#IOS

  1. Apple’s use of Swift in iOS 11.1 and macOS 10.13.1

    A year ago I analyzed how many built-in apps in iOS 10.1 and macOS 10.12 were using Swift: Apple’s use of Swift in iOS 10.1 and macOS 10.12. How many built-in apps are using Swift in iOS 11.1 and macOS 10.13.1? Let’s find out! Tool to detect binaries using Swift: Last year I explained how to write a script that loops through all the files of a folder and prints the paths of binaries using Swift.
  2. Deobfuscating libMobileGestalt keys

    `/usr/lib/libMobileGestalt.dylib` is a private library which provides an API to retrieve the capabilities of the iOS device, as well as some runtime information: system version, build version, device type, current status of the airplane mode, … The implementation is similar to a key-value database. The library exposes a simple function to retrieve the value for a specified key: `id MGCopyAnswer(NSString *inKey);`. When calling this method with a key, it returns the associated value stored in the database, or nil if the key does not exist.
  3. mach_portal: Improve amfid patch to support fat binaries

    Ian Beer did incredible work with his iOS 10.1.1 exploit. The mach_portal proof of concept gives you a root shell on iOS 10.1.1. You can read more about it here: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 While playing with it, I discovered that the amfid patch only supported thin arm64 binaries. I did not find a fix online, so here is my solution. amfid patch: In this PoC, amfid is patched to allow any signatures and entitlements.
  4. Apple’s use of Swift in iOS 10.1 and macOS 10.12

    Swift was announced at WWDC 2014, more than 2 years ago. Most of the sample code projects from Apple are now written in Swift. But does Apple use Swift in iOS 10.1 and macOS 10.12.1? How to detect if a binary is using Swift? A naïve approach would be to check if an app contains the Swift libraries in its Frameworks folder: libswiftCore.dylib, libswiftFoundation.dylib, … Here is the content of the Frameworks folder of the MRT.
  5. Checking if Reduced Motion is enabled on iOS 7

    In iOS 7.0.3, Apple introduced a setting to reduce motion (http://support.apple.com/kb/HT5595): Settings -> General -> Accessibility -> Reduce Motion. Sadly, there is no public API to know if the user enabled “Reduce motion”. Here is how to get the value of this setting using a private API. Note that you should not use this code for applications submitted to the App Store. #include <dlfcn.h> + (BOOL) reduceMotionEnabled { BOOL (*_UIAccessibilityReduceMotionFunction)(void) = (BOOL (*)(void)) dlsym(RTLD_DEFAULT, "_UIAccessibilityReduceMotion"); if(_UIAccessibilityReduceMotionFunction !
  6. Detecting the iOS device hardware architecture (32-bit/64-bit)

    In a previous post I explained how to detect if an app runs in a 32-bit or 64-bit iOS Simulator. It did not explain how to detect if an iOS app runs on a 32-bit or 64-bit iOS device. This post aims at giving a generic method that can detect all cases: a 32-bit application running in a 32-bit iOS Simulator; a 32-bit application running in a 64-bit iOS Simulator; a 64-bit application running in a 64-bit iOS Simulator; a 32-bit application running on a 32-bit iOS device; a 32-bit application running on a 64-bit iOS device; a 64-bit application running on a 64-bit iOS device. Below is the method is64bitHardware.
  7. Detecting if an app runs in a 32-bit or 64-bit iOS Simulator

    With Xcode 5, it is now possible to compile an application for armv7 and/or arm64. You can compile an application as 32-bit and/or as 64-bit and you can run this application in a 32-bit or 64-bit iOS Simulator. In fact there are 3 different cases: a 32-bit application running in a 32-bit iOS Simulator; a 32-bit application running in a 64-bit iOS Simulator; a 64-bit application running in a 64-bit iOS Simulator. It is possible to distinguish these 3 different cases, but this is not as easy as I would have expected.