Full Report
Mobile assessments are always fun as the environment is constantly evolving. A recent trend has been the use of custom protocols for communication between the application and server. This holds particularly true for financial institutions that aim to protect both the confidentiality and integrity of data. Most of these custom protocols run over TCP and wrap data in custom crypto, which usually includes signing the payload to prevent tampering. Even when transmitted over HTTPS, we have noticed a trend where data within the HTTP body gets encrypted and signed using some custom crypto. Both of these processes can greatly frustrate testers using standard network intercepting tools.
Analysis Summary
# Tool/Technique: Cycript and Substrate
## Overview
Cycript and Cydia Substrate are powerful tools used primarily on jailbroken iOS devices to interact with running applications at runtime and dynamically inject code. This combination is employed by mobile security testers to reverse-engineer, debug, and bypass application protections, particularly when facing challenges like custom network protocols, certificate pinning, or jailbreak detection, without needing to patch the application binary.
## Technical Details
- Type: Tool/Framework (Dynamic Instrumentation)
- Platform: iOS (the article also mentions that Substrate is available, and equally powerful, on Android)
- Capabilities: Dynamic code injection, runtime method hooking (swizzling), inspecting application state, logging data from within the application process.
- First Seen: The article was published in March 2016, discussing established tools.
## MITRE ATT&CK Mapping
This mapping covers techniques used for **Analysis** and **Defense Evasion** during penetration testing or adversary operations on mobile platforms.
- **T1055 - Process Injection**
  - T1055.012 - OS Specific Secondary Channel
  - *Mapping Rationale: Cycript/Substrate dynamically injects instrumentation/code into a running application process.*
- **T1027 - Obfuscated Files or Information**
  - T1027.004 - Compile-Time, Bytecode, or Output Obfuscation
  - *Mapping Rationale: By hooking functions, testers analyze data (like encrypted payloads) before or after encryption, effectively bypassing network-level obfuscation.*
- **T1564 - Impair Defenses**
  - T1564.003 - Disable or Bypass Security Features
  - *Mapping Rationale: Used to bypass runtime checks like jailbreak detection.*
## Functionality
### Core Capabilities
- **Dynamic Injection:** Allows testers to attach to a running process (via PID or Application Name) to gain an interactive console session.
- **Method Swizzling (Basic):** Replacing existing application methods with custom code.
- **Runtime Inspection:** Ability to examine internal application state, properties, and method signatures.
- **Scripting:** Ability to load custom Cycript script files (`.cy`) for repetitive tasks (e.g., setting up custom logging functions).
### Advanced Features
- **Function/Message Hooking:** Advanced use of Substrate functions (`MS.hookMessage` for instance methods and `hookFunction` for class methods) to intercept function calls.
- **Argument Manipulation:** The ability to modify arguments passed into hooked functions *before* they execute, allowing testers to alter data sent over custom protocols (e.g., changing payloads) without needing decryption keys or proxying.
- **Custom Logging:** Techniques demonstrated for setting up custom logging (e.g., to the system log via `NSLog`) to capture internal application data, such as unencrypted JSON payloads sent over custom network protocols.
## Indicators of Compromise
Since Cycript/Substrate are primarily analysis/testing tools used by security professionals (or red teamers), the indicators below relate to the *deployment* of these tools on a target device, suggesting a targeted assessment or compromise.
- File Hashes: [N/A based on article content]
- File Names: `cycript`, `common.cy` (custom script file)
- Registry Keys: [N/A - Mobile context, uses filesystem/Cydia setup]
- Network Indicators: [N/A - The tools themselves are primarily local execution/injection tools]
- Behavioral Indicators:
  - Attachment of a debugging process (`cycript`) to a legitimate application process.
  - Dynamic manipulation of Objective-C method dispatch tables observed in memory analysis.
  - Excessive use of IPC (Inter-Process Communication) to relay data to external logging tools (e.g., `socat` connecting to syslog).
## Associated Threat Actors
The context suggests these are tools used by **Mobile Penetration Testers**, **Security Researchers**, or potentially **Adversaries** performing detailed reverse engineering to bypass financial application security measures. No specific APT group is named regarding the *use* of Cycript/Substrate in this article, only the *application* of the technique against financial institutions.
## Detection Methods
Detection focuses on recognizing the unauthorized execution or modification of running processes on the host mobile device.
- Signature-based detection: [N/A for runtime instrumentation tools outside of known Cydia/Substrate installations]
- Behavioral detection: Monitoring for dynamic library loading (`MSSubstrate`) within non-system binaries, or unusual process attachment behaviors.
- YARA rules if available: [N/A based on article content]
## Mitigation Strategies
The primary defense against the techniques described is hardening the application against runtime manipulation, a standard approach in mobile application security.
- Prevention measures: Implementing **Strong Jailbreak Detection** mechanisms that monitor application integrity and runtime environment changes.
- Hardening recommendations:
  1. **Code Hardening:** Utilize compilers/linkers that make dynamic hooking more difficult (though rarely insurmountable).
  2. **Runtime Integrity Checks:** Implement checks on function addresses and method tables.
  3. **Obfuscate Sensitive Logic:** Move decryption/signing logic away from easily hookable Objective-C runtime interfaces where possible (the article shows that hooking captures data before it is encrypted, so encrypting the payload and sending it over HTTPS does not by itself prevent interception).
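Recommendation 2 (runtime integrity checks on function addresses and method tables), as an added example that is not from the article or from the Cycript/Substrate projects: a plain C dispatch table of function pointers stands in for an Objective-C method list; its implementation pointers and the first bytes of each function are snapshotted at startup and re-verified later, so a swizzled pointer or an inline patch is detected. The table, the `op_*` operations, `PROLOGUE_BYTES` and the simulated hook are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define TABLE_SIZE 3
#define PROLOGUE_BYTES 16   /* leading code bytes of each function checked for inline patches */
typedef int (*handler_fn)(int);

/* Constructed stand-ins for the app's sensitive sign/encrypt/send operations. */
static int op_sign(int x)    { return x * 31 + 7; }
static int op_encrypt(int x) { return x ^ 0x5a5a; }
static int op_send(int x)    { return x + 1; }

/* Dispatch table a runtime hook would redirect (stand-in for the Objective-C method list). */
handler_fn dispatch[TABLE_SIZE] = { op_sign, op_encrypt, op_send };

/* Baseline recorded at startup: expected implementation pointers plus a hash of each prologue. */
static struct { handler_fn addr[TABLE_SIZE]; uint64_t code_hash[TABLE_SIZE]; } baseline;

static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* View a function's code as bytes; the uintptr_t hop avoids a function->object pointer cast. */
static uint64_t hash_prologue(handler_fn f) {
    return fnv1a((const unsigned char *)(uintptr_t)f, PROLOGUE_BYTES);
}

/* Capture before any hook could plausibly be installed (e.g. from a constructor). */
void baseline_capture(void) {
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        baseline.addr[i]      = dispatch[i];
        baseline.code_hash[i] = hash_prologue(dispatch[i]);
    }
}

/* Returns 1 if every entry still points where it did and its prologue is intact, else 0. */
int baseline_verify(void) {
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (dispatch[i] != baseline.addr[i]) return 0;                    /* pointer swizzled */
        if (hash_prologue(dispatch[i]) != baseline.code_hash[i]) return 0; /* inline patch */
    }
    return 1;
}

/* Test helpers: a simulated hook that logs the plaintext argument and forwards to the original. */
static int logging_sign(int x) { printf("before signing: %d\n", x); return op_sign(x); }
void simulate_hook(void) { dispatch[0] = logging_sign; }
void restore_table(void) { dispatch[0] = op_sign; }
```

In an Objective-C app the snapshot would compare the implementation pointers the runtime reports per selector (`class_getMethodImplementation`) rather than a C array, and the verifier itself is hookable, so it should run from several call sites and its result should not be a single easily patched boolean.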
## Related Tools/Techniques
- **Clutch:** Used to obtain unencrypted IPA copies for header dumping.
- **class-dump-z:** Used to generate header files to identify target functions/selectors.
- **Frida/Objection:** Modern dynamic instrumentation frameworks often used as alternatives or successors to Cycript/Substrate tooling.