iOS

In this tutorial we show how to do function tracing on your iOS device.

Setting up your iOS device

First off, you will need to jailbreak your device in case you haven’t done so already. Also, we recommend using iOS 7.x as we haven’t performed any recent regression tests on earlier versions. Next, start Cydia and add Frida’s repository by going to Manage -> Sources -> Edit -> Add and enter http://ospy.org. You should now be able to find and install the Frida package which lets Frida inject JavaScript into apps running on your iOS device. This happens over USB, so you will need to have your USB cable handy, though there’s no need to plug it in just yet.

A quick smoke-test

Now, back on your Windows or Mac system it’s time to make sure the basics are working. Run:

$ frida-ps -U

Unless you already plugged in your device, you should see the following message:

Waiting for USB device to appear...

Plug in your device, and you should see a process list along the lines of:

PID NAME
 488 Clock
 116 Facebook
 312 IRCCloud
1711 LinkedIn
…

Great, we’re good to go then!

Tracing crypto calls in the Twitter app

Alright, let’s have some fun. Fire up the Twitter app on your device, and while making sure it stays in the foreground without the device going to sleep, go back to your desktop and run:

$ frida-trace -U -i 'CCCryptorCreate*' Twitter
Uploading data...
CCCryptorCreate: Auto-generated handler …/CCCryptorCreate.js
CCCryptorCreateFromData: Auto-generated handler …/CCCryptorCreateFromData.js
CCCryptorCreateWithMode: Auto-generated handler …/CCCryptorCreateWithMode.js
CCCryptorCreateFromDataWithMode: Auto-generated handler …/CCCryptorCreateFromDataWithMode.js
Started tracing 4 functions. Press ENTER to stop.

Now, CCryptorCreate and friends are part of Apple’s libcommonCrypt.dylib, and is used by many apps to take care of encryption, decryption, hashing, etc.

Reload your Twitter feed or exercise the UI in some way that results in network traffic, and you should see some output like the following:

3979 ms	CCCryptorCreate()
  3982 ms	CCCryptorCreateWithMode()
  3983 ms	CCCryptorCreate()
  3983 ms	CCCryptorCreateWithMode()

You can now live-edit the aforementioned JavaScript files as you read man CCryptorCreate, and start diving deeper and deeper into your iOS apps.