Detection of function hooking in iOS










1















So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.










share|improve this question
























  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31















1















So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.










share|improve this question
























  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31













1












1








1


1






So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.










share|improve this question
















So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.







ios security hook cydia-substrate






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 2 '14 at 2:59







Krypton

















asked Jan 2 '14 at 2:21









KryptonKrypton

2,94052442




2,94052442












  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31

















  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31
















Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

– osvein
Jan 7 '14 at 0:57





Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

– osvein
Jan 7 '14 at 0:57













Yes, there is no reason not allowing my app to run on jailbroken devices.

– Krypton
Jan 9 '14 at 1:59





Yes, there is no reason not allowing my app to run on jailbroken devices.

– Krypton
Jan 9 '14 at 1:59













For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

– Krypton
Jan 9 '14 at 5:45





For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

– Krypton
Jan 9 '14 at 5:45













Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

– Sergey Grischyov
Jan 27 '15 at 23:31





Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

– Sergey Grischyov
Jan 27 '15 at 23:31













I still have not found any acceptable solution for this. Please answer if you guys got any clue.

– Krypton
Sep 28 '15 at 3:31





I still have not found any acceptable solution for this. Please answer if you guys got any clue.

– Krypton
Sep 28 '15 at 3:31












1 Answer
1






active

oldest

votes


















0














I had the same issue - trying to avoid any potential function hooking within my app.



My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



From OWASP:




In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



I hope this helps, in some way or form ...






share|improve this answer






















    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f20875415%2fdetection-of-function-hooking-in-ios%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I had the same issue - trying to avoid any potential function hooking within my app.



    My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



    OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



    As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



    From OWASP:




    In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




    Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




    Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




    However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



    I hope this helps, in some way or form ...






    share|improve this answer



























      0














      I had the same issue - trying to avoid any potential function hooking within my app.



      My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



      OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



      As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



      From OWASP:




      In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




      Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




      Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




      However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



      I hope this helps, in some way or form ...






      share|improve this answer

























        0












        0








        0







        I had the same issue - trying to avoid any potential function hooking within my app.



        My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



        OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



        As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



        From OWASP:




        In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




        Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




        Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




        However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



        I hope this helps, in some way or form ...






        share|improve this answer













        I had the same issue - trying to avoid any potential function hooking within my app.



        My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



        OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



        As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



        From OWASP:




        In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




        Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




        Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




        However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



        I hope this helps, in some way or form ...







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 15 '18 at 15:47









        PlazPlaz

        11




        11





























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f20875415%2fdetection-of-function-hooking-in-ios%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Top Tejano songwriter Luis Silva dead of heart attack at 64

            政党

            天津地下鉄3号線