Pentesting iOS Apps – Runtime Analysis and Manipulation – Andreas Kurtz
iSpeech
Security testing of mobile apps and their environment has become increasingly important in recent years. However, there is still a lack of testing methodologies and supporting tools. Accordingly, the objective of this presentation is to close that gap. As in any kind of software security assessment two different approaches do exist: static and dynamic analysis. While static analysis gives detailed insights into a mobile app, it is not always the most practicable way. To evaluate the security level of a mobile app within an economically reasonable timeframe, it is worthwhile to combine both, static and dynamic analysis. During this talk, I will explain the basic concepts of Objective-C and its runtime. Objective-C supports the concepts of reflection, also known as introspection. This describes the ability to examine and modify the structure and behavior (specifically the values, meta-data, properties and functions) of an object at runtime. Based on this dynamic nature of the Objective-C runtime, I will show how runtime analysis and manipulation eases security assessments of mobile apps. For this purpose, I will discuss the backgrounds, techniques, problems and solutions to Objective-C runtime analysis and manipulation. I will demonstrate how running applications can be extended with additional debugging and runtime tracing capabilities, and how this facilitates both dynamic and static analysis of Apple iOS apps. Moreover, a new tool to assist dynamic analysis and security assessments of iOS Apps will be introduced and demonstrated. This tool allows on-the-fly manipulations of arbitrary iOS Apps with an easy-to-use graphical user interface. Thus, bypassing client-side restrictions or unlocking additional features and premium content of Apps is going to be a child's play.
2013-07-29 18:38:40
source
Gloss