IOS Application Security Part 22 - Runtime Analysis and Manipulation using GDB
In this article, we will look at how we can use GDB to perform runtime analysis of IOS applications. In the previous articles, we have looked at how we can use Cycript to analyze and manipulate the runtime behaviour of IOS applications. We have learnt how we can perform method swizzling and have our own methods being called instead of the original implementations. So why we do need GDB ? Well, what Cycript doesn't allow us to do yet is set breakpoints and alter the values of variables and registers after a particular instruction. With GDB, we can dive deep into the application, observe the low level assembly instructions, manipulate the values in the registers and hence change the application flow completely.
For this demo, you can download the sample application GDB-Demo from my github account. Then make sure to install and run it on the device. If you don't have a registered developer account to run this on your device, you can follow the instruction mentioned here. I would also recommend that you have a look at the previous article on GDB in this series before going ahead with this one. This application is just a single view application that prompts for a username/password combination to log you in. It then validates the credentials entered locally and logs you in if the username/password combination is correct.
11 courses, 8+ hours of training
Once the application is installed on your device, ssh into it.
Then start the GDB-Demo application on your device. In GDB, attach to the running process by using the command attach GDB-Demo.PID. Here PID is the process ID of the GDB-Demo app. It can be different in your case. Just type attach GDB-Demo and hit TAB. This will give you the correct process along with its PID appended to it. Once you hit enter, GDB will hook into the running process.
From the previous article, we already know about the class information about this app. We know it has a method named loginButtonTapped. So we set a breakpoint for it and press c to continue the application.
Now, lets enter any username/password combination and press Login. This will trigger the breakpoint.
Use the disas to print the disassembly for this function. Now we know that the validation is happening inside this function as we couldn't see any other relevant method name from the class information of this application that would be of interest.
From the previous article, we also learnt that whenever an external method is called or a property is accessed, the objc_msgSend function is called. But there are thousands of objc_msgSend calls called in any application. We should only be concerned with the objc_msgSend calls related to this function. So we find out the addresses of all the instructions that call objc_msgSend and set a breakpoint for it. A very simple way to do it is to look for the blx instruction, note its address and set a breakpoint for it.
Alright, i have set the breakpoint for some of the coming objc_msgSend calls in this function. Now we move through every objc_msgSend instruction one by one, print out the registers and see if there is anything of interest. We are printing out the value of r1 with every objc_msgSend call here. Then if there is nothing of interest, we just type c to continue until the next breakpoint is hit.
Ok, here is something of interest. If we look at the very bottom, we see that the method isEqualToString: gets called. Hence there is a comparison with a particular string. And from the knowledge gained in the previous articles we know that the r2 register will contain the argument to this function. Also, if you have some experience of writing Objective-C code, you will know that every object in Objective-C is a pointer. And this function isEqualToString: will also accept a string pointer as argment, which will be inside the r2 register. To find out the actual value of the object, GDB has a specific command po that can print the value of the pointer contained in the register.
Ok, so the string being compared is Admin. This looks like the username. Looks like half the job is done. Optionally, you could also have printed out the value of r2 in this way.
Now a wise thing to do here would be enter the username as Admin in the app again. This is because the flow may not reach a point where the password is being checked. So now lets enter the username as Admin and enter anything as password. Now lets sets the breakpoints again and see if we can figure out the password as well. After some time doing the same process, we hit another breakpoint where the method isEqualToString: is being called. On printing the value of r2, we can see that the password is HELLOIOSAPPLICATIONEXPERTS.
So now lets enter the username/password combination that we just found out and we can see that we will be authenticated.
Another way to achieve the same thing would have been to manipulate the values in the registers. In the disassembly code, we can see that there are 2 cmp instructions.
In both the cases, the value of the r0 register is checked against the value 0 and a decision is made after that. Lets set a breakpoint for both these instructions and continue the application.
Once the breakpoint is hit, set the value of r0 register to 1. You can do this by using the command set $r0 = 1. Repeat this for the other breakpoint as well and continue the application. You will see that you are logged in again without even entering the correct username/password combination.
And BTW, here is the code for the function loginButtonTapped: that we just busted.
[c]
- (IBAction)loginButtonTapped:(id)sender {
if([_usernameTextField.text isEqualToString:@"Admin"] && [_passwordTextField.text isEqualToString:@"HELLOIOSAPPLICATIONEXPERTS"]){
[self performSegueWithIdentifier:@"adminPage" sender:self];
}else{
[[[UIAlertView alloc] initWithTitle:@"Error" message:@"Incorrect Username or password" delegate:nil cancelButtonTitle:@"Ok" otherButtonTitles:nil] show];
}
}
In this article, we looked at how we can use GDB to manipulate the application flow during runtime. Knowledege of GDB is beneficial specially in cases like these where the whole logic is contained inside one function and we cannot use method swizzling techniques using Cycript. With good knowledege of ARM assembly and GDB, the ability to modify the application behaviour and manipulate the application flow is just upto your imagination.
In this Series
- IOS Application Security Part 22 - Runtime Analysis and Manipulation using GDB
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security