Skip to content

Latest commit

 

History

History
94 lines (82 loc) · 7.63 KB

attack-tree.md

File metadata and controls

94 lines (82 loc) · 7.63 KB

Attack Tree Analysis for nst/ios-runtime-headers

Objective: Gain unauthorized access to or control over an iOS application that utilizes ios-runtime-headers, leading to data exfiltration, security bypass, or code injection.

Attack Tree Visualization

Goal: Gain unauthorized access to or control over an iOS application... ├── 1. Identify Interesting Classes/Methods [CRITICAL] │ └── 1.1. Statically Analyze Headers / Dynamically Inspect [HIGH-RISK] │ └── 1.1.2. Use Cycript/Frida to list classes/methods, hook methods, dump memory. [HIGH-RISK] ├── 2. Extract Sensitive Data │ ├── 2.1 Access Data [CRITICAL] │ │ ├── 2.1.1. Use Cycript/Frida to invoke methods/access ivars. [HIGH-RISK] │ │ └── 2.2. Hook Methods and Intercept Data [HIGH-RISK] │ │ └── 2.2.1. Use Frida/Cycript to hook and log data. [HIGH-RISK] │ └── 3. Exfiltrate Data [HIGH-RISK, CRITICAL] │ └── 3.1 Send data to attacker-controlled server ├── 4. Bypass Security Controls │ ├── 4.1. Identify Security Mechanisms [CRITICAL] │ │ └── 4.1.1. Use Cycript/Frida to observe method calls. [HIGH-RISK] │ └── 4.2. Disable/Circumvent Mechanisms [CRITICAL] │ ├── 4.2.1. Method Swizzling [HIGH-RISK] │ │ └── 4.2.1.1. Replace security check methods. [HIGH-RISK] │ └── 4.2.2. Hook Methods and Modify Return Values [HIGH-RISK] │ └── 4.2.2.1. Use Frida/Cycript to force return values. [HIGH-RISK] └── 5. Inject Malicious Code └── 5.1. Inject and Execute Code [CRITICAL] └── 5.1.1. Method Swizzling [HIGH-RISK] └── 5.1.1.1. Replace a method with malicious code. [HIGH-RISK]

Attack Tree Path: 1. Identify Interesting Classes/Methods [CRITICAL]

  • 1.1. Statically Analyze Headers / Dynamically Inspect [HIGH-RISK]:
    • Description: The attacker uses the ios-runtime-headers to understand the application's structure. This involves examining the header files to identify classes and methods related to sensitive operations (data handling, security, networking). Dynamic inspection uses tools like Frida or Cycript to observe the application's behavior at runtime.
    • 1.1.2. Use Cycript/Frida [HIGH-RISK]:
      • Description: Frida and Cycript are powerful dynamic instrumentation tools. The attacker uses them to:
        • List all loaded classes and their methods.
        • Hook (intercept) method calls to observe arguments and return values.
        • Dump memory regions associated with specific objects to find sensitive data.
      • Why High-Risk: These tools are readily available, well-documented, and provide a direct way to explore the application's internals.
      • Why Critical: This is the essential first step for almost all other attacks. Without this information, the attacker is operating blindly.

Attack Tree Path: 2. Extract Sensitive Data

  • 2.1 Access Data [CRITICAL]:
    • Description: After identifying interesting targets, the attacker attempts to directly access the data.
    • 2.1.1. Use Cycript/Frida to invoke methods/access ivars. [HIGH-RISK]:
      • Description: The attacker uses Frida/Cycript to:
        • Call methods directly that might return sensitive data (e.g., a method that retrieves an API key).
        • Access instance variables (ivars) directly, bypassing any getter methods that might have security checks.
      • Why High-Risk: Direct access is often possible if methods/ivars are not properly protected.
    • 2.2. Hook Methods and Intercept Data [HIGH-RISK]:
      • Description: Instead of directly calling methods, the attacker intercepts calls to those methods.
      • 2.2.1. Use Frida/Cycript to hook and log data. [HIGH-RISK]:
        • Description: The attacker uses Frida/Cycript to:
          • Hook (intercept) a method call.
          • Log the arguments passed to the method.
          • Log the return value of the method.
        • Why High-Risk: This allows the attacker to passively observe data flow without needing to know the exact structure of the data or how to call the methods directly.
  • 3. Exfiltrate Data [HIGH-RISK, CRITICAL]:
    • 3.1 Send data to attacker-controlled server:
      • Description: Once the attacker has obtained sensitive data (through any of the above methods), they send it to a server they control. This could be done using standard networking APIs, or by injecting code to perform the exfiltration.
      • Why High-Risk: Once data is obtained, exfiltration is relatively straightforward.
      • Why Critical: This is the ultimate goal of a data extraction attack – getting the data off the device and into the attacker's hands.

Attack Tree Path: 4. Bypass Security Controls

  • 4.1. Identify Security Mechanisms [CRITICAL]:
    • 4.1.1. Use Cycript/Frida to observe method calls. [HIGH-RISK]:
      • Description: Similar to identifying data-handling methods, the attacker uses Frida/Cycript to find methods related to security checks (jailbreak detection, certificate pinning, etc.).
      • Why High-Risk: Frida/Cycript make this reconnaissance easy.
      • Why Critical: Understanding the security mechanisms is necessary to bypass them.
  • 4.2. Disable/Circumvent Mechanisms [CRITICAL]:
    • 4.2.1. Method Swizzling [HIGH-RISK]:
      • Description: The attacker replaces the implementation of a security check method with their own code.
      • 4.2.1.1. Replace security check methods. [HIGH-RISK]:
        • Description: The attacker replaces the original method with a "no-op" (no operation) implementation that always returns a value indicating success (e.g., "not jailbroken").
        • Why High-Risk: Method swizzling is a powerful technique that can completely disable security checks.
    • 4.2.2. Hook Methods and Modify Return Values [HIGH-RISK]:
      • Description: Instead of replacing the entire method, the attacker intercepts the call and modifies the return value.
      • 4.2.2.1. Use Frida/Cycript to force return values. [HIGH-RISK]:
        • Description: The attacker uses Frida/Cycript to hook the method and, regardless of the original logic, force it to return a specific value that bypasses the security check.
        • Why High-Risk: This is a less intrusive way to bypass checks than full method swizzling, but still very effective.

Attack Tree Path: 5. Inject Malicious Code

  • 5.1. Inject and Execute Code [CRITICAL]:
    • 5.1.1. Method Swizzling [HIGH-RISK]:
      • Description: The attacker replaces a legitimate method with a method containing their malicious code.
      • 5.1.1.1. Replace a method with malicious code. [HIGH-RISK]:
        • Description: The attacker overwrites the original method's implementation with their own code, which can perform any desired action (steal data, open a reverse shell, etc.).
        • Why High-Risk: Method swizzling provides a direct way to inject and execute arbitrary code within the application's context.
        • Why Critical: This gives the attacker the highest level of control over the application.