An analyst can also submit IPA archives for analysis. However, only IPAs whose Mach-O executables are decrypted can be executed, because App Store binaries are protected by Apple's FairPlay DRM. The feature is nevertheless useful for analysts who are able, for example, to extract a decrypted IPA from a suspicious device.
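Before submitting an IPA it is worth checking whether its Mach-O files are actually decrypted. The following is an added example (not code from Joe Security or Joe Sandbox I): it walks the `Payload/` directory of an IPA, and for every Mach-O (thin or fat) reads the `cryptid` field of the `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64` load command. A non-zero `cryptid` means the binary is still FairPlay-encrypted and would not run in the sandbox; `0` (or no such load command) means it is decrypted or was never encrypted. The bundle paths and the minimal Mach-O/IPA built by the `build_test_*` helpers are constructed test data, not a real app.

```python
"""Pre-submission check: are the Mach-O executables inside an IPA still FairPlay-encrypted?

Added example, not code from Joe Security or Joe Sandbox I. An App Store binary
carries an LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command; while the
binary is encrypted its cryptid field is non-zero, a decrypted dump or a
developer build has cryptid == 0 (or no such load command at all).
"""
import io
import struct
import zipfile
from typing import Optional

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O (little-endian on iOS)
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE         # universal (fat) container, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def slice_cryptid(data: bytes) -> Optional[int]:
    """cryptid of one thin Mach-O slice, or None if it has no encryption load command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        offset = 32                       # sizeof(struct mach_header_64)
    elif magic == MH_MAGIC:
        offset = 28                       # sizeof(struct mach_header)
    else:
        raise ValueError("not a little-endian Mach-O slice: 0x%08x" % magic)
    ncmds = struct.unpack_from("<I", data, 16)[0]   # same offset in both header layouts
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # struct encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            return struct.unpack_from("<I", data, offset + 16)[0]
        offset += cmdsize
    return None


def macho_cryptids(data: bytes) -> dict:
    """Map slice offset -> cryptid for a thin or fat Mach-O."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        result = {}
        for i in range(nfat):
            # struct fat_arch (big-endian): cputype, cpusubtype, offset, size, align
            _, _, off, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            result[off] = slice_cryptid(data[off:off + size])
        return result
    return {0: slice_cryptid(data)}


def is_macho(blob: bytes) -> bool:
    if len(blob) < 32:
        return False
    return (struct.unpack_from("<I", blob, 0)[0] in (MH_MAGIC, MH_MAGIC_64)
            or struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC)


def ipa_encryption_report(ipa_bytes: bytes) -> dict:
    """Path -> True if any slice of that Mach-O is still encrypted (cryptid != 0)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("Payload/") and not name.endswith("/"):
                blob = zf.read(name)
                if is_macho(blob):
                    report[name] = any(c for c in macho_cryptids(blob).values())
    return report


def build_test_macho(cryptid: int) -> bytes:
    """Constructed minimal arm64 Mach-O with a single LC_ENCRYPTION_INFO_64 command (test data only)."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


def build_test_fat(slices) -> bytes:
    """Constructed fat container around the given thin slices (test data only)."""
    archs, body, off = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off + len(body), len(s), 0)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


def build_test_ipa() -> bytes:
    """Constructed IPA: an encrypted main binary, a decrypted fat framework, a non-Mach-O plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/MyContacts.app/MyContacts", build_test_macho(1))
        zf.writestr("Payload/MyContacts.app/Frameworks/Helper.framework/Helper",
                    build_test_fat([build_test_macho(0), build_test_macho(0)]))
        zf.writestr("Payload/MyContacts.app/Info.plist", b'<plist version="1.0"><dict/></plist>')
    return buf.getvalue()


if __name__ == "__main__":
    for path, encrypted in ipa_encryption_report(build_test_ipa()).items():
        print(("ENCRYPTED " if encrypted else "decrypted ") + path)
```

Run it against a real IPA by passing the file's bytes to `ipa_encryption_report()`; a `True` entry for the main executable means the archive will not execute in the sandbox until a decrypted copy is obtained from a device.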
For this blog post, we have created a small demonstration app that behaves maliciously. It is called MyContacts and is meant to act as a simple contact viewer and caller. The IPA file was submitted with Live Interaction enabled.
Joe Sandbox I takes screenshots periodically throughout the app's execution, saving only the images that changed. The resulting report shows the screenshotting feature prominently; the most interesting screenshot is shown at the beginning:
In the "Screenshots" section, all captured shots can be viewed interactively in a slideshow or as thumbnails. Here we see how the app requested permission to access the contacts database and the microphone, and then tried to call a number other than the one selected:
Signatures and Classification
Joe Sandbox I has a growing set of roughly 230 behavior signatures that rate and classify the observed behavior. With the signature overview, a malware analyst can swiftly assess whether an app's behavior is malicious. Here we see that MyContacts does behave maliciously and has capabilities considered to indicate malicious intent, for example, its capability to install and launch apps:
This excerpt shows all triggered behavior signatures:
The classification spider graph consolidates the behavior signature ratings in order to show what type of malware we are likely looking at:
Network Capturing and HTTPS Inspection
An important feature of app analysis is network analysis. Joe Sandbox I can analyze common protocols like HTTP and DNS, but also less frequently used ones such as FTP, SMTP, etc. Encrypted traffic can also be intercepted. Here we see how MyContacts leaks email addresses and phone numbers over HTTPS:
This behavior was rated by our signatures as malicious:
A core part of any malware sandbox is its ability to trace behavior. Joe Sandbox I intercepts interesting APIs, such as file accesses or sysctl requests. Here we see how the app opens the previously requested URL:
We also see that email and contact information is being encrypted:
Static Analysis – IPA Archive
In addition to dynamic analysis, the app is also analyzed statically. This is done on two levels: the app's IPA archive as well as the app's executable. For App Store apps, the installation directory on the device is analyzed instead.
Here we see the content of the IPA archive:
Interesting file types, such as Plist and Mach-O files, are extracted and further analyzed. This excerpt shows the property list (Plist) extracted from the app's "embedded.mobileprovision" file; it reveals that the app can be provisioned to any device:
This is an indication that the app could bypass Apple's App Store review if it abuses an enterprise certificate intended for in-house app distribution.
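The "provisioned to any device" finding comes from the `ProvisionsAllDevices` key of the provisioning profile. The following is an added example (not Joe Sandbox I code) that performs the same extraction: it pulls `Payload/*.app/embedded.mobileprovision` out of an IPA, locates the XML plist inside the CMS (PKCS#7) envelope, and classifies the profile as enterprise (`ProvisionsAllDevices`), ad hoc/development (`ProvisionedDevices` UDID list) or App Store (neither), alongside the team name, application identifier, `get-task-allow` entitlement and expiry. It locates the plist by its markers and does not verify the CMS signature (that is what `openssl smime -verify` would add). The team name, app identifier, UDID and the envelope bytes in `build_test_ipa()` are constructed test data.

```python
"""Extract embedded.mobileprovision from an IPA and summarize what it permits.

Added example, not code from Joe Security or Joe Sandbox I. The profile is a
CMS SignedData blob whose payload is an XML plist. Keys that matter:
  ProvisionsAllDevices == True -> enterprise (in-house) profile: installs on
                                  any device without App Store review
  ProvisionedDevices present    -> ad hoc / development profile limited to
                                  the listed UDIDs
  neither                       -> App Store distribution profile
"""
import datetime
import io
import plistlib
import zipfile
from typing import Optional


def extract_profile_plist(profile_bytes: bytes) -> dict:
    """Pull the XML plist out of the CMS envelope without verifying the signature."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found inside the provisioning profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def classify_profile(profile: dict, now: Optional[datetime.datetime] = None) -> dict:
    # plistlib returns naive UTC datetimes, so compare against a naive UTC "now"
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    ent = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif "ProvisionedDevices" in profile:
        kind = "adhoc-or-development"
    else:
        kind = "appstore"
    exp = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": ent.get("application-identifier"),
        "debuggable": bool(ent.get("get-task-allow", False)),
        "device_count": len(profile.get("ProvisionedDevices", [])),
        "expired": exp is not None and exp < now,
    }


def profile_from_ipa(ipa_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                return extract_profile_plist(zf.read(name))
    raise FileNotFoundError("embedded.mobileprovision not found under Payload/*.app/")


def analyze_ipa(ipa_bytes: bytes, now: Optional[datetime.datetime] = None) -> dict:
    return classify_profile(profile_from_ipa(ipa_bytes), now)


def build_test_ipa(provisions_all: bool, expired: bool = False) -> bytes:
    """Constructed IPA with a fake provisioning profile (test data, not a real signed profile)."""
    profile = {
        "AppIDName": "MyContacts",
        "TeamName": "Example Corp (constructed)",
        "ExpirationDate": datetime.datetime(2015, 1, 1) if expired else datetime.datetime(2030, 1, 1),
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.mycontacts",  # hypothetical
            "get-task-allow": False,
        },
    }
    if provisions_all:
        profile["ProvisionsAllDevices"] = True
    else:
        profile["ProvisionedDevices"] = ["00008030-000000000000002E"]       # constructed UDID
    body = plistlib.dumps(profile, fmt=plistlib.FMT_XML)
    # Constructed stand-in for the DER/CMS framing around the plist (not a valid signature).
    wrapped = b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + body + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/MyContacts.app/embedded.mobileprovision", wrapped)
        zf.writestr("Payload/MyContacts.app/Info.plist", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(analyze_ipa(build_test_ipa(provisions_all=flag)))
```

A `kind` of `enterprise` on an app that presents itself as a consumer product is the finding the report above highlights; combining it with `debuggable` (`get-task-allow`) and `expired` tells the analyst whether the sample was a developer build, an in-house distribution, or a profile that no longer installs at all.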
Static Analysis – Disassembly
Joe Sandbox I extracts all interesting functions from the app's Mach-O if it is not encrypted. For App Store submissions, the binary is decrypted from memory and then statically analyzed. The report then presents the ARM disassembly as well as meta information, if available.
Here we see an excerpt of a function that performs a jailbreak check:
It is worth mentioning that Joe Sandbox's integrated search functionality lets the analyst easily search through the report. Each search hit provides additional information:
We have demonstrated the power of Joe Sandbox I, which enables an analyst to swiftly understand and detect threats that target iOS systems. We have shown that apps from the App Store as well as IPA files can be analyzed. With the help of the Live Interaction feature, the analyst can seamlessly interact with the app. Standard features like screenshotting and network capturing were illustrated, including the interception of encrypted traffic. We then demonstrated the dynamic API analysis capabilities. Finally, static analysis features for Plists and Mach-O files as well as disassembly were shown.
Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!
Joe Sandbox I is intended for malware analysis only and does not provide decrypted IPA files from the App Store. The iPhone analysis device has no SIM installed and provides no physical camera or microphone access. With Joe Sandbox I, analysts can only analyze apps; they do not get access to iPhone services such as phone calls, SMS, photography, etc.