Detection of function hooking in iOS
So far as I know, in iOS there are three techniques of function hooking:
- preload library using DYLD_INSERT_LIBRARIES
- imported symbol table redirection using fishhook
- patch the functions when they are already loaded, i.e. already in memory, using Substrate's MSHookFunction
These expose security issues, so I want to be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect it. However, for 2 and 3 I haven't had any ideas. I would be very thankful for any ideas on how to address the issue.
ios security hook cydia-substrate
Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.
– osvein
Jan 7 '14 at 0:57
Yes, there is no reason not to allow my app to run on jailbroken devices.
– Krypton
Jan 9 '14 at 1:59
For 3, all I can think of is to compare the .text section of the binary to the .text section in memory. However, the iOS binary is encrypted, so this approach is not feasible.
– Krypton
Jan 9 '14 at 5:45
Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?
– Sergey Grischyov
Jan 27 '15 at 23:31
I still have not found any acceptable solution for this. Please answer if you guys have any clue.
– Krypton
Sep 28 '15 at 3:31
edited Jan 2 '14 at 2:59 by Krypton
asked Jan 2 '14 at 2:21 by Krypton
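As an added example (not code from the question or the answer), a prologue-signature check for the third technique, inline patching with MSHookFunction: the hook overwrites the first instructions of a function with a branch to the replacement, so the in-memory prologue (readable even though the binary on disk is encrypted, the obstacle raised in the comments) starts with a jump instead of a normal frame setup. The trampoline layouts and the sample byte strings are my own assumptions and constructed data, not captured from any tool or device.

```c
/* Inline-hook prologue check (added example, assumptions noted in comments). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hook_arch { ARCH_ARM64, ARCH_X86_64 };
enum hook_verdict { HOOK_NONE = 0, HOOK_ARM64_LDR_BR, HOOK_X86_JMP_REL32,
                    HOOK_X86_JMP_ABS, HOOK_X86_PUSH_RET };

static uint32_t le32(const uint8_t *p) {   /* little-endian instruction word */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Assumed ARM64 trampoline:  ldr xN, #8 ; br xN ; .quad target
 * LDR (literal, 64-bit) = 0x58000000 | imm19<<5 | Rt;  BR Xn = 0xD61F0000 | Rn<<5.
 * A hit requires the loaded register to be the one branched through. */
static enum hook_verdict check_arm64(const uint8_t *code, size_t len) {
    if (len < 8) return HOOK_NONE;
    uint32_t i0 = le32(code), i1 = le32(code + 4);
    int ldr_lit = (i0 & 0xFF000000u) == 0x58000000u;
    int br      = (i1 & 0xFFFFFC1Fu) == 0xD61F0000u;
    if (ldr_lit && br && (i0 & 0x1Fu) == ((i1 >> 5) & 0x1Fu)) return HOOK_ARM64_LDR_BR;
    return HOOK_NONE;
}

/* Assumed x86-64 trampolines: jmp rel32; jmp [rip+disp32]; mov rax,imm64/jmp rax; push/mov/ret. */
static enum hook_verdict check_x86_64(const uint8_t *c, size_t len) {
    if (len >= 5  && c[0] == 0xE9) return HOOK_X86_JMP_REL32;
    if (len >= 6  && c[0] == 0xFF && c[1] == 0x25) return HOOK_X86_JMP_ABS;
    if (len >= 12 && c[0] == 0x48 && c[1] == 0xB8 && c[10] == 0xFF && c[11] == 0xE0) return HOOK_X86_JMP_ABS;
    if (len >= 14 && c[0] == 0x68 && c[5] == 0xC7 && c[6] == 0x44 && c[7] == 0x24 &&
        c[8] == 0x04 && c[13] == 0xC3) return HOOK_X86_PUSH_RET;
    return HOOK_NONE;
}

/* Classify the first `len` bytes of a function body for the given architecture. */
enum hook_verdict prologue_looks_patched(const uint8_t *code, size_t len, enum hook_arch arch) {
    return arch == ARCH_ARM64 ? check_arm64(code, len) : check_x86_64(code, len);
}

/* Check a live function of this binary by reading its first 16 bytes from memory. */
enum hook_verdict live_function_looks_patched(void (*fn)(void)) {
    const uint8_t *code = (const uint8_t *)(uintptr_t)fn;
#if defined(__aarch64__) || defined(__arm64__)
    return prologue_looks_patched(code, 16, ARCH_ARM64);
#else
    return prologue_looks_patched(code, 16, ARCH_X86_64);
#endif
}

/* Constructed samples (not captured from any device). */
const uint8_t SAMPLE_ARM64_HOOKED[] = { 0x50,0x00,0x00,0x58, 0x00,0x02,0x1F,0xD6, 0,0,0,0,0,0,0,0 }; /* ldr x16,#8 ; br x16 ; target */
const uint8_t SAMPLE_ARM64_CLEAN[]  = { 0xFD,0x7B,0xBF,0xA9, 0xFD,0x03,0x00,0x91 };  /* stp x29,x30,[sp,#-16]! ; mov x29,sp */
const uint8_t SAMPLE_X86_HOOKED[]   = { 0xE9, 0x00,0x10,0x00,0x00 };                 /* jmp rel32 */
const uint8_t SAMPLE_X86_CLEAN[]    = { 0x55, 0x48,0x89,0xE5 };                      /* push rbp ; mov rbp,rsp */

static volatile int probe_calls;
static void probe(void) { probe_calls++; }  /* a real function of this binary to inspect */

int main(void) {
    printf("probe(): verdict %d (0 = no patch signature)\n", live_function_looks_patched(probe));
    return 0;
}
```

A hit is a signal to investigate rather than proof: a function compiled as a pure tail-call thunk legitimately begins with a jump, and on arm64e the prologue starts with a pointer-authentication instruction that this check simply ignores. Because launch-time tweaks install their hooks before main runs, the check matches known trampoline shapes instead of diffing against a baseline snapshot taken at startup.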
1 Answer
I had the same issue - trying to avoid any potential function hooking within my app.
My app was recently pen tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.
OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.
As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.
From OWASP:
In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate.
Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated in the Raywenderlich article linked:
Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…
However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.
I hope this helps, in some way or form ...
answered Nov 15 '18 at 15:47 by Plaz