Introducing the iOS Reverse Engineering Toolkit

It should be the goal of every worker to expend less time and energy to achieve a task, while still maintaining, or even increasing, productivity. As an iOS penetration tester, I find myself repeating the same manual tasks for each test: typing out the same commands to run the various tools I need to do my job. To be honest, it’s completely monotonous. Every time I fat-finger a key, I lose productivity, forcing me to expend more time and energy to achieve the task. I’m a fan of automation. I’m a fan of streamlined innovation that saves me time and still accomplishes, for the most part, the same results. It was this desire to save time, and to reduce my likelihood of suffering from carpal tunnel, that led me to create the iOS Reverse Engineering Toolkit.

What is iRET?

So what is iRET? Well, for lack of a better, more eloquent definition, it’s a toolkit that automates many of the manual tasks an iOS penetration tester needs to perform in order to analyze and reverse engineer iOS applications. And the bonus is…this can all be performed right on the device. Still sound like an interesting toolkit? Great, read on.

Already sold? Download the toolkit here.

iRET Features

What exactly does iRET do that can help you, an iOS penetration tester, perform your job more efficiently? Below, in Figure #1, is a screenshot of the main landing page of the application. This page lets you know which tools need to be installed, and tells you if they aren’t. This is also the page where you select the installed application you would like to begin analyzing/reverse engineering.

Figure #1 – Main iRET Page

The tools listed on the left in the image above, and the dependencies required to run iRET, are freely available both on the web and within various repositories on Cydia. After selecting an application from the dropdown, the user is redirected to the main iRET functionality page. Below is an overview of each feature of the iRET toolkit.

Figure #2 – Binary Analysis Tab

Binary Analysis: The binary analysis tab automates the execution of otool, which is used to extract information about the binary. The displayed data includes binary header information, such as whether PIE is enabled and the targeted architecture. It identifies whether the binary is encrypted, whether it has stack-smashing protection enabled, and whether it has automatic reference counting (ARC) enabled.
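As an added illustration of how the checks the binary analysis tab reports can be derived from otool’s output (this is my example, not code from the iRET toolkit), the script below parses constructed sample text modelled on what otool -hv, otool -l and otool -Iv print, and reports the architecture, PIE, encryption (the cryptid of LC_ENCRYPTION_INFO), stack-smashing protection (a reference to ___stack_chk_fail) and ARC (a reference to _objc_release). The sample text and the otool() wrapper are assumptions; the parsing works on the real command output when run on a device or against a binary copied off it.

```python
import subprocess

# Constructed sample output modelled on what otool prints for an iOS app
# binary (otool -hv, otool -l, otool -Iv). Not captured from a real app.
SAMPLE_HEADER = """\
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64   ARM64        ALL  0x00     EXECUTE    21       2528   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""

SAMPLE_LOAD_COMMANDS = """\
Load command 11
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 1441792
      cryptid 1
          pad 0
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
"""

SAMPLE_IMPORTS = """\
Indirect symbols for (__TEXT,__stubs) 3 entries
address            index name
0x0000000100006a1c   118 ___stack_chk_fail
0x0000000100006a28   130 _objc_release
0x0000000100006a34   131 _objc_retain
"""


def otool(flag, binary):
    """Run otool with one flag (-hv, -l, -Iv) and return its stdout.
    Only meaningful on a jailbroken device or a Mac with Xcode tools."""
    return subprocess.run(["otool", flag, binary], capture_output=True,
                          text=True, check=True).stdout


def parse_header(text):
    """Return (cputype, pie_enabled) from otool -hv output. A fat binary
    prints one header per slice; this reads the first one only."""
    for line in text.splitlines():
        if line.startswith("MH_MAGIC"):
            fields = line.split()
            # magic cputype cpusubtype caps filetype ncmds sizeofcmds flags...
            return fields[1], "PIE" in fields[7:]
    raise ValueError("no Mach header line in otool -hv output")


def parse_encryption(text):
    """Return the cryptid of LC_ENCRYPTION_INFO(_64) from otool -l output,
    or None if the load command is absent. cryptid 1 means the App Store
    (FairPlay) encrypted binary; 0 means decrypted or never encrypted."""
    in_encryption_cmd = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("cmd "):
            in_encryption_cmd = line.split()[1].startswith("LC_ENCRYPTION_INFO")
        elif in_encryption_cmd and line.startswith("cryptid"):
            return int(line.split()[1])
    return None


def parse_imports(text):
    """Check otool -Iv output for the two symbols the tab looks for."""
    symbols = {line.split()[-1] for line in text.splitlines()
               if line.startswith("0x")}
    return {"stack_canary": "___stack_chk_fail" in symbols,
            "arc": "_objc_release" in symbols}


def analyze(header_out, load_cmd_out, imports_out):
    """Combine the three otool views into the summary the tab displays."""
    arch, pie = parse_header(header_out)
    result = {"arch": arch, "pie": pie,
              "encrypted": parse_encryption(load_cmd_out) == 1}
    result.update(parse_imports(imports_out))
    return result


def analyze_binary(path):
    """Same summary for a real binary on the device."""
    return analyze(otool("-hv", path), otool("-l", path), otool("-Iv", path))


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADER, SAMPLE_LOAD_COMMANDS,
                              SAMPLE_IMPORTS).items():
        print(f"{key:13} {value}")
```

An encrypted binary (cryptid 1) has to be decrypted before class-dump can produce useful headers, which is exactly the ordering the header files tab enforces below.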

Figure #3 – Keychain Analysis Tab

Keychain Analysis: The keychain analysis tab automates the execution of ptoomey’s “keychain_dumper” utility. This utility allows the user to analyze the keychain contents, including passwords, keys, certificates, etc. for any sensitive information.

Figure #4 – Database Analysis Tab

Database Analysis: The database analysis tab automatically populates a dropdown containing all databases (.db, .sqlite, .sqlite3) found within the selected application. Once a database is selected from the dropdown, sqlite3 is automated to display the content of the database.

Figure #5 – Log Viewer Tab

Log Viewer: The log viewer tab contains two pieces of functionality. First, it lets the user review the last 100 lines of the system log (syslog) file on the device. Second, all identified log and text files associated with the selected application are loaded into a dropdown menu, and when one is selected, its content is displayed.

Figure #6 – Plist Viewer Tab

Plist Viewer: The plist viewer tab fills a dropdown with all of the property list files found for the selected application. When the user selects a property list file from the dropdown, its content is displayed.

Figure #7 – Header Files Tab

Header Files Part 1: The header files tab has three pieces of automated functionality. The first identifies whether the binary is encrypted; if it is, the binary is automatically decrypted. The second performs a class dump of the unencrypted binary into separate header files. These header files are then loaded into a dropdown menu, as seen in Figure #7 above. The third piece of functionality takes place when the user selects a header file from the dropdown menu. Once a header file is selected, its content is automatically converted to the theos logify format, as seen in Figure #8 below, allowing the user to easily copy/paste the content into the theos tab for quick theos tweak creation.

Figure #8 – Headers in Theos Logify Format

Theos: The theos tab is multifunctional, and allows the user to create, edit, save and build a theos tweak in just minutes. The first part of the theos tab is the tweak creation process. Here, a form is provided, as seen in Figure #9 below, for the user to enter the information required to create the theos tweak.

Figure #9 – Theos Form

After the theos tweak is created, a dropdown is shown that allows the user to select the “makefile” or “Tweak.xm” file for viewing/editing, as seen in Figure #10 below.

Figure #10 – Theos Files Displayed

Once the user selects one of the files in the dropdown, the file can be viewed and edited. After making any changes, the user can click the “Save” button to save those changes to the selected file, as seen in Figures #11 and #12 below.

Figure #11 – Viewing the Theos makefile

Figure #12 – Viewing the Copy/Pasted Header File into the Tweak.xm File

After the user has made their changes to the tweak and is ready to build it, all they need to do is click the “Build” button, at which point the tweak is compiled and automatically copied to the /Library/MobileSubstrate/DynamicLibraries directory, as seen in Figure #13 below.

Figure #13 – Building and Installing the Theos Tweak

After the tweak has been installed, the user simply resprings the device and launches the application targeted by the theos tweak.
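An added example, mine rather than the toolkit’s code, covering the two steps just described: converting a class-dump header into the theos logify form shown in Figure #8, and generating the files the theos form produces (Makefile, Tweak.xm and a bundle filter plist) so the tweak is built and loaded only into the targeted application. The sample header and the class/selector names in it are constructed; the Makefile layout follows the theos tweak template of that time and should be checked against your theos version; logify() is a simplified re-implementation of the idea, not theos’s own logify.pl.

```python
import re

# Constructed class-dump style header for illustration (class and selector
# names invented; not from a real app).
SAMPLE_HEADER = """\
@interface LoginViewController : UIViewController
{
    UITextField *_passwordField;
}
@property(nonatomic, retain) UITextField *passwordField;
- (void)viewDidLoad;
- (BOOL)validatePassword:(NSString *)password forUser:(NSString *)user;
- (id)sessionToken;
@end
"""

# "- (BOOL)selector:(type)arg ...;"  ->  kind, return type, selector part
METHOD_RE = re.compile(r"^([+-])\s*\(([^)]*)\)\s*(.+);\s*$")
INTERFACE_RE = re.compile(r"^@interface\s+(\w+)")


def logify(header_text):
    """Turn a class-dump header into a Logos hook skeleton: each class
    becomes a %hook block and each method logs its arguments (%log),
    calls the original (%orig) and returns the original result.
    Simplified re-implementation of the idea behind theos's logify.pl;
    properties and ivars are skipped."""
    out = []
    for raw in header_text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            out.append(f"%hook {m.group(1)}")
            continue
        if line == "@end":
            out.append("%end")
            continue
        m = METHOD_RE.match(line)
        if not m:
            continue
        kind, rettype, selector = m.groups()
        rettype = rettype.strip()
        if rettype == "void":
            body = "{ %log; %orig; }"
        else:
            body = f"{{ %log; {rettype} r = %orig; return r; }}"
        out.append(f"{kind} ({rettype}){selector} {body}")
    return "\n".join(out)


def tweak_files(tweak_name, bundle_id, hooks):
    """Files the theos tab's form produces for a tweak. The Makefile layout
    follows the theos tweak template of the time (an assumption; check it
    against your theos install). The plist restricts MobileSubstrate to
    loading the tweak only into the targeted bundle."""
    makefile = "\n".join([
        "include theos/makefiles/common.mk",
        "",
        f"TWEAK_NAME = {tweak_name}",
        f"{tweak_name}_FILES = Tweak.xm",
        "",
        "include $(THEOS_MAKE_PATH)/tweak.mk",
        "",
    ])
    filter_plist = f'{{ Filter = {{ Bundles = ( "{bundle_id}" ); }}; }}\n'
    return {"Makefile": makefile,
            "Tweak.xm": hooks + "\n",
            f"{tweak_name}.plist": filter_plist}


if __name__ == "__main__":
    hooks = logify(SAMPLE_HEADER)
    for name, content in tweak_files("LoginSpy", "com.example.app", hooks).items():
        print(f"==== {name}\n{content}")
```

The bundle filter is the part worth keeping an eye on: without it the tweak is injected into every process MobileSubstrate touches, which is both noisy in the syslog the log viewer tab shows and a good way to destabilise the device.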

The final tab, and piece of functionality, in the iRET toolkit is the screenshot tab.

Figure #14 – Screenshot Tab

Screenshot Tab: This tab allows the user to view the cached screenshot, if any, of the selected application.

The iRET toolkit, like any toolkit, is not a panacea for iOS mobile penetration testing. However, it will allow you to automate many of the tasks that are required in analyzing iOS applications.

Download the iRET toolkit.

Special Thanks:

I would like to give a special thanks to all of the iOS tool/utility creators who make our jobs easier through their tireless research and contributions, including Dustin Howett (theos), Stefan Esser (dumpdecrypted), Patrick Toomey (keychain_dumper), as well as many others. I would like to thank the creators of the iNalyzer tool, which was the inspiration for iRET. I would also like to thank Richard Zuleg, who contributed his time and effort in helping me with the Python portion of this application, Bucky Spires for his assistance in troubleshooting many of the issues I experienced developing this toolkit, and Dan DeCloss for his help beta testing and making sure iRET was ready to be shared with the public. Without the efforts and assistance of those mentioned above, the development of this toolkit would never have been possible…at least not without a lot of caffeine, late nights and frustrated yelling.

Eric | March 20, 2014 8:45 pm

Thanks Stephen, this toolkit will help me get started in reverse engineering iOS apps. Since the Zorenium iOS bot variant was discovered, more iOS reverse engineering toolkits like this one need to be created. Thanks again, and one day I hope to be a sec researcher full time.

JSON3 | March 21, 2014 6:27 am

Wonderful!
Thank you very much.

Dov Verthiem | March 23, 2014 12:54 am

Great Job!
P.s. The creator of iNalyzer tool name is Chilik Tamir. He gave a full presentation at HITB Amsterdam in 2013 about the tool.

sean | March 23, 2014 5:39 am

Just thought it might be worth mentioning here to save anyone else the trouble… You will need to install python before this will work.

sec | March 24, 2014 2:42 pm

Nice tool. It would be even nicer if you could make it show the app entitlements. As you surely know, they are embedded as strings in the app binary, so it would actually be very easy to automate this functionality (now I usually do it manually: “strings | grep -A 20 <?xml”)

sec | March 24, 2014 2:43 pm

edit: “strings AppBinaryName | grep -A 20 <?xml”
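An added example, not part of the comment above or of iRET, showing how the entitlements check sec suggests could be automated in the toolkit’s Python rather than with strings and grep: the embedded entitlements are an XML plist inside the binary, so scanning for the <?xml … </plist> span and handing it to plistlib gives structured output a reviewer can check instead of 20 lines of raw text. The bytes standing in for an app binary are constructed, and the two review rules at the end are my own choice of things worth flagging.

```python
import plistlib
import re
import sys

# Constructed stand-in for an app binary: arbitrary bytes around an embedded
# entitlements plist, as the __TEXT,__entitlements section would hold it.
# Not a real binary; the identifiers are invented.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 32 + b"___stack_chk_fail\x00"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>application-identifier</key>
\t<string>ABCDE12345.com.example.app</string>
\t<key>get-task-allow</key>
\t<false/>
\t<key>keychain-access-groups</key>
\t<array>
\t\t<string>ABCDE12345.com.example.app</string>
\t</array>
</dict>
</plist>
"""
    + b"\x00" * 16 + b"_objc_release\x00"
)

# Same span the "strings | grep -A 20 <?xml" trick prints, but bounded by
# the closing </plist> tag instead of a fixed line count.
ENTITLEMENTS_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_entitlements(data):
    """Return every XML plist embedded in the blob, parsed into dicts.
    A fat binary carries one per slice, hence the list."""
    return [plistlib.loads(m.group(0)) for m in ENTITLEMENTS_RE.finditer(data)]


def review(entitlements):
    """Findings a tester would want surfaced next to the raw plist."""
    findings = []
    for ent in entitlements:
        if ent.get("get-task-allow"):
            findings.append("get-task-allow is true: binary is debuggable (development build)")
        groups = ent.get("keychain-access-groups", [])
        if len(groups) > 1:
            findings.append(f"keychain shared across {len(groups)} access groups")
    return findings


if __name__ == "__main__":
    # Pass a binary path to inspect a real app; default to the sample blob.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_BINARY
    for ent in extract_entitlements(blob):
        for key, value in ent.items():
            print(f"{key}: {value}")
    for finding in review(extract_entitlements(blob)):
        print("!", finding)
```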

Steve Jensen | March 25, 2014 3:39 am

The downloadable zip contains an updated “Readme” file that provides additional dependency information.

Steve Jensen | March 25, 2014 6:35 pm

sec, I’ll work on getting this added into the next release.

Eric | March 26, 2014 11:03 am

Steve,

You should add this toolkit to Github or some other online repo site where users can contribute code to the project. Just thinking…

Pedro | March 26, 2014 12:09 pm

This sounds very good!!!

mc | March 27, 2014 8:23 am

Great tool !
I have some issues with the class-dump-z (0.2a).
It is installed on my iPad but the iRET tool marks it as “not installed”. So I can’t dump the app.
Any idea ?

iPad:~ root# which class-dump-z
/usr/bin/class-dump-z
iPad:~ root# class-dump-z
Usage: class-dump-z []

where options are:

Steve Jensen | March 28, 2014 11:40 pm

For those having questions or issues about the toolkit you can contact me via the email address listed in the README document or contact me on twitter at handle @S3Jensen.

Alexander Skiba | April 7, 2014 2:48 pm

Could you please put this on Github?

Steve Jensen | April 8, 2014 5:47 pm

I will be putting the code on github very soon.

    Alexander Skiba | April 8, 2014 7:16 pm

    Excellent. Thank you *very, very much*.
