Authentication bypass is the process of removing the limitations imposed by Apple on iOS devices, allowing users to install and run apps that are not authorized by Apple. Authentication not only gives users more control over their devices, but also pose security risks and compromise the integrity of the iOS ecosystem. As a result, many iOS apps include authentication, jailbreak detection mechanisms, which can detect if the device has authentication and take action to prevent the app from running or might limit its functionality.
LLDB is a powerful tool for runtime manipulation and debugging in iOS; it can also be used for authentication bypass, bypassing jailbreak detection mechanisms. By using LLDB to modify the behavior of an app at runtime, we can disable or authentication bypass, bypass authentication detection mechanisms also other security checks and run the app on a jailbroken device.
To bypass authentication mechanisms using LLDB, we’ll need to identify where in the app’s code the authentication is being performed. This can vary depending on the app, but common techniques include checking for the presence of certain files or directories that are indicative of a jailbroken device or checking for the presence of certain system libraries or processes that are only present on jailbroken devices.
Exploration of Runtime Manipulation
In iOS development, debugging and runtime manipulation are essential tools for identifying and resolving issues in an app. One powerful tool for runtime manipulation is LLDB, the Low-Level Debugger. LLDB is a command-line tool that allows you to interact with an iOS app at runtime, inspect its state, and modify its behavior on the fly. In this blog post, we’ll explore how to use LLDB for runtime manipulation in iOS.
Prerequisites-
Before diving into the demonstration there are some prerequisites that are essential to better understand the blog. It is assumed that the reader has prior knowledge of Frida and LLDB and also has a basic understanding of the iOS application structure. These will help in better understanding how the application works and how it stores the values.
LLDB is built on top of the LLVM compiler infrastructure and is designed to be fast and lightweight. It provides a powerful set of commands for debugging and introspection, including support for breakpoints, watchpoints, and expression evaluation. With LLDB, you can stop an app’s execution at any point, inspect its call stack, examine its memory, and modify its variables and objects.
To get started with LLDB, you’ll need to set a breakpoint in your code. A breakpoint is a point in your code where the debugger will pause the execution of the app, allowing you to inspect its state.
Dynamic Exploration
Command-lldb
The above command will wait for DVIA-v2 to finish, so make sure it is closed before beginning.
Once it is finished, launch DVIA-v2. On the loading screen Now execute the following commands in a new Mac terminal window:
- Place your iPhone IP Address in the placeholder. Give it a second to run, and it should show you something like the below:
- Now type c into the LLDB terminal and press Enter. DVIA-v2 to fully load when the application flow resumes as a result.
- We must first figure out the ASLR offset. The addresses in memory will be random each time we start because ASLR is in use. Therefore, we must do this again each time DVIA-v2 is restarted. Now dump the image sections in LLDB.
- Before we jump on LLDb, we start with binary extract after extracting the IPA. You can extract the IPA using the unzip command. Now extract the binary here because you will need to reverse the binary file and check how the functionality works.
Commands- Unzip Test.IPA
After extracting the application you will get a payload folder, and in this folder, you will get other things related to the application like Application binary, library, Frameworks, Images, Plist files. Application binary also exists in this folder.
image dump sections DVIA-v2
Here we mentioned ASLR offset so,
What is ASLR Offset?
ASLR stands for Address Space Layout Randomization, which is a security mechanism used by modern operating systems to randomize the memory layout of programs at runtime. The purpose of ASLR is to make it more difficult for attackers to exploit vulnerabilities in programs by making it harder to predict the memory layout of a program.
ASLR randomizes the base address of a program’s executable and its dynamically linked libraries (DLLs) in memory. This means that every time a program is executed, the memory addresses of its code and data sections will be different. The offset between the base address and the actual memory address is called the ASLR offset.
For example, let’s say a program has a function called “foo” located at address 0x1000 in its executable file. Without ASLR, the function would always be loaded at address 0x1000 in memory. However, with ASLR enabled, the base address of the program’s executable might be randomized to 0x4000, resulting in a new address for the “foo” function of 0x5000. In this case, the ASLR offset would be 0x4000.
ASLR is a widely used security technique, and its effectiveness depends on the degree of randomness introduced in the memory layout. However, attackers can still potentially bypass ASLR by using information leaks or other techniques to deduce the base address and compute the actual memory addresses of program elements.
- Now we can calculate the offset by subtracting the value in the box at the bottom from the value in the box above it. The places of these will be the same.
0x0000000100000000-0x0000000100e5c000=0xe5c000
- To reverse the iOS application you will use a hopper disassembler. After getting on the hopper you can load the binary, and you’ll get the assembly code of the application.
- Now you will search for the string in hooper which you can get in the application. Post that you will find the reference.
- Knowing the offset allows you to look into the hopper’s function and locate the comparison you are looking for.
- Now, you should be able to display it in the LLDB console using the determined ASLR offset.
- Using the estimated ASLR offset, you can then display it on the LLDB terminal.
dis -s 0xe5c000-0x00000001001bd300
Now let’s set a breakpoint on the jump you are interested in.
br set -a 0x1004b1314
- Select method 1 and enter your login information into the application’s login screen.
- The arrow should be pointed at where you can put the breakpoint, as shown below.
- Now if you look at the registers, you will see the values being evaluated for the jump.
- For reading register values, you need to throw the command on LLDB
register read
- Given that you wish to reverse the jump instruction’s logic, you must check the x0 register because if it equals 0x0, the jump will be executed, sending you an unsuccessful message.
0x10484d314 <+1592>: tbz w0, #0x0, 0x10484d3d0
- When we set a breakpoint in our code, we can inspect the values of registers to understand the state of our program at that point in time. In this case, we specifically checked the value of register x0 and found that it was set to 0. This indicated that we were using incorrect login credentials.
To modify this and test our program with correct credentials, we can use LLDB to change the value of register x0 to 0x1. This will simulate the use of correct credentials in our program and allow us to test it accordingly.
register write x0 0x1
- Because you have incorrect credentials, you can see from the registers that x0 is definitely 0x0. Now change it to 0x1.
- Post that, you need to restart the app by typing c in the lldb terminal and pressing Enter.
- You should now see the success notification on the application!
Conclusion
Bypassing authentication using LLDB is a technique that can be useful for pentesting or debugging purposes. However, it’s important to note that bypassing authentication without permission can be illegal and unethical. It’s also important to note that bypassing authentication can have serious security implications, as it can allow unauthorized access to sensitive data or functionality within an application.
With that said, if we have permission to bypass authentication in an iOS app for pentesting purposes, we can use LLDB to modify the behavior of the app and bypass authentication checks. The general process involves identifying where the authentication check is being performed in the app’s code, setting a breakpoint at the start of the authentication check using LLDB, modifying the values of variables or objects used in the authentication check, and then continuing execution of the program with the modified values.
While this technique can be effective in bypassing authentication, it’s important to use it responsibly and ethically. Developers should ensure that their apps have proper authentication and authorization mechanisms in place to prevent unauthorized access. Pentesters should obtain explicit permission before attempting to bypass authentication, and should only do so in a controlled environment to minimize any potential harm. Additionally, any vulnerabilities or weaknesses that are discovered through this process should be reported to the app developer and addressed in a responsible manner.
About Payatu
Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystems, Web applications & Networks with a proven track record of securing applications and infrastructure for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s Service and get started with the most effective cybersecurity assessments.
