Ha, I found myself going down a similar route and threw in the towel once I was trying to decompile/edit/recompile. This is dedication, would love to know the hours involved. I set myself a cutoff and stuck to it.
This was initially an internal post at Texts.com that we decided to share, and I scrapped mention of the fact I had tried the exact same approach a few weeks prior and reached my time-box as well.
I initially spent two hours trying to modify different instructions, and then gave up. I saw another blog post written by a reverse engineer by the name of "Hassan Mostafa" (aka cyclon3) that previously succeeded in the same approach (taking Hopper Disassembler to Instagram on iOS) and I was inspired to try again that night, but I had no luck. I even found and attempted to modify the same instructions.
I decided to call it quits, and then a few weeks later with a bit of a grudge, I spontaneously tried again and I had it done in about 30 minutes after finding the sandbox function.
Ok, that makes sense! Sometimes when you read a blog post that is well written and cogent it makes it feel like the author did it in 20 min!
If I end up in the same arena I think I’ll look for debugging code next. I love certificate pinning as a user, but as a forensic analyst I fucking loath it.
Even as a user I don’t there’s a good reason to love cert pinning. If you’re going up against adversaries that can compromise web pki they also probably have some other exploits up their sleeve to pwn you.
Cert pinning pretty much serves to protect companies from people reversing their protocols and little else imo.
As a westerner I can only speak for others a little bit, but this is a very western perspective. Even Kazakhstan has been caught doing sketchy stuff with their CA.
If it’s managed well, certificate pinning takes the web PKI out of the implicit trust envelope for your app.
From a pure security perspective, why trust someone you don’t have to trust? The web PKI CA bundle is great for cases where it’s hard to have a unique trust root for your application - like you’re running in a browser with no privileges - but if you’re distributing code then you’ve already solved that problem.
Managed well, it should be completely transparent to users as well. Managed poorly and it can be catastrophic (your app is dead until users upgrade it).
i agree, feels sort of like "we have a walled garden dont anybody else use it cuz our stuff is super secret and secure, trust us(tm)"; it's a layer of obscurity for their "security" - in reality its the app on a users pc that both has this "secrecy" as well a the "handshake" to open it
Useless trivia: I believe Hassan Mostafa is the referee from the Quidditch World Cup in the fourth Harry Potter book. Obscure characters are my favorite SNs and dummy data.
That's handy, and you can almost certainly hook the TLS send/receive functions in other ways, like with Frida, but being able to bypass pinning instead means that the researcher can route the traffic through existing tools like Burp Suite or mitmproxy.
Routing real app traffic through an intercepting proxy can be a real time-saver depending on what the researcher is trying to do. E.g. if they want to automatically tamper with a parameter in a request that doesn't happen until after some kind of authentication/session setup, it's much faster to let the app do all of that and configure the proxy to just make the one change, versus having to write a whole client that does all of the initial steps and then makes the modified request, or writing an eBPF filter that makes the changes the researcher is interested in.
Very clever way of doing this (though I have a feeling you could probably enforce pinning even in sandboxed mode). I remember trying to MitM Snapchat back in college and couldn't figure it out as they were also using cert pinning.
I tried the same thing, and while I managed to patch the application and intercept the requests, I gave up when trying to RE the shared object responsible for request signing. I couldn't even find the entry point. For a relatively small social media app they had insane security already back in 2015.
Ha, same. I think I was eventually trying to hook into kernel-level functions and do it that way (I was using the Android client) but couldn't get far there either, though I think it's technically doable. IIRC, they were using some kind of vtable patching protection around kernel functions to ensure integrity.
I built anti-cheat software (and hardware) before, and it felt like anti-cheat level security. I had an axe to grind with Snapchat, as they rejected me after the first interview round :P
Snapchat’s founding principle and only differentiator from day one has been untrusted client security. There were way too many years where the general public believed that a Snapchat could not be saved. I give huge credit to Snapchat for accidentally teaching the public that if human eyeballs can see something, it can be recorded forever. Now that is taken for granted, even last week’s Saturday Night Live TV sketch referenced what a fundamentally flawed security model Snapchat has.
What? That wasn't a principle of theirs. They explicitly exclude "screenshot detection avoidance" from their bug bounty policy: https://hackerone.com/snapchat?type=team . They always have. As far as they're concerned, that's not a security issue.
For the uninitiated: TikTok is known to send and receive telemetry packages through headers in other requests (IIRC), and employs the use of a virtual machine(!) to execute encrypted client code.
Fundamentally, it’s hard to enforce certificate pinning if the user can modify the binary. Even if sandbox mode used certificate pinning, there would likely be some other way of removing the pinned cert checks.
> there would likely be some other way of removing the pinned cert checks
Yes, but it's significantly harder than flipping a bit. There's also clever ways of countering this (e.g. checksumming the public key). Of course, even this is technically hackable, but extremely time-consuming in practice. Imagine getting the public key and adding a bunch (and by a bunch, I mean like 16k) of random ops throughout the control flow that crash the app if any random byte of the key is wrong. For extra fun, offset the byte by the instruction pointer. Good luck debugging that.
Exactly I was pointing out why some may choose certain models. I would say that building a platform takes many considerations and the choices made led to this outcome. Apple made different choices and is often vilified for trying to maintain these protections.
Apple has been slowly making progress of opening up their platform. The next 3 years will introduce a new landscape for apps. People will still be complaining.
You're right, it probably could have been implemented by only assigning the output of the sandbox flag function in the consumer function to true, but in this case it worked fine. :)
This made me think back of the days of +Orc [1]. I believe a lot of knowledge common back then, like how to find and nop out an undesired branch, has been lost. Which is fair, there’s way more other tech to learn nowadays.
I always feel nostalgic when I see references to +Orc, or Fravia (RIP).
But I think there's still a lot of people doing the NOP-patching thing, albeit with more complexity. There continue to be people breaking DRM, and investigating random [mobile] apps with hex-editors & etc.
It's harder to get started these days as programs are more complex, but at the same time the knowledge required is more accessible.
Out of interest, why not? I've needed to reverse engineer APIs in the past and using Android apps was always much easier so we always did that when the APIs were available.
Since the Messenger Application on desktop is much closer to the usage model of the Texts.com client. We want to replicate the desktop client as closely as possible. It can be assumed there’s going to be properties that are unique to the desktop client and vice versa.
Would a runtime binary checksum have helped to complicate such modification? This isn’t sop for mobile apps? Do iOS or Android SDK’s provide such facilities? Presumably associated with the official release process and enforced on their respective non-jailbroken platforms?
Basic questions, admittedly. Just noticed that the final solution was to simply modify a few bytes of the binary, which seemed preventable.
Seems Meta’s (or at least Messenger’s) RE defense is quite lenient here. Should be trivial for them to drop IsUsingSandbox() from prod builds entirely, that’s before we get into advanced obfuscation techniques.
At least when I worked there, protecting against reverse engineering was never a goal. Cert pinning is to make it harder for an adversary to tamper, not to make it harder for the user to.
Their Android application in particular allows the participation in a developer program which allows access to one of these menus. Not available on macOS and iOS unfortunately!
Years ago I did manage to get into the impressively huge debug menu in the iOS Messenger app on a jailbroken device. So they do exist there, or at least did back then.
I remember the first time I ever cracked an app, I was so convinced I would fail, but it turns out that finding these sorts of easy-to-modify JNE/JEZ spots is easier than it seems. Even if you pick wrong you can just revert to the original file and try a different spot.
I imagine this would be something that AI will be able to do easily in an automated fashion, you can literally just try flipping the JEZ/JNZ in a bunch of candidate spots and launching the app and seeing if the nag screen comes up.
I will say that ChatGPT did a decent job of explaining non-documented instructions in prior attempts of binary patching.
Now if I could feed an AI a binary and have it tell me where what is happening in a very broad scope, that'd be a game changer, and I'd say that's quite attainable with a high-context window LLM as they seemingly understand hex-formatted byte-code quite well.
How come applications from such big players are not completely obfuscated and have all kinds of other protections in them to e.g. deny modified binaries from running?
As the person who made this call originally at Facebook for the apps--it's not worth it. Any sufficiently advanced or motivated person/group/government would break through eventually...such is the nature of shipping client binaries. You can spend a ton of time and money trying to prevent it (for example Pinterest once was trying to ship their own custom language + vm, which I advised against) OR...just accept that your client code is compromised by default, put logic on the server, and move on with your life.
Cert pinning is basically free and is sort of a "you must be this tall to ride the ride" thing--not secure, but keeps the riff raff out.
Obfuscation has costs, and certificate pinning is more to make it more difficult for user-adversarial MITM than to prevent reverse engineering. Although the impact on reverse engineering is more than a happy accident.
At the end of the day, your code runs on user machines, and they can observe what the code does, so it's always possible to deobfuscate, and if one person does it and shares their results, it becomes very easy to replicate. That doesn't mean obfuscation is useless, but you shouldn't put too much time into it.
Because doing so is pointless for a mobile/front-end app. The attacker has physical access to the device; there's no way to stop them at this point. The only thing you can do is make the process more annoying in hopes that they will get frustrated and give up.
It's probably a matter of priorities, as well as cost v. benefit.
Obfuscation would've had very little effect on the outcome of this experiment, but might've changed the approach to involve dynamic instrumentation a little more. The most effective obfuscation I've seen is VM obfuscation, but that presents a significant performance impact. Obfuscation would also make legitimate debugging harder.
Preventing modified binaries is done at the system level, and could feasibly be implemented at the application level and is common, but this functionality itself could be both bypassed, or modifications could simply be implemented after security checks have completed (once again, through dynamic instrumentation libraries like Frida).
Engaging in a cat-and-mouse game with reverse engineers probably isn't in Meta's best interest.
Good question, Proxyman is the one I'm using in the writeup. It does route all application through it on macOS, and you can proxy iOS devices as well by installing a self-signed certificate on the device and connecting it through the proxy.
Unfortunately while this thing helps it doesn't actually conclusively stop any speculation. If I wanted to spy on you via app, I would encrypt the data inside the HTTPS stream and only decrypt it on my server.
Pretty sure anything you encrypt client side can be decrypted client side, as long as you have control over the binary and OS/hardware. It's just a matter of effort.
Not the case with asymmetric encryption, you could encrypt with a public key and only the server's private key would be able to decrypt it. Not even the client could.
I think the person you're replying to perhaps meant that if you have total control of the hardware and the binary you can pull the value prior to being sent to the encrypt function.
Asymmetric encryption is very computationally expensive - there's a reason that it's typically only feasible to use for signing a hash or as part of a key exchange to agree upon a shared symmetric key.
Envelope encryption works for that - client generates a random symmetric key, encrypts the data symmetrically, then asymmetrically encrypts just the key (which is then thrown away on the client). Both the symmetrically encrypted body and asymmetrically encrypted key are sent.
They only need the server's public key to encrypt it client side. But if all you want is to see if they're spying on you, you could go one step above and see if they're calling system APIs to your mic/camera/keyboard, instead of observing the network activities.
And if spying works without using the microphone or whatever, the alternative is almost worse - it means Meta et al has such a good virtual “mind reading” Skinner model of you that they have a good hunch of what you will talk and think about. If we are not there yet, it’s only a matter of time with enough machine learning…
This is always what has screwed with me the most about this AdTech thought experiment: Both likelihoods (listening-in vs astute prediction models) are equally bad; and whoever downplays either as "business as usual" or "humans are predictable", respectively, ought to be called out for it.
It's NOT good when you listen to conversations without explicit (or implied, for that matter) consent, just as it's equally NOT good to exploit human predictive models to such a precise degree for profit. You SHOULDN'T be complicit to these practices, and saying that it's "just what it is" is one more person in the arena that's throwing their hands up to allow it. Attempt for change is ALWAYS better than apathy for complacency - before every interaction exists to become a transaction.
My hypothesis is that it's not listening nor is it predicting based on the individual, instead it's reacting to web surfing behaviors of your associates.
For example, you and your partner use the same wifi at home a lot, and you both visit a close friend's house and use their wifi every time you're there. Services that you use in both places (e.g. Facebook, Google) now have a graph where there's a very strong link between you and your partner, and a weaker but still important link between the two residential IP addresses.
Now you're at home, just had dinner with your partner, and you say you are considering buying a guitar. An hour later you open your phone and see ads for guitars. "Honey, did you search for guitars already?" "No, why?" "Oh no! It heard me! Or it knows me too well! Uninstall all your apps!"
No, what happened is that last night you were at that friend's house, told your friend about your guitar desires, and all morning that friend has been doing a bit of market research themselves, perhaps to see what you're on about and maybe consider getting it for you. The graph connects the dots, and advertisers suspect that perhaps guitar ads should go not only to your friend, but also to you (by that weak association) just in case you might be the one who buys the guitar.
The uncanniness is a function of you having no idea that your friend was building up this slight likelihood that you're about to buy a guitar, combined with even a very weak signal poking out above the noise given no other recent signals.
My theory is that we're all just WAY less interesting than we think we are.
Male, 40+? A bit more likely than the average human to have a mini mid-life crisis and decide to buy an electric guitar.
These platforms suggest SO many ads to us that even if 99% of the suggestions are total junk that we ignore without even registering, the 1% that represent a lucky roll of the dice still really stick in our memories.
> just as it's equally NOT good to exploit human predictive models to such a precise degree for profit
It should be straight up illegal.
These capitalists insist on nonsense like copyright and intellectual property. They do everything to defend their precious "IP". So why is it that we don't own information pertaining to ourselves?
Personal information should be toxic to them. There should be so much liability involved corporations should be scared to know even a single bit of information about us. They should be scrambling to forget all about us the second our business with them is done. Predictive models? They should be too scared to even have a credit card on file.
I am curious about the legality of this. I guess I assumed that doing this type of thing would technically a DCMA type breech? So this makes me wonder if my assumption wrong? How does this work legally?
It's typically against terms of service to decompile or reverse engineer applications you download in this way, but it's also typically against terms of service to use their services from unofficial clients, so I think they're already way past T&Cs.
I think the implication is that bypassing cert pinning could be considered a violation of the anti-circumvention provisions in the DMCA and WIPO Copyright Treaty, because it results in decryption of copyrighted content without the permission of the copyright owner.
IANAL, but in the US, at least, I think the exemptions for good-faith security research[1] would apply. Maybe even the reverse-engineering for interoperability language in the DMCA itself[2].
I'm not an expert, but I think in the Blizzard v Glider case the courts decided that if you've violated a program's EULA it becomes illegal copyright infringement to duplicate the bits from your disk into RAM
Good reminder that no app is truly ever "closed source" after all there is still the compiled machine code. People used to hand code in this language.
Though I'm personally glad we no longer have to :) it's still way more difficult and compilers can really obfuscate the code (if it isn't already by design)
Developers can store items in keychain on your device/icloud account that are only visible to the apps made by that developer (and not you). It is a feature that it works this way, and this whole concept is fucking insane to me.
On iPhones, three ways to get rid of the keychain data of an app
1. wipe the phone AND you must not restore backups
2. jailbreak the phone
3. the app can wipes its own keychain (but apps don’t expose this feature generally)
I did something similar for Instagram on android few years ago. The usual methods for bypassing certificate didn't work on Instagram, they were statically linking openssl into a shared library called libcoldstart.so. I Spent some time reading openssl documentation and ended up installing a hook to the function that configured the certificate verification.
In case you are curious. I used Frida for installing hooks to native functions.
I don't know why but your comment reminded me of learning about $SSLKEYLOGFILE and the ability to retroactively decrypt traffic captured in Wireshark: https://everything.curl.dev/usingcurl/tls/sslkeylogfile (I was expecting there to be an entry on MDN since my first contact with that env-var was from Mozilla's TLS library but no luck)
I guess it's the fact that in my mental model any supporting library doesn't have to be modified to allow viewing the traffic, and no cert-pining-breaks required
There's no point in implementing cert pinning if you don't also have integrity checking... Being able to alter bytes in the physical file and running it should not be possible (without another bypass).
Cert pinning protects against compromised certificate authorities. There are hundreds of trusted root certificates in most operating system stores so one of them gets breached every once and a while.
Integrity checking is user-hostile, but certificate pinning can be good for users.
I don't know which users integrity checking the executable would be hostile against. But, I see your point that perhaps their reason for cert pinning is to defend against compromised CAs. It does fit the narrative better with their lack of obfuscation and other layers of defense on their app.
Perhaps I'm a bit harsh... but my suggestion to fortune 500 tech company remains. Implement integrity validation as well, otherwise all it takes is editing 2 bytes to bypass your ssl pinning.
Right, but the threat model of SSL pinning is an attacker that has compromised the CA certificate store. The user editing a binary on disk is not a security problem.
> With Meta’s Messenger application for macOS being so close to the Texts.com model—that being a standalone desktop application—Batuhan İçöz who is leading the Meta platform project at Texts.com thought we could gain some valuable insight by analyzing it.
They're being hostile to security researchers - app developers don't like people snooping around their private APIs and whatnot. Nor does google, for that matter.
Every move Apple and Google are making on their platforms is about turning the devices we pay for into devices for the companies whose apps we install.
>I don't get why it has to be this hostile toward developers and why no option is offered to disable it.
If you can convince someone to install a certificate to violate their privacy you can just block the network, forcing the user to flip the setting. This allow apps to be able to protect their user's privacy from nosy enterprise network administrators.
That line of thinking leads you to the path where users are free to install malware and give it all the capabilities it needs because the user chose to do so.
No, but if someone made a knife that was unable to cut their owner I would expect it to have a competitive advantage in the marketplace against a normal knife.
Yes, if the user want to disable all the protections and choose to install malware it's their choice. You can already do so on *nix, Windows, and macOS (albeit more complicated). Not sure why a phone OS would be different.
Your line of thinking is basically "think of the children".
As a new platform that does not have to worry about backwards compatibility they can better design the operating system with lessons learned over the years that desktops have existed.
>Your line of thinking is basically "think of the children".
My line of thinking is that with proper design a platform can have good security. The web platform got sandboxing right. It's a good thing that a website can not cryptolock all your files by just visiting it. Does a website really need to be able to read and write all the files on your system, or perhaps is exposing just a single folder dedicated to the site good enough for most legitimate purposes. A platform can choose what kind of apps it should support. I don't think it is bad for a platform to decide that it does not want to support the needs of a cryptolocker even if that may be limiting what a user can do.
I don't believe that "think[ing] of [user's security]" is a bad thing. User security is valuable for a platform and is essential for scaling.
Unavoidable hard restrictions like this make it dramatically harder to do malware research (thereby reducing security overall) and cause huge & unreasonable problems the moment you see a false positive.
I'm all for user protection, but there is a limit. There's no point aiming for 'impossible' - if the user could be convinced past enough security warnings in the OS, they can equally be convinced to just type their banking passwords into the attacker's phone directly.
I think there's a responsibility on the platform to make possible consequences clear, and make dangerous actions quite difficult, but totally blocking full user control of their own devices is counter productive.
Cracking (abbreviated “[k]”) is the term of art for making small modifications to a compiled binary to toggle functionality (usually disabling license/serial checks, but in this case cert pinning).
This usage is completely consistent with the typical and is well in-bounds.