Basic iOS Static Analysis Using Linux

Musings of Ghojaria
Oct 31, 2022

Introduction:

In this blog, we will look at how to perform static analysis of iOS applications using Linux. Before starting, you should have the automated scan result for the .ipa file (from MobSF) and the extracted <application>.app directory, so that each reported vulnerability can be verified manually.

It is highly recommended to use MobSF for the automated scan. It is an open-source static and dynamic analysis tool for both Android and iOS that can be used to quickly detect major issues in an Android/iOS application.

The Good Stuff:

Earlier, there was a dependency on Mac OS to verify certain issues or vulnerabilities raised by MobSF such as

  1. Weak Hashing Algorithm
  2. Insecure Random Functions
  3. Insecure Malloc Function etc.

Moreover, neither MobSF nor the Mac OS tools give you the exact location of the vulnerability. With Linux, we can find the exact location and the affected file name for each vulnerability. Let's get started.

Details of grep pattern selection and interpretation used in this blog

Weak Hashing Algorithm: Cryptographic hash algorithms such as MD5 and SHA-1 are no longer considered secure because collisions are practical (little computational effort is enough to find two or more different inputs that produce the same hash). Hashes produced with them can also be cracked using websites backed by large lookup databases or a tool like hashcat.

grep -iER "_CC_MD5"

grep -iER "_CC_SHA1"

Insecure Random Function: "random()" is predictable. There are two classes of generator, the PRNG (Pseudo Random Number Generator) and the CSPRNG (Cryptographically Secure Pseudo Random Number Generator), and the developer community recommends using a CSPRNG to generate random numbers.

grep -iER "_random"

Insecure Malloc Function: the "malloc()" function is used for dynamic allocation of memory. Its presence indicates that the application performs manual memory management, the opposite of ARC (Automatic Reference Counting). Because the allocated memory is uninitialized, it poses a memory corruption threat. The greps below cover the related unsafe C functions as well:

grep -iER "_strlen"

grep -iER "_memcpy"

grep -iER "_sscanf"

grep -iER "_strncpy"

grep -iER "_sprintf"

grep -iER "_printf"

Similarly, you can look for other insecure APIs using the syntax grep -iER "<API>".
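The symbol sweeps above, collected into one script so that every hit is reported as "file:symbol". This is an added example, not the post's own commands: it assumes an unpacked <application>.app directory, reuses the post's grep patterns, and builds a constructed fake bundle so it can be run offline.

```shell
#!/bin/sh
# Added example: sweep an extracted <application>.app directory for the
# symbols the post greps for and print "path/to/binary:symbol" per hit.
# The pattern grouping and the bundle layout are assumptions.

# Symbol patterns from the post, grouped by the finding they indicate.
WEAK_HASH='_CC_MD5|_CC_SHA1'
WEAK_RANDOM='_random'
UNSAFE_C='_malloc|_strlen|_memcpy|_sscanf|_strncpy|_sprintf|_printf'

# scan_app DIR PATTERN: recurse into DIR (-R), treat Mach-O binaries as
# text (-a), print only the matched symbol (-o), case-insensitive extended
# regex (-iE). Output lines look like "Demo.app/Demo:_CC_MD5", de-duplicated.
scan_app() {
    grep -RaoiE "$2" "$1" 2>/dev/null | sort -u
}

# report DIR: run all three sweeps; returns 0 only when nothing was found,
# so it can gate a CI step.
report() {
    found=0
    for p in "$WEAK_HASH" "$WEAK_RANDOM" "$UNSAFE_C"; do
        hits=$(scan_app "$1" "$p")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# make_fixture: constructed stand-in for an extracted bundle: a fake binary
# holding two weak symbols plus _arc4random (which "_random" does not match,
# since the underscore must directly precede "random"), and a clean plist.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/Demo.app"
    printf 'junk\0_CC_MD5\0_memcpy\0_arc4random\0' > "$d/Demo.app/Demo"
    printf 'nothing here\n' > "$d/Demo.app/Info.plist"
    echo "$d/Demo.app"
}
```

Run it against a real bundle with `report /path/to/App.app`; the fixture only exists to show the expected output shape.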

PIE (Position Independent Executable): It is a security feature that allows the application to use ASLR. The app must be compiled with the flags -fPIE -pie. Each time a PIE is run, the binary and all of its dependencies are loaded at random locations in virtual memory, which makes ROP attacks much more difficult to execute reliably.

grep PIE

Automatic Reference Counting (ARC): It is a compiler feature that provides automatic memory management of Objective-C objects. It decreases the probability of memory corruption errors caused by the application.

grep objc_release

To Check if the Binary is Encrypted: the LC_ENCRYPTION_INFO load command carries a cryptid field. If cryptid is 0, the application is not encrypted; otherwise, it is encrypted.

grep -A5 LC_ENCRYPT

Conclusion

With this, we have a basic understanding of how to perform static analysis of iOS applications using Linux.

Thanks, everyone for your time. Hope you enjoyed reading it.

If you have any questions or just want to have a chat, please ping me on LinkedIn: Isa-Ghojaria