Thursday 13 April 2017

iOS Application Pentesting Part 3 : Extracting iOS App Class Information



Every application has its own body of code, which contains a lot of information about its functionality. It is always better if we can extract all the possible information about the application we are going to attack.

Today we will see how to extract class information from an iOS application.

Apple has tightened its security, and nowadays most App Store apps are encrypted, so they first need to be decrypted before class information can be extracted.

So first we will look at class dumping of non-encrypted apps.

Dumping Class Information Of Pre-Installed Applications
We have 2 ways to find the app.
1) find / -type d -iname "Dam*.app"
2) If the app was installed manually from an IPA file, it is saved under /Applications/


I am using the command-line search for Damn Vulnerable iOS Application, which is developed by Prateek Gianchandani.


We found the application location: /Applications/DamVulnerableIOSApp.app

Now go into this folder [DamVulnerableIOSApp.app]. The file shown in green is the executable for the app, so that is the file name we pass to class-dump.


Now let's extract this app's class information.

class-dump-z DamVulnerableIOSApp.app/DamVulnerableIOSApp



As we can see, we get tons of output, so it is better to save this output to a file to analyse further.
To do this, we can use sftp. First redirect the dump to a file on the device with class-dump-z /Applications/Appdirectory.app/Appname > outputfilename.
Then log in to your device with sftp root@192.168.0.3, type your root user password, and run get outputfilename.
The file will be downloaded to your home folder if you are using a Mac; for Windows users it will be saved in your user profile's home folder.



This class information helps us understand the flow and logic of the application.
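A dump of a real app runs to thousands of lines, so a small parser for the header text that class-dump-z prints makes the review much faster. The following Python script is an added example for this post; it is not code from the post, from class-dump-z or from Clutch. It reduces a dump to each class's superclass, protocols, ivars, properties and selectors, and lets you list the selectors matching a regex (for instance to check which method names mentioning credentials or tokens a build exposes). SAMPLE_DUMP is a constructed stand-in for real output; on a saved dump call parse_dump(open("outputfilename").read()).

```python
"""Summarise class-dump / class-dump-z header output for review (added example for this
post, not part of class-dump-z or Clutch). Accepts both "-(void)foo:(id)a;" (class-dump-z)
and "- (void)foo:(id)arg1;" (class-dump) spacing. SAMPLE_DUMP is a constructed sample."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_DUMP = """\
/* This header is generated by class-dump-z 0.2-0. */
@protocol UITextFieldDelegate
-(BOOL)textFieldShouldReturn:(id)field;
@end
@interface LoginViewController : UIViewController <UITextFieldDelegate> {
\tUITextField* usernameField;
\tUITextField* passwordField;
}
@property(retain, nonatomic) UITextField* usernameField;
-(void)loginButtonTapped:(id)tapped;
-(BOOL)validateUsername:(id)username password:(id)password;
-(void)fetchProfileWithCompletion:(void (^)(BOOL))handler;
@end
@interface SessionManager : NSObject
+(id)sharedManager;
-(void)storeAuthToken:(id)token;
-(id)authToken;
@end
@interface NSString (RMHelpers)
-(id)rm_md5;
@end
"""


@dataclass
class ObjCType:
    name: str                 # 'Class', 'Class(Category)' or protocol name
    kind: str                 # "class", "category" or "protocol"
    superclass: str = ""
    protocols: List[str] = field(default_factory=list)
    ivars: List[str] = field(default_factory=list)
    properties: List[str] = field(default_factory=list)
    class_methods: List[str] = field(default_factory=list)     # "+" selectors
    instance_methods: List[str] = field(default_factory=list)  # "-" selectors


# Block header: @interface/@protocol Name, optional (Category), : Superclass and <Protocols>.
_BLOCK = re.compile(r"^@(interface|protocol)\s+(\w+)(?:\s*\(\s*(\w+)\s*\))?(?:\s*:\s*(\w+))?(?:\s*<([^>]*)>)?")
# Method: '+' or '-', a parenthesised return type (one nesting level, enough for block types), selector part.
_METHOD = re.compile(r"^([+-])\s*\((?:[^()]|\([^()]*\))*\)\s*(.*?);?$")
_LAST_IDENT = re.compile(r"(\w+)\s*;\s*$")             # ivar or property name just before the ';'
_ARG = re.compile(r"\((?:[^()]|\([^()]*\))*\)\s*\w*")  # one '(type)argname' pair inside a selector part


def selector_of(signature: str) -> str:
    """'validateUsername:(id)u password:(id)p' -> 'validateUsername:password:'."""
    return re.sub(r"\s+", "", _ARG.sub("", signature))


def parse_dump(text: str) -> Dict[str, ObjCType]:
    """Parse header text into {name: ObjCType}, in the order the dump lists them."""
    types: Dict[str, ObjCType] = {}
    current = None        # the @interface/@protocol block we are inside, if any
    in_ivars = False      # between the '{' after @interface and its closing '}'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("/*", "*", "//")):
            continue                                      # blank lines and comments
        if current is None:
            m = _BLOCK.match(line)
            if m and not line.endswith(";"):              # skip '@protocol Foo;' forward declarations
                kw, name, cat, sup, protos = m.groups()
                key = f"{name}({cat})" if cat else name
                kind = "protocol" if kw == "protocol" else ("category" if cat else "class")
                current = types[key] = ObjCType(key, kind, sup or "",
                                                [p.strip() for p in protos.split(",")] if protos else [])
                in_ivars = line.endswith("{")
        elif line == "@end":
            current = None
        elif line == "{":
            in_ivars = True
        elif line.startswith("}"):
            in_ivars = False
        elif in_ivars or line.startswith("@property"):
            m = _LAST_IDENT.search(line)
            if m:
                (current.ivars if in_ivars else current.properties).append(m.group(1))
        else:
            m = _METHOD.match(line)
            if m:
                target = current.class_methods if m.group(1) == "+" else current.instance_methods
                target.append(selector_of(m.group(2)))
    return types


def selectors_matching(types: Dict[str, ObjCType], pattern: str) -> List[Tuple[str, str]]:
    """(type name, selector) pairs whose selector matches the regex, in dump order."""
    rx = re.compile(pattern)
    return [(t.name, sel) for t in types.values()
            for sel in t.class_methods + t.instance_methods if rx.search(sel)]
```

The parser is line-oriented on purpose: class-dump-z prints one declaration per line, so a few regular expressions are enough, and block-typed arguments such as `(void (^)(BOOL))handler` are handled with one level of nested parentheses. Categories are keyed as `Class(Category)` so they do not overwrite the class of the same name.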

Dumping Class Information Of Encrypted Apps

As we know, applications downloaded from the App Store are placed in /var/containers/Bundle/Application. Those apps are usually encrypted to avoid information disclosure, which makes extracting class information a very tough task.

To overcome this, we need the clutch binary: place it in the /usr/bin folder and make it executable with chmod +x clutch

First I used the command clutch -i [This command lists all installed applications with their bundle IDs.
Ex. application.<Bundle ID>]

In our case, I am using the Rediffmail app for the demo. So we have the application name Rediffmail NG and its bundle ID is com.rediff.com

Now use the command clutch -b com.rediff.com [This command will create a new file under the /var/tmp/clutch/<>/ directory]


As we can see from the picture above, the file has been saved to /var/tmp/clutch/someid/. So let's go into this directory.
We have an executable file in this directory. Great!

Now use the command class-dump-z RediffmailNG [This command will now extract the class information]


That's all for this part.

If you enjoyed this post please do share and comment. We love to hear from you. :)
