3 hours 58 minutes

Video Transcription

before we get into dynamic analysis techniques for IOS, let's review arm our analysis process and see how it changes while performing dynamic analysis. So the short answer here is it really doesn't right.
We still wanna handle files properly. We want to run applications in a secure environment. We want to scan them with a V. An attempt to make our job a little easier
by utilizing virus total in some other online resource is if we can, while performing dynamic analysis will again implement a repeatable scientific process with the only real difference being our environmental set up. Our goal here is still the same right. We want to uncover the functionality of the application.
And so we accomplish this by letting the application Ron in the environment
while observing the outcome and recording the results. Now, depending on our findings, we might make changes to the environment and run the application again, and we can repeat this process until we're satisfied with the results and have met our analytical goals.
The process of performing dynamic analysis, whether it's on IOS or Android, is allowing the suspicious mobile application to run on our target platform, which, of course, is on the West. In this instance, we then observe and interpret the results, which can come in the form of network connections, insulation or removal software,
the vice profiling device modifications and other different types of artifacts. And so our approach to dynamic analysis can typically take on three avenues.
We could use an online sandbox, install a framework ourselves, or we could build an environment ourselves. The one you take will depend heavily on your analysis goals.
Let's look at some dynamic analysis challenges for IOS, probably the major hurdle to performing dynamic analysis. It's time for a beginner. Typically, there's a large commitment to create the environment necessary to perform your analysis as really, there's only a choice. Few options out there For quick analysis.
We could submit the sample to Virus Total or Joe Sandbox. However, a lot of the artifacts are only available with a paid subscription. But for a brief look of the file type and the architecture, it could be a quick win for you. Alternatively, you could choose to install third party framework on your own
Now, although these frameworks are driven by research in the open source communities,
sometimes a documentation of the projects are poorly maintained, the code tends to be older, abandoned, and the set of requires a deep knowledge of IOS programming languages and internals.
Now, lastly, you could choose to install and build a tool set on your own. Now, my pain is my favorite option. Right. When you build your own lab, you have the control to install any type of software. You wish it could be commercial. Could be open. Source Could be something you built yourself. Now again, The only downside is the time commit, required to get yourself up and running
and the knowledge of always internals. Now, obviously, these are challenges you can overcome,
and I'm here to get you started at least. So what we'll do in this course is mostly rely on some third party frameworks to aid with our analysis approach and then off line, you can go investigate Building 11 a tool set of your own. Okay, so let's start talking about our dynamic analysis steps.
All right, So for us, Step one is to upload the I p. A to an online sandbox like virus total or Joe sandbox
and see what type of results you are able to retrieve. You want to review any strings network connections, libraries, et cetera, to see if you can uncover the functionality of the program. Also, don't forget you want to confirm any hypothesis you created during your static analysis process.
Next, we'll explore the application at runtime. Now I wanna warn you. Unfortunately, exploring the application isn't as easy if you're coming from a Windows analysis background,
because first we need to get our environment set up a little bit before we do some digging. So with our jail broken device will inject our script JavaScript framework into a running application. If you remember, I mentioned that all ups that get installed from iTunes store encrypted. But luckily for us, the system applications air not, and we'll easily use his method on the springboard app.
Before we access the springboard application, we need to set up our environment. So let's go over a brief list to get us started quickly. First, we need a jail broken device with Sylvia Darwin CC Tools script and open sshh installed. Usually use tools come with Syria, so you should need to add any extra repositories.
I've also included eyepatch and X Code
but we'll talk about those a little later. After completing the jailbreak, you should be able to log into your device with sshh remotely via WiFi. Are U S B. I would also change the root password of Alpine at this point after logging in. I would also take some time to become familiar with the file system and open up a second shell so you can interact with script framework
and run commands at the same time. If you have any problems installing the tools are getting set up in any way.
Be sure to consult the course materials or get in touch with me if you need help.
Now that we have our device set up, we're almost ready to start issuing commands. But first, let's take a look at how applications run on Iowa's. In summary, Objective C is a super set of sea, so an image. The application begins with the main function. This is when the user interacts with the application some way. The first thing that main does and it really has only one job
is to call the method you I application main. This method then creates a U IE application object.
This object communicates very closely with the APP delegate.
The AP delicate is the manager really of the application shared behaviors. This handles test, such as responding to Apple Able offense, responding to notifications and initializing central data structures. These events are triggered by the U IE application object. Once the application finishes with all its work,
the application did finish launching method is returned,
at which point the application window launches. This is whatever the user sees. All subsequent events are handled by the run Luke.
So let's summarize the U Y application class and AP delegate to understand why they're important to us. You application class manages the event, loop high level behaviors and notifies the apple of a delegate of incoming messages. The application Maine is called when an application has launched, meaning we can't access this object through the class methods
and look how the application is functioning.
The AP delegate is a custom object that's created by the developer that's launched at runtime. The main purpose of the APP delegate is to be able to endless day of the application and typically the application has five states, which we can also inspect to see how the application performs
while you perform dynamic analysis, it's important to know the application execution.
Now, the nice thing is that the execution is common among IOS abs, so you'll always know where to begin your analysis. In this instance, it's you I application main. In fact, this is exactly how script works With script, we can connect to the running application and get access to the U. Y object,
which in turn allows us to iterated through the entire internals of the application.
So in our example, we're gonna play with a few system applications, right? We're gonna inject a script into them, and we're gonna modify their behavior at runtime. Now, as I mentioned previously, system applications are encrypted, so this makes our job a little easier. But what if you wanted to use Facebook as a target application? Well, any app you download and run on your device from the APP store is encrypted,
so you first have to decrypt the app,
then dump the AB and then download to your Mac.
After that, you'd analyze it statically, and then once you're finished, you would then upload it back to your device. Now, unfortunately, decrypting and dumping APS is outside the scope of this course, but you could upload in I P A. From 1/3 party repositories for analysis. This is somewhat trivial with city impact or or appsync
with city or absent. All you need to do is connect your device via USB.
Picked the epi. One upload in the tool does the rest.
So script is a command line JavaScript framework that hooks applications and allows you to modify them by running JavaScript and or objective see commands. The general approach here is to run the application, hook the process I D and perform investigative actions to understand the applications functionality in depth
while performing dynamic analysis, we want to change and interact with the different methods of a certain class
or object at runtime. This approach is called methods swizzle ing. To perform this task, however, you need to have some knowledge of the program structure. This comes from the stack analysis process. By dumping the classes and examining the program in a disassembled,
it's important to note also to use this framework and to understand it. Knowing the object of sea and javascript languages will help you immensely
once you're logged into the console. You can start to explore the application and perform runtime modifications to see how the application performs. So next, let me take you through a brief demonstration. How we can use script now before I do. I want to let you know that unfortunately, we're not gonna able to dive into it too deep as this could be an entire video course in itself.
But we will make a few modifications to an app so that you can see its potential to help you with your dynamic analysis.

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Instructor Profile Image
Brian Rogalski
CEO of Hexcapes