Repackaging attack

Android

There are two main approaches:

  1. Add new malicious Smali files
  2. Modify existing Smali files

Example 1

Mobile Security Labs

Example 2

Mobile Security Certificate Pinning

Exploit

$ keytool -genkey -keystore example.keystore -keyalg RSA -validity 10000 -alias example
$ apktool d [app_name].apk

// Modify your app (add or edit Smali files in the decoded folder)

$ apktool b <app_folder>
$ mv <app_folder>/dist/[app_name].apk ./malicious.apk

// Sign with the new key; if jarsigner reports 'Please specify alias name', pass the alias (example) as the last argument
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore example.keystore malicious.apk example

// Verify
$ jarsigner -verify example-signed.apk
jar verified.
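Because the rebuilt APK has to be re-signed with a key the attacker controls (the jarsigner step above), the signing certificate is the most direct indicator of repackaging. The script below is an added example, not from the original notes: it pins the expected signer's SHA-256 certificate digest and compares it with what `apksigner verify --print-certs` reports for a given APK. The digests, DNs and apksigner output lines in it are constructed placeholders; `apksigner` from the Android SDK build-tools on PATH is assumed only for the live check, the parsing helpers run offline.

```shell
#!/bin/sh
# Added example, not part of the original notes. A rebuilt APK must be re-signed
# with a key the attacker controls, so the signing certificate changes. Pinning
# the expected signer's SHA-256 certificate digest and comparing it with what
# 'apksigner verify --print-certs' reports detects that. Assumes the Android
# SDK build-tools 'apksigner' is on PATH for the live check only.

# Extract the lowercase hex "Signer #1 certificate SHA-256 digest" from
# apksigner output read on stdin; prints nothing if the line is absent.
signer_sha256() {
    awk '/^Signer #1 certificate SHA-256 digest:/ { print tolower($NF) }'
}

# Compare the digest in a saved apksigner output file ($2) with the pinned
# digest ($1). Returns 0 on match, 1 on mismatch or when no digest is found.
digest_matches() {
    pinned=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    found=$(signer_sha256 < "$2")
    [ -n "$found" ] && [ "$found" = "$pinned" ]
}

# Live check on a real APK ($2) against the pinned digest ($1). apksigner
# itself exits non-zero when the signature is invalid, which is also a failure.
check_apk() {
    apksigner verify --print-certs "$2" > "$2.certs" || return 1
    digest_matches "$1" "$2.certs"
}

# Constructed sample digests (placeholders, not real certificate digests).
PINNED_SHA256=a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90
ATTACKER_SHA256=ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100

# Write constructed apksigner outputs into directory $1: one for the original
# APK, one for a repackaged copy re-signed with a freshly generated keystore.
write_samples() {
    cat > "$1/original.certs" <<EOF
Signer #1 certificate DN: CN=Example Corp, O=Example, C=US
Signer #1 certificate SHA-256 digest: $PINNED_SHA256
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
Signer #1 certificate MD5 digest: 00000000000000000000000000000000
EOF
    cat > "$1/malicious.certs" <<EOF
Signer #1 certificate DN: CN=example, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signer #1 certificate SHA-256 digest: $ATTACKER_SHA256
Signer #1 certificate SHA-1 digest: 1111111111111111111111111111111111111111
Signer #1 certificate MD5 digest: 11111111111111111111111111111111
EOF
}

# Demo over the constructed samples: the original matches, the re-signed copy does not.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in original malicious; do
    if digest_matches "$PINNED_SHA256" "$demo_dir/$name.certs"; then
        echo "$name.apk: signer matches the pinned certificate"
    else
        echo "$name.apk: SIGNER MISMATCH, possibly repackaged and re-signed"
    fi
done
rm -rf "$demo_dir"
```

The same comparison belongs inside the app as well: at runtime the app can read its own signing certificate through the package manager and compare its digest with the value compiled in, which is what makes a re-signed build refuse to run.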

iOS

You need an Apple developer certificate.

Without one, this test cannot be carried out.

In addition, the app has to be decrypted before it can be repacked; Clutch (install) can do this. If, after running Clutch, the app you want does not appear in its list of decryptable apps, the app is not encrypted, and you can export it directly with iFunBox and continue from there.

To confirm whether it is encrypted, use otool.


ITS-iPhone-6s-black:~ root# find /private/var/mobile/Containers/Bundle/Application/ -name 'yourapp'
/private/var/mobile/Containers/Bundle/Application/3FDA7FA6-48BE-4567-94D2-F9AB0AE3D394/yourapp.app/yourapp


ITS-iPhone-6s-black:/private/var/mobile/Containers/Bundle/Application/3FDA7FA6-48BE-4567-94D2-F9AB0AE3D394/yourapp.app root# otool -l yourapp | grep crypt
     cryptoff 16384
    cryptsize 6914048
      cryptid 0
     cryptoff 16384
    cryptsize 6995968
      cryptid 0

If cryptid == 1, the app is encrypted; the output above shows cryptid 0 for both slices, so this binary is not encrypted.
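To automate the otool check above, here is an added example that is not part of the original notes: it parses `otool -l` output and reports the cryptid of every slice of a fat binary, since an app binary built for two architectures carries one LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 command per slice. The unencrypted sample inside it is the grep output from above; the encrypted sample is constructed. `otool` is assumed only for the live usage line.

```shell
#!/bin/sh
# Added example, not part of the original notes. Reads 'otool -l' output and
# reports whether the Mach-O binary is still encrypted. A fat binary carries
# one LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 command per architecture
# slice, so every cryptid is checked, not just the first. Assumes 'otool' for
# the live check; the parser itself runs offline on saved output.

# Print "<cryptoff> <cryptsize> <cryptid>" for each encryption load command in
# otool -l output read on stdin, in the order otool emits them.
encryption_slices() {
    awk '
        $1 == "cryptoff"  { off = $2 }
        $1 == "cryptsize" { size = $2 }
        $1 == "cryptid"   { print off, size, $2 }
    '
}

# Number of encryption load commands (one per slice) in otool -l output on stdin.
slice_count() {
    encryption_slices | awk 'END { print NR }'
}

# Exit 0 if any slice has cryptid 1 (binary must be decrypted first), 1 if all
# slices report cryptid 0, 2 if no encryption load command exists at all
# (for example, the wrong file was passed).
is_encrypted() {
    slices=$(encryption_slices)
    [ -n "$slices" ] || return 2
    printf '%s\n' "$slices" | awk '$3 == 1 { found = 1 } END { exit found ? 0 : 1 }'
}

# Live usage:  otool -l yourapp | is_encrypted

# Sample from the notes above: two slices, both cryptid 0 (not encrypted).
sample_unencrypted() {
    cat <<'EOF'
     cryptoff 16384
    cryptsize 6914048
      cryptid 0
     cryptoff 16384
    cryptsize 6995968
      cryptid 0
EOF
}

# Constructed sample: full load commands as otool -l prints them for a store
# build that is still encrypted (cryptid 1 in both slices).
sample_encrypted() {
    cat <<'EOF'
Load command 12
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 16384
    cryptsize 6914048
      cryptid 1
Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 6995968
      cryptid 1
          pad 0
EOF
}

# Demo over both samples.
for s in sample_unencrypted sample_encrypted; do
    $s | is_encrypted && rc=0 || rc=$?
    case $rc in
        0) echo "$s: encrypted, decrypt (Clutch) before repackaging" ;;
        1) echo "$s: not encrypted, can be exported directly" ;;
        *) echo "$s: no LC_ENCRYPTION_INFO found" ;;
    esac
done
```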

Example 1

Rethinking & Repackaging iOS Apps: Part 1 - Bishop Fox

Inject the dylib into the app and install it on the iPhone; log output will appear.

Xcode - Devices - Device Log.

Example 2

Rethinking & Repackaging iOS Apps: Part 2 - Bishop Fox

Example 3

How App Store Apps are Hacked on Non-Jailbroken Phones – Zdziarski's Blog of Things
