securing / IOSSecuritySuite

iOS platform security & anti-tampering Swift library
https://www.securing.biz/

Changes since Frida 12.7.12 for injecting Frida-Gadget #8

Closed sushi2k closed 4 years ago

sushi2k commented 4 years ago

Hi,

I was just testing the new feature since Frida 12.7.12, where the Frida Gadget can be installed in a running iOS app on a non-jailbroken device that is running in debug mode (repackaging with the Frida-gadget is not needed anymore):

Changes in 12.7.12: Full-featured iOS lockdown integration and unified devices, so Frida-based tools don’t need to worry as much about jailed vs jailbroken. When interacting with a jailed iOS device, Gadget is now injected automatically and there is no need to repackage the app, it only has to be debuggable. (https://frida.re/news/2019/09/18/frida-12-7-released/)

See also: https://www.nowsecure.com/blog/2020/01/02/how-to-conduct-jailed-testing-with-frida/

I was testing this with the sample app that I created (https://github.com/sushi2k/SwiftSecurity). There was no Frida server running on the iOS device, the app was not re-packaged with Frida and just in debug mode. When I was attaching Frida to the running process the frida-gadget was injected and I got the Frida CLI:

$ frida -U "SwiftSecurity"
     ____
    / _  |   Frida 12.8.5 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/

[iPhone::SwiftSecurity]-> Frida.version
"12.8.5"

But in the app when I press the button "Check for RE Tools" it's not detecting Frida, and it looks like this https://github.com/sushi2k/SwiftSecurity/blob/master/swiftsecurity.png?raw=true

If I start the Frida-server on the jailbroken phone, the button turns red. As the frida-gadget is injected into the app the library should be able to detect it (see https://github.com/securing/IOSSecuritySuite/blob/master/IOSSecuritySuite/ReverseEngineeringToolsChecker.swift#L18).

Any idea why your library is not detecting this "new" injection mechanism in Frida?

Sorry if this post became a bit too long and complicated...

r3ggi commented 4 years ago

Hey @sushi2k,

I have to investigate that. Probably that Frida's mode gets the task port of the inspected process and does not load any new module :-)

sushi2k commented 4 years ago

Was just surprised that the frida-gadget wasn't detected in memory. Seems we need to dig a little bit deeper into that :-)

r3ggi commented 4 years ago

Seems that Frida acts like a debugger and uses the com.apple.debugserver to inject to the processes (https://github.com/frida/frida-core/blob/69f9f1baf0bdb744ed651652b0e546eae624b071/src/fruity/fruity-host-session.vala#L405)

You can use IOSSecuritySuite.denyDebugger() and see that Frida will be unable to inject its gadget.

r3ggi commented 4 years ago

Alright, I probably have a solution :-)

I monitored what flags in the process' kp_proc structure are modified when Frida is attached. Turns out that P_SELECT is set, so we can detect that.

The code below should work (requires further testing, I'm afraid of possible false positives):

private static func checkPSelectFlag() -> Bool {
    // Ask the kernel for this process's own kinfo_proc entry.
    var kinfo = kinfo_proc()
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
    var size = MemoryLayout<kinfo_proc>.stride
    let sysctlRet = sysctl(&mib, UInt32(mib.count), &kinfo, &size, nil, 0)

    if sysctlRet != 0 {
        print("Error occurred when calling sysctl(). This check may not be reliable")
    }

    // P_SELECT was observed to be set on the process while Frida is attached.
    return (kinfo.kp_proc.p_flag & P_SELECT) != 0
}

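A fuller version of this check, added here as an example and not code from the issue or from IOSSecuritySuite: it reads the same kinfo_proc entry, reports both the P_TRACED bit (debugger attached) and the P_SELECT bit, treats a failed sysctl as "unknown" rather than "not detected", and keeps a baseline so the before/after flag comparison described above can be repeated when judging false positives. It assumes the Darwin module exposes kinfo_proc, P_TRACED and P_SELECT; the type and function names are my own.

```swift
import Darwin

/// Added example, not part of the issue or the library.
/// Snapshot of kp_proc.p_flag for the current process.
struct ProcessFlagSnapshot {
    let flags: Int32      // raw kp_proc.p_flag value
    let traced: Bool      // P_TRACED: a debugger is attached via ptrace
    let selectSet: Bool   // P_SELECT: bit seen set while Frida is attached (per the thread)

    /// Bits that differ from an earlier snapshot. Lets a tester take a
    /// baseline at launch and later see exactly which flags flipped,
    /// the same before/after comparison used to find P_SELECT above.
    func changedFlags(since baseline: ProcessFlagSnapshot) -> Int32 {
        return flags ^ baseline.flags
    }
}

/// Returns nil when sysctl fails, so a failed query is never reported
/// as "nothing attached" (the snippet in the thread only printed a warning).
func readProcessFlags() -> ProcessFlagSnapshot? {
    var info = kinfo_proc()
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
    var size = MemoryLayout<kinfo_proc>.stride
    let rc = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
    guard rc == 0 else {
        return nil
    }
    let flags = info.kp_proc.p_flag
    return ProcessFlagSnapshot(flags: flags,
                               traced: (flags & P_TRACED) != 0,
                               selectSet: (flags & P_SELECT) != 0)
}

/// Combined verdict: true if either bit is set, false if neither is,
/// nil if the kernel query failed and the caller should fall back to
/// other checks instead of trusting this one.
func attachSuspected() -> Bool? {
    guard let snap = readProcessFlags() else {
        return nil
    }
    return snap.traced || snap.selectSet
}
```

Take one snapshot early at launch and another when the user triggers the check; logging `changedFlags(since:)` on real devices is the quickest way to see whether P_SELECT also flips under normal conditions before relying on it.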
sushi2k commented 4 years ago

Awesome! Thanks for sharing. That is very helpful. We also have a ticket for that, to add this new Frida feature into the MSTG in case you are interested in that ;-) https://github.com/OWASP/owasp-mstg/issues/1624

r3ggi commented 4 years ago

Unfortunately, I'm currently totally out of time. :-(

I'll try to test and add this check to the ISS soon.