内容简介:Mass Surveillance, is an (un)Complicated Businesstriaging a massively popular iOS application, with a dark sideby: Patrick Wardle / December 20, 2019
Mass Surveillance, is an (un)Complicated Business
triaging a massively popular iOS application, with a dark side
by: Patrick Wardle / December 20, 2019
Our research, tools, and writing, are supported by "Friends of Objective-See" such as:
Want to play along?
I’ve uploaded a decrypted copy of the application and decrypted traffic captures:
Download:
Background
Recently, I was approached by the New York Times (NYT) to assist with the investigation into a massively popular iOS application, ToTok
.
Apparently “American officials familiar with a classified intelligence” had determined that ToTok
, was actually a spying tool. :scream:
“ It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones. ” -New York Times
Today, we’ll walk thru a triage of the ToTok
iOS application.
The main goal of this blog post is to provide the technical details, about how one may go about triaging an iOS application, using ToTok as a “case-study”
That is say, the aim is simply to discuss our analysis procedure and binary analysis, and note some (interesting) observations.
ToTok
(by “Breej Holding Ltd.”) is a massively popular application in the United Arab Emirates (UEA). In fact recently it was the #1 “trending” app in Dubai:
…while on the iOS app store, similarly ranked quite highly:
It’s reviews (over 32,000!) are largely positive, and mostly laud the fact that this application is not blocked in the UEA (Skype, WhatsApp, etc. are blocked, while using VPNs to access blocked services is illegal).
“ Finally a VoIP application which works in UAE. Hopefully it starts this way. The voice and video clarity is simply amazing!! Thanks a lot ToTol and TRA of UAE. ” -Mustafa Abdul Ahad
“ Really, thank you for this app. I can finally make a call/video call easily with my family since other apps are banned in my current living country. Thankyou ” -Jckarhmrv
“ I never posted any positive comments or feedback but TOTOK forced me to appreciate your efforts and give love to your unbeatable application. In UAE TOTOK is like water :droplet: in desert… ” -Saqib Saleem
“ …I’m going to give great thanks to all your team that you guys have done great job :kissing_heart::kissing_heart::kissing_heart: specially for UAE users where all apps are blocked for calling and now this is totally free and still not blocked… ” -Pakistan
“ Finest app of 2019, really impressive with the way app is designed. Most importantly it works in the UAE and that’s a true blessing ” -BeingGaurav
“ It’s great to have such an app in a county where Audio & video calls are banned! ” -baghya
…it’s almost as if ToTok
is too good to be true!
The app is also recommended on various sites around the Internet, especially as a solution to other apps being blocked in the UAE:
Analysis Setup
Analyzing iOS applications is not the most trivial process, as said applications are distributed (via the iOS App Store) in an encrypted format.
The two main approaches to analyze an iOS application include:
-
on a jailbroken iOS device
-
via advanced virtualization (i.e. corellium )
Both are frowned upon by Cupertino, who quickly (when possible) patch all iOS bugs in attempt to thwart jailbreaks or worse, turn to (dubious) legal action.
Unfortunately this leaves security researchers in somewhat of bind, as analysis options are limited.
Apple has promised “developer” devices, to allow independent security researcher both audit iOS proper and analyze iOS applications.
Though these phones have yet to make it into the hands of researches (AFAIK). However if/when they do, they will be hugely welcomed.
Without access a virtualization solution, we’re ‘stuck’ performing our analysis of ToTok
on a jailbroken phone. Luckily, thanks to the incredible checkra1n
we can jailbreak (and thus analyze iOS applications) even recent versions of iOS!
For details on checkm8/checkra1n see:
- “Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer”
- “The One Weird Trick SecureROM Hates”
Again, mahalo to all the (many) researchers/hackers who made this incredible tool!
Assuming you have access to vulnerable device (iPhone5x - iPhone X), setting up an analysis environment is fairly straightforward, and detailed in “From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13” :
- Jailbreak with
checkra1n
…which installsCydia
- Setup
iProxy
- Install other tools such as
Frida
, etc
Hooray! You’re now able to begin analyzing iOS applications on your (jailbroken) iOS device.
Analyzing ToTok
Now, let’s take a peek at ToTok
application.
As this is more of a basic triage (vs. a full-fledged analysis) our goals will be:
-
decrypting the application
-
decrypting (and monitoring) it’s network traffic
First, we install the ToTok
application on our jailbroken iOS device:
It will end up in the /private/var/containers/Bundle/Application
folder ( <UUID>/ToTok.app
):
As noted, the main application binary will be encrypted (via Apple’s FairPlay DRM
). We can confirm this by dumping the load commands of the application’s binary ( ToTok.app/ToTok
) and observing the presence of a LC_ENCRYPTION_INFO_64
command:
otool -Vl ToTok.app/ToTok ... Load command 12 cmd LC_ENCRYPTION_INFO_64 cmdsize 24 cryptoff 253952 cryptsize 4096 cryptid 1 pad 0
For more information about iOS App encryption, see:
We’ll shortly discuss how to fully decrypt the application, but for now there are still lots of unencrypted files to peek at.
Most notably, we can examine the application’s Info.plist
file. It’s rather large, but here’s various pieces of it:
$ cat ToTok.app/Info.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ... > <plist version="1.0"> <dict> <key>MinimumOSVersion</key> <string>13.0</string> <key>CFBundleIdentifier</key> <string>ai.totok.videochat</string> <key>UIBackgroundModes</key> <array> <string>audio</string> <string>fetch</string> <string>remote-notification</string> <string>voip</string> </array> <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <true/> </dict> <key>CFBundleLocalizations</key> <array> <string>en</string> <string>Arabic</string> <string>zh_CN</string> <string>zh_TW</string> </array> <key>FacebookAppID</key> <string>1454446651523910</string> <key>NSMicrophoneUsageDescription</key> <string>Allow ToTok to access Microphone to make voice messages and voice/video calls</string> <key>NSCalendarsUsageDescription</key> <string>Allow ToTok to access Calendar to remind you of ToTok Event</string> <key>NSLocationWhenInUseUsageDescription</key> <string>Your location is required for providing local weather informatio</string> <key>NSPhotoLibraryAddUsageDescription</key> <string>Allow ToTok to access Gallery to send/save pictures</string> <key>NSContactsUsageDescription</key> <string>Allow ToTok to read Contacts to find your friends who is using ToTok now</string> <key>NSSiriUsageDescription</key> <string>You can use Siri to call your ToTok contacts directly.</string> <key>NSCameraUsageDescription</key> <string>Allow ToTok to access Camera to take photos and videos</string>
Some observations include:
-
The presence of the
UIBackgroundModes
tells iOS that is should (continue) running in the background.Read more about
UIBackgroundModes
in Apple’s documentation . -
The
NSAppTransportSecurity
/NSAllowsArbitraryLoads
keys tells iOS that the application should be allowed to transmit data via HTTP (normally iOS enforces HTTPS only).Read more about
NSAllowsArbitraryLoads
in Apple’s documentation . -
The
CFBundleLocalizations
array contains localizations for English, Chinese (zh_CN
), Taiwanese (zh_TW
), and Arabic. -
The
FacebookAppID
(1454446651523910
) appears to be tied to a company named ‘Yeecall’ (more on this later!)
-
The presences of various
*UsageDescription
key/value pairs, tells iOS what to display when the app requests permissions.Here we see the
ToTok
is interested in the: microphone, calendar, location, photos, contacts, siri integration, and camera.
Explicit user approval is required in order for ToTok to be able to access the mic/camera, and user information (photos, location, etc).
…however such access is required for “legitimate” functionality of the app, and thus, most users will allow.
Before we decrypt the binary to perform static analysis, let’s analyze ToTok
’s network traffic.
Network Traffic
Rather unsurprisingly ToToks
network communications are all encrypted via SSL. Moreover, the application performs certificate pinning in an attempt to complicate MiTM attacks. However when performing local analysis (on a jailbroken device) neither of these are really obstacles.
First, we setup a remote proxy (say on your MacBook). Then on the iOS device (under the network settings), we specify the address of our proxy to instruct iOS to route all the traffic thru said proxy. I personally use Charles
proxy application (though Burp would work as well.
“ Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. ” - https://www.charlesproxy.com/
There are several detailed tutorials online the describe how to setup and configure a proxy in order to view (even SSL’d) traffic coming off your iOS device.
In short, we need to install and trust the proxy (Charles’) certificate on the iOS device:
As noted ToTok
uses SSL pinning in order to improve the security of its network communications, which means that the application will reject the proxy’s certificate and connections will fail.
For more information on SSL pinning, read:
Luckily, it’s fairly easy to locally bypass this (so that we can sniff all ToTok
s traffic) by installing and configuring SSL Kill Switch 2
.
Now we’re all set to sniff ToTok
’s encrypted traffic!
Firing up the app, we’re able to observe the (now decrypted) traffic:
The majority of the application’s traffic routes thru the capi.im.totok.ai
server. The server uses a self-signed certificate (SHA-256: C9 27 30 CC D5 FE C0 46 3D E8 5A A6 6D FA AB 2F 3B 92 4E 04 C5 1E 0B 6F A4 31 FE 78 33 48 B5 74
), with the issuing country set to AE (United Arab Emirates):
I’ve uploaded two (decrypted) traffic captures (format: Charles Proxy “sessions”).
Download:
The network traffic is fairly standard, for what we’ve expect to see in fully-feature chat application. Here we’ll peruse through some of the requests.
When the app first launches, it makes various GET
requests to capi.im.totok.ai
.
For example:
https://capi.im.totok.ai/uc/state/AABqbEEgqCA=/white? n=cJECAUMZzcI=&c=iJXfhRcO4JU=&did=3yDQkh1qf8iai1UKOGNUnr8sJIo=&model=iPhone &pkg=ai.totok.videochat&clientver=1.2.9&loc=en-US_US
Breaking out the parameters:
cJECAUMZzcI= iJXfhRcO4JU= 3yDQkh1qf8iai1UKOGNUnr8sJIo= iPhone ai.totok.videochat 1.2.9 en-US_US
The server simply responds with:
{ "response": { "white": false }, "responseHeader": { "status": 200, "version": "1.0" } }
Another GET
request also to capi.im.totok.ai
goes to the /api/idc/find
API endpoint, which returns:
{ "response": { "uc": "capi.im.totok.ai", "pfm": "capi.im.totok.ai", "doodle": "in.debug.yeecall.com:8080", "uc_ssl": "capi.im.totok.ai", "pfm_ssl": "capi.im.totok.ai", "doodle_ssl": "capi.im.totok.ai", "idcIdx": 1, "wallet_ssl": "capi.im.totok.ai" }, "responseHeader": { "status": 200, "version": "1.0" }
…another reference to yeecall
.
Moving on, after verifying the user, the application downloads the user’s profile picture from https://ucdefault-sg.oss-ap-southeast-1.aliyuncs.com/
The site, aliyuncs.com, appears to be part of Alibaba’s Cloud.
If the user has authorized ToTok
to access their contacts, the app then attempts to upload the entire address book via a POST
request:
https://capi.im.totok.ai/log/report/report?n=cJECAUy9BHI=&c=iJXfhRiqKSU=&did=3yDQkh1qf8iai1UKOGNUnr8sJIo=&model=...
{ "appver": "1.2.9", "os": "iOS", "time": 1576888571519.1421, "app": "ToTok", "event": "contact", "uid": "AAAAAs7FxJY=", "data": { "version": "1.0", "contacts": [{ "familyName": "Smith", "birthday": 0, "modifyDate": 1576134814000, "nickname": "", "displayName": "John Smith", "organizationName": "Apple", "departmentName": "", "namePrefix": "", "nameSuffix": "", "id": 1, "primaryIDs": [{ "value": "(808) 265-3214", "label": "_$!<Home>!$_" }], "middleName": "", "jobTitle": "", "contactType": 0, "note": "", "phoneticMiddleName": "", "phoneticGivenName": "", "emailAddresses": [], "createDate": 1576134814000, "phoneticFamilyName": "", "givenName": "John" }, { "familyName": "Turner", "birthday": 0, "modifyDate": 1576136649000, "nickname": "", "displayName": "Tina Turner", "organizationName": "Apple", "departmentName": "", "namePrefix": "", "nameSuffix": "", "id": 2, "primaryIDs": [{ "value": "(814) 523-4155", "label": "_$!<Home>!$_" }], "middleName": "", "jobTitle": "", "contactType": 0, "note": "", "phoneticMiddleName": "", "phoneticGivenName": "", "emailAddresses": [], "createDate": 1576136649000, "phoneticFamilyName": "", "givenName": "Tina" }] }, "language": "en", "network": "WiFi", "osver": "13.1.3" }
The argument could be made that this is simply (user-approved) “legitimate” functionality of the application, used to connect users with their friends :grimacing:
If media content such as images are transmitted between users, this generates a POST
request (with the contents of the file) to https://capi.im.totok.ai/pfm/up/AABqbEEgqCA=/sendtouser
to upload the content. The server responds with information about the successful upload:
{ "response": { "download": { "url": "https://capi.im.totok.ai/pfm/download/file?fid=5dfe1lqtkl9555884b0b0001ae7119 ... "size": 81664, "fid": "5dfe1lqtkl9555884b0b0001ae7119", "md5": "a3b89da4ccb998ef9fa66fb11bafcfa1" } }, "responseHeader": { "status": 200, "version": "1.0" } }
Prior to upload, it appears that the item (here, an image) is both encrypted and compressed:
00000000 73 d6 6d 3c be 5a d0 43 b6 cb 23 b1 46 b2 c2 b7 |s.m<.Z.C..#.F...| 00000010 16 71 9b f4 67 51 63 0f 7b 8e d7 44 6c 85 77 f7 |.q..gQc.{..Dl.w.| 00000020 ef 9d 0d b3 a3 2e 27 2d e6 ca 84 7f 9d cc ec 30 |......'-.......0| 00000030 44 00 aa 00 ca 90 f1 c2 d7 48 c7 c9 f8 8c 30 9d |D........H....0.| 00000040 8b 4e b0 8c 03 16 e6 3f 25 20 25 e2 44 29 19 1d |.N.....?% %.D)..| 00000050 49 98 9d 9c 0e 23 ae 8a 54 30 1c fd 7e 2a 6e 76 |I....#..T0..~*nv| 00000060 cf 2b a7 cd 26 88 06 8d 42 15 57 a2 96 4a e3 2c |.+..&...B.W..J.,| 00000070 fc 9f 7f e7 92 cf 06 d0 ef 8e fe fe a6 a4 e4 7f |................| 00000080 d3 88 20 2d e5 77 56 4d 32 7b c7 b0 6b 17 04 e0 |.. -.wVM2{..k...| 00000090 7c e4 18 9f b2 e9 56 90 2c af dd c8 9b 35 f5 e2 ||.....V.,....5..| 000000a0 f7 03 f8 1b 2f 6d a7 ef 91 88 f8 80 82 74 2e ec |..../m.......t..| 000000b0 44 61 b3 d2 5d 3a a3 92 ef c4 48 d9 08 bb 29 e6 |Da..]:....H...).|
At this time, it is unknown if the application utilizes end-to-end encryption …or (if so), if said encryption is sufficient.
ToTok’s privacy policy does state:
“Messages: all data is stored heavily encrypted so that local ToTok engineers or physical intruders cannot get access.”
…but this seems to only address “stored data”?
Finally, if the user has authorized ToTok
to utilize location services, the app will make a request to meiduoyun.ws.amberweather.com
:
https://meiduoyun.ws.amberweather.com/api/v1/weather?appid=12027&lang=en&lat=25.276987&lon=55.296249&pkg=ai.totok.videochat...
Note this request contains the user’s exact geo-coordinates (i.e. lang=en&lat=25.276987&lon=55.296249
).
App Decryption
In order to perform static analysis of ToTok
, we need to decrypt its application binary.
To decrypt the application binary on our jailbroken analysis device, we use Clutch
; a “ high-speed iOS decryption tool.” This utility takes the bundle id of the iOS application to decrypt (e.g. ai.totok.videochat
) and outputs a (fully) decrypted .ipa!
root# Clutch -d ai.totok.videochat Clutch[10196:1254709] command: Dump specified bundleID into .ipa file Zipping ToTok.app Dumping <totok> (arm64) Patched cryptid (64bit segment) Dumping <shareextension> (arm64) ... Successfully dumped framework ToTokCommonBase! Dumping <external> arm64 Successfully dumped framework PINRemoteImage! Dumping <asyncdisplaykit> arm64 Dumping <totok3rdsdk> arm64 ... Zipping ToTokCommonBase.framework Zipping External.framework Zipping ToTok3rdSDK.framework Zipping ShareExtension.appex DONE: /private/var/mobile/Documents/Dumped/ai.totok.videochat-iOS13.0-(Clutch-(null)).ipa Finished dumping ai.totok.videochat in 9.3 seconds </totok3rdsdk> </asyncdisplaykit> </external> </shareextension> </totok>
Another option to dump the encrypted application binary is via Fridump
. If run with the -s
option, this will also running strings on all the dumped files:
patrick$ python fridump.py -U -s ToTok ______ _ _ | ___| (_) | | | |_ _ __ _ __| |_ _ _ __ ___ _ __ | _| '__| |/ _` | | | | '_ ` _ \| '_ \ | | | | | | (_| | |_| | | | | | | |_) | \_| |_| |_|\__,_|\__,_|_| |_| |_| .__/ | | |_| Current Directory: /Users/patrick/Downloads/fridump-master Output directory is set to: /Users/patrick/Downloads/fridump-master/dump Creating directory... Starting Memory dump... Running strings on all files: Progress: [##################################################] 100.0% Complete Finished!
For a tutorial on using Fridump, checkout:
Either way, we now have a decrypted application bundle and can poke around at the app’s binary code.
As the application (and it’s frameworks) are a massive 25MB+, due to time constraints our analysis is limited.
However, I’ve uploaded the unencryptedToTok.ipa if you’d like to dig more!
When analyzing a binary, one of the first steps is to extract embedded strings and classes (via Class-dump
). This can often shed significant insight into the capabilities of the binary and/or reveal other interesting contact.
Digging thru ToTok
strings and classes we gain some potential insight into it’s possible origins:
/Users/jiangyaguang/Downloads/totok/YeeCall/Classes/TKSystemInfo.m
/Users/jiangyaguang/Downloads/totok/YeeCall/Classes/Call/TKCallSessionViewController.m
patrick$ class-dump ToTok.app/ToTok @interface <b>YeecallContact</b> : NSManagedObject { } @interface <b>YeecallReminder</b> : NSManagedObject { } @interface <b>YeeCallSecurityPolicy</b> : AFSecurityPolicy { }
As previously noted, we uncovered other ties to YeeCall
. Based on these embedded strings it’s relatively clear that ToTok
is largely composed of code from YeeCall . According to CrunchBase YeeCall is “a software company that has developed Yeecall messenger app for video & voice calling.” It is rather unsurprising that ToTok
s is simply based on existing code/an product (vs. written entirely from scratch).
It’s possible that “Breej Holding Ltd” (that “publisher” of the iOS app), simply contracted or licensed existing code from “YeeCall” to create the ToTok
application. This would be a simple and efficient way to quickly create a new fully-featured application. This also explains the rather odd CFBundleLocalizations
of <string>Arabic</string>
, <string>zh_CN</string>
, and <string>zh_TW</string>
It’s more than likely that “Breej Holding Ltd” is not an actual iOS developer / publishing company:
“A technical analysis and interviews with computer security experts showed that the firm behind ToTok, Breej Holding, is most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm where Emirati intelligence officials” -New York Times
Other embedded strings, reveal static.totok.ai
, the server which serves up static content for the app (images, icons, etc). The server appears to be misconfigured, and as such, browsing to it’s root reveals a listing of the all hosted files:
Conclusion
In this blog post, we triaged ToTok
, an iOS application that the American intelligence community has claimed, was spy tool used by the United Arab Emirates government. :see_no_evil:
Our analysis showed that ToTok
, simply does what it claims to do…and really nothing more. Assuming the claims that ToTok
is actual designed to spy on it’s users, this “legitimace” functionality of the app, is really the genius of the whole mass surveillance operation: no exploits, no backdoors, no malware, …again, just “legitimate” functionality that likely afforded in-depth insight in a large percentage of the country’s population.
Think about it this way
…you’re a (rather surveillance-happy) foreign government who’d love to monitor your citizens.
In five easy steps:
- Ban popular apps such as WhatsApp, Skype
- Create a free alternative app that provides this banned functionality.
- Submit the app to the iOS app store, where it’s readily approved by Apple.
- Create fake reviews & social media posts that recommend the application.
- Wait as the citizens of your country readily embrace the app and it’s popularity soars.
…hooray! Now you have access to users’ address books, chats, location and more, in a completely “legitimate”, Apple-approved manner!
Such collection provides a sufficient “phase 1” (much like the NSA’s bulk metadata collection program) of a more comprehensive intelligence operation. Once you know who’s talking to whom, and perhaps even what they are saying, you can identify specific individuals of interest and target them with more advanced capabilities. This “phase 2” includes more traditional offensive cyber-operations, which are far more targeted, stealthy, and invasive. However, such a phase is far more expensive and difficult to scale and thus requires a sufficient “phase 1” component …like ToTok
For more information on “phase 2” cyber-operations in the Middle East, check out:
love these blog posts? support my tools & writing on patreon :)
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网
猜你喜欢:本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。