#Programming

  1. VPNStatus, a replacement for macOS builtin VPN Status

    In this post I present VPNStatus, an application that replicates some functionalities of the macOS built-in VPN status menu: list the VPN services and their status; connect to a VPN service; disconnect from a VPN service; possibility to auto connect to a VPN service if the application is running. This application also allows auto connecting to an IKEv2 VPN service, something that is currently not possible on macOS.
    [Read More]
  2. macOS VPN architecture from System Preferences down to nesessionmanager

    macOS 10.13 contains a built-in VPN client that natively supports L2TP over IPSec as well as IKEv2. In this post I describe some parts of the internal architecture of the macOS VPN client. This information will be used in a following article to build an application that replicates some functionalities of the VPN status in the menu bar. This application will also allow auto connecting to an IKEv2 VPN service, something that is currently not possible on macOS.
    [Read More]
  3. Apple’s use of Swift in iOS 11.1 and macOS 10.13.1

    A year ago I analyzed how many built-in apps in iOS 10.1 and macOS 10.12 were using Swift: Apple’s use of Swift in iOS 10.1 and macOS 10.12. How many built-in apps are using Swift in iOS 11.1 and macOS 10.13.1? Let’s find out! Tool to detect binaries using Swift: Last year I explained how to write a script that loops through all the files of a folder and prints the paths of binaries using Swift.
    [Read More]
  4. Swift: Banning force unwrapping optionals

    Swift Optionals and force unwrapping: The Swift programming language supports optional types, which handle the absence of a value. An optional represents two possibilities: Either there is a value and you can unwrap the optional to access that value, or there isn’t a value at all. Here is how you can declare an optional variable in Swift: var myOptionalString: String? The myOptionalString variable can contain a string value or nil.
    [Read More]
  5. Facebook.app for iOS [v. 88.0] cleans up duplicates

    This post follows up the Analysis of the Facebook.app for iOS [v. 87.0]. The version 88.0 of the Facebook.app has now been released: As you can see from the smaller download size, the duplicated resources have been removed. This is confirmed by looking at the app content using GrandPerspective: Only some really small resources escaped the cleanup. The ‘FBFacecastTipJarResources’ resources are indeed still duplicated. Example: Facebook.app/Frameworks/FBSharedFramework.framework/FBFacecastTipJarResources/tip3b.json.gz and Facebook.app/Frameworks/FBSharedFramework.framework/tip3b.json.gz
    [Read More]
  6. Analysis of the Facebook.app for iOS [v. 87.0]

    6 months ago I analyzed the version 66.0 of the Facebook.app for iOS: https://blog.timac.org/2016/1018-analysis-of-the-facebook-app-for-ios The version 66.0 was a 165 MB app on an iPad Air 2 (64-bit). It was a monolithic app with its main binary being more than 100 MB. The version 87.0 is now available: 253 MB on the same iPad Air 2 with only 64-bit code. In just 6 months, the Facebook.app size grew by 88 MB!
    [Read More]
  7. Deobfuscating libMobileGestalt keys

    /usr/lib/libMobileGestalt.dylib is a private library which provides an API to retrieve the capabilities of the iOS device, as well as some runtime information: system version, build version, device type, current status of the airplane mode, … The implementation is similar to a key-value database. The library exposes a simple function to retrieve the value for a specified key: id MGCopyAnswer(NSString *inKey); When calling this method with a key, it returns the associated value stored in the database, or nil if the key does not exist.
    [Read More]
  8. mach_portal: Improve amfid patch to support fat binaries

    Ian Beer did incredible work with his iOS 10.1.1 exploit. The mach_portal proof of concept gives you a root shell on iOS 10.1.1. You can read more about it here: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 While playing with it, I discovered that the amfid patch only supported thin arm64 binaries. I did not find a fix online so here is my solution. amfid patch: In this PoC amfid is patched to allow any signatures and entitlements.
    [Read More]
  9. Testing if an arbitrary pointer is a valid Objective-C object

    Let’s say you pick a random pointer. Can we know if it points to a valid Objective-C object? Of course without crashing… Well there is no simple solution. In this post I give a solution for 64-bit architectures. The code provided has only been tested on macOS 10.12.1 and iOS 10.1.1 with the modern Objective-C runtime. There is not much documentation available on this subject. There is one article written in 2010 by Matt Gallagher but the content is outdated and not working properly anymore.
    [Read More]
  10. Apple’s use of Swift in iOS 10.1 and macOS 10.12

    Swift was announced at WWDC 2014, more than 2 years ago. Most of the sample code projects from Apple are now written in Swift. But does Apple use Swift in iOS 10.1 and macOS 10.12.1? How to detect if a binary is using Swift? A naïve approach would be to check if an app contains the Swift libraries in its Frameworks folder: libswiftCore.dylib, libswiftFoundation.dylib, … Here is the content of the Frameworks folder of the MRT.
    [Read More]