From 50ac2e86665c1c110aedced471eced188cd2ddc8 Mon Sep 17 00:00:00 2001 From: cpholguera Date: Sat, 25 Jun 2022 11:27:50 +0200 Subject: [PATCH] Update Corellium info and about decrypting IPAs (#2124) * update corellium info and about decrypting IPAs --- Document/0x04c-Tampering-and-Reverse-Engineering.md | 2 +- Document/0x06b-Basic-Security-Testing.md | 4 +++- Document/0x06c-Reverse-Engineering-and-Tampering.md | 4 +++- Document/0x06h-Testing-Platform-Interaction.md | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Document/0x04c-Tampering-and-Reverse-Engineering.md b/Document/0x04c-Tampering-and-Reverse-Engineering.md index f1c7a52e2a..95b430f408 100644 --- a/Document/0x04c-Tampering-and-Reverse-Engineering.md +++ b/Document/0x04c-Tampering-and-Reverse-Engineering.md 
@@ -101,7 +101,7 @@ QEMU based emulators for Android take into consideration the RAM, CPU, battery p In simple words, an emulator is a much closer imitation of the targeted platform, while a simulator mimics only a part of it. -Running an app in the emulator gives you powerful ways to monitor and manipulate its environment. For some reverse engineering tasks, especially those that require low-level instruction tracing, emulation is the best (or only) choice. Unfortunately, this type of analysis is only viable for Android, because no free or open source emulator exists for iOS (the iOS simulator is not an emulator, and apps compiled for an iOS device don't run on it). The only iOS emulator available is a commercial SaaS solution - Corellium. We'll provide an overview of popular emulation-based analysis frameworks for Android in the "Tampering and Reverse Engineering on Android" chapter. +Running an app in the emulator gives you powerful ways to monitor and manipulate its environment. For some reverse engineering tasks, especially those that require low-level instruction tracing, emulation is the best (or only) choice. Unfortunately, this type of analysis is only viable for Android, because no free or open source emulator exists for iOS (the iOS simulator is not an emulator, and apps compiled for an iOS device don't run on it). The only iOS emulator available is a commercial SaaS solution - [Corellium](0x06c-Reverse-Engineering-and-Tampering.md#corellium). We'll provide an overview of popular emulation-based analysis frameworks for Android in the "Tampering and Reverse Engineering on Android" chapter.

diff --git a/Document/0x06b-Basic-Security-Testing.md b/Document/0x06b-Basic-Security-Testing.md index b4c6598a29..7cb2287d49 100644 --- a/Document/0x06b-Basic-Security-Testing.md +++ b/Document/0x06b-Basic-Security-Testing.md @@ -32,7 +32,7 @@ Unlike the Android emulator, which fully emulates the hardware of an actual Andr #### Testing on an Emulator -Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per user license model and does not offer any trial license. +[Corellium](0x06c-Reverse-Engineering-and-Tampering.md#corellium) is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per user license model and does not offer community licenses. #### Getting Privileged Access 
@@ -350,6 +350,8 @@ $ class-dump Telegram In order to retrieve the unencrypted version, you can use tools such as [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump "frida-ios-dump") (all iOS versions) or [Clutch](0x08-Testing-Tools.md#clutch) (only up to iOS 11; for iOS 12 and above, it requires a patch). Both will extract the unencrypted version from memory while the application is running on the device. The stability of both Clutch and frida-ios-dump can vary depending on your iOS version and Jailbreak method, so it's useful to have multiple ways of extracting the binary. +>**IMPORTANT NOTE:** In the United States, the Digital Millennium Copyright Act 17 U.S.C. 1201, or DMCA, makes it illegal and actionable to circumvent certain types of DRM. However, the DMCA also provides exemptions, such as for certain kinds of security research. A qualified attorney can help you determine if your research qualifies under the DMCA exemptions. (Source: [Corellium](https://support.corellium.com/en/articles/6181345-testing-third-party-ios-apps)) + ##### Using Clutch Build [Clutch](0x08-Testing-Tools.md#clutch) as explained on the Clutch GitHub page and push it to the iOS device through `scp`. Run Clutch with the `-i` flag to list all installed applications: diff --git a/Document/0x06c-Reverse-Engineering-and-Tampering.md b/Document/0x06c-Reverse-Engineering-and-Tampering.md index cd97fbd9b9..66d75b17ae 100644 --- a/Document/0x06c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x06c-Reverse-Engineering-and-Tampering.md 
@@ -598,10 +598,12 @@ While developing and debugging an application, the Xcode toolchain generates x86 #### Corellium -Corellium is a commercial tool which offers virtual iOS devices running actual iOS firmware, being the only publicly available iOS emulator ever. Since it is a proprietary product, not much information is available about the implementation. Corellium has no trial or community licenses available, therefore we won't go into much detail regarding its use. +Corellium is a commercial tool which offers virtual iOS devices running actual iOS firmware, being the only publicly available iOS emulator ever. Since it is a proprietary product, not much information is available about the implementation. Corellium has no community licenses available, therefore we won't go into much detail regarding its use. Corellium allows you to launch multiple instances of a device (jailbroken or not) which are accessible as local devices (with a simple VPN configuration). It has the ability to take and restore snapshots of the device state, and also offers a convenient web-based shell to the device. Finally and most importantly, due to its "emulator" nature, you can execute applications downloaded from the Apple App Store, enabling any kind of application analysis as you know it from real iOS (jailbroken) devices. +Note that in order to install an IPA on Corellium devices it has to be unencrypted and signed with a valid Apple developer certificate. See more information [here](https://support.corellium.com/en/articles/6181345-testing-third-party-ios-apps). + ## Binary Analysis An introduction to binary analysis using binary analysis frameworks has already been discussed in the "[Dynamic Analysis](0x05c-Reverse-Engineering-and-Tampering.md#dynamic-analysis "Dynamic analysis")" section for Android. We recommend you to revisit this section and refresh the concepts on this subject. 
diff --git a/Document/0x06h-Testing-Platform-Interaction.md b/Document/0x06h-Testing-Platform-Interaction.md index ab3444a1c9..d2dcb322fb 100644 --- a/Document/0x06h-Testing-Platform-Interaction.md +++ b/Document/0x06h-Testing-Platform-Interaction.md @@ -204,7 +204,7 @@ and then search for the Entitlements key region (`Entitlements`). #### Entitlements Embedded in the Compiled App Binary -If you only have the app's IPA or simply the installed app on a jailbroken device, you normally won't be able to find `.entitlements` files. This could be also the case for the `embedded.mobileprovision` file. Still, you should be able to extract the entitlements property lists from the app binary yourself (which you've previously obtained as explained in the "iOS Basic Security Testing" chapter, section "Acquiring the App Binary"). +If you only have the app's IPA or simply the installed app on a jailbroken device, you normally won't be able to find `.entitlements` files. This could be also the case for the `embedded.mobileprovision` file. Still, you should be able to extract the entitlements property lists from the app binary yourself (which you've previously obtained as explained in the "iOS Basic Security Testing" chapter, section ["Acquiring the App Binary"](0x06b-Basic-Security-Testing.md#acquiring-the-app-binary)). The following steps should work even when targeting an encrypted binary. If for some reason they don't, you'll have to decrypt and extract the app with e.g. Clutch (if compatible with your iOS version), frida-ios-dump or similar.
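Review bot: in the 0x06b-Basic-Security-Testing.md hunk at `@@ -350,6 +350,8 @@`, the added blockquote starts with `>**IMPORTANT NOTE:**` with no space after `>`; for readability and for consistency with the usual `> **...**` blockquote form, suggest `> **IMPORTANT NOTE:** In the United States, ...`. The note also only covers US law (DMCA 17 U.S.C. 1201); since the guide has a worldwide readership, consider adding a clause that other jurisdictions have their own anti-circumvention provisions and that the same advice about consulting counsel applies there.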
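Review bot: in the 0x06c-Reverse-Engineering-and-Tampering.md hunk at `@@ -598,10 +598,12 @@`, the added sentence "See more information [here](https://support.corellium.com/...)" uses non-descriptive link text, whereas the other links in this patch carry a meaningful label and a title attribute (e.g. `[frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump "frida-ios-dump")`); suggest e.g. `See Corellium's article on [testing third-party iOS apps](https://support.corellium.com/en/articles/6181345-testing-third-party-ios-apps "Corellium: Testing Third-Party iOS Apps")`. Since the paragraph states the IPA must be unencrypted, it would also help to cross-reference the decryption procedure at `0x06b-Basic-Security-Testing.md#acquiring-the-app-binary` (the same anchor this patch links from 0x06h), so readers know where frida-ios-dump and Clutch are described.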
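Review bot: in the 0x06h-Testing-Platform-Interaction.md hunk at `@@ -204,7 +204,7 @@`, the new cross-reference places the quotation marks inside the link text (`["Acquiring the App Binary"](...)`), unlike the other cross-references in this patch (`[Corellium](0x06c-Reverse-Engineering-and-Tampering.md#corellium)`), which keep the link text bare; suggest `section "[Acquiring the App Binary](0x06b-Basic-Security-Testing.md#acquiring-the-app-binary)"`. The heading that the `#acquiring-the-app-binary` anchor points to is not part of this diff, so please verify the slug matches the actual heading in 0x06b before merging.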