M 702: Frida on iOS & Hacking Ringdahl EMS (20 pts)

What You Need

Purpose

To install Frida and use it to decrypt an App on the iPhone.

Installing Frida from Source

I had a lot of trouble getting Frida to install on my Mac. This procedure finally worked.

Making a Code-Signing Certificate

On your Mac, launch the Keychain Access application.

At the top left of your screen, from the menu, click "Keychain Access", "Certificate Assistant", "Create a Certificate...".

In the "Create Your Certificate" box, make these selections, as shown below.

Click Continue nine times, until you get to the Specify a Location For The Certificate screen, then accept the default Keychain of login, as shown below.

Click Create.

In "Keychain Access", in the lower left pane, click "My Certificates".

In the top left pane, right-click the System keychain and click 'Unlock Keychain "System"', as shown below.

Enter your password when you are prompted to.

In the top left pane, click the login keychain. Drag the frida-cert and drop it onto the System keychain, as shown below.

Enter your password when you are prompted to, several times.

In the top left pane, click the System keychain. The frida-cert is visible in the right pane, as shown below.

Right-click "frida-cert" and click "Get Info".

In the "When using this certificate" field, select "Always Trust", as shown below.

Close the "frida-cert" Info box. Enter your password when you are prompted to.

Quit Keychain Access.

In a Terminal, execute this command:

security find-certificate -c frida-cert
You should see "frida-cert" in the System keychain, as shown below.

In a Terminal, execute this command:

security find-certificate -p -c frida-cert | openssl x509 -checkend 0
You should see a message saying that your certificate will not expire, as shown below.

Trusting the Certificate for Code Signing

Start Keychain Access again. In the top left pane, click the System keychain.

Right-click "frida-cert" and click "Get Info".

Make sure the "Code Signing" line is set to "Always Trust", as shown below.

Viewing Trust Settings

Quit the Keychain Access application once more to refresh the certificate store.

In a Terminal, execute this command:

security dump-trust-settings -d
This should show the frida-cert certificate and its trust settings, including Code Signing, as shown below.

Compiling and Signing Frida

In a Terminal, execute these commands:
git clone https://github.com/frida/frida.git
cd frida
export MAC_CERTID=frida-cert
export IOS_CERTID=frida-cert
make

Installing Python

I had a lot of problems with python libraries. These commands fixed Python on my system.

Installing Homebrew

In a Terminal, execute this command:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Installing Python and Libraries

In a Terminal, execute these commands:
brew unlink openssl
brew reinstall python@2
pip install paramiko
pip install scp
pip install tqdm

Installing Frida and Objection

In a Terminal, execute these commands:
pip3 install frida-tools
pip3 install objection

Installing Frida on your iPhone

On your iPhone, open Cydia. Tap Sources, Edit, Add.

Enter https://build.frida.re, as shown below.

On your iPhone, in Cydia, Tap Search, enter Frida, and tap Install, as shown below.

Connecting your iPhone to your Mac

Connect your jailbroken iPhone to your Mac with a USB cable.

On your Mac, open a new Terminal window and execute this command:

iproxy 2222 44
Leave this process running.

Flag M 702.1: Launching Objection (10 pts)

On your Mac, in a Terminal, execute these commands to see information about your iOS system:
objection --gadget "com.apple.AppStore" explore
reconnect
ios info binary
quit
The flag is covered by a green rectangle in the image below.

To exit from Objection, press Ctrl+C.

Dumping App Files

Unlike Android apk files, iOS apps are stored as encrypted ipa files, preventing easy access and analysis. Having installed iproxy and Frida, we can use frida-ios-dump to decrypt an app at runtime, while it is loaded in memory, and pull the decrypted copy onto the Mac.

Installing Dump.py

On your Mac, in a Terminal, execute these commands:
cd
cd frida 
git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
sudo pip3 install -r requirements.txt --upgrade
./dump.py
You see the "dump.py" help message, as shown below.

Linking Dump.py

This makes the "dump.py" script available from any directory.

On your Mac, in the Terminal you used to run "dump.py", execute this command, to show where "dump.py" is:

pwd
Execute these commands, adjusting the directory in the "ln" command to match the correct location of "dump.py":
ln -s /Users/sambowne/frida/frida-ios-dump/dump.py /usr/local/bin/dump-ipa
dump-ipa
You should see the "dump.py" help message again, as shown below.

Installing the Ringdahl EMS App

This is an App from a developer who often puts passwords in the source code of the apps. He rejected my vulnerability reports and told me to stop bothering him, so they're fair game for security projects now :)

Connect your iPhone to Wi-Fi. Open the App Store. Log in with an Apple account, creating a new one if necessary.

Search for the "Ringdahl EMS" App and install it, as shown below.

Launch the app. It asks for a password, as shown below.

Decrypting the App

On your Mac, in a Terminal, execute this command to list the apps on your phone:
dump-ipa -l
The "Ringdahl EMS" app should be on the list, as shown below.

On your Mac, in a Terminal, execute this command to decrypt the app and pull it from your phone onto your Mac.

You may have to relaunch the app and try the command a second time.

dump-ipa Ringdahl\ EMS
When it works, the app will be dumped to your Mac, as shown below.
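As an added example (not part of the original page or of frida-ios-dump), this Python script reads the Mach-O load commands of an executable and reports the LC_ENCRYPTION_INFO cryptid, so you can confirm the dump actually produced a decrypted binary before searching it. The Mach-O bytes it tests with are constructed inline; on a real dump, pass the path of the main executable inside Payload/apps4ems.app/ (thin arm64 binaries only, fat binaries are rejected).

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, same byte order as the reader
MH_CIGAM_64 = 0xCFFAEDFE          # 64-bit Mach-O, byte-swapped
LC_ENCRYPTION_INFO = 0x21         # 32-bit variant
LC_ENCRYPTION_INFO_64 = 0x2C      # 64-bit variant (arm64 App Store binaries)

def encryption_state(data):
    """Return (has_encryption_cmd, cryptid) for a thin 64-bit Mach-O image.
    cryptid == 1: still FairPlay-encrypted. cryptid == 0: decrypted, the dump worked."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        bo = "<"
    elif magic == MH_CIGAM_64:
        bo = ">"
    else:
        raise ValueError("not a thin 64-bit Mach-O (fat/universal binaries not handled)")
    ncmds, sizeofcmds = struct.unpack_from(bo + "II", data, 16)
    off, limit = 32, 32 + sizeofcmds          # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(bo + "II", data, off)
        if cmdsize < 8 or off + cmdsize > limit:
            raise ValueError("malformed load command table")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from(bo + "III", data, off + 8)
            return True, cryptid
        off += cmdsize
    return False, None

def build_sample(cryptid, include_cmd=True):
    """Constructed minimal arm64 Mach-O header for testing; not a real binary."""
    cmd = b""
    if include_cmd:
        # cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
        cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    # magic, cputype (arm64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2,
                         1 if include_cmd else 0, len(cmd), 0, 0)
    return header + cmd

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0)
    found, cryptid = encryption_state(blob)
    if not found:
        print("no LC_ENCRYPTION_INFO command: binary was never FairPlay-encrypted")
    else:
        print("cryptid =", cryptid, "(decrypted)" if cryptid == 0 else "(still encrypted)")
```

If the dumped binary still reports cryptid = 1, the dump ran before the app had fully loaded; relaunch the app on the phone and run dump-ipa again.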

Flag M 702.2: App Password (10 pts)

On your Mac, in a Terminal, execute this command to unzip the app and search the code for the password:
unzip Ringdahl\ EMS.ipa
cd Payload/apps4ems.app/
grep -ir password .
The password appears, covered by a green rectangle in the image below. That's the flag.

Using the Password

On your iPhone, in the app, enter the password.

You see the "protected" portion of the app, as shown below.

References

Many thanks to axi0mx for making the checkra1n jailbreak possible and showing me how to compile C code for the iPhone and debug it.

From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13


Posted 12-23-19
Flag number fixed 12-25-19