iOS Runtime Injection Example #1

A common approach to implement access control within iOS apps is to display a lock screen and ask the user to enter a PIN. When the correct PIN is entered, the lock screen fades out and the main view of the application appears. By manipulating the iOS runtime it is often possible to circumvent such measures.

Let’s take SpringBoard1 as an example. The following cycript example demonstrates iOS runtime injection to bypass the iPhone/iPad passcode lock: First of all it’s necessary to replace the method “isPasswordProtected”. After patching this method the SpringBoard assumes that there’s no passcode lock configured. All we have to do now is to remove the passcode lock screen by calling the method “unlockWithSound”. Now we have full access to the home screen.

Important Note: When bypassing a passcode lock using this approach, Apple’s Data Protection still remains intact. Thus this technique does not reveal any new information compared to dumping raw data directly from the file system, but it demonstrates the diverse possibilities of iOS runtime injection.

  1. Step 1: Attach cycript to the SpringBoard process:

    iPhone:~ root# cycript -p SpringBoard
  2. Step 2: Let’s see if the device is password protected:

    cy# [SBAwayController.sharedAwayController isPasswordProtected]
  3. Step 3: As a passcode lock is configured (return value of 1; see above) we have to replace the implementation of isPasswordProtected:

    cy# SBAwayController.messages['isPasswordProtected'] = function() { return NO; }
  4. Step 4: Verification of the runtime patch:

    cy# [SBAwayController.sharedAwayController isPasswordProtected]
  5. Step 5: Finally we call the unlockWithSound method to access the home screen:

    cy# [SBAwayController.sharedAwayController unlockWithSound:YES ]

Things could get even worse if an app would use its own encryption routines and a hardcoded encryption key within the app (imagine a “secure” password vault app). One approach could be to reverse engineer the app, extract the key out of the disassembly and decrypt the contents manually. But wouldn’t it be much easier to just manipulate the runtime, remove the lock screen and get the decryption done transparently. More on this topic to come soon. Stay tuned.

1 SpringBoard is the standard application that manages the iOS home screen.