In this article, we will look at how we can use Introspy for black-box assessment of iOS applications. Introspy is developed by iSEC Partners and its GitHub page can be found here. Introspy consists of two separate modules, a tracer and an analyzer. It is undoubtedly one of the most powerful tools for analyzing the security of iOS applications.

The first step is to install the Introspy tracer on your device. You can download the Debian package from here. Once it is downloaded, upload it to your device and install it. The image below shows how to perform all the above mentioned steps.


Once the tracer has been installed on your device, reboot or respring it. Go to the Settings app and you will now see a separate section for Introspy.

The Introspy Apps section lets you choose the apps that you want to perform your analysis on. So go over to it and select the app that you want to analyze. In my case, I will select the Path app for analysis.

Now go over to the Introspy settings option and make sure every option is selected, especially the option Log to The Console. If we check this option, the Introspy analyzer will log all the information that it finds about the app to the device console, which allows us to see the information being logged during runtime.

Once the Path app has been selected, make sure it is not running. If it is running, quit it and restart the app again. Also make sure that your device is connected to your computer as we want to see the device logs that the Introspy analyzer will be logging. Also, open Xcode on your machine (if you are on a Mac), go to Window -> Organizer -> Devices. Choose your device from the menu on the left and select Console. You will now be able to see the device logs.


Now start the Path app and try to browse the app as much as possible. In the meantime, the analyzer will work in the background and collect as much information about the app as possible. You can see that it is logging info on the device as well. In this case, we can see a request being made to the server and we can see all the contents of the request, including the path and the query parameter.


And over here, you can see that the app is checking the NSUserDefaults for the userId key. This information should have been stored in the keychain instead.

But probably the most interesting piece of information can be found from the image below. As you can see, the app is checking NSUserDefaults for a bool value HangTracerEnabled. This could have been a check to see if the app is being traced during runtime and if so, quit the app. However, this technique seems to fail currently as it is not able to detect the Introspy analyzer. But when I ran Snoop-it to analyze the Path application, it crashed. So this bool value definitely seems to be a check to determine whether tracing is being enabled or not. We will look up this concept in later articles.

Apart from displaying the runtime information about the app in the Console, Introspy also saves it in a SQLite database file on your device. From your computer, you can fetch this database file and Introspy will convert it into a presentable format. To fetch the database files from your device, first download Introspy from its GitHub page. Then navigate inside the Analyzer folder and use the command as shown in the figure below. You will need to specify the directory in which the report will be put on your local machine as well as the IP address of your device.

As you can see, Introspy will ask you to select a database file. These database files are created for each application that we had selected from the Settings. In this case, let's select the database for the Path app.


You will see that the database file has been saved in the present directory and that a folder with the name Path-Report has been created. If we go inside that folder and open up the file report.html, this is what we see. As you can see, Introspy has displayed the complete information in a much more presentable format. We can see the list of traced calls along with the arguments that were passed.


We can also see a list of potential findings. These are basically the vulnerabilities that Introspy thinks it has found. In this case, we can see some Insecure Data Storage issues. It's not necessarily a vulnerability though, as the information that was written may not have been of much importance.


You can also customise the information that you want to see by selecting the options as shown in the image below.

For example, I have configured it to just show me the methods related to UserPreferences. This information can be very helpful as it can help us find some important information that may have been written to NSUserDefaults. Even though it is not shown in the image below, I was easily able to figure out that Path was saving my userId in NSUserDefaults and using it in a lot of other places. This information should have been stored in a more secure place, e.g. the keychain.


We can also analyze the saved database file directly from the command line. Here is the usage information.


Let’s use the info command on http. As you can see, it dumps a list of the endpoints.


Introspy can also be imported as a module and used in other Python scripts. We can also add our own signatures to flag vulnerabilities or insecure configurations. We will look into those concepts in later articles.
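
A check of the kind such a signature could perform, shown as an added example that is not Introspy's own code or API: it scans traced NSUserDefaults calls for identifier-like keys such as the userId case above. The table layout, argument format, key pattern and sample rows are constructed assumptions, not the tracer's actual database schema.

```python
import json
import re
import sqlite3
from collections import defaultdict

# Key names that suggest identifiers or secrets (assumed pattern, tune per app).
SENSITIVE_KEY = re.compile(r"(user_?id|token|passw(or)?d|secret|session|auth)", re.I)

# Constructed sample rows: (class, method, JSON-encoded arguments).
SAMPLE_CALLS = [
    ("NSUserDefaults", "objectForKey:", '{"defaultName": "userId"}'),
    ("NSUserDefaults", "setObject:forKey:", '{"defaultName": "userId", "value": "12345"}'),
    ("NSUserDefaults", "boolForKey:", '{"defaultName": "HangTracerEnabled"}'),
    ("NSUserDefaults", "objectForKey:", '{"defaultName": "userId"}'),
    ("NSURLConnection", "initWithRequest:delegate:", '{"url": "https://api.example.invalid/feed"}'),
    ("NSUserDefaults", "setObject:forKey:", "not-json"),
]

def build_sample_db():
    """Create an in-memory database using a hypothetical traced-call schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE traced_calls (class_name TEXT, method_name TEXT, args_json TEXT)")
    db.executemany("INSERT INTO traced_calls VALUES (?, ?, ?)", SAMPLE_CALLS)
    return db

def flag_sensitive_defaults(db):
    """Return {key: {"reads": n, "writes": n}} for sensitive-looking NSUserDefaults keys."""
    findings = defaultdict(lambda: {"reads": 0, "writes": 0})
    rows = db.execute(
        "SELECT method_name, args_json FROM traced_calls WHERE class_name = ?",
        ("NSUserDefaults",),
    )
    for method, args_json in rows:
        try:
            key = str(json.loads(args_json).get("defaultName", ""))
        except (ValueError, AttributeError):
            continue  # skip rows whose arguments cannot be parsed
        if not SENSITIVE_KEY.search(key):
            continue
        kind = "writes" if method.startswith("set") else "reads"
        findings[key][kind] += 1
    return dict(findings)

if __name__ == "__main__":
    for key, counts in flag_sensitive_defaults(build_sample_db()).items():
        print(f"Insecure Data Storage candidate: NSUserDefaults key {key!r} {counts}")
```

A flagged key is a candidate for review, not a confirmed finding: whether it matters depends on what the stored value is.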

Conclusion

In this article, we looked at how we can use Introspy to perform black-box assessment of iOS applications. Introspy consists of 2 modules, the Tracer and the Analyzer. We can use the Tracer to perform runtime analysis of the application. The Tracer can then store the results in a SQLite file, which can later be used by the Analyzer for analysis, or it can just log all the data to the device console. The Analyzer can also generate a detailed HTML report from the database file.
