iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...
iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ... iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...
Other Library Injection TechniquesFor things running from “launchd”, we can use a trick from CharlieMiller’s SMS fuzzing playbook.Find your /System/Library/LaunchDaemons/*.plist and addEnvironmentVariablesDYLD_FORCE_FLAT_NAMESPACE1DYLD_INSERT_LIBRARIES/path/to/your.dylibDino Dai Zovi’s “Machiavellian” bundle-inject’ion also works on iOS.(porting in progress… stay tuned)Copyright Trustwave 2010
ConclusionsLots of security research to be done on iPhones and mobiles in general• Objective-C runtime is a ripe area for rootkits and backdoors• Mach kernel features are just as intriguing on iOS as they are on OS X• In general, if you get good at hacking OS X and you’ll also be getting good atIOSMitigation• Conventional wisdom is that Jailbroken devices are more vulnerable.I think it’s more nuanced than that.• My take-away:Jailbreak your iPhone/iPad/iPod before someone else does it for you!• Once jailbroken treat it just like the other computers you own• Patches• Stripped services• Monitoring (periodic md5 filesystem checks are probably even that crazy)Copyright Trustwave 2010
- Page 5 and 6: iPhone/iOS Security Overview
- Page 7 and 8: Architecture OverviewApplications P
- Page 9 and 10: Application SecurityCode signing•
- Page 11 and 12: Jailbreaking Overview
- Page 13 and 14: Jailbreakme.com A Thing to Behold
- Page 15 and 16: What it looks likeVisit h'p://jailb
- Page 17 and 18: Weaponizing
- Page 19 and 20: Patch PlanReversing the installui.d
- Page 21 and 22: My “Big Fat Rootkit”… so farC
- Page 23 and 24: Set-upA vanilla un-jailbroken iPhon
- Page 25 and 26: Hardware: Mic and AudioAudio record
- Page 27 and 28: Dumping Process DataSeveral interes
- Page 29 and 30: Targeting iOS ApplicationsiOS isn
- Page 31 and 32: Demo App Backdoor
- Page 33 and 34: Binary Reversing Prep (continued…
- Page 35 and 36: No More SecretsHint: find the LC
- Page 37 and 38: Mach Binary Encryption (continued
- Page 39 and 40: What’s your point?For starters…
- Page 41 and 42: Objective-C Method HookingIt’s ca
- Page 43 and 44: Objective-C Method Hook ExampleLets
- Page 45: Injecting Our LibraryConventionally
- Page 49 and 50: Reversing Redux: The Binary “star
- Page 51 and 52: … continued: eggMalformed Times-
- Page 53 and 54: class-dump on installui.dylib (aka
ConclusionsLots of security research to be done on <strong>iPhone</strong>s <strong>an</strong>d mobiles in general• Objective-C runtime is a ripe area <strong>for</strong> rootkits <strong>an</strong>d backdoors• <strong>Mac</strong>h kernel features are just as intriguing on iOS as they are on OS X• In general, if you get good at hacking OS X <strong>an</strong>d you’ll also be getting good atIOSMitigation• Conventional wisdom is <strong>that</strong> Jailbroken devices are more vulnerable.I think it’s more nu<strong>an</strong>ced th<strong>an</strong> <strong>that</strong>.• My take-away:Jailbreak your <strong>iPhone</strong>/iPad/iPod be<strong>for</strong>e someone else does it <strong>for</strong> you!• Once jailbroken treat it just like the other computers you own• Patches• Stripped services• Monitoring (periodic md5 filesystem checks are probably even <strong>that</strong> crazy)Copyright Trustwave 2010