Analyzing iOS is hard for security researchers because unlike its Android rival, iOS is closely guarded and tightly managed by Apple. But a recent publication by Aleph Research, the security research arm of HCL AppScan, describes how iOS can be emulated on the popular QEMU emulator and operated using a command-line processor. While this is not yet an emulation of iOS in its entirety, the setup described provides highly effective tools to analyze iOS and its apps.
But to understand the significance of this publication, it is important to understand why analyzing the security of iOS has been hard for researchers.
iOS is a closed source operating system. Technically speaking, some of its code is open sourced — mostly the code that is common to OSX and iOS — but a lot of it remains closed. This means that it is proprietary to Apple and maintained under its tight control. As a result, security researchers struggle to analyze its inner workings and discover vulnerabilities.
In contrast, open source software is easily viewable and analyzable by anyone. Security researchers have unencumbered access to explore the code and look for vulnerabilities. And when those are found, the developer community often steps in to fix the broken code. Open source software is therefore a classic case of ‘sunlight is the best disinfectant’ — its transparency enables uncovering problems and fixing them.
Running iOS on a popular emulator like Quick Emulator, or QEMU, can help security researchers dissect and inspect its inner workings, and apply security testing techniques like automatic fuzzing to detect new vulnerabilities. So why haven’t they done so already?
It turns out that emulating iOS on QEMU has been an elusive undertaking because Apple’s lack of transparency and documentation makes it hard. In the book ‘MacOS and iOS Internals’ by Jonathan Levin — considered by many the bible of OS internals — Levin writes that “emulation of iOS has been an unofficial “holy grail” of sorts for researchers and reversers”.
In a set of two posts, the first of which was published on June 17, 2019, Jonathan Afek of Aleph Research provides a detailed description of how iOS can be mounted on QEMU. Using the setup described by Afek, AppScan researchers, and also the security research community at large, will now be able to better analyze iOS internals and use their testing tools to identify vulnerabilities in the operating system and its applications.
HCL AppScan is a provider of application security testing tools for web application, APIs and mobile apps. Expert research from the Aleph Research team helps AppScan ensure its testing tools remain current with new technologies and attack tactics. You can visit HCL AppScan at cloud.appscan.com, and read more research from Aleph Research at alephsecurity.com.