
iOS Application Security Part 4 – Runtime Analysis Using Cycript (Yahoo Weather App)

June 10, 2013 by Prateek Gianchandani

Introduction

In the previous article, we learnt about the runtime capabilities of an iOS app written in Objective-C that uses the Cocoa framework. In this article, we will look at how to use an essential tool named Cycript to analyze and modify the runtime of an iOS application. We will perform our analysis on the Yahoo Weather iOS app.


Cycript

Cycript is a JavaScript interpreter that also understands Objective-C syntax, meaning we can write Objective-C, JavaScript, or both in a single command. It can also hook into a running process and let us modify many things in the application at runtime. As far as iOS applications are concerned, here are some of the advantages of using Cycript.

  1. We can hook into a running process and find the names of all classes being used, i.e. the view controllers, the internal and third-party libraries, and even the name of the application delegate.
  2. For a particular class, i.e. a view controller, the app delegate or any other class, we can also find the names of all the methods being used.
  3. We can also find the names of all the instance variables and their values at any particular time during the runtime of an application.
  4. We can modify the values of instance variables during runtime.
  5. We can perform method swizzling, i.e. replace the code of a particular method with some other implementation.
  6. We can call any method in the application during runtime without that call being in the actual code of the application.

Installing Cycript

To install Cycript on your device, download the latest version from the official download page.


Once the package files have been downloaded to your system, upload them to your device using sftp.


Then use the dpkg command to install cycript on your device.


Then use the cycript command to check and see if everything is working.


Runtime modification with Cycript

In this article, we will be performing all our tests on the Yahoo Weather app. It's a very neat app with an elegant UI that provides information about the weather of different places.

Once the Yahoo Weather app has been installed, run it and make sure the app is in the foreground. This is because once the app is in the background, it is in the paused state and you can't do much with it. Once the app is running, you can hook into the running process by finding the PID of the weather app and then using the cycript -p command.


If the hooking is successful, you will be provided with a Cycript interpreter. Now we are all set. You can get the instance of the application by using the Objective-C syntax [UIApplication sharedApplication].


You can also define variables using the Cycript interpreter as shown in the figure below. In this case, I am defining a variable a for [UIApplication sharedApplication]. Note that the L.H.S. of this command is JavaScript whereas the R.H.S. is Objective-C syntax. This is the beauty of Cycript.


Cycript, by default, has this variable, which makes it easy to refer to the application instance.


To find the delegate class of this application, we can use the command [UIApplication sharedApplication].delegate. But since we already defined a variable a as the application instance, we can use the following command as shown in the figure below.


Hence, we now know that the delegate class name is YWAppDelegate. So the delegate files are defined as YWAppDelegate.h and YWAppDelegate.m. Now, let's try and call some methods in the app while it is running. A quick look at the application gives this kind of a picture.

As you can see, the status bar of the app is hidden. We can call a method in the application to unhide the status bar. Also, always make sure that the app is in the foreground while you are performing runtime analysis on the application.

And here is how the app looks now.


As you can see, the status bar is now visible. Let's try and see if we can modify the badge count of this particular application. A badge count is the number shown on the top-right of an application icon. It usually refers to the number of push notifications received for the application. In mail apps, it can also refer to the number of unread mails. In the Yahoo Weather app, there is no concept of push notifications and hence there is no count shown on the top-right of its app icon. However, the application badge number can be set locally in the app through a simple function call as well as remotely through a push notification from the server. Let's try and see if we can set the badge count for the app. Here is the Objective-C method that we need to call. In this case, I am setting the badge count to 999.


And now if we go back to the home screen, we see the badge count in the app.


Perfect !!

Let's now investigate further and see what else we can find out about the app. In order to find out the current view controller of the app, we must first find out the keyWindow property. A keyWindow is the window which is currently accepting user interaction (touch events). If you want to find out all the windows in an app, here is how you do it. Note that a window is of the class type UIWindow.


Now, in order to find out the keyWindow at a particular time in the app, here is how you do it.


Now, the root view controller for this window can be found by using the rootViewController property of the keyWindow. The root view controller is responsible for displaying the content in the window.


As you can see, the name of the rootViewController class is YahooSlidingViewController. From the name, it is pretty clear that this class is the slider used in the app as shown in the figure below.


Hence, this class basically acts as a facade over all the other view controllers. This means that whenever a menu item is chosen in the menu as shown in the figure above, the YahooSlidingViewController is the class responsible for displaying the appropriate view controller.
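The interpreter session this section walks through, written out as an added example (it is not taken from the article's original screenshots). The variable a, YWAppDelegate and YahooSlidingViewController come from the text; UIApp and the two UIKit setter calls are standard Cycript/UIKit names chosen here to match the steps described.

```cycript
// Added example, not from the original article.
// Attach first from the device shell, with the app in the foreground:
//   cycript -p <PID of the Yahoo Weather process>
// Returned object addresses differ on every run, so no output is shown.

// Application instance, written in Objective-C syntax.
[UIApplication sharedApplication]

// JavaScript variable on the left, Objective-C message send on the right.
var a = [UIApplication sharedApplication]

// Cycript's built-in shortcut for the same application instance.
UIApp

// Application delegate; the article reports its class as YWAppDelegate.
a.delegate

// Unhide the status bar (assumed UIKit setter for the step described).
[a setStatusBarHidden:NO]

// Set the icon badge count to 999, as in the article (assumed UIKit setter).
[a setApplicationIconBadgeNumber:999]

// Every window in the app; each element is a UIWindow.
a.windows

// The window currently accepting touch events.
a.keyWindow

// Root view controller of the key window; the article reports
// its class as YahooSlidingViewController.
a.keyWindow.rootViewController
```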

Conclusion

In this article, we looked at how we can install Cycript on a jailbroken device, hook into a running process and find out information about the properties of the application. We also looked at how we can call functions ourselves which are executed inside the sandbox of the application. In the next article, we will look at how we can find out all the methods of a given class and modify their implementation. We will also look at how we can modify the values of instance variables of a particular class.

References:

Cycript: http://www.cycript.org/

Cycript tricks: http://iphonedevwiki.net/index.php/Cycript_Tricks

Prateek Gianchandani

Prateek Gianchandani, a recent IIT graduate, has interests in the field of Penetration Testing, Web Application Security and Intrusion Detection. He is currently a researcher for InfoSec Institute. In the past he has worked for security-based startups.

You can contact him at prateek.searchingeye@gmail.com and on twitter @prateekg147 or you can visit his personal website at highaltitudehacks.com