I'm working on research that requires me to be able to load an iOS app from a custom piece of code running on the device. I more or less want to modify the current sandbox and then run an existing application in it. I would rather not modify the application, although I realize at some point I'll at least have to re-sign it.
Mocana can apparently do this with their "MAP" technique, but I've not seen any papers or presentations explaining the technical details of how this is accomplished.
I was attempting to dlopen an application's executable and then dlsym on it's main. That moderately works, but requires a debug version of the application. Trying to use an archived version is problematic since the symbol table is separate. Not sure if there is a way to merge the symbol table with the executable. Tried unsuccessfully with lipo, but no real luck (says the architectures are the same and won't merge).
Any direction or good publications would be appreciated.
Related
My goal is to build a swift iOS framework which uses two other frameworks (included as separate projects) and which shouldn't reveal the source code after built.
Is there some text/guide/documentation which would explain and navigate me through the process of building such a framework properly and correctly?
I built framework with aggregate target adding and linking frameworks on which my custom framework is dependent using run script as indicated here. I was able to add built of my custom framework to my custom app, together with other two dependencies (again as a separate projects), and run it on the device. However, I am not convinced by the correctness of my custom framework built.
Moreover, I was not able to upload the archive to the Appstore due to the various errors of "Unsupported architectures...", "CFBundleIdentifier Collision...", "Invalid Bundle...", "Invalid Binary" and so on. After sorting these errors out according to the various stackoverflow answers and installing the app from the TestFlight, the app crashed after launch and wasn't working at all.
I was checking various blog posts, stackoverflow questions/answers and Apple Framework Programming Guide but nothing gave me comprehensive understanding on building custom framework under conditions described above.
Everything I did was just following step-by-step tutorials without explanation of the purpose of the steps. I am sure I am missing the basics. Could you please help me and give me some guides?
I can understand you frustration. I, a while ago too searched probably for many documents on how to write a framework correctly but like you I also didn't find anything really that satisfying. From my own experiences I can give a couple of advices.
NO External Libraries
In my opinion DO NOT use external libraries in your own framework. I don't really know what your frameworks purpose is but most of the stuff you want to do can be done without using external libraries. Depending on other libraries is not a good idea especially if its a framework you are working on. Anytime these libraries get updated or even worse if they don't you will have to wait for them to be updated or find another library.So rather than this happening later on I think its better if you do it from the start. So loose the external libraries.
Universal Framework Binary
Second one is pretty easy. Generating a universal framework. I suggest you don't use a script. Most of the scripts I found were either outdated or they didn't work at all. Later on I found out that actually it was pretty easy to generate one on your own. You can do this by building your project once for a real device and one for the simulator.Then you can generate a universal binary by using the command lipo -create "Your simulator executable path" "your iOS device executable path" -output "your framework name". What this does is that it combines your two executable files and generates a universal one. Then you can just go and copy your simulator documents from the modules file and paste them in you iphoneos modules file. I am going to share a link were you can go through the walkthrough yourself. https://medium.com/wireless-registry-engineering/create-a-universal-fat-swift-framework-b7409bbfa18f
Use Objective-C(If you can)
This one is bit of a tricky one unless you know objective-c. What I would recommend is that you implement your framework using Objective-C and writing a swift wrapper around it. I would not have said this if you were creating an iOS app but in case of a framework I still think you should go for objective-c. This is because Objective-c has been around for over 30 years and most of the very old apps are in objective-c. If you want your framework to easily be used by older apps coded in objective-c I recommend you go with it. I have read tons of posts on how people have problems trying to use frameworks written in swift in their objective-c apps. Swift will be the first and probably only choice in the near future but not just yet. On the plus side if you still haven't you will have learnt Objective-C which will give definitely give you a better understanding on how things work. It will be challenging but I promise you it will be worth your while .I have a good read on this which you can checkout yourself. https://academy.realm.io/posts/altconf-conrad-kramer-writing-iOS-sdk/
Naming Conventions
This is a pretty straight forward one. I suggest you stick to apples naming conventions. This is because you will be sharing your code this time and people will look for familiarity when trying to integrate your framework. This will make your code easier to understand. You can check out these two links for more info.https://github.com/raywenderlich/objective-c-style-guide (obj-c) https://github.com/raywenderlich/swift-style-guide (swift)
Access Control
This in my opinion is an important one. When working on you framework think before you implement a class or a function. Consider if you would like someone else to be able to use that part of your code. You may want to limit the user while they use your framework and correct access control is the way to do it. You can easily guide the users so the users do exactly what you want them to do with your framework.
Document Your Code
This is a must if you want your framework be a professional one. You should be documenting every function and variable the user will use. Documenting and explaining what your code does makes a lot of peoples lives easy. You don't one anyone trying to understand what your code does for half an hour while you could have easily written a small explanation for what the parameters do and one that function or variable should be used for.
Test Your Code
Last but not least do write tests for your code. This does take some time but it assures you that your code works the way it should.
Look at other good frameworks
You should definitely checkout other open source libraries and look at what they have done. Usually there is no point in reinventing the wheel unless you are doing something absolutely different but even then there are very familiar ways to do things. I can suggest you check out the mantle sdk(https://github.com/Mantle/Mantle). Another one is the very popular Alamofire sdk(https://github.com/Alamofire/Alamofire) and also the Realm sdk(https://github.com/realm/realm-cocoa). These are good examples of frameworks. Take a look at them. Look how they have done things. It will give you an insight on how your framework should look like.
I know all of these points may also be valid if you were writing an app but what makes these a must is the fact that you will be sharing your code with others. You may manage by not doing some of these while implementing an app but for a framework things do change a little bit. It is always a pleasure to work with easy to use frameworks which make coding a pleasure. These types of small things will make your framework preferable. Happy coding.
I'm very interested in using GStreamer's iOS framework http://docs.gstreamer.com/display/GstSDK/Installing+for+iOS+development for video streaming, but when I add the framework to a blank project and add a few lines of code to take advantage of its powerful features, the final IPA is 27MB. This is just way to big to be adding to my project, what is the best way to go about stripping this down the the bare necessities as I'm sure I'm only using a small percent of the code that is included in the SDK.
Here's a pic showing the package contents of the IPA:
Thanks!
In the gst_ios_main.h you can disable all the plugins that you don't need (make sure to enable linker optimizations so that unused code is removed). If that's not enough, you can build your own stripped down version of the iOS binaries with http://cgit.freedesktop.org/gstreamer/cerbero/ (you need to remove things from the .package and .recipe files to only build what you need). Just disabling things from gst_ios_main.h should be enough in 99% of the cases though.
Note that by default you'll build applications for multiple architectures, as such the resulting application will be rather large. Depending on your use case you can drop some architectures.
On another note, gstreamer.com is providing an completely outdated version of GStreamer and is in no way related to the GStreamer project. The official website is http://gstreamer.freedesktop.org .
SDKs have their source code encapsulated away from you, the user. You get access only to header files. Thus you just can't extract some class from it because you don't have access to the implementation file.
Of course if this library is opensource you can attempt to isolate one class, but sometimes everything is so deeply connected, that it is close to impossible.
I'd like to restrict how much access to resources jailbreak tweaks receive. Things like network/keychain/location access... Is it possible to manually add a entitlements plist per tweak?
Many thanks.
Tweak is a dylib - it will be loaded in a process. That process may have entitlements and those entitlements will be used for the tweak. That's it. Tweak doesn't have it's own entitlements.
As for your question. Because of what I said before you can't restrict just a tweak - your restrictions will be applied to the whole process that is being tweaked. You can't do anything about that. That's how tweaks work - they are dylibs dynamically loaded into process address space. After that the tweak becomes a part of the process. So any restrictions will be applied to the whole process which includes the tweak, application code and any other dylib/framework application is linked to.
So if you want to develop an application which will help a user put restrictions on tweaks, I don't think you can do such a thing. What you can do is to analyze which application are being tweaked, what entitlements does they have, what frameworks and dylibs are used by a tweak (mainly the private ones). And from that user can either enable or disable that tweak. You can even analyze import section and string literals of the tweak to determine exactly which APIs does it use.
Update
Could you explain to me how a native process communicates with a
tweak, before being loaded within the process space?
It doesn't. Before injecting tweak is a separate dylib that is not linked to any binary. CydiaSubstrate does all the injecting. The main part of the CydiaSubstrate is a special loader dylib. It's linked dynamically to launchd process on device start, to the process which is the first process in the iOS that starts all other processes. When a new process is spawned CydiaSubstrate loader dylib checks all tweak filters to see which ones it needs to inject into the process and injects them. After that tweak is loaded into process address space (becomes a part of the process) and tweak's constructor is called where usually all the hooks are being setup.
Could you explain to me as to how this is accomplished?
Suppose you have an array of objc class names, C/C++ functions, frameworks and dylibs as strings usage of which you would like to detect. There's easy solution. You can open tweak's file and just search through it for any matches. As tweaks are usually not very large it shouldn't take much time. And there's more difficult solution. Use dyld or any other API to parse mach-o sections to find imported symbols and string literals and then search through them for any matches.
I'm not sure if this answers your question from a user side, but if you are making a tweak, you can add XXX_CODESIGN_FLAGS = -Sentitlements.xml to your Makefile to add the entitlements described in entitlements.xml.
There is a process called app wrapping:
IPA is disassembled (taken apart + sometimes executable part of is is really disassembled)
Some new binary code, resources, segments are added
IPA is assembled again
Quite often this process is used as compile time AOP (to add some aspect like security, audit etc to application).
Have you seen any guide + tools which are used for this?
Here is good overview on app wrapping for iOS: http://pauldotcom.com/wiki/index.php/Episode226#Library_Injection
I need to debug the startup for an ios application on an actual device... and by start up I mean the very first instruction that is is executed when the OS hands control over to the app. Not "main". Also, this application doesn't have any symbols (ie. the debug information isn't available.. yet). I don't care if I have to debug at the CPU instruction level. I know how to do that (done it for over 30 years). I want the debugger to stop when control is about to transfer to the app. When I use the Attach|by Name command and run, it just says "Finished running".
Oh, and this application was not built in XCode. It is, however an application I built, signed and provisioned and moved to the device. The application does run since I can see the console output. Just in case you're thinking I'm some hacker trying to debug someone's application.
How's that for a tall order? I'll bet nobody can answer this... I've not been able to find any information on how I could do this with an XCode-built project. I wonder if it is simply not possible or "allowed" by the Apple overlords?
What do you say, Stack Overflow gods?
UPDATE: I should clarify something. This application is not built with any commercially available or open-source tool. I work with a tools vendor creating compilers, frameworks, and IDEs. IOW, you cannot get this tool... yet. In the process of bootstrapping a new tool chain, one regularly must resort to some very low-level raw debugging. Especially if there are bugs in the code generated by the tools.
I'm going to answer my own question because I think I've stumbled upon a solution. If anyone has anything more elegant and simple than this, please answer as well. On to the steps:
Starting with a raw monolithic iOS executable (not a bundled .app, but the actual binary mach-o file that is the machine code).
Create a new like-named empty Xcode project. Build and run it on the device.
Locate the output bundle's .app folder.
Copy the above raw iOS executable over the existing one in the .app bundle's folder.
The application will now have an invalid signature and cannot be deployed and run.
Run codesign against the app bundle (you can find out the command-line by running xcodebuild on the above Xcode project).
In the bundle's .app folder, run otool -h -l on the binary image. Locate the LC_UNIXTHREAD load command and find the value associated with the 'pc' register. This is address where the os loader will jump to your application. If this address is odd, then these are Thumb instructions otherwise it will be ARM (I think that's how it works).
Add a symbolic breakpoint (I used GDB instead of LLDB) and enter the address as '*0x00001234' as the symbol.
Select Product|Perform Action|Run Without Building.
Assuming that GDB is able to evaluate the breakpoint expression and set the break point, and you've selected Product|Debug Workflow|Show Disassembly When Debugging, the process should break at the very first instruction to be executed in the application.
You can now single step the instructions and use the GDB console to get/set register values.
Your question does not make sense - main is the entry point into the application. It is the first code that should be encountered, unless possibly you have initialize() overridden for some classes (but even then I think main would get hit before the runtime).
I think you are seeing some kind of odd error on launch and you think you want to set a breakpoint on entry to catch it, but far more likely what would help you is to describe the problem on launch and let one of the 4000 people who have seen and fixed the same crash help you...
However, if you really want to use GDB to break on an application with no symbols (but that you launch from XCode) you can have GDB break on an assembly address as per:
How to break on assembly instruction at a given address in gdb?
To find the address of main (or other methods) you can use tool or atos, some examples in this question:
Matching up offsets in iOS crash dump to disassembled binary
ADDITION:
If for some reason XCode cannot launch your application for debugging, you could also jailbreak and install GDB on the device itself which would give complete control over debugging. If XCode can launch you application I see no reason why being able to break at an arbitrary memory address does not give you the ability you seek...
One solution for applications with webviews is to run them in the iOS Simulator, and connect to that with the remote-debugger in macOS Safari. This is off-topic but maybe the one or other could benefit.
http://hiediutley.com/2011/11/22/debugging-ios-apps-using-safari-web-inspector/
Or use NetCat for iOS... not the most perfect solution, but at least you see what's going on.