Mobile apps RE

Reverse mobile apps for fun and profit???

MobileHackingLab iOS Application Security Lab - Run Time Dynamic Library Injection Challenge write-up

Welcome to the iOS Application Security Lab: Run Time Dynamic Library Injection Challenge. This challenge focuses on a fictitious app called Run Time, which tracks steps while running. Your objective is to bypass the app’s protections, deliver the exploit and gain code execution using dynamic library injection.
Figure: iOS Application Security Lab - Run Time Dynamic Library Injection Challenge

Reverse engineering and find out hidden backdoor in iOS app

In this post, we will reverse an app that uses the StoreKit framework and bypass its In-app purchase (IAP) features. This case is quite special: the app forces the user to purchase it as a free trial before allowing any use, and it auto-renews the monthly price plan if you forget to cancel before the renewal date. There is no option on the screen to opt out of the IAP.
Figure: Hidden backdoor

Bypass StoreKit In-app purchases of iOS apps using LLDB

In this post, we will reverse engineer an app that uses the StoreKit framework and bypass its In-app purchase features. StoreKit is an iOS framework that supports in-app purchases and interactions with the App Store (rating and reviewing the app, and so on). It lets iOS developers implement the in-app purchase feature with ease. However, most developers just make it work without knowing the best practices, which creates flaws that let attackers inspect and defeat the In-app purchase feature easily, meaning they can use the app’s premium content for FREE. Let’s do some reverse engineering, find out what the flaws are and see how to exploit them using LLDB.
Figure: StoreKit In-app Purchases flow (source: Medium)

Bypass SSL Pinning with LLDB in iOS app

Imagine that you want to inspect an app to see what information is exchanged between the mobile app and the server. You might think of using simple proxy tools to sniff requests and responses, or more advanced techniques such as reversing the binary to see what the endpoints, parameters and response payloads are. To start the SSL Pinning bypass series, this post introduces how to leverage LLDB to disable SSL pinning in iOS apps as part of the reverse engineering process.
Figure: LLDB Attached

Bypass In-app purchases of react native iOS app

Today we will reverse engineer a React Native iOS app and bypass its in-app purchase to use locked features. Below is an example of the purchase screen that appears whenever you tap on premium content.
Figure 1: Sample In-app purchases locked contents
