TrustKit: Code Injection on iOS 8 for The Greater Good

by Alban Diquet, Eric Castro, Angela On-kit Chow
Sept. 19, 2017, Black Hat

In the pre-iOS 8 world, all code had to be statically linked into the App's binary. Apple now allows third-party frameworks and libraries to be embedded in an App's package and dynamically loaded at runtime, as the App needs them. We will describe exactly what has changed and why, and the new opportunities this provides to mobile and security engineers. Along the way, we will give a quick overview of the library loading mechanism on iOS, show how to perform function hooking in a non-jailbroken environment, and explain how developers can take advantage of this functionality. We will then present a new open-source library for iOS that leverages these mechanisms: TrustKit. TrustKit provides universal SSL public key pinning (NSURLSession, NSURLConnection, UIWebView, Cordova, etc.) and can be deployed within an App in a matter of minutes, without modifying the App's source code.