Website of Daniel A. Mayer

New Idb Features: Classdump, Cert Installer, Hosts File Editor, Screenshot Utility

Over the last few weeks I released a few new features as well as stability and usability improvements for idb. The more notable ones are:

  • Integration of weak_classdump by Elias Limneos to dump class and method information in the form of header files.
  • Addition of a new /etc/hosts file editor.
  • Fixes to the CA certificate installer / manager.
  • Documentation and increased visibility for the screenshot utility.

All of the features are now documented in the new Manual on Github.

Updated Talk at SOURCE Boston 2014

Last weekend I also spoke at SOURCE Boston about idb and some of the new features. SOURCE is a great conference with excellent talks and an audience size that makes it personal enough to connect and engage with many of the attendees.

Read more about the new idb features and see my updated slide deck after the jump.

Video recording coming soon.

New idb features

Below is an excerpt from the idb Manual which introduces the new features.

Class and Method Signature Dumping

When reversing, instrumenting, or simply trying to understand an app, knowing all of the classes and method signatures of the app is of great help. idb provides a convenient way for obtaining these from compiled iOS applications. Under the hood, this function uses cycript and the weak_classdump script by Elias Limneos. To use this, simply click the “Dump Classes” button in idb while the device is unlocked.

[Screenshot: Weak Classdump]

This will launch the app with cycript attached and dump all the class information. Depending on the size of the application, this process will take up to several minutes. There is no visual feedback that class information is being dumped, but the device will play the “locking” sound once the dump is complete. In some rare instances the app may crash during this process which may lead to an incomplete class dump.

[Screenshot: Please wait]

At any time during the process the “List Results” button can be used to retrieve all of the class information that has been collected thus far. To obtain the full list, wait until the execution of weak_classdump is finished. The results will look similar to this:

[Screenshot: Classdump Results]

Tools

This tab groups several miscellaneous tools.

[Screenshot: Tools tab]

Screenshot Utility

The screenshot utility is a simple wizard that can be used to test whether an app is disclosing sensitive data in the automatic backgrounding screenshots taken by iOS. After starting the wizard, the “Launch Application” button can be used to launch the app under investigation (make sure the device screen is on and not locked):

[Screenshot: Launch App]

After clicking “Continue”, the next screen asks you to background the application by pressing the home button on the device. Once you have done so, click “Continue” to see whether a screenshot was found. If it was, idb downloads it and allows you to open it in your default image viewer. If no screenshot is found, a corresponding message is displayed.

[Screenshot: Screenshot found]

CA Certificate Manager

Installing new CA certificates on the iDevice can be cumbersome at times. This function aims to make the process faster by automatically making the respective certificate accessible to the iDevice.

First, if your iDevice is set up to go through Burp Suite, clicking “Install Burp Cert” will automatically launch a URL handler on the device which redirects to http://burp/cert and allows the installation of the Burp CA cert with one click (make sure the device screen is on and not locked).

[Screenshot: Burp CA Install]

[Screenshot: iOS Cert Install Dialog]

Second, for all other certificates, you can use the “Certificate Manager”.

[Screenshot: idb cert manager]

In order to install a new certificate, click on “Import” and select the desired certificate file. Both PEM and DER formats are supported. After selecting the file, idb will internally serve the file on an HTTP server and trigger a URL handler on the device in order to install it. After installation, use the “Refresh” button to update the certificate list.

[Screenshot: idb cert manager with imported certificate]

Finally, clicking “Delete” will remove the selected certificate from the iDevice’s trust store.

/etc/hosts File Editor

The /etc/hosts file editor provides a simple way to modify the hosts that applications connect to. In order to intercept traffic for an app, one would typically use a tool such as Burp Suite and set the iOS system proxy to make the app connect to it. However, when the app does not respect proxy settings or communicates via non-HTTP protocols, this may fail. In these instances modifying /etc/hosts may help in pointing the app at a running proxy instance which then forwards traffic to the actual server expected by the app.

idb’s interface is very simple. The “Load” button retrieves the current /etc/hosts file from the device and displays it. After making the desired modifications, clicking “Save” will store the new file on the device.

[Screenshot: Hosts File Editor]
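The editor leaves the editing to you; the Ruby below is an added example (not idb's own code) of what such an edit does to the file and how to undo it cleanly: it disables the existing mapping for a hostname, appends a tagged line pointing the host at a proxy address, and restores the original file afterwards. The hostname, the proxy address and the sample hosts file are constructed for the example.

```ruby
# Tags so that every change made for a test is recognisable and reversible.
ADDED    = "# interception-redirect".freeze   # appended redirect line
DISABLED = "#interception-disabled ".freeze   # prefix for commented-out originals

# Hostnames mapped by an active (uncommented) hosts line; [] for comments/blank lines.
def mapped_hosts(line)
  fields = line.split("#", 2).first.to_s.split
  fields.size >= 2 ? fields[1..] : []
end

# Address a first-match resolver would pick for +hostname+ from this file, or nil.
def resolve(hosts_text, hostname)
  hosts_text.each_line do |l|
    return l.split("#", 2).first.split.first if mapped_hosts(l).any? { |h| h.casecmp?(hostname) }
  end
  nil
end

# Return the file with +hostname+ pointed at +proxy_ip+. Calling it twice is a no-op.
def redirect_host(hosts_text, hostname, proxy_ip)
  raise ArgumentError, "invalid IPv4 address" unless proxy_ip =~ /\A(\d{1,3}\.){3}\d{1,3}\z/
  lines = hosts_text.each_line.map(&:chomp)
  # Drop a redirect added earlier for this host so we never accumulate duplicates.
  lines.reject! { |l| l.end_with?(ADDED) && mapped_hosts(l).any? { |h| h.casecmp?(hostname) } }
  # Comment out every original line that maps the host. Caveat: other hostnames
  # sharing that line stop resolving for the duration of the test.
  lines.map! { |l| mapped_hosts(l).any? { |h| h.casecmp?(hostname) } ? DISABLED + l : l }
  lines << "#{proxy_ip} #{hostname} #{ADDED}"
  lines.join("\n") + "\n"
end

# Undo redirect_host: remove added lines and re-enable the disabled originals.
def restore_hosts(hosts_text)
  hosts_text.each_line.map(&:chomp)
            .reject { |l| l.end_with?(ADDED) }
            .map { |l| l.start_with?(DISABLED) ? l.delete_prefix(DISABLED) : l }
            .join("\n") + "\n"
end

# Constructed sample, as the "Load" button might return it from a device.
SAMPLE_HOSTS = <<~HOSTS
  127.0.0.1 localhost
  ::1       localhost
  10.0.0.5  api.example.com cdn.example.com # staging
HOSTS
```

Check the result with resolve before and after the change, and keep the restored file to put the device back once testing is done.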
