From b01b46d2f913375ba7ae33412f64c1fe272decfb Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 18 Mar 2026 19:02:20 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20Taking=20Apart=20iOS=20?= =?UTF-8?q?Apps=E2=80=99=20Anti-Debugging?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/mobile-pentesting/ios-pentesting/README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/ios-pentesting/README.md b/src/mobile-pentesting/ios-pentesting/README.md index 20876ab16e2..fc432cd9465 100644 --- a/src/mobile-pentesting/ios-pentesting/README.md +++ b/src/mobile-pentesting/ios-pentesting/README.md 
@@ -156,6 +156,18 @@ Identification of **protections are present in the binary**: - **Environment Variables**: Check for environment variables that may indicate a debugging session. - **Mach Ports**: Detect if mach exception ports are being used by debuggers. + +#### Anti-Debugging & Anti-Tamper Techniques (Layered Checks) + +Real-world apps often layer pre-exec, on-attach, and continuous checks. Common patterns to look for (and how to neutralize them during testing): + +- **Private API side-channel fingerprinting**: private launch APIs (e.g., `SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions`) are abused to probe for installed bundle IDs (`com.opa334.TrollStore`, `org.coolstar.SileoStore`, `com.tigisoftware.Filza`, etc.) based on return codes/logging. Hook the call and sanitize arguments/return values to emulate a clean device. +- **Self-attestation via code-signing state**: `csops()` with `CS_OPS_ENTITLEMENTS_BLOB` reads entitlements; unexpected values trigger exit. Pair this with integrity checks (CRC32/MD5 of resources, certificate validation, Mach-O metadata like `LC_ENCRYPTION_INFO_64`) to detect re-signing or patching. Instrument these routines and force "expected" results during analysis. +- **Kill-on-attach**: `ptrace(PT_DENY_ATTACH)` combined with `abort()`/`exit()` on attach. Bypass by neutralizing the termination path or hooking `ptrace` to succeed without enforcing denial. +- **Crash forensics sabotage**: overwrite CPU registers before crashing to destroy backtraces. Prefer breakpoints/hooks earlier in the detection path instead of relying on crash logs. +- **Jetsam-based termination**: deliberate memory pressure to trigger jetsam, which yields no normal crash log. Look for large allocations around detection logic and cap/short-circuit them to keep logs. +- **Continuous checks with delayed enforcement**: heartbeat timers re-run detection and enforce later. 
Trace timers/dispatch sources and keep the process alive by bypassing the delayed kill path. + ### Basic Dynamic Analysis Check out the dynamic analysis that [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) perform. You will need to navigate through the different views and interact with them but it will be hooking several classes on doing other things and will prepare a report once you are done. @@ -1199,6 +1211,7 @@ zero-click-messaging-image-parser-chains.md ## **References & More Resources** +- [https://blog.calif.io/p/taking-apart-ios-apps-anti-debugging](https://blog.calif.io/p/taking-apart-ios-apps-anti-debugging) - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering) - [iOS & Mobile App Pentesting - INE](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting) - [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0057/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0057/) @@ -1227,4 +1240,3 @@ zero-click-messaging-image-parser-chains.md {{#include ../../banners/hacktricks-training.md}} -
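Review bot: in the first hunk, each bullet of the new `#### Anti-Debugging & Anti-Tamper Techniques (Layered Checks)` block fuses the app-side check and the tester's counter-measure into one run-on sentence, and the second bullet's "Pair this with integrity checks (CRC32/MD5 of resources, ...)" reads as advice to app developers rather than the "common patterns to look for" the intro sentence promises; suggest a consistent two-part shape per bullet (what the app does and how to recognise it during analysis) and one inline sentence citing the source post, since the only attribution is the reference added at the bottom of the file. Also check the heading level: a `####` inserted directly after the existing "Environment Variables" / "Mach Ports" bullets and before `### Basic Dynamic Analysis` makes it a subsection of the preceding identification section, which overlaps the anti-debugging items already listed there; either merge the overlapping points or cross-reference them.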
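Review bot: in the references hunk, the new entry is a bare URL placed at the head of the list while the section it documents sits in the middle of the file, so readers cannot easily connect the two; the list already mixes bare URLs and titled links (`[iOS & Mobile App Pentesting - INE](...)`), so a titled entry naming the post ("Taking Apart iOS Apps' Anti-Debugging") would fit the existing style and make the provenance of the new subsection findable.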
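Review bot: the last hunk only drops the trailing blank line after the `{{#include ../../banners/hacktricks-training.md}}` directive; that is a harmless whitespace cleanup, and since no `\ No newline at end of file` marker appears the file still ends with a newline, so nothing further is needed here.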