
Darmowe kakao — zhakuj appkę mobilną i spijaj piankę (Free cocoa: hack the mobile app and sip off the foam)

BSides Warsaw 2017 · 32:23 · 6.0K views · Published 2017-10 · Watch on YouTube
Author: Kamil Borzym
Transcript [en]

Hi everyone, my name is Kamil, I'm an iOS developer, I work at Allegro. How many developers are there in the room? There are a few. Who? Yes, I write apps for iPhones, in short. And for iPads, for iOS. And he's messing with me, exactly. Today I'm going to tell you how you can drink cocoa for free. We did this presentation a year ago with Krzysiek Kocele. Some of you probably know him because there were comments about Hackerspace. I don't know if Jarek is still in the room, because he's not here anymore. Krzysiek is an Android user, he unfortunately left for Barcelona, now he's working there, probably taking a bath in the sea, so he couldn't be here with us today, because I found out that I would be presenting

3 hours ago, but Krzysiek is probably watching there, because he liked something on Facebook. And this presentation was presented to other developers, so a disclaimer that we don't teach how to hack, we raise awareness of security. We also never took any material benefits, so we did not drink free cocoa in any cafes. We changed the name a bit, because it all started when our friend asked us as mobile developers for an audit. We conducted a mini audit, although we are not specialists in security. You would probably do it much better than some, you would probably break the backend. But I will show you what an ordinary developer is able to do. I will talk about listening to HTTPS

traffic from mobile apps, about SSL pinning, setting it up and also about bypassing this security. And then I will show you how to decompile and modify logic in an iOS app. Let's start with the app; we changed its name, let's call it Cocoa App. The app was meant to work like this: you install the app, buy a subscription, then you walk around various cafes in Warsaw and you get some drinks, you can buy them at a good price. It was supposed to be a new application, so to encourage people to install it, the authors decided to do something like this: every new installation of such an application on a new device will automatically get you one free drink, you can go and drink cocoa

from the installers. And with Krzysiek we thought about how they recognize that this is a new device. What would happen if every cocoa was the first cocoa? I will tell you what we managed to get. Here, because these were slides for developers, everyone probably knows, there is a chain of certificates, here, for example, GitHub. I explained what leaf certificates are, and so on, I will skip it here, because everyone knows for sure. Such a tool, mitmproxy, who has used it, who knows it? It is used to listen to HTTP and HTTPS traffic. It is a bit of a poorer Wireshark, but if you only rely on this traffic, it gives you very nice possibilities. It allows you to modify traffic, also by writing scripts,

it is very nice and convenient to use as a developer. Here is just a schematic that says only that mitmproxy, with every connection, presents its own certificate and mediates with the server. And what if we try to listen to HTTPS traffic using the proxy? Most of the browsers on computers will display something like an untrusted root certificate. There are two things: we have to force the client, i.e. the phone, to communicate through our proxy and we have to somehow avoid the validation of this certificate, so that it lights up green. And you can do it in many ways, probably some highly technical ones, if you can find them. But you

can use social engineering, for example, offer some free version of some expensive game or program, which you can install by simply clicking on something like a configuration profile on devices. And there you can push in proxy settings and a root certificate. Last May it improved a bit, because you have to explicitly indicate that someone who has this certificate will be able to listen to the whole traffic. But on older devices it was extremely simple. Once we convince the user, then the whole communication simply flies through this MITM. And now I didn't prepare a demo setup here, but it's probably easy to use. Okay, thank you. As I said, the names have been changed, so in particular, such a test app has been prepared to show

it. On the right side you can see the iOS simulator and here you can see this example application Cocoa App. And on the left side, because the iOS simulator does not have a mail client, here is a mail client in the console, to simulate how the whole communication looks in reality. Let's start with the application. The application offers us registration at the very beginning, so we enter our e-mail. We register and we see that it asks us to check the mailbox, so we would go to the mail client on the device. We would see an email in which there is probably a hidden deep link to log in under some nice picture. They check that this mail is real. We would click on this picture. We would return to

the application again. There is a custom URL scheme and we would be logged in. Because we have this UX here, it will be necessary to select it and paste it into Safari. In fact, there are a few clicks there, so it is very easy for the user to use. We are logged in to a newly created user. We see here that there is one cocoa on our account. We drank this cocoa, we would like to drink another one, so let's try to log in here. Let's enter another email address. On Gmail it is so simple that we add anything after the plus sign, and we get a deep link to log in to the second account on the same

mailbox. The application opens up, unfortunately this time we did not get any drinks. As they identified that it is the same device, we would like to find out how it happened. We will now start the proxy, so I have to kill this application because it has a connection pool. There are other programs, like Charles, for example, most people prefer graphical ones. This is something similar to radare, console-like, everything is done from keyboard shortcuts. There are a lot of them, just press the question mark on any screen and we see the whole help. It's not as difficult as it seems. I've configured everything beforehand. So we will try to register and we should see the traffic here. Okay, we

see that one POST went to some endpoint, register. We can see what was actually sent there. Here, just JSON with an email flew by and nothing more in the response. Let's see what happens when logging in. Let's go back to this mail agent. Let's copy this deep link.

We paste it here again into Safari and immediately see what is flying below. Here are two requests already, let's look at the first one, what's going on there. Well, here we see that there is an email again, there is a login password that you could see or not, it was a fragment of this deep link that came in the mail, one to one. And there is some kind of UUID that everyone can probably guess, this is something that identifies our device. We haven't searched much here, we have some token here, it is an access token that we use later to ask for the number of these drinks that we have at the moment on the account. What can we

do now? One of the attack possibilities: we could take the traffic and modify what is flying there, for example, modify the identifier of our device. It is very simple, you set up an intercept, something like a breakpoint in the code, and then all the requests that match this intercept will be stopped there and we will be able to modify them. So we register again. Let's paste this deep link and when the request with the device identifier is sent, we will try to intercept it. We have intercepted the request, now we look inside and by pressing E and then R at the beginning, everything is in the help, of course, Vim opens up and here we will modify the last character in this UUID,

so it will be another UUID. We'll see what the server says. By pressing A once we send the request to the server, and pressing A a second time sends the response back to the client, and we see that we land on a newly created account, we have one drink, here we can only look at the next one in JSON. So it's one possibility to attack this app, quite simple and it takes a while. But it would be inconvenient to go with some router in the backpack to some cafe and try something there, even writing a script in this mitmproxy. It would be clumsy. You can do it even easier with only a phone, but I'll tell you about it in a

moment.
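The traffic inspection above is done by hand in the mitmproxy console. The following mitmproxy addon is an added example, not part of the talk or of Cocoa App, written from the developer's side of such an audit: run against your own app's traffic, it lists every JSON field that carries a device identifier, token or password, so you can see exactly what the client asserts to the server (here, a client-chosen UUID deciding a server-side bonus). The field-name patterns and the sample request and response bodies are constructed for the example; the `request`/`response` hook names and `get_text()` are mitmproxy's addon API, and the audit functions are plain Python that also run without mitmproxy installed.

```python
"""mitmproxy addon (added example): inventory identifier- and secret-like
fields in the JSON bodies of your own app's API traffic.

Run with:  mitmdump -s traffic_audit.py   (the filename is arbitrary)
The audit logic is plain Python, so it also runs stand-alone, see the bottom.
"""
import json
import logging
import re
from typing import Any, List, Tuple

log = logging.getLogger(__name__)

# Field names that deserve a second look: anything the client asserts about
# itself (device ids) or anything that should stay secret. Constructed list.
SENSITIVE_KEY = re.compile(r"uuid|udid|device|token|password|passwd|secret|session", re.I)
# Value shapes that reveal an identifier or credential even under a harmless key name.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)


def classify_value(value: Any) -> str:
    """Return a short label for identifier-like string values, '' otherwise."""
    if isinstance(value, str):
        if UUID_RE.match(value):
            return "uuid"
        if JWT_RE.match(value):
            return "jwt"
        if HEX_TOKEN_RE.match(value):
            return "hex-token"
    return ""


def find_sensitive_fields(node: Any, path: str = "") -> List[Tuple[str, str]]:
    """Walk a decoded JSON document; return (json-path, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key):
                findings.append((child, "sensitive key name"))
            findings.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_sensitive_fields(value, f"{path}[{index}]"))
    else:
        kind = classify_value(node)
        if kind:
            findings.append((path, f"value looks like {kind}"))
    return findings


def audit_body(raw: str) -> List[Tuple[str, str]]:
    """Parse a body as JSON and audit it; non-JSON bodies yield no findings."""
    try:
        return find_sensitive_fields(json.loads(raw))
    except (ValueError, TypeError):
        return []


class TrafficAudit:
    """mitmproxy addon: log findings for every request and response body."""

    def request(self, flow) -> None:
        self._report("request", flow.request.pretty_url, flow.request.get_text(strict=False))

    def response(self, flow) -> None:
        if flow.response is not None:
            self._report("response", flow.request.pretty_url, flow.response.get_text(strict=False))

    @staticmethod
    def _report(direction: str, url: str, body: str) -> None:
        for path, reason in audit_body(body or ""):
            log.info("[%s] %s %s: %s", direction, url, path, reason)


addons = [TrafficAudit()]

# Constructed sample bodies modelled on the login exchange shown in the talk.
SAMPLE_LOGIN_REQUEST = json.dumps({
    "email": "alice+second@gmail.com",
    "password": "p4ss-from-deep-link",
    "uuid": "6f1e2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a5b",
})
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",
    "drinks": 1,
})

if __name__ == "__main__":
    for label, body in (("request", SAMPLE_LOGIN_REQUEST), ("response", SAMPLE_LOGIN_RESPONSE)):
        for path, reason in audit_body(body):
            print(f"[{label}] {path}: {reason}")
```

On the constructed login exchange the report flags `password` and `uuid` in the request and `access_token` in the response. Every flagged request field is input the server is about to trust; the talk's point is that a device UUID among them is worth nothing as a "new device" signal, because the same proxy that shows it can rewrite it.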

At the beginning, I mentioned SSL pinning. Probably everyone knows what SSL pinning is. SSL pinning is additional custom validation of the certificate. The system checks that the root certificate is on the list of trusted certificates. If we add an additional one, the system says: "OK, you have it on the list, I accept it". In iOS, there is a mechanism of delegates. We implement one of these two methods. In it, we get a challenge, i.e. all the information about the connection, what the certificate is, the whole chain, and a completion handler, so we can say that it's OK, it's bad, or maybe it's better to cancel this connection. The simplest and most tricky way is to take the leaf certificate, compute the hash and

compare it with what we have in the application. If the hash is correct, it means that this is the certificate we expect, we say OK, otherwise we cancel. And here, for iOS developers, all the frameworks on GitHub make it easy to add it. There is even something like TrustKit, it is connected to the application, you don't have to code anything there, you just click in the XML and it's super easy. But the easier it was for someone to install SSL pinning, the easier it will be for someone to bypass it later. This TrustKit is already trivial in this context, just like the logic I showed there, because on the Cydia store, i.e. when you have a jailbreak on the iPhone, there are a lot of such

kernel patches that you pull in and SSL pinning no longer works. There are more advanced, more inventive approaches, because you can fight it, someone can fight back, and it never ends. We could use a debugger or try to decompile the app. And now I will tell you a little about decompilation and I will show you how to modify this Cocoa application, so that every time you go for cocoa, it is free. At the beginning we need a device with a jailbreak, almost always if we want to decompile something. iOS has a lot of security, which of course can be bypassed. Among other things, apps are encrypted by default. We need to have an iPhone with a jailbreak to decrypt it. We go to Wikipedia,

we find a jailbreak for the version of the device we have. There is probably none for 11 yet, at least publicly. There is not. But it's enough to have some old one, because most of the apps work on 10.2 for example. So, relatively new. We install several tools from Cydia. Everything is automated. Clutch is used to decrypt and dump such applications pulled from the App Store. AppSync Unified is a kernel patch that turns off verification of signatures on applications, and a console tool to install this application back, this modified one. First, we log in through SSH on the jailbroken iPhone, we use Clutch to dump the application as an IPA, then we take it to the computer, unzip it and now we go to

the decompilation. I use something like Hopper. How many people have heard about this tool? This is a much smaller IDA. I can't compare it with radare2 yet, because I've used it a lot, but maybe you'll see for yourself what the capabilities of this tool are. Now I'll load the binary here. The one I just showed you, I zipped. We read the 64-bit architecture, this one was downloaded for this device. And now, where would we start the attack? As you can see, there are labels on the left. The application is written in Objective-C, an archaic language, which I compare to JavaScript a bit, because everything is done quite dynamically there and all these symbols are there, so we can read from the

code as from an open book, if nothing is obfuscated. We've already seen what the API requests look like, so the developer probably created some kind of model objects in the code, something like UUID or other things we saw in the request. So let's look for some setter for this UUID and here I find a session object on the side that has something like UUID. Here we see assembler, but Hopper also has a decompiler, so we will see C-like code a bit later. We can also look at it. And maybe let's see what calls this setter, what sets the UUID. We'll see where this UUID comes from, where it's generated. Of course, there are keyboard shortcuts for presentation, but

it shows that there are many options that you can click if someone is scared, but it's not such an environment that someone would use keyboard shortcuts in. Here we didn't find anything, this is some metadata junk. And these were places that directly call this place in memory, but the language is very dynamic, so there are no direct calls, and we are looking for all references. We found a class, model, login with email, password, completion, nothing is hidden, so we jump into this place, we know what will happen here. And in order not to look through assembler, we can generate this pseudocode. There is a bit of garbage here. We are interested in actual method calls. Nothing is run, so we are looking only for such expressions that

we will be able to see. We see some "alloc init", we see "set login password", "cst set uid", it is called with R24, and two lines above we see that R24 is taken from calling some device unique identifier method. So this is what we are looking for. We can now copy this and look for it here on the selector list. We will find the implementation of this method. And here, looking at the charts, we see the Keychain itself. This is a library for keychain services, i.e. such a safe storage on iOS. You write something to the Keychain, and then you can't hack it, but everything can be hacked. And it makes things a bit easier, because if we are looking for some

safe things, we look into the Keychain, because they will probably be there. Below we see the call of the password-for-service method, so we try to extract some password from the Keychain. We compare it with the error, i.e. we check whether there is no password in the Keychain; below we see that the UUID string is generated and it is saved to the Keychain. So we check whether something was in the Keychain, if it is not there, we generate it, and then we just return what was there. So we generate an ID once, and the device will be the same every time. What can a developer who is not a security specialist, who would like to hack something, who doesn't even know assembler, do? Unfortunately, we have to switch to this assembler, but as in radare2, there are arrows drawn on the side, so you can see where the jump instructions are. We position ourselves on such a jump instruction and we can overwrite it with NOPs here, so it doesn't do anything, it just skips this instruction. If we look at the pseudocode, we will see that there is no more if, the application will generate a new identifier every time. Now the binary is exported, we can overwrite the previous binary. And then we do everything the other way around, i.e. we zip the IPA back, send it to the device with

SCP, use the IPA installer to install it on the phone and then we just go for free cocoa.
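The pinning check the talk describes earlier (hash the leaf certificate the server presents, compare it with a hash shipped in the app, cancel the connection on mismatch), written out in Python as an added example that is not from the talk or from Cocoa App. The iOS app does the same inside its URLSession delegate; Python is used here so the logic runs on any machine. `FAKE_LEAF_DER` and `PROXY_LEAF_DER` are constructed byte strings standing in for DER-encoded certificates, `PINNED_HASHES` is what the app would ship, and `connect_pinned` uses only the standard `ssl` module and would be exercised against a real host.

```python
"""Leaf-certificate pinning (added example, Python stdlib only)."""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def leaf_pin(leaf_der: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, hex. This is the value
    you compute at build time and ship inside the app."""
    return hashlib.sha256(leaf_der).hexdigest()


def pin_matches(leaf_der: bytes, pins: Iterable[str]) -> bool:
    """True only if the presented leaf hashes to one of the pinned values.
    Ship at least two pins (current certificate plus a backup) so the server
    can rotate without locking every installed app out."""
    presented = leaf_pin(leaf_der)
    return any(hmac.compare_digest(presented, pin.lower()) for pin in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> str:
    """Open a TLS connection, let the system validate chain and hostname as usual,
    then add the pin check on top (pinning is additional validation, as the talk
    says). Returns the negotiated TLS version; raises on pin mismatch."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf_der, pins):
                # The equivalent of answering the challenge with "cancel this connection".
                raise ssl.SSLError(f"certificate pin mismatch for {host}: {leaf_pin(leaf_der)}")
            return tls.version() or "unknown"


# Constructed stand-ins for DER certificates (not real certificates).
FAKE_LEAF_DER = b"constructed: leaf certificate issued to api.cocoa.example by a public CA"
PROXY_LEAF_DER = b"constructed: leaf certificate minted on the fly by an interception proxy"

# What the app ships: the genuine leaf's pin plus a backup-pin placeholder.
PINNED_HASHES = [leaf_pin(FAKE_LEAF_DER), "<backup-pin-placeholder>"]

if __name__ == "__main__":
    print("genuine leaf accepted:", pin_matches(FAKE_LEAF_DER, PINNED_HASHES))
    # A proxy's certificate may pass system validation once its root profile is
    # installed on the device, but it can never hash to the pinned value.
    print("proxy leaf accepted:  ", pin_matches(PROXY_LEAF_DER, PINNED_HASHES))
```

Two practical caveats follow from the talk's own description. Hashing the whole leaf certificate means the pin changes at every certificate renewal, so the backup pin and a rotation plan are not optional; pinning the hash of the leaf's public key (SPKI) instead survives re-issuance with the same key. And, as the talk goes on to show, this check lives in the client, so it raises the bar against casual proxying but is itself subject to patching on a jailbroken device.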

There are many other attacks, I showed only such examples. It was about showing people how easy it is to hack, modify what they wrote. But of course, you can replace the server, replicate its behavior, it would probably be expensive. You could especially write such a simple application yourself using fragments of screenshots, go to this cafe and show an application that is not this application, but if someone, through social engineering, thought that you had 100 drinks, then you would get another one. You could probably also look at the quality of the mobile application code, it would probably not be that difficult to find something on the server, so there is a lot to attack here.

- So, could you say again that it generates a new UUID for...

The question is whether you can install something from Cydia to patch the mechanism of generating the UUID. You can, but it's not anything security-specific, it's just a fragment of random bytes; then probably other places in the application would also use it, I don't know how it would affect them, but you could probably do something like that. Our advice to raise security awareness is to bring sensitive things to the backend, because what goes to the client can be read like an open book. It is not hidden in any way, even if we obfuscate it, it can be read, analyzed, modified. Against such homegrown hackers listening in on their own traffic, protect your API, i.e. use SSL pinning, you can use custom algorithms. Obfuscate the app, because everything is there in plain view, you can read it. It may use a different language, like Swift, where all the symbols are removed, only some public symbols in libraries. You can also strip them, but it's harder to read something in Swift. This is a truism that everyone has heard. You know, any security can be bypassed, so you have to choose the level of this security. And for people who write such apps as Cocoa App: don't trust the client, everything I've said is plain text. Don't use emails to verify generated UUIDs. You can use Facebook, for example. It's hard to set up a few Facebook accounts.
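The closing advice (decide on the server, don't trust the client, email verification is weak) as Python, an added example that is not Cocoa App's code. `VulnerableCocoaBackend` mirrors the flaw demonstrated in the talk: a client-supplied device UUID the server has never seen earns a welcome drink, so a regenerated or rewritten UUID earns another one. `HardenedCocoaBackend` grants the bonus once per identity the server verified itself (the mail deep link proved control of the address) and ignores the device identifier; folding Gmail-style plus-tags in `canonical_email` is an assumed mitigation for the plus-sign trick shown in the demo, not something the talk proposes, and the speaker's suggestion of a Facebook login would plug into the same place. All accounts and identifiers below are constructed.

```python
"""Welcome-drink logic, vulnerable vs hardened (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Account:
    key: str
    drinks: int = 0


class VulnerableCocoaBackend:
    """Mirrors the flaw from the talk: the bonus hinges on a device UUID that the
    client generates, stores in its Keychain and sends with every login. Anything
    the client sends, the client can change (proxy intercept or patched binary)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.seen_devices: Set[str] = set()

    def login(self, email: str, device_uuid: str) -> Account:
        account = self.accounts.setdefault(email, Account(email))
        if device_uuid not in self.seen_devices:  # client-controlled input decides the bonus
            self.seen_devices.add(device_uuid)
            account.drinks += 1
        return account


def canonical_email(email: str) -> str:
    """Fold case and Gmail-style plus-tags: 'Alice+2@Gmail.com' -> 'alice@gmail.com'.
    Assumed mitigation for the plus-sign trick; not from the talk."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


class HardenedCocoaBackend:
    """The server keys the bonus on an identity it verified itself and grants it
    once per identity. The device UUID is accepted for diagnostics only and
    decides nothing, so rewriting it changes nothing."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.rewarded: Set[str] = set()

    def login(self, verified_email: str, device_uuid: str = "") -> Account:
        identity = canonical_email(verified_email)
        account = self.accounts.setdefault(identity, Account(identity))
        if identity not in self.rewarded:
            self.rewarded.add(identity)
            account.drinks += 1
        return account


def replay_talk_scenario() -> Dict[str, int]:
    """Replay the demo's logins (same mailbox via plus-addressing, then a changed
    device UUID) against both backends; return total drinks handed out by each."""
    logins = [
        ("alice@gmail.com", "uuid-A"),    # fresh install: legitimate welcome drink
        ("alice+2@gmail.com", "uuid-A"),  # plus-addressed 'new' user, same device
        ("alice+3@gmail.com", "uuid-B"),  # ... and with the UUID changed in flight
    ]
    totals: Dict[str, int] = {}
    for name, backend in (("vulnerable", VulnerableCocoaBackend()),
                          ("hardened", HardenedCocoaBackend())):
        for email, uuid in logins:
            backend.login(email, uuid)
        totals[name] = sum(a.drinks for a in backend.accounts.values())
    return totals


if __name__ == "__main__":
    print(replay_talk_scenario())  # vulnerable backend pays twice, hardened once
```

The replay reproduces the demo exactly: against the vulnerable backend the second login (same UUID) gets nothing and the third (changed UUID) gets a fresh drink, two in total; the hardened backend collapses all three logins into one account and one drink. It remains true, as the speaker says, that someone with many genuinely distinct verified identities can still collect many drinks; the server can only limit the bonus to what it can verify, never to "devices".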

If someone is interested in iOS, there is a book written, I don't know, 7 years ago. It's about an old iOS, but equally good for Android programmers, because it describes concepts that are important on all mobile platforms. So I highly recommend it if someone is interested. This is me before breaking the record for eating a Bypass in a bar. And this is Krzysiek. Thank you very much for your attention, if you have any questions, I will try to answer them.

- Did you manage to beat this record in Barna?

I landed in seventh place with a time of 6 minutes. It's not the worst, it's not the best, the record holder had 1.5 minutes. If you don't have more...

- It doesn't make sense, because some apps don't allow you to install on your phone when you have Cydia or you're rooted on Android.

I don't know if it makes sense or not. It's possible that it is on Android, I won't answer that question. There are some mechanisms that are not on iOS, like SafetyNet. I don't know if anyone knows, but it's a Google black box that scans your phone and tells you whether this phone is safe or not. You can do something more with it. There is no such thing on iOS. You can install any application, or you can detect jailbreaks, debuggers in the code, but you can also bypass such security. And about the performance.

I did a lot of pen tests on iOS and the things I found, where apps had the functionality of detecting a jailbreak, it was the functionality of detecting Cydia, so they weren't interested in whether the kernel is patched, but whether the Cydia binaries are in the right place. If these binaries were renamed for a moment, then the application would start working very nicely. In the applications I tested. You can also check if there is any SSH, bash or something like that, but that can all be patched again. A colleague from a company that delivers an internal mail program for employees of some corporation said that there was a precedent that these employees wanted to install Cydia apps. Once jailbreaking was more common, it was simpler. They wanted to have some pirate games, so they jailbroke their phones. But it was a company phone and the mail program did not work, and they hired some hackers to patch this program and they provided them with a patched version of this program. And there was a constant fight, because they were detecting that there was a jailbreak and the others were bypassing the detection.

- I have a question. Are you able to manage and modify any application in this way?

Yes, some can be a bit more complicated, but it's all a matter of time. So if... Fries and cocoa? We can try, McDonald's or something, right? Ok, so the answer is this, I mean think before you answer, or maybe let me know if you do.

- If I want to convert Tinder so that it returns me data of people who swipe to the right or left, no difference, it's about interaction, is it possible to get this data? Assuming that they are floating somewhere, so I could actually take Tinder apart and get personal data?

It depends what is in the backend. Once I worked with an application where in the server JSON there was a lot of data. Someone adding some fields to the model in the database just said: "Okay, let's push it to JSON too." And when sending a private message to someone, in the response confirmation their personal data, email address and so on was received. So you have to look at it. I looked at it. I was looking at Tinder. Very interesting app. Unfortunately, what you are talking about, when I was looking at it, nothing happened and it was, unfortunately or not, well done. In fact, only the data that is visible in the app came from the backend. But if you swipe left, why do you need the data? If there is no pinning, you can read from the API, you know what the API is, you can also pull out the key, you can do something like that. We can talk about Tinder later downstairs. Yes, Tinder is my topic. I don't have a pre-application, I don't know if EXIF data is deleted when sending photos, because it's always additional metadata. You never know, that's what she said. Thanks, if there are any more detailed questions, you can ask them now. Thanks.