Practical iOS Reverse Engineering
Jiska Classen

Day 1 - iOS App Fundamentals

Learning objectives:

At the end of Day 1, students will have the understanding and means to perform basic static and dynamic reverse-engineering of iOS apps to identify and trace the execution of interesting functions, and write scripts to exercise the corresponding code-paths.

Topic overview:

• Apple's public documentation and source code, public frameworks, and private frameworks.

• Attack surface and threat modeling: How to approach an App from a security point of view.

• The Apple App Store security model: Code signing, App Review, Entitlements, the iOS sandbox, and TCC.

• The internal structure of an iOS application: metadata and resources in Application Bundles, third-party frameworks, AppExtensions, and Mach-O internals, FairPlay DRM & decrypting iOS Apps.

• Static analysis: Introduction to Ghidra, navigating through larger binaries, Objective-C and Swift calling conventions and name mangling, tips & tricks for Swift reversing.

• Dynamic Analysis with Frida: initial approaches using frida-trace, combining static and dynamic analysis, writing stand-alone Frida scripts, hooking functions.

Day 2 - iOS User-Space Internals: Tracing Execution, Threads, Fuzzing

Learning objectives:

At the end of Day 2, students will be able to write basic fuzzers to find bugs, read the crash logs, and understand how to identify the underlying vulnerabilities. Students will furthermore understand asynchronous and multi-threaded programming on iOS and be able to follow execution both statically and dynamically. By applying their understanding of the iOS sandbox from Day 1 to XPC, students will be able to assess the security impact of communication between Apps, AppExtensions, and iOS daemons.

Topic overview:

• Working with the DYLD shared cache.

• Manually triggering bugs through custom scripts.

• Reading and interpreting crash logs to identify bugs.

• Discovering runtime state and calling the function with controlled arguments, injecting data.

• Introduction to fuzzing: corpus and input mutation, harnessing using Frida, in-place harnessing, coverage-guidance collecting coverage using Frida Stalker.

• Outlook to more advanced fuzzing techniques: sanitizers, persistent fuzzing, snapshot fuzzing, CmpCov & CmpLog, testcase & corpus minimization.

• Asynchronous programming: Grand Central Dispatch (GCD), threading, Static analysis of asynchronous programming patterns: reverse-engineering blocks in Objective-C and Swift.

• Apps & daemons: XPC, entitlements and access-control, tracing XPC messages.

Day 3 - User-Space Meets Kernel-Space

Learning objectives:

At the end of Day 3, through their understanding of mach messages, syscalls, and IOKit calls, students will be able to follow how user-space applications interact with the iOS kernel through syscalls and IOKit. They will also understand underlying security mechanisms enforced by kernel and user space.

Topic overview:

• iOS kernel overview: main components, drivers, and open-source.

• Where user space meets kernel space: IOKit drivers and syscalls.

• Mach Messages everywhere – a look at what interactions are implemented via Mach Messages and how.

• Sandbox checks in user and kernel space.

• Hardware-based protections and their evolution over time, e.g., PAC, PAN, PXN, CTRR, PPL, SPTM, TXM, Conclaves, and more.

• Understanding internals of IOKit drivers: driver structure, naming functions being called in the kernel, understanding and reverse engineering of IOKit message contents.

Day 4 - Firmware & Forensics

Learning objectives:

Students will be able to get started reverse engineering custom firmware implementations using Apple's RTKit RTOS. Furthermore, students will be able to collect forensic evidence from iPhones and check for indicators of compromise. As an outlook, students are able to put the concepts of the complete four-day course in the context of current public security research.

Topic overview:

• Beyond the AP – The Co-Processors in an iPhone, their tasks, and evolution over time.

• RTKit firmware – Apple's internal firmware formats (Mach-O, ftab), main RTKitOS components.

• Firmware security aspects.

• Patch diffing firmware updates.

• Forensic analysis of backups, sysdiagnoses, and crash logs.

• Inactivity reboot and how it works.

• Discussion of real-world applicability of learnt techniques using recent public research.

• Room for the students' questions, topics chosen based on demand. Note that the trainer has done a lot of public research, so this is one of the most interesting parts of the training ;)

Prerequisites

Students will need to feel comfortable using a Linux/macOS command-line. While familiarity with JavaScript and Python are helpful, understanding of common scripting language concepts is sufficient to follow the course and complete exercises, as we will be referring to examples and documentation and providing guidance where required. Note that this class is very hands-on and will need to write some code to follow along.

Required Materials/Hardware

Students need access either to a physical jailbroken iPhone (iPhone 6 or higher, iOS 12 or higher; iPhone 8 on iOS 16 is recommended) or access to a Corellium virtual iOS device. The trainer will also borrow iPhones for the duration of the training if needed.

Students will need to use a laptop capable of running a virtual machine with internet connectivity, USB pass-through (when using a physical device) at 16GB of RAM and 40GB of free disk space. All required tools can be installed on macOS natively for students who can only use an Apple Silicon Mac.