iOS & Android Internals (Sommersemester 2024)

Dozent: Dr. Jiska Classen (Cybersecurity - Mobile & Wireless)

Allgemeine Information

• Semesterwochenstunden: 2
• ECTS: 3
• Benotet: Ja
• Einschreibefrist: 01.04.2024-08.04.2024
• Lehrform: Seminar
• Belegungsart: Wahlpflichtmodul
• Lehrsprache: Englisch
• Maximale Teilnehmerzahl: 8

Studiengänge, Modulgruppen & Module

Beschreibung

iOS App Fundamentals

Learning Objectives:

Students will have the understanding and means to perform basic static and dynamic reverse-engineering of iOS apps to identify and trace the execution of interesting functions, and write scripts to exercise the corresponding code-paths.

Topic Overview:

• Apple’s public documentation and source code.
• Attack surface and threat modeling: How to approach an App from a security point of view.
• The Apple App Store security model: Code signing, App Review, Entitlements, the iOS sandbox, and TCC.
• The internal structure of an iOS application: metadata and resources in Application Bundles, third-party frameworks, AppExtensions, and Mach-O internals, FairPlay DRM & decrypting iOS Apps, introduction to the DYLD Shared Cache.
• Static analysis: Introduction to Ghidra, navigating through larger binaries, Objective-C and Swift calling conventions and name mangling.
• Dynamic Analysis with Frida: initial approaches using frida-trace, combining static and dynamic analysis, writing stand-alone Frida scripts, hooking functions.

iOS User-Space Internal: Fuzzing, GCD, XPC

Learning Objectives:

Students will be able to write basic fuzzers to find bugs, read the crash logs, and understand how to identify the underlying vulnerabilities. Students will furthermore understand asynchronous and multi-threaded programming on iOS and be able to follow execution both statically and dynamically. By applying their understanding of the iOS sandbox to XPC, students will be able to assess the security impact of communication between Apps, AppExtensions, and iOS daemons.

Topic Overview:

• Introduction to Fuzzing: corpus and input mutation, harnessing using Frida, in-place harnessing, coverage-guidance collecting coverage using Frida Stalker.
• Reading and interpreting crash logs.
• Outlook to more advanced fuzzing techniques: sanitizers, persistent fuzzing, snapshot fuzzing, CmpCov & CmpLog, testcase & corpus minimization.
• Asynchronous programming: Grand Central Dispatch (GCD), threading, Static analysis of asynchronous programming patterns: reverse-engineering blocks in Objective-C and Swift.
• Apps & daemons: XPC, entitlements and access-control, tracing XPC messages.

Below User-Space: iOS Kernel & Firmware

Learning Objectives:

Through their understanding of mach messages, syscalls, and IOKit calls, students will be able to follow how user-space applications interact with the iOS kernel through syscalls and IOKit. Furthermore, students will be able to get started reverse engineering custom firmware implementations using Apple’s RTKit RTOS. As an outlook, students are able to put the concepts of the complete three-day course in the context of current public security research.

Topic Overview:

• iOS kernel overview: main components, drivers, and open-source.
• Where user space meets kernel space: IOKit drivers and syscalls.
• Understanding internals of IOKit drivers: driver structure, naming functions being called in the kernel, understanding and reverse engineering of IOKit message contents
• Mach Messages everywhere – a look at what interactions are implemented via Mach Messages and how.
• Beyond the AP – The Co-Processors in an iPhone
• RTKit firmware – Apple’s internal firmware formats (Mach-O, ftab), main RTKitOS components.
• Discussion of real-world applicability of learnt techniques using recent public research.

Android Security & Mobile Testing Tools

Learning Objectives:

Students will understand fundamental differences between Android and iOS Apps from a reverse engineering perspective, adapting the methods learned on iOS to the Java ecosystem used on Android.

Topic Overview:

• The internal structure of an Android app.
• Static analysis of applications written in Java/Kotlin.
• Android specifics: Java virtualization, native libraries, JNI, …
• Dynamic instrumentation of applications that mix Java and native code.
• Android security boundaries: Intents, content providers, Binder.
• Android permission system: Sandboxing, SELinux, Package Manager, Binder.
• Using existing tools to bypass TLS certificate pinning, root/jailbreak detection, and modifying SQLite databases.

Voraussetzungen

Language

If all students speak German, the course will be held in German. Otherwise, the course language is English.

Required Knowledge

Students will need to feel comfortable using a Linux/macOS command-line. While familiarity with JavaScript and Python are helpful, understanding of common scripting language concepts is sufficient to follow the course and complete exercises, as we will be referring to examples and documentation and providing guidance where required.

Technical Requirements

We will provide physical iPhones during the iOS exercises. If you already have an iPhone that you'd like to bring and jailbreak on your own, please let us know so that we can help you with a setup. The most recent working jailbreaks are palera1n and Dopamine 2, please do not attempt to install anything else, as this might be malware. Generally, do not jailbreak devices with personal data on them, for security reasons.

We will be providing a (x86_64) virtual machine image with all required tooling. Students will need to use a laptop capable of running a virtual machine with internet connectivity, USB pass-through (when using a physical device) at 16GiB of RAM and 40GB of free disk space. All required tools can be installed on Linux and macOS natively, especially for students who can only use an Apple M1/M2 laptop.

Windows & WSL are not supported.

Leistungserfassung

You'll learn all the basics about applied mobile security and low-level system internals during the two weekends. The grading is based on practical CTF challenges that you build based on the knowledge gained during the course.

• Create one or two CTF-style mobile security challenges (number of challenges depends on their complexity).
• During a final event at the end of the semester, we will host and test these challenges.
• Your grade will be based on the quality of the CTF challenges.

Termine

The lecture part is organized as a block seminar and takes place on the following weekends:

• April 12-14 (Friday–Sunday, 10:00-17:00)
• April 26-28 (Friday–Sunday, 10:00-17:00)

Zurück