General iOS Knowledge

Literature

Here is a link to our papers on iOS. The iOS Access Control Demystified paper should be very helpful for anyone working on iOracle. Please do not share these papers, unless you are sure they have already been published.

Websites:

• Official Apple Documentation
• Official iOS Security White Paper
• Guides on low level Objective-C
• The iPhone Wiki
• iPhone Development Wiki

Books:

• The iOS Hacker's Handbook
• *OS Internals Volume III
• Max OS X and iOS Internals To the Apple's Core
• Mac OS X Internals
• The IDA Pro Book

Useful Tips

Installing Beta Firmware

Apple allows developers to test beta firmware by installing it on their devices. The process seems to be fairly simple. Go to https://developer.apple.com/download/ on the iOS device. Download the iOS Configuration Profile and install it on the iOS device. Go to Settings > General > Software Update and install the beta using the over-the-air installer I think that betas can also be installed by restoring to the beta firmware. It should also be possible to downgrade from the beta to the latest release by restoring to the latest release.

Debugging and Anti-Debuggers

GDB seems to fail when you attach it to programs compiled for multiple architectures. A tool called lipo can be used to extract the code for a single architecture from the original executable. Then gdb can be run on the extracted, single architecture version.

iTunes on OS X has anti-debugging functionality. This guide seems to be obsolete, but it might provide some insight. This guide works with minor modifications. The most significant difference is mentioned in the guide's comments. When you break on exit and look at the backtrace, the function that called the exit might have a different name/address. For me, it was still the function in frame #1 of the backtrace. Note that the number in "br add command 2" represents the number of the breakpoint to respond to with automated commands. If you only have one breakpoint, you would use "br add command 1". The last bit about the segfault is very easy to address. When the segfault happens just use "thread return" and "c" to prevent the application from crashing. After this happens it seems that the anti-debugger stops working but you can continue debugging iTunes.

Working with Jailbroken Device

• Youtube channel I trust for jailbreak tutorials
• Tutorial with a good list of tools to install after jailbreaking.
• How to add a repo to cydia to get more tools.
• ssh over usb connecting iOS device to desktop.
• 64 bit iOS utilities for jailbroken devices

Developing Jailbreaks

• 2011 video by Esser on kernel exploitation
• Presentation on iOS 7.1.2 evad3rs jailbreak
• iOS 8 attack surface 2015
• IOKit fuzzing 2015
• Part 1 of iOS 8 TaiG jailbreak analysis
• Part 2 of iOS 8 TaiG jailbreak analysis
• OS X Sandbox Escape

iOS Firmware

• Apple Hosted Firmware Downloads
• Third Party Collection of iOS Firmware, Take care to download the right version (not beta and no prerequisites)
• Decrypting iOS kernel (Not necessary for iOS 10 and later)
• Firmware Keys (not necessary for iOS 10 and later)
• General tool for working with iOS firmware
• Video on creating custom firmware which uses tool in previous line
• Tool for extracting root file systems from firmware (Windows)
• I find that 7zip on windows works well for extracting files from ipsw or dmg formats.
• Tool from Levin for handling firmware file system

Decrypting iOS Apps

• Decrypting 3rd Party App iOS 7
• Decrypting 3rd Party App (Outdated)
• Automated app decryption - Clutch

Cross Compiling and Code Signing

You will need a special makefile to compile a c program on OS X such that the resulting executable can run on ARM. You can find an example makefile in the code samples here. This is another example makefile:

GCC=/Applications/Xcode.app/Contents/Developer/usr/bin/gcc
SDK=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.2.sdk
ARCH=armv7
SOURCE=looker.c
machFinder: $(SOURCE)
    $(GCC) -arch $(ARCH) -isysroot $(SDK) $(SOURCE) -o looker

• The SDK path will change with each new update of XCode. Usually the version number at the end of the path is all that needs to change.
• The ARCH represents the architecture of the device you want to run your executable on. A few to consider are armv7, armv7s, and arm64.
• The SOURCE is just the file containing your C code.
• This example names the output looker, but you can put whatever name for the executable you want after the -o

You might need to sign your code before it will execute on an iOS device. I have had success using ldid to sign programs for jailbroken devices. ldid is a console tool from cydia that runs on iOS devices.