/mar 20, 2014

Introducing the iOS Reverse Engineering Toolkit

By Steve Jensen

It should be the goal of every worker to expend less time and energy to achieve a task, while still maintaining, or even increasing, productivity. As an iOS penetration tester, I find myself repeating the same manual tasks for each test. Typing out the same commands to run various tools that are required to help me do my job. And to be honest, it’s completely monotonous. Every time I fat-finger a key, I lose productivity, forcing me to expend more time and energy to achieve the task. I’m a fan of automation. I’m a fan of streamlined innovation that saves me time and still accomplishes, for the most part, the same results. It was this desire to save time, and reduce my likelihood of suffering from carpal tunnel, that I created the iOS Reverse Engineering Toolkit.

What is iRET?

So what is iRET? Well, for lack of a better, more eloquent definition, it’s a toolkit that allows you to automate many of the manual tasks an iOS penetration tester would need to perform in order to analyze and reverse engineering iOS applications. And the bonus is…this can all be performed right on the device. Still sound like an interesting toolkit? Great, read on. Already sold? Download the toolkit here.

iRET Features

What exactly does iRET do that can help you, an iOS penetration tester, perform your job more efficiently? Below, in Figure #1, is a screenshot of the main landing page of the application. This page lets you know what tools need to be installed, and even tells you if they aren’t. This is also the page where you select the installed application you would like to being analyzing/reverse engineering.

Figure #1 – Main iRET Page

The tools, listed on the left in the image above, and dependencies required to run iRET are freely available both on the web and within various repositories on Cydia. After selecting an application from the dropdown, the user is redirected into the main iRET functionality page. Below is an overview of each feature associated with the iRET toolkit.

Figure #2 – Binary Analysis Tab

Binary Analysis: The binary analysis tab automates the execution of otool, which is used to extract information about the binary. The displayed data includes binary header information, such as if PIE is enabled and targeted architecture. It identifies if the binary is encrypted, if it has stack-smashing protecting enabled, and if it has automatic resource counting enabled.

Figure #3 – Keychain Analysis Tab

Keychain Analysis: The keychain analysis tab automates the execution of ptoomey’s “keychain_dumper” utility. This utility allows the user to analyze the keychain contents, including passwords, keys, certificates, etc. for any sensitive information.

Figure #4 – Database Analysis Tab

Database Analysis: The database analysis tab automatically populates a dropdown containing all databases (.db, .sqlite, .sqlite3) found within the selected application. Once a database is selected from the dropdown, sqlite3 is automated to display the content of the database.

Figure #5 – Log Viewer Tab

Log Viewer: The log view tab contains two pieces of functionality. First, it lets the user review the last 100 lines of the system log (syslog) file contained on the device. Second, all identified log and text files associated with the selected application are loaded into a dropdown menu, and when selected, their content is displayed.

Figure #6 – Plist Viewer Tab

Plist Viewer: The plist view tab fills a dropdown with all of the property list files that were found for the selected application. When the user selects a property list file from the dropdown, its content will be displayed to the user.

Figure #7 – Header Files Tab

Header Files Part 1: The header files tab has three pieces of automated functionality. The first function identifies if the binary is encrypted. If the binary is encrypted, then the binary will be automatically decrypted. The second piece of functionality performs a class dump of the unencrypted binary into separate header files. These associated header files are then loaded into a dropdown menu, as seen in Figure #7 above. The third piece of function takes place when the user selects a header file from the dropdown menu. Once a header file is selected from the dropdown, the content of this header file is automatically converted to a theos logify format, as seen in Figure #8 below, allowing the user to easily copy/paste the content into the theos tab for quick theos tweak creation.

Figure #8 – Headers in Theos Logify Format

The theos tab is multifunctional, and allows the user to create, edit, save and build a theos tweak in just minutes. The first part of the theos tab is the tweak creation process. Here, a form is provided, as seen in Figure #9 below, for the user to enter the information required to create the theos tweak.

Figure #9 – Theos Form

After the theos tweak is created a dropdown is shown that allows the user to select the “makefile” or “Tweak.xm” file for viewing/editing purposes, as seen in Figure #10 below.

Figure #10 – Theos Files Displayed

Once a user selects one of the files in the dropdown, the file can then be viewed/edited. After making any changes the user can click the “Save” button to save those changes to the selected file, as seen in Figures #11 and #12 below.

Figure #11 – Viewing the Theos makefile


Figure #12 – Viewing the Copy/Pasted Header File into the Tweak.xm File

After the user has made their changes to the tweak and is ready to build it, all they need to do is click the “Build” button, at which point the tweak will be compiled and automatically copied to the /Library/MobileSubstrate/DynamicLibraries directory, as seen in Figure #13 below.

Figure #13 – Building and Installing the Theos Tweak

After the tweak has been installed, the user simply resprings their device and launches the application they have targeted by the theos tweak. The final tab, and piece of functionality in the iRET toolkit is the screenshot tab.

Figure #14 – Screenshot Tab

Screenshot Tab: This tab allows the user to view the cached screenshot, if any, of the selected application. The iRET toolkit, like any toolkit, is not a panacea for iOS mobile penetration testing. However, it will allow you to automate many of the tasks that are required in analyzing iOS applications.

Download the iRET toolkit.

Special Thanks:

I would like to give a special thanks to all of the iOS tool/utility creators who make our jobs easier through their tireless research and contributions, including Dustin Howett (theos), Stefan Esser (dumpdecrypted), Patrick Toomey (keychain_dumper), as well as many others. I would like to thank the creators of the iNalyzer tool, which was the inspiration for iRET. I would also like to thank Richard Zuleg, who contributed his time and effort in helping me with the Python portion of this application, Bucky Spires for his assistance in troubleshooting many of the issues I experienced developing this toolkit, and Dan DeCloss for this help beta testing and making sure iRET was ready to be shared with the public. Without the efforts and assistance of those mentioned above, the development of this toolkit would never have been possible…at least not without a lot of caffeine, late nights and frustrated yelling.

Related Posts

By Steve Jensen

Steve Jensen is a Principal Consultant on the MPT team at Veracode. He began his career as a software developer where he quickly learned the value of application security. He has been performing penetration testing for over a decade and is an avid mobile security researcher. He can usually be spotted hanging around a pool table, where the conversation usually starts with, “How much you wanna bet…"