Reversing + mitm android & iphone app

Updated - It's been a while since i last look at android app and smali.
Here is my current setup with hostapd, dhcpd, burp proxy and some tips on unpacking apk and working with smali code:

Hardware: AWUS051NH

hostapd.conf

#/etc/hostapd/hostapd.conf
interface=wlan1  
driver=nl80211  
ssid=wirelesspentest  
channel=1  
macaddr_acl=0  
auth_algs=1  
ignore_broadcast_ssid=0  
wpa=3  
wpa_passphrase=<WPA PASSPHRASE HERE>  
wpa_key_mgmt=WPA-PSK  
wpa_pairwise=TKIP  
rsn_pairwise=CCMP

/etc/dhcp/dhcpd.conf

ddns-update-style none;  
ignore client-updates;  
pid-file-name "/tmp/dhcpd.pid" ;  
authoritative;  
option local-wpad code 252 = text;

 subnet
 12.0.0.0 netmask 255.255.255.0 {
 # --- default gateway
 option routers
 12.0.0.1;
 # --- Netmask
 option subnet-mask
 255.255.255.0;
 # --- Broadcast Address
 option broadcast-address
 12.0.0.255;
 # --- Domain name servers, tells the clients which DNS servers to use.
 option domain-name-servers
 12.0.0.1, 8.8.8.8, 8.8.4.4;
 option time-offset
 0;
 range 12.0.0.3 12.0.0.13;
 default-lease-time 1209600;
 max-lease-time 1814400;
 }

Then you need to run the following commands to start all services (hostapd and dhcpd in background) and the right ip table forwarding/nat rules (change eth0 to the right interface).Note that you can also put all these into a shell script and replace wlan1 with $1 to execute on chosen interface (after modifying config files if required):

ifconfig wlan1 up 12.0.0.1 netmask 255.255.255.0  
hostapd /etc/hostapd/hostapd.conf -B  
dhcpd wlan1 &

sysctl -w net.ipv4.ip_forward=1  
iptables --flush  
iptables --table nat --flush  
iptables --delete-chain  
iptables --table nat --delete-chain  
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE  
iptables --append FORWARD --in-interface wlan1 -j ACCEPT

on android or iphone/ipad device, after configuring Proxy setting to point to 12.0.0.1 on port 8080, you need to trust Burp CA certificate.

On your phone, go to http://burp in the browser and download/install the CA certificate. (See upper right corner in the screenshot below)

On Android device, you will need a file explore tools like fx or terminal tool to rename the downloaded certificate file from cacert.der to cacert.crt. Then you can go into Setting > Security > Install from storage (under credential storage) . If you are prompt for Credential storage password on nexus 5, try removing your current screen lock (pattern or whatever you are using) and import the cert again.

Now you are ready to MITM your traffic. Other tools that i use along with these are fakedns, mallory whenever necessary.

I also use sftp on my nix box to transfer file with the phone using fx file explorer which can be extremely useful. Android device was rooted and has sshd installed.

Android smali notes:

Requirement:

Install java sdk (in ubuntu):

sudo apt-add-repository ppa:webupd8team/java  
sudo apt-get update  
sudo apt-get install oracle-java8-installer  

Download latest apktool and the wrapper script, change apktool_.jar to apktool.jar and copy both apktool wrapper script and the jar file to /bin/.

Now we have apktool, keytool and jarsigner(installed with Java SDK)

generate an RSA key used for re-sign android app.

keytool -genkey -v -keystore awesome.keystore -alias awesome_alias_name -keyalg RSA -validity 10000  

In some latest android apps, you probably want to get the framework-res.ask and SystemUI.apk from the device:

  • /system/framework/framework-res.apk
  • /system/priv-app/SystemUI/SystemUI.apk

install these frameworks and SystemUI files:

java -jar apktool.jar if framework-res.apk  
java -jar apktool.jar if SystemUI.apk  

unpack apk file:

java -jar apktool_2.0.0rc3.jar d <apk file>.apk  

this is when you modify smali code to make sure public key verification always return true or bypass any inconvenience checks. Also check out assets folders and other resources. Also, if rebuilding apk has some issues with public.xml, you may want to use "-r" switch to not decompile resource files.

repack apk file:

java -jar apktool_2.0.0rc3.jar b <apk unpacked folder>  

your new apk file will now be stored in apk unpacked folder/dist/ folder.

let's sign the app and upload it to our android device.

jarsigner -verbose -keystore awesome.keystore <apk unpacked folder>/dist/<apk file>.apk awesome_alias_name  

When installing the apk, make sure your setting on the android phone (Setting > Security > Unknown sources) is enabled.

Bypass cert pinning in some android apps

So while reversing and digging through a pile of smali code for various apps, i found an interesting way to turn off cert pinning on these app (of course you will modify the apk so it is for research purpose purely). This will help if you want to mess with the traffic or play with the API. So what you want to look for is this magic string "checkServerTrusted" in all the smali files grep -R checkServerTrusted *

There will be quite a few references, you need to find the actual code that do this check which is fairly big and ignore any other references. Once you find it, all you need to do is insert return-void just a few line down the code and repackage the app.

Check oem for fastboot command

adb shell  
su  
ls -all /dev/block/bootdevice/by-name | grep 'aboot ->'  
dd if=/dev/block/{whatever came up} of=/sdcard/aboot.img  
strings /sdcard/aboot.img | grep oem  

Iphone notes

Notes: This is pretty much a copy from my old blog with minor validation using tools on my macbook pro. The blog post were written 2 years ago and may have already been out of date.

Mach-O remove signature block (LC_CODE_SIGNATURE)

"Thin" your application using ditto:

ditto --arch i386 <application name>  

Run **otool -l <app> and check if LCCODESIGNATURE is the last load command. If it's not there.. find different tutorial. :-S (Here might be one: https://github.com/Tyilo/insert_dylib)

To remove a code signature you need to do the following steps:

  • Modify the number of load commands (Starts at offset 0x10, 4B size) ==> Reduce it by one. Run otool -l again on the binary will result in 1 less load commands.
  • Size of the load commands (Starts at offset 0x14/20, 4B size) --> subtract by 0x10
  • Modify the 16 Bytes from the load command entry for LC_CODE_SIGNATURE. Replace them with 16 x 0x00. Intel: 0x1D00000010000000 PPC: 0x0000001D00000010
  • Remove the actual code signature. This starts with 0xFADE0CC0. Replace the entire code signature with 0x00 bytes.

Decrypt Iphone application

(this may only work with older iphone app)

otool -l <executable> to list out load commands

eg:  
otool -l &lt;app&gt;  | grep ENCR -A 4  
  cmd LC\_ENCRYPTION\_INFO
  cmdsize 20
 cryptoff  8192  (0x2000)
 cryptsize 10715136 (size)
 cryptid   1

search for ENCRYPTION like above
if encryptid = 1 ==> most likely it is encrypted

0x1000 ==> header size

  • dump memory out.bin (cryptoff+0x1000) (cryptoff+0x1000+cryptsize)

  • paste it in using HxD, offset (cryptoff+0x1000)

  • change LC_ENCRYPTION_INFO cryptid to 0 using HxD.

  • class-dump is useful once the encrypted executable is decrypted.

  • ldid and ldone helps signing code.

You may want to restart Iphone/Ipad if you get Killed: 9 error or EXC_BAD_ACCESS in gdb when replacing the executable. Try ldone before reboot.

Interesting stuffs

If you are getting "Illegal instruction: 4" error while running some binaries in IOS, you can run the following command to fix it:

sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' `which <application name>`  

This is because you are executing an old compiled binaries. I ran into trouble with some apps on Cidia.

Interesting way of bypassing in-app check by hooking into function calls using Cydia substrate. This can be used to bypass mdm check if you find the right function call via IDA :

http://resources.infosecinstitute.com/ios-application-security-part-33-writing-tweaks-using-theos-cydia-substrate/

comments powered by Disqus