Chapter 7. Manipulating the Runtime

Objective-C, like many modern languages, is a reflective language; it can observe and modify its own behavior at runtime. Reflection allows program instructions to be treated like data, allowing a program to make modifications to itself. The Objective-C runtime allows a program not only to create and call ad hoc methods, but to create ad hoc classes and methods on the fly. Objective-C is also based upon a simple Smalltalk-esque messaging framework; methods aren’t “called” in the sense of traditional subroutines, but rather are sent messages. If you know the right station to tune into, you can intercept these messages and see what’s going on in a program. And if you know the right way to send messages—then you can really start to manipulate what happens inside an Objective-C application. This chapter will demonstrate how an attacker can manipulate and abuse the runtime of your Objective-C application to cause your application to malfunction on his behalf. Bypassing security locks, breaking logic checks, accessing privileged parts of your application, or stealing memory—all of these, and more, can be performed by an attacker using his own jailbroken device and a stolen copy of a victim’s application data.

Manipulating the runtime of an application feels a lot like social engineering; you’re essentially telling an application “create this object,” or “change the contents of this variable” while it’s running, seemingly fooling it into thinking that ...

Get Hacking and Securing iOS Applications now with the O’Reilly learning platform.