget. dylib", which can be used to insert FridaGadget. dylib for applications on devices not jailbroken. Developers can use tools such as Swizzler2 to modify the application to add FridaGadget. dylib to the application.

 

In iOS, several security analysis tools based on Frida are available, such as Needle and AppMon.

NeedleIs an open-source modular framework that simplifies the security evaluation process for iOS applications and serves as a central point. In view of its modular approach, Needle can easily expand new modules and can be added as Python scripts.

Address: https://github.com/mwrlabs/needle

 

AppMonIt is an automated framework for monitoring and modifying local macOS, iOS, and Android APIs, and can be displayed and operated through web interfaces.

Address: https://github.com/dpnishant/appmon

 

 

2. Set Frida on iOS

The setup procedure is very simple. developers can install Frida on both iOS devices and computers.

To install an iOS device, follow these steps:

1. Open the Cydia APP on iOS devices

2. Add URL: https://build.frida.re

 

 

3. Open Source or search for Frida, click Modify, and install.

 

 

4. Open the terminal and enter pip install frida to install Frida binding. Of course, you can also use python, C, or NodeJS binding to complete more complex tasks.

 

3. Use Frida to connect to the iOS Process

After completing all settings of Frida, start the Security Evaluation and Utilization of iOS apps.

Damn Vulnerable iOS Application (DVIA) as this test method, address: http://damnvulnerableiosapp.com/

The Code involved in the following, GitHub address: https://github.com/interference-security/frida-scripts/tree/master/iOS

 

We will analyze the jailbreak detection operation from DVIA. The current device has been jailbroken.

 

 

First, view the list of all running processes of the target device.

Frida-ps-U

 

From the above, we can see all the processes running on iOS devices.

Enter frida-U process-name to attach to any process. On the Frida console, obtain the attributes, memory, and functions of the target process.

 

Now we can work in the shell of Frida, which can interact with our iOS process, or write JavaScript to get the analysis data we want.

 

Iv. Dump class and method information

This step is used to identify which ViewController and function is responsible for verifying whether the iOS device is jailbroken.

 

ViewController is an important part of iOS applications and an important bridge between application data and views. ViewController manages multiple views in applications. The iOS SDK provides many native viewcontrollers to support standard user interfaces, such as the table View Controller (UITableViewController), navigation controller (UINavigationController), and label bar controller (UITabbarController) and iPad proprietary UISplitViewController.

 

First, write a basic Frida script to dump all the class files and method information in the target application. Start searching for any jailbreak-related content so that we can bypass the jailbreak detection with the help of Frida.

 

The process is as follows:

 

1. Use Frida in DVIA to find the jailbreak detection class

Let's take a look at all the class files in the application.

For (var className in ObjC. classes)

{

If (ObjC. classes. hasOwnProperty (className ))

{

Console. log (className );

}

}

 

Run the script and we will see that Frida is appended to the target process. Once the load is complete, it will display many class files in the target process.

It is better to use the grep command to find related class files. When we run the grep Jailbreak command, we will see a class named JailbreakDetectionVC, as shown in

 

 

After finding all instances, a safe to ignore error message is displayed. Therefore, the first task is to find the target class and find any related methods in this class. This is an interesting process.

 

2. Use Frida in DVIA to find the jailbreak Detection Method

Use ObjC. classes. class-name. $ methods. In this example, you only need to find this method in the target class JailbreakDetectionVC.

Console. log ("[*] Started: Find All Methods of a Specific Class ");

If (ObjC. available)

{

Try

{

Var className = "JailbreakDetectionVC ";

Var methods = eval ('objc. classes. '+ className +'. $ methods ');

For (var I = 0; I <methods. length; I ++)

{

Try

{

Console. log ("[-]" + methods [I]);

}

Catch (err)

{

Console. log ("[!] Prediction1: "+ err. message );

}

}

}

Catch (err)

{

Console. log ("[!] Prediction2: "+ err. message );

}

}

Else

{

Console. log ("Objective-C Runtime is not available! ");

}

Console. log ("[*] Completed: Find All Methods of a Specific Class ");

 

Run grep to search for strings such as Jailbreak, Jailbroken, and detection, as shown in

 

 

We found three types of strings, isJailbroken, jailbreakTest1Tapped:, and jailbreakTest2Tapped:, matching the search targets. Among them, isJailbroken looks like a function that checks whether a device is jailbroken and returns a value.

 

3. Use Frida in DVIA to modify the return value of the jailbreak detection method.

View the returned values sent by isJailbroken

{

Try

{

Var className = "JailbreakDetectionVC ";

Var funcName = "-isJailbroken ";

Var hook = eval ('objc. classes. '+ className +' ["'+ funcName +'"] ');

Interceptor. attach (hook. implementation ,{

OnLeave: function (retval ){

Console. log ("[*] Class Name:" + className );

Console. log ("[*] Method Name:" + funcName );

Console. log ("\ t [-] Type of return value:" + typeof retval );

Console. log ("\ t [-] Return Value:" + retval );

}

});

}

Catch (err)

{

Console. log ("[!] Prediction2: "+ err. message );

}

}

Else

{

Console. log ("Objective-C Runtime is not available! ");

 

Run the script and press the Jailbreak Test 1 button in the iOS app. We can see the returned value in the Frida console.

Because the device has escaped from jail, the returned value is 0*1, which means the return function is True.

 

The next task is to overwrite the returned value and fix it so that the returned value is false or 0*0 whenever the Jailbreak Test 1 button is pressed.

 

We add another row to change the return value of this specific function. The following code is implemented and recorded on the console.

Newretval = ptr ("0x0 ")

Retval. replace (newretval)

Console. log ("\ t [-] New Return Value:" + newretval)

 

The final script is as follows:

If (ObjC. available)

{

Try

{

Var className = "JailbreakDetectionVC ";

Var funcName = "-isJailbroken ";

Var hook = eval ('objc. classes. '+ className +' ["'+ funcName +'"] ');

Interceptor. attach (hook. implementation ,{

OnLeave: function (retval ){

Console. log ("[*] Class Name:" + className );

Console. log ("[*] Method Name:" + funcName );

Console. log ("\ t [-] Type of return value:" + typeof retval );

Console. log ("\ t [-] Original Return Value:" + retval );

Newretval = ptr ("0x0 ")

Retval. replace (newretval)

Console. log ("\ t [-] New Return Value:" + newretval)

}

});

}

Catch (err)

{

Console. log ("[!] Prediction2: "+ err. message );

}

}

Else

{

Console. log ("Objective-C Runtime is not available! ");

}

 

Once the script is run, we can see that the returned value has been modified.

 

View the iOS APP. You can see that the device is not jailbroken.

 

 

---------------------------------------------------------

This article is compiled by Douglas from attify, original address: http://blog.attify.com/2017/05/06/bypass-jailbreak-detection-frida-ios-applications/

For more mobile security knowledge, please keep an eye on Alibaba Cloud universal security blog