7 Ways to Bypass Encryption in iOS Application

What is encryption?

Encryption has always been considered a safe haven when it comes to banking application security. Encryption is the process of encoding information so that only authorized users can read/decrypt it.

Note: When trying to bypass encryption, follow these methods in sequence; if the first method doesn’t work, jump to another method.

1. HardCoded Secret Key

Many times, a secret key is hardcoded into the application itself, as an attacker, we have to identify the hardcoded secret key and then decrypt the data with that secret key. There are many ways to get the hardcoded keys, such as keys stored in the JS file, source code, comments, etc. There are different ways to get the hardcoded secret keys. In this section, we will see how I found the hardcoded key in one of my projects.

c) Search for keywords like UTF8, encryption, encrypt, AES, etc. because it’s very difficult and time-consuming to go into each and every JS, java, and all other files in the application and analyze those files.

To save time, we can use the below-mentioned command to search the specific keywords across all the js files of the application. If you want to search against Java files, you can change the extension to .java and use the same command.

d) In the js file, look at the function that is used for the encryption and decryption. In my case, it was encrypt(e) and decrypt(e). In this function, I identified that UTF8.parse was parsing the key PKDSSAAKey.

Note: It is not necessary that every time the key name will be secretkey or something like that’s why identifying the key name from the source code is very important. 

e) Now search this key name in that js file or all js files. You can see in the above/below screenshot that we found the hardcoded key

.

f) Let's observe the code again and decrypt the data. 

i) The application is using AES Encryption. So, go to https://gchq.github.io/CyberChef/ to decrypt the data. You can use any other decoder as well. 
ii)When the application is using AES, first we have to decode the data with either base64 or hex. Then, decrypt it with AES. So try with both. In my case, base64 decoding was working.
iii) So drag and drop base64 from operations and paste the data in the input section.
iv) For AES encryption/decryption, we need iv & secret key value, but if we observe the code iv=n, it means the secret key and iv are the same.
v) When you enter key and iv, you have to select the type, and we will select UTF8 because, through code, we can see the application is using UTF8.
vi) Now, in the Mode type, we will select ECB, as shown in the code.
vii) In the input, we will select raw, because we have firstly decoded data with base64, if we decoded data with hex then we will choose hex type in the input. 

g)  This is how we can decode the data with a hardcoded key and iv. 

Note: It is very important to understand the logic and then go for decrypting the data. Otherwise, it takes a lot of time, and the chances of getting success are very low. 

2. Encryption Bypass via Hardcoded logic of Encryption/Decryption in js files

I was testing one banking application, and while going through the source code, I found that the application is using AES encryption. So, in order to decrypt the data and perform API-level testing, I started looking for a way to decode it. So, I started examining the JS files and discovered the encryption/decryption logic, and then we constructed a single script to encrypt and decrypt the data. Let’s see how we can do that.

Steps to bypass encryption via analyzing JS files 

a) Unzip the IPA file

b) Go to the binary of the IPA file 

c) Search for keywords like encryption, encrypt, AES, etc. Because it’s very difficult to go into each js file to analyze the js file, that’s why we use this command to search from all the js files together.

-r -  To search inside the directory

d) Open that js file in the visual studio editor or in any editor and analyze the encryption logic.

Decryption Logic

Encryption Logic

e) In this case, the value of iv & salt is dynamic, which means it will generate a new iv & salt value for each request. We can see in the screenshot below that "::" is used to separate the iv and salt values. 

f) Now, with the help of hardcoded logic, we will create a script to encrypt and decrypt the data. I am dividing the script into 3 parts, to understand how to create the script.

3. Encryption bypass via Frida

In one of my projects, with the help of available scripts, I got the hardcoded key. So, firstly, I decompiled the application and identified what kind of encryption they were using. Then, accordingly, I searched for available scripts and tried to bypass the encryption using those scripts. In addition, we can write our own script as well.

a) Enter the below-mentioned command to get the hardcoded key
frida -U -f package_name -l aes.js --no-pause 

There are many scripts available on codeshare and GitHub for gaining secret keys, etc. In my case, I used - https://codeshare.frida.re/@dzonerzy/aesinfo/

U => To use a connected USB device as a target 
f  => To indicate the package name
l  => To load the script aes.js => (Download the script from codeshare according to your iOS version) 
--no-pause => To force Frida to “not to pause” app execution after injecting the script.

4. Encryption bypass via hooking

For hooking, I have already written a detailed blog, which you can read here; so here, I will directly explain how I was able to bypass encryption via hooking in one of my applications. So, we will not explain all the commands in detail here again.

Note: In this scenario, the end goal is to find the class that sends the application's data in a decrypted format, and then we will create a script that uses that class and modifies the data at runtime to perform various attacks.

a) Identify the class that sends data in plain text.
 i) Connect your device via USB and trust the device.
ii) Run the below command to connect the application to the objection and explore the application.

iii) Run the below command to search for the specific class, search the keywords like AES, network, encryption, etc.  

b) Creating a script to decode & modify the data at run time, here blur part is the name of the class and “bankId” is the parameter name and “1” is the value which we are going to tamper on the runtime for performing the attacks.

c) Save the above-mentioned script as decryption.js.
d) Let's see how to test the application and modify the data at runtime.

Note: Whenever you want to modify the script at run time, you have to inject the Frida agent in the application, instead of spawning the application. So that whenever you modify the data in the script, like parameters or their values save it. These data will be reflected there, so you don’t need to run the command again. 

For injecting the Frida agent, you have to run the Frida command with the PID of the application instead of the package name.

i) Enter the below-mentioned command to get pid of the running application

ii) Run the below-mentioned command and scroll the application to see decrypted data
frida -U -p 7445 -l decryption.js —no-pause

iii) Perform the below-mentioned steps to modify the data or change the parameter's value.
From the decrypted data, take the parameter name, pass the value in the script and save the script, and go to the same module of the application again, and you will see the response with that passed parameter value. 

So this is how you can modify the script at runtime and perform the testing without running the command again and again with the help of the Frida agent.

5. Encryption bypass Via JavaScript debugging 

a. How to debug an iOS application?

i) Connect your iOS device to your Mac with the USB cable
ii) On iPhone, Go to Settings > Safari > Advanced and toggle on Web Inspector.

iii) In the Macbook, go to Safari > Preferences 

iv) Go to Advanced => click on the checkbox Show Develop menu in the menu bar.

v) Go to the develop option => click on iPhone and select your iOS Application.

b. How to set a breakpoint?

Go to the Safari Browser => Right Click => Inspect element => Source => open Js file => double click on a line where you want to set breakpoint. So basically, breakpoints are set to pause the request and analyze the request.

c. How to bypass encryption?

Bypassing encryption via debugging is a hit and trial process, you have to analyze the js file and set the breakpoint accordingly. Usually, in the js file, you have to understand how the application is encrypting and decrypting the data and setting the breakpoints accordingly to bypass the encryption. Sometimes we can see the data in plain text as well via setting breakpoints at the correct function.

Refer to my webinar recording Webinar: Understanding Payment Gateway Related Vulnerabilities, for understanding how to use and set breakpoints. (This part will start at 54 min) 

6. Encryption bypass via Frida tracing 

Frida Tracing is used to trace the function calls.

In one of my projects, I tried other methods to bypass encryption, but they didn't work. So I tried Frida tracing, where I searched for different words related to encryption to check if there is any function that passes the data in plain text. Later, I came across a function that passed the data in plain text. 

So when we run the Frida trace command, it automatically creates the folder with the name handlers; this folder contains multiple JS files(These JS files contain the function's name, which gets called while scrolling the application).

Let’s see how to perform this 

a) Run the below command and scroll the application to see data in plain text
Frida-trace -U -F package_name -m ''*[* *encrrypt*]''

b) A folder with the name handlers will be created. 

c) So I have gone through all the js files and identified that a js file was having a function “payment” and passing the parameter “wallet_id”. Here, I came across that I can perform attacks like IDOR, SQL injection, etc.

So I opened that script, changed the value of “wallet_id” manually, and saved it again to perform the IDOR attack. (This script is already created in the handler folder, we just change the parameter value). 

Run the same Frida trace command:
(Frida-trace -U -F package_name -m ''*[* *encrrypt*]'') 
or 
Run the below command with the modified script.
Frida -U -f package_name -l script.js 

This is how you can bypass the encryption via Frida tracing.

7. Encryption bypass via Radare2

Radare2 is an open-source framework that can perform disassembly, debugging, analysis, comparing data, and manipulation of binary files. It helps to track functions & binary.

Steps to bypass encryption via Radare2

1) Unzip the IPA file

2) Go to the unzipped folder and copy the binary of the IPA file.

target = This is the binary inside the binary of the application, go inside the test.app and you will see one binary with the same name.

3) Reduce the size of binary

lipo -thin arm64 test -o test32

Lipo => Lipo is the command-line tool to reduce the binary size.

4) To Check the binary size

5) Analyze the js file for identifying the name of functions, so here we can see some functions are getting passed with the name “getEncryptedPassword”

6) Go inside the application with radare2.

7) For tracking and dumping the data of any function, we need the reference ID of that function, so run the below command to get the “Reference ID” of any function.

8) Now we have the reference ID, so to go inside a particular function, just write the reference ID and hit enter.

9) For dumping all the data of the particular function, run the below command

10) After dumping the data, analyze the response and find the hardcoded secret key.

11) In my scenario, the secret key and iv were the same, so with the help of the cyberchef decoder, we decoded the data in the same way as mentioned in the first scenario.

Note: Identifying the correct function and hardcoded key isn’t easy; it will take time, so be patient.