Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Wolf will get IOS applications Next. What are they? Well, IOS applications are pieces of software developed for the iPhone IOS, written in Objective C or Swept. If you aren't familiar with objectives here, Swift Objective C is an object oriented programming language created in the 19 eighties.
00:18
Objective C is based off the sea programming language,
00:21
with some features added to perform messaging functions. But really, for the purposes of this course, you can think of objective See as just see
00:29
now, because Objective C is a bit of a no language Apple developed Swift in 2014. Swift is also object oriented and was meant to replace Objective See. Swift is easier to use for a new programmers, and it's currently the recommended language for OS X and IOS Development
00:48
to create an application. The main tool used for development is called X Code. X Code is an integrated development environment containing a suite of tools for developing IOS in Mac OS applications.
01:00
Once you've written your application in X code, the files and necessary components are bundled, signed and then send off to Apple for approval.
01:08
In IOS, application is created using event handling model based on touch fence When creating applications. Developer use frameworks present in the coca touch and media layers. These layers provide access to components that drive these events, as well as create applications that use audio, video and other multimedia service's.
01:27
The applications have a file extension of dot i p A,
01:32
but they're similar to ZIP files. The I pay files contain all the executed all code images Resource Is and other information files that it required to run an application. But we'll take a look at those files and the structure in a second.
01:46
During arm our analysis process, we're gonna be fooling with ease. I p files quite a bit. So although it's important to know which frameworks are exposed in each wear, I wouldn't focus so much on knowing every single component which is available to us in each layer.
02:00
However, if you need a reference, you can look at the diagram we made earlier, or you can take a look at the documentation on Apple's website.
02:07
I'll go ahead and add a link in the extra material and provide for reference
02:13
before we get into the structure of an application. Let's see how it runs
02:16
so if you remember. During our security discussion, we introduced the idea of sandboxes sandboxes, one of Apple's ways to mitigate exploitation. The goal in the sandbox is to limit one application could do or what resource is it has if it were to become compromised or be inherently malicious. IOS applications running their own sandbox,
02:37
each one containing three containers.
02:39
The 1st 1 is the bundle container. This is called the application bundle. Theat Bundle contains all the files package together so an app can run will focus on this container quite a bit as it contains a lot of information we can extract during our malware analysis process.
02:55
The data directory is a storage location for files the application uses to organize its data. At a minimum, it's divided into three directories, but it could have more depending on how the developer intended an application to run.
03:08
The document directory is for user generated content and has filed story in which the user will interact with
03:16
the library is similar. However, this directory is not exposed to the user and it's not used for data files. These files store app or systems specific information. The temp folders for temporary storage Thes files don't persist between application launches.
03:32
Leslie the at main request access to additional container directories.
03:37
For example, the iCloud Container this'll directory provides a structured system for storing files that make use of I clap.
03:44
As I mentioned, I pay files are like ZIP files. When we break up our app, which we're going to do in the next exercise, it's gonna contain a set of files will need to examine during our static analysis techniques in Module three. But for now, let's examine the structure and become familiar with the file types.
04:00
A few minutes ago, we said that applications are packaged in application bundles.
04:04
The application bundle director is named payload, and it contains. All the files were card for an application. The list here contains some example files, and depending on how an author develops an application, you could see more or less when you extract the application. However, in the at bundle, the APP execute herbal info dot p list
04:23
an application. Icons are all required, so you'll see these every time
04:28
the AP executed. Well, as we mentioned is the executed will code of the application. This would be the same name you've given the application. The information Property List filed is a structured file that contains configuration information for the application.
04:42
The system also relies on the presence of this file toe Identify. Revel in information about your application and any other related files.
04:49
The risk of the files are categorized as resource is. Resource is our data files that outside your application and day typically consist of things like images, icons, sounds, the nip files, string files and any other configuration files. Most resource is files can be localized for a particular language or region
05:09
or shared by all localization Sze.
05:11
Okay, so let's break up this lovely lecture with an exercise In this exercise, we're gonna be looking at the structure of an I. P. A. File to accomplish. This will identify the file first and then we'll examine its contents. In this exercise, we're not gonna use any unique tools or a special VM. So no worries. There
05:29
also, the application isn't malicious. We're not gonna be running it. So all you need is a Lennox virtual machine, Andy and an archive tools such as wins it. If you do, you're ready to go.
05:39
If not feel free to pause the video and fire up one of the virtual machines we talked about in the intro. Then when you're ready, come back and perform the exercises with me Before we begin. Let's go over the steps were going to take in some ring. We're gonna move the file over to our virtual machine. Then we'll run a couple tools on the app and recorder results.
05:59
Let's begin.
06:00
All right. So if you could see here, I've fired up Callie Lennox with a command prompt. I also went ahead and move the lab files to a folder on the desktop called Lab Files. So we should be ready to go there. We're gonna be working with the files in the exercises. One folder. So let's navigate to that directory now.
06:25
Okay, great. So we've got two files here now. A good practice he should get into. The habit of doing is to get MD five hash of the filing question. In this case, the MD five will ensure the file you're working with is an exact copy of the one I provided to you
06:40
during your analysis. Verifying the MD five will help you ensure nothing has changed during the file handling process. So we have two files here filed up in an empty fives so quickly. Let's get the MD five of filed up bin and compare it to the contents of the MD Files file. And we'll do this using the MP five. Some command
06:59
with file as a target.
07:01
All right, let's do that now.
07:04
Okay,
07:05
I some
07:09
found Ben.
07:11
Okay, so there's our hash, and let's compare it to what's in empty fives using that. Get command.
07:17
You
07:18
Okay, Great. So there we go. The hashes do match. Next, we'll examine a file. That bin now, I've already told you it's an i. P A file. We use the file command just to confirm this. It's also a good idea to get into the habit of doing because sometimes during your analysis process, you just handed files. And if you go ahead and identify the file first,
07:38
then that could steer your analysis process one way or another.
07:42
So let's just go ahead and confirm that this is an IOS application. By running the file command
07:47
file,
07:48
I'll stop in. That's our target.
07:51
Okay, great. It's confirmed. It's an IOS application, and if you remember in the last line. IOS applications are zip files, basically. So we can go ahead and use the on archive or tool or just any tool that you want to use. I'm gonna use unzip to go ahead and on archive the contents of the file. So bun zip,
08:15
final stop in.
08:18
Okay, it's unzipped.
08:20
All right. Now, what we can do is examine the contents. So let's look at that.
08:26
All right, look at that. A payload directory. If you remember, the payload directory contains the AB bundle. So let's confirm that we can just CD into that directory.
08:41
Okay? Look at that. We've even got more information now. Now we've got the AB name Devi a virgin too. So we should be able just to descend into this directory and view the contents of the apple bundle. So let's do that.
08:58
Okay? And then we'll list the directory contents.
09:03
Okay? So it looks like we have successfully navigated to the application bundle. So now if you remember from the last side, there's a couple files that should be here. We already got some images, so we see the images here, but we also should have in info dot p list and the actual application. So let's take a look through the contents and see if we can find them.
09:24
Let's see. So we've got some images. We know that. Let's move up a little bit.
09:28
Okay, so here's the info dot P list. We know we should have that.
09:33
Here we go. This is the application. It should be the application. What we can do is we can use the file command again to see if this is the actual application. So let's do that
09:43
file D V I a
09:48
too. Okay,
09:50
Marco, 64 bit perfect. And we can even check out and see what the info dot p. Let's see what type of file that is.
10:00
Okay, it's an apple binary property list file. We'll learn more about those later, but there you go. Now you've successively browse through an IOS application. Good job.
10:09
All right. In this exercise, we examine it I p a. In its contents, we learned that an IOS application is just like a zip file and we can review the contents just by unzipping them. Also, we reveal that the at bundle is contained within payload folder In this at bundle contains all the files necessary for an i p A file to run

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Instructor Profile Image
Brian Rogalski
CEO of Hexcapes
Instructor