Practical iOS App, User-, Kernel-Space, and Firmware Reverse-Engineering

This 4-day training will equip you with a toolbox of indispensable techniques and methods for diving into the world of hacking apps and discovering system internals on Apple's mobile devices. While covering all basics to get beginner reverse-engineers started, intermediate and even advanced attendees are provided with appropriately challenging content and exercises.

After getting started with static reverse engineering and dynamic testing iOS apps using Ghidra and Frida, we'll pivot to challenges posed by programs written in Objective-C and Swift, which use asynchronous programming using Grand Central Dispatch and Cross-Process Communication (XPC). We'll be using Frida to trace control flow, find interesting code paths, manipulate data, and finally collect code coverage – everything you'll need to get started writing custom fuzzers for vulnerability discovery. Going deeper into the internals of iOS, the user-space analysis will be followed up by a dive into the XNU kernel. Starting with a broad overview of the interactions between user- and kernel-space, including Mach messages and syscalls, we'll be taking a closer look at IOKit, the common API used by iOS apps and daemons to communicate with drivers. This is followed up with a look into RTKit-based firmware and an overview of the network of Co-Processors in an iPhone. We'll finish with an introduction to mobile forensics, allowing us to check for indicators of compromise.

The training will include hands-on exercises on virtual or physical iOS devices. Advanced iOS app internals are conveyed by breaking them down into small, easily comprehensible chunks and exercises building up on each other to form a general understanding of iOS concepts. Students will be guided through using free and open-source reverse-engineering software and frameworks (such as Ghidra and Frida) to understand the internals and perform security testing of closed-source apps and daemons. Students will be provided with slides, exercises, solutions including custom tooling, and cheat sheets to follow along the training.

The following outline is intended to give an overview over what will expect you in the training. Minor adaptations can be made during the training to adjust to trainee questions, interests and progress, and therefore does not represent a guaranteed schedule.

Venue

This training will take place February 24-28, 2025 at RE//verse located in Orlando, Florida.

Day 1 - iOS App Fundamentals

Learning objectives:

At the end of Day 1, students will have the understanding and means to perform basic static and dynamic reverse-engineering of iOS apps to identify and trace the execution of interesting functions, and write scripts to exercise the corresponding code-paths.

Topic overview:

Day 2 - iOS User-Space Internals: Tracing Execution, Threads, Fuzzing

Learning objectives:

At the end of Day 2, students will be able to write basic fuzzers to find bugs, read the crash logs, and understand how to identify the underlying vulnerabilities. Students will furthermore understand asynchronous and multi-threaded programming on iOS and be able to follow execution both statically and dynamically. By applying their understanding of the iOS sandbox from Day 1 to XPC, students will be able to assess the security impact of communication between Apps, AppExtensions, and iOS daemons.

Topic overview:

Day 3 - User-Space Meets Kernel-Space

Learning Objectives:

At the end of Day 3, through their understanding of mach messages, syscalls, and IOKit calls, students will be able to follow how user-space applications interact with the iOS kernel through syscalls and IOKit.

Topic Overview:

Day 4 - Firmware & Forensics

Learning Objectives:

Students will be able to get started reverse engineering custom firmware implementations using Apple's RTKit RTOS. Furthermore, students will be able to collect forensic evidence from iPhones and check for indicators of compromise. As an outlook, students are able to put the concepts of the complete four-day course in the context of current public security research.

Topic Overview:

Key Takeaways

Reverse engineering previously unknown internals of iOS apps, operating system components, and firmware on your own. Automating iOS bug discovery with custom fuzzers. The methods we teach allow students to research on their own and broaden their knowledge beyond this course.

Who should take this course?

This class is aimed at anyone interested in mobile app and system security, including pentesters, security or vulnerability researchers, or app developers.

Audience Skill Level

Beginner/Intermediate

Student Requirements

Students will need to feel comfortable using a Linux/macOS command-line. While familiarity with JavaScript and Python are helpful, understanding of common scripting language concepts is sufficient to follow the course and complete exercises, as we will be referring to examples and documentation and providing guidance where required.

What students should bring

Students will need to have access either to a physical jailbroken iPhone (iPhone 6 or higher, iOS 12 or higher) or access to a Corellium virtual iOS device for the duration of the training.

Students will need to use a laptop capable of running a virtual machine with internet connectivity, USB pass-through (when using a physical device) at 16GB of RAM and 40GB of free disk space. All required tools can be installed on macOS natively for students who can only use an Apple M1/M2/M3 laptop.

What students will be provided with

For students who do not have access to a jailbroken iPhone or Corellium, we will provide jailbroken iPhones upon request. We will be providing a (x86_64) virtual machine image with all required tooling. Students will get access to all training materials, including slides, exercises, solutions including custom tooling, and cheat sheets.

Trainer

Dr.-Ing. Jiska Classen is a wireless and mobile security researcher and research group leader. The intersection of these topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices. She also likes to work on obscure and upcoming wireless technologies, for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement and reverse engineered Apple's AirTag communication protocol. She has previously spoken at Black Hat USA, DEF CON, RECon, hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulasch Programmier Nacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, NotPinkCon, gave various lectures and trainings, and published at prestigious academic venues.


RE//verse 2025 · BlackHat Europe 2024 · OBTSv7 · BlackHoodie @ Hexacon 2024 · BlackHoodie @ TROOPERS 2024 · OBTSv6 · home