Skip to content
/ FiOS Public

small proof of concept gui for auditing iOS applications based on objection

License

Notifications You must be signed in to change notification settings

snooze6/FiOS

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

FiOS


This manual will show how to execute the application, the usage of its main features and how to setup a development environment in order to expand its features. It will be divided in the following sections:

  1. Acknowledgements
  2. Requirements
  3. Usage
  4. Development
  5. Troubleshooting and feature request
  6. License

1 - Acknowledgements

  1. Objection - Most of the hooks are adapted from here
  2. Frida
  3. frida-scripts

2 - Requirements

In order to execute this tool, the only requirement is to have a computer running either linux, osx or windows, although in order to use its features it is required to have an iOS device running Frida.

There are two ways of running Frida on a device: As a dydl or as frida-server. When loading Frida as a dydl not all features are available so for the purpose of this document we will use an iOS device with frida-server running listening to localhost.

The installation of frida-server requires the iDevice to be jailbroken; this is a risky operation that won't be covered in this manual but more information can be obtained in https://canijailbreak.com/.

For the purpose of installing Frida, a new source must be added to either sources.list or in the Cydia application:

https://build.frida.re

Once the source is added and after a repository refresh, the frida-server package should be available to install by using Cydia or "apt-get install".

After the installation it is possible to check that the frida-server is running by SSHing to the iDevice.

Figure 1: frida-server running on the device.

More information about the process of installing Frida on iOS is available in the official documentation (https://www.frida.re/docs/ios/)

3 - Usage

Simply double-click on the application executable and it should start the GUI. Local devices are shown as they are planned to be supported on the future.

Figure 2: First view.

The tool must be able to detect connected devices; plug and play works as expected and it shows a green notification when the device is connected and a red one when it's disconnected.

If frida-server is listening on the network interface, it is possible to add the device as a remote device and attach to it wirelessly knowing the ip address and the port in which frida-server is listening. This is not recommended because of security reasons as frida-server doesn't implement any security restrictions.

After selecting one device, the tool will show basic information about the device:

Figure 3: Device overview

The files tab makes the user able to easily manage the iDevice filesystem, allowing to upload, download or delete any file.

On the left bar installed applications are listed; by clicking in one of them, the tool will get attached to that process showing basic information of the application.

Figure 4: Basic information from a given application.

The view is adjustable by sliding the separator allowing the user to see more clearly the Info.plist contents which are parsed on the right panel. Both the application search and the Info.plist search are in real time as it is a fast search.

In the agents view the user can examine JavaScript files that contain the agents, in order to run it.

Those agents can be deleted, executed, stopped and edited with the integrated editor. The results of the executed agents are shown on the bottom panel which can be resized.

Figure 4: Agent execution.

The basic anatomy of an agent is simple:

rpc.exports = {
    run: function(){
        return new Promise(function (resolve, reject) {
            if (ObjC.available) {
                send('ObjC');
                // Do stuff on iOS
            } else if (Java.available) {
                Java.perform(function () {
                    send('Java');
                    // Do stuff on Android
                })
            } else {
                reject(new Error('Language not supported'))
            }
        });
    }
};

It should export a function called run that returns a Promise. Inside that function the user is allowed to write any JavaScript code, but the interesting part is accessing the application classes, methods and objects. This can be achieved by using ObjC and Java objects.

ObjC is an object available on iDevices whereas Java is available on Android devices, at this time the only platform that is compatible to all the agents is iOS so the following instruction are iOS specific.

send function is used to log information instead the usual console.log because the agent is executed on the process context on the iDevice and it needs to return the information to the tool.

In order to override the behavior of one method in the application, the agent must Intercept it using the Interceptor object as shown:

// Hook schema
Interceptor.attach(ObjC.classes.UIApplication['- canOpenURL:'].implementation,{
    onEnter: function(args){
        // Use a marker to check onExit if we need to manipulate the response.
        this.cydia = false;
        // Extract the url
        this.url = ObjC.Object(args[2]).toString();
        // check if the url is cydia://
        if (this.url.indexOf('cydia://') >= 0) {
            // Mark this path as one that should have its response modified if needed.
            this.cydia = true;
        }
    }, onLeave: function (retval) {
        // check if the method call matched a common_path. If that's the case, respond with a failure instead if needed.
        if (this.cydia) {
            if (retval != 0x0) {
                send('[+] --- URL: '+this.url);
                retval.replace(0x0);
            }
        }
    }
})

This code will return 0 (false) if the application checks for the "cydia://" schema by overriding the "- canOpenURL:" method of the UIApplication class. Notice the two functions on the second argument of the Interceptor attach method: onEnter is called before the method is executed and onLeave after the execution of the method.

The onEnter arguments are first the method itself and then the parameters with which the program was called. onLeave receives the returned value.

More information about the available functions is found in the Frida's official documentation (https://www.frida.re/docs/javascript-api/#objc)

The classes/exports view shows each class and each exported method in a friendly way. It is useful in order to find important methods that can be hooked using agents.

Figure 6: Exported modules with its functions.

The search field doesn't search in real-time because depending on the number of classes/exports it can take a long time; the search starts when pressing the intro key finishing the query.

In the memory view an user is able to see the contents of the application memory. The memory dump can take up to a minute depending on the size of the memory. Once the dump is finished the memory is automatically converted to strings and indexed; during this operation the CPU of the computer will experience a hard use.

Figure 7: Memory view.

The memory view shows the different ranges of memory in the application with its permissions and contents; that memory can be saved into a .zip file to further inspection. If a determined range is interesting is possible to show or save it by right-clicking on the desired range.

The last view is the ui-view in which the ui-contents are shown:

Figure 8: Memory view.

This view shows the contents of the ui including hidden elements which can hide interesting information. It allows to control the iDevice pasteboard and show an alert on the iDevice.

4 - Development

The project uses npm to manage its dependencies so it is mandatory to install NodeJS and npm in order to improve the tool, any version is supported as the ".npmrc" specifies the correct electron version to use.

In order to make the process of setting up a development environment easier, a makefile is available with a small preset of targets.

  • clean: It removes all dependencies, compiled agents and generated files.
  • clean-agents: It removes all compiled agents.
  • dist: It generates a release of the tool.
  • frida-compile: It compiles the agents.
  • frida-compile-watch: It recompiles the agent every time a file is changed.
  • install-dependencies: Must be executed at first and its main purpose is to install the dependencies of the tool using npm and bower.
  • run-gui: It executes the gui.
  • run-test: It executes the test-file.
  • update: It updates the installed dependencies to its latest version. CAUTION: THIS CAN BE DANGEROUS.

Figure 10: Methods of the makefile

To easily develop new features it is a good idea to configure a JavaScript IDE in order to automatize all the repetitive tasks that need to be made in each execution of the program.

The recommended IDE is WebStorm by JetBrains but every other IDE with NodeJS support can be used.

Figure 11: Opening the project in WebStorm

After opening the project in the IDE it should be recognized as a NodeJS project and a run-configuration can be added.

Figure 12: Setting up the main run task

The important arguments are:

  • Node interpreter: Should be the electron binary that is inside node_modules after installing the dependencies.
  • Working dir: The directory where are located the source files.
  • JavaScript file: The file that we want to execute. "main.js" for the GUI and "test.js" for the tests
  • Tasks before launch: In order to re-compile the agents on each execution, a new task can be configured doing "npm run compile"

Figure 13: Npm run compile

In accordance with the usual rules of procedure on other open-source projects, for publishing the new features or bugfixes a pull-request should be made to https://github.com/snooze6/FiOS

5 - Troubleshooting and feature request

If a bug is found in the tool, a issue can be filled in GitHub so it can be fixed.

Figure 9: Issues support on GitHub.

New ideas or features are also welcomed.

6 - License

See license.txt

About

small proof of concept gui for auditing iOS applications based on objection

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages