Project 2x: Reverse Engineering an iPhone App (20 pts.)

What You Need

Get Homebrew

You need to install Homebrew on your Mac. Here are some guides to do that:

Connect to the iPhone With USB

Plug in a cable connecting your iPhone to the Mac.

On the Mac, in a Terminal window, execute these commands to install libimobiledevice and start a proxy that listens on port 2222 on the Mac and forwards each connection to port 22 (the SSH server) on the iPhone over the USB cable.

brew install libimobiledevice

iproxy 2222 22

Leave this window open, as shown below.

In a new Terminal window, execute this command:

ssh -p 2222 root@localhost

Agree to connect by typing yes, and enter the password toor1

You should see a root command prompt, as shown below.

Task 1: Exploring the Built-in Maps Application

Exploring iPhone Applications

In the SSH window, execute these commands to see all the installed applications:
cd /Applications

ls

Each application on the phone has a directory here.

Exploring the Maps App

In the SSH window, execute these commands to see more about the Maps app:
cd Maps.app

ls

These are all the files used by the Maps app. The executable that launches the app is named "Maps", and it appears in green on the left side of the image below.

Pulling the Maps Executable Via SFTP

We want to copy the executable file to the Mac for further analysis. We can do that with SFTP (the SSH File Transfer Protocol), which runs over the same SSH connection.

Open a new Terminal window and execute this command:

sftp -P 2222 root@localhost

Enter the password toor1

You should see an "sftp>" prompt, as shown below.

At the "sftp>" prompt, execute these commands:

get /Applications/Maps.app/Maps

quit

The file is transferred to the Mac, as shown below.

In the same Terminal window, execute this command to see the local file:

ls -l Maps
You should see the local file, approximately 3 MB in size, as shown below.

Exploring the Maps App on the iPhone

On the iPhone, from the home screen, tap Maps.

In the search box, enter

50 Phelan Ave., San Francisco
The address is found, as shown below.

Tap the rightward-pointing arrow.

In the next screen, notice the "Directions to here" option, as shown below.

Installing Class-Dump

Class-dump extracts the Objective-C class declarations (interfaces, methods, and instance variables) from a compiled binary, letting us see the structure of an iOS app without its source code.

On your Mac computer, in a Web browser, go to

http://stevenygard.com/projects/class-dump/

Download the class-dump-3.5.dmg file, and double-click it. A window shows the single executable inside it, as shown below.

Drag the class-dump icon out of this window and drop it on your Mac's desktop.

In a Terminal window, execute this command to copy the class-dump executable to the /usr/local/bin directory:

cp ~/Desktop/class-dump /usr/local/bin

In a Terminal window, execute this command to see the class-dump help message:

class-dump

As shown below, class-dump works on "Mach-O" files, the executable format used by iPhone apps.

Examining Classes in the Maps App

In a Terminal window, execute this command:
class-dump Maps
Many pages of data scroll by too quickly to read. It'll be more helpful to put that in a text file.

In a Terminal window, execute this command, replacing YOURNAME with your own name.

class-dump Maps > Maps-YOURNAME
This puts the data in a file named "Maps-YOURNAME". Now execute this command to find the text "directionsto" with a case-insensitive search:
grep -i directionsto Maps-YOURNAME
As shown below, there's an item at the end that looks like a function to implement this action:

Execute this command to open the file in a graphical text editor:

open -a TextEdit Maps-YOURNAME
Press Command+F and search for
_directionsToAddress
You see the method that performs the "Directions To" function. As shown below, this method is part of the "PlaceViewController" interface.

Saving a Screen Image

Make sure the _directionsToAddress method and the filename containing YOURNAME are visible.

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 2xa", replacing "YOUR NAME" with your real name.

Task 2: Exploring an App from the App Store

Apps from the App Store are different in two ways from built-in apps:

1. The apps are stored in a different location: /var/mobile/Applications/

2. Unlike the apps that come preinstalled with the device, App Store apps are encrypted with Apple's FairPlay DRM, so the executable must be decrypted before class-dump can read its class information. We'll use the "Clutch" utility to decrypt them.

Installing Stitcher

This is just a random app to investigate. I chose it because the Android version has egregious security flaws, and the company ignored my reports and never fixed them, so I expect the iPhone app to have flaws too.

On the iPhone, from the home screen, tap "App Store".

Search for stitcher. Install "Stitcher Radio for Podcasts", as shown below, by tapping GET and tapping INSTALL.

If you need to log in to install the app, use these credentials:

Installing Clutch

Clutch is the utility we need to decrypt Apps from the App Store.

On the iPhone, open Cydia.

If you are prompted to upgrade, tap "Complete Upgrade".

At the bottom, tap Sources.

At the top right, tap Edit.

At the top left, tap Add.

Enter http://cydia.iphonecake.com/ and tap "Add Source".

Tap "Add Anyway".

Wait while files download. When the downloads are done, tap "Return to Cydia".

When I did it, some sources failed to download, as shown below. I had to move to a place with a better Wi-Fi signal and Refresh the sources to complete the downloads.

Troubleshooting

If you can't find Clutch, try adding this repository:

http://repo.xarold.com

In Cydia, at the bottom right, tap Search.

Search for Clutch, as shown below.

At the top right, tap Modify. Tap Install. Tap Confirm.

When the download is complete, tap "Return to Cydia".

You should have an SSH session open, connected to your iPhone via USB. If you don't, open one now, as you did at the start of this project.

In the ssh session, execute this command:

Clutch
You get a "Permission denied" error, as shown below.

This error is easy to fix. Execute this command to see the problem:

ls -l /usr/bin/Clutch*
As shown below, "Clutch" is a symbolic link to "Clutch2", and although the link is executable, the actual binary file is not.

To fix it, execute this command:

chmod a+x /usr/bin/Clutch2
Now execute this command again:
Clutch
Clutch runs, showing a help message, as shown below.
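The "Permission denied" error above comes from the execute bit being missing on the link target, not on the link itself (a symbolic link always shows as executable in ls -l). The following shell helpers, added here as an example and not part of the original project page, resolve a symlink by hand and check or fix the execute bit on the real file, generalizing the ls -l and chmod a+x steps for /usr/bin/Clutch. The function names and the Clutch/Clutch2 file names used in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original project page): a "Permission denied"
# for a command that is a symbolic link usually means the link TARGET lacks
# the execute bit; the link itself always looks executable in ls -l.
# These helpers resolve the link and check/fix the target.
#
# Usage: check_exec_target /usr/bin/Clutch
#        fix_exec_target /usr/bin/Clutch

# resolve_link PATH: print PATH with symbolic links followed, one hop at a
# time (readlink -f is not available on older macOS, so do it by hand).
resolve_link() {
    target="$1"
    hops=0
    while [ -L "$target" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || { echo "too many symlink hops: $1" >&2; return 2; }
        link=$(readlink "$target") || return 2
        case "$link" in
            /*) target="$link" ;;                          # absolute link
            *)  target="$(dirname "$target")/$link" ;;     # relative to link's dir
        esac
    done
    printf '%s\n' "$target"
}

# check_exec_target PATH: return 0 if the resolved target is executable,
# 1 otherwise, printing the diagnosis on stdout.
check_exec_target() {
    target=$(resolve_link "$1") || return 2
    if [ -x "$target" ]; then
        printf 'ok: %s -> %s\n' "$1" "$target"
        return 0
    fi
    printf 'target not executable: %s -> %s\n' "$1" "$target"
    return 1
}

# fix_exec_target PATH: add the execute bit to the resolved target when
# check_exec_target reports it missing (the same as chmod a+x Clutch2).
fix_exec_target() {
    if check_exec_target "$1" >/dev/null; then
        return 0
    fi
    target=$(resolve_link "$1") || return 2
    chmod a+x "$target"
}
```

On the phone, `check_exec_target /usr/bin/Clutch` reports the Clutch2 target as not executable before the fix and "ok" afterwards; the same check works for any command that is installed as a link.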

Decrypting Stitcher with Clutch

In the ssh session, execute this command to see all installed apps from the App Store:
Clutch -i
There's only one app, "Stitcher", as shown below.

In the ssh session, execute this command to decrypt Stitcher:

Clutch -d com.stitcher.player
Clutch decrypts the Stitcher app and puts it into a file ending in ".ipa", as shown below.

Pulling the Stitcher IPA File Via SFTP

We want to copy the IPA file to the Mac for further analysis. We can do that with SFTP (the SSH File Transfer Protocol), as we did for the Maps executable.

Open a new Terminal window and execute this command:

sftp -P 2222 root@localhost

Enter the password toor1

You should see an "sftp>" prompt, as shown below.

At the "sftp>" prompt, execute these commands:

get /private/var/mobile/Documents/Dumped/com.stitcher.player-iOS7.0-(Clutch-2.0.4).ipa

quit

The file is transferred to the Mac, as shown below.

In the same Terminal window, execute this command to see the local file:

ls -l com.stitch*
You should see the local file, approximately 30 MB in size, as shown below.

Unzipping the IPA File

In a Terminal window, execute these commands, replacing YOURNAME with your own name:
mkdir YOURNAME

cd YOURNAME

mv ../com.stitcher.player-iOS7.0-\(Clutch-2.0.4\).ipa .

unzip com.stitcher.player-iOS7.0-\(Clutch-2.0.4\).ipa
A long list of files scrolls by, as the entire app is unzipped, as shown below.

In the same Terminal window, execute these commands:

cd Payload/Stitcher.app

ls -l
A long list of files scrolls by: these are the images and other files used by Stitcher, as shown below.

Scroll up and find the "Stitcher" file, which is the main executable file that launches the app. It's a large file, approximately 16 MB in size, as shown below.

Examining Classes in the Stitcher App

In the same Terminal window, execute these commands replacing YOURNAME with your own name:
class-dump Stitcher > Stitcher-YOURNAME

grep -i password Stitcher-YOURNAME
This shows all references to "password". One interesting item is the decryptPassword method, as shown below.

In the Android app, the password was encrypted with a slightly modified Caesar cipher. This method is worth examining to see if that's also true of the iPhone app.

Execute this command to open the file in a graphical text editor:

open -a TextEdit Stitcher-YOURNAME
Press Command+F and search for
decryptPassword
You see the decryptPassword method, as shown below.

Saving a Screen Image

Make sure the decryptPassword method and the filename containing YOURNAME are visible.

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 2xb", replacing "YOUR NAME" with your real name.

Finding the Interface

Scroll up to see the Interface that contains the "decryptPassword" method. It's named "User", as shown below.
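Both here and in Task 1, the last step is to find which @interface contains the method that grep located, which means scrolling up through the dump in TextEdit. The following shell function, added as an example and not part of the original project page, does that lookup in one step: awk tracks the current @interface or @protocol in class-dump output and prints the owner of every method declaration matching a case-insensitive pattern. The class-dump sample it writes is constructed for the demo, and the method signatures in it are assumptions, not the real Maps or Stitcher dumps.

```shell
#!/bin/sh
# Added example (not from the original project page): report which
# @interface declares each method matching a pattern in class-dump output,
# so you need not scroll up to find the enclosing interface.
#
# Usage: find_method_owner Maps-YOURNAME directionsto
#        find_method_owner Stitcher-YOURNAME decryptpassword

# find_method_owner FILE PATTERN
# Prints "Owner: <method declaration>" for each method line matching PATTERN
# (case-insensitive; PATTERN uses awk regular-expression syntax).
find_method_owner() {
    awk -v pat="$2" '
        BEGIN { lpat = tolower(pat) }
        # "@interface Name : Super" or "@interface Name (Category)"
        /^@interface/ { owner = $2; sub(/[:(].*/, "", owner); next }
        /^@protocol/  { owner = $2; sub(/[<(].*/, "", owner); next }
        /^@end/       { owner = ""; next }
        # class-dump method lines start with "- (" or "+ ("
        /^[-+] \(/ && tolower($0) ~ lpat { print owner ": " $0 }
    ' "$1"
}

# make_sample_dump: writes a small CONSTRUCTED class-dump-style file (the
# signatures are assumptions, not the real Maps/Stitcher output) and
# prints its path, so the function can be tried without a jailbroken phone.
make_sample_dump() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
@interface PlaceViewController : UIViewController
{
    id _place;
}
- (void)_directionsToAddress;
- (void)_directionsFromAddress;
@end

@interface User : NSObject
{
    NSString *_password;
}
- (id)decryptPassword:(id)arg1;
- (id)encryptPassword:(id)arg1;
@end
EOF
    printf '%s\n' "$f"
}

# Run against a real dump when invoked with FILE and PATTERN arguments.
if [ "$#" -ge 2 ]; then
    find_method_owner "$1" "$2"
fi
```

On the sample file, `find_method_owner "$f" directionsto` prints the PlaceViewController line and `find_method_owner "$f" decryptpassword` prints the User line; run it on Maps-YOURNAME or Stitcher-YOURNAME to get the same answer for the real dumps.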

Turning in your Project

Email the images to cnit.128sam@gmail.com with the subject line: Proj 2x from YOUR NAME


Posted 1-24-17
Revised 2-22-17