Question

I want to understand how to implement a key logger for iOS. And how can I avoid having keys logged in my application if iKeyMonitor (for example) is installed on the device?

After research I found that ikeyMonitor installs the following files on the device:

Library/Caches/.keycache
Library/MobileSubstrate/DynamicLibraries/MobileSafe.dylib
Library/MobileSubstrate/DynamicLibraries/MobileSafe.plist
Library/MobileSubstrate/DynamicLibraries/keychain.dylib
Library/MobileSubstrate/DynamicLibraries/keychain.plist

Of course it requires MobileSubstrate.

In .keycache there are some HTML files that I can open in Safari with the URL localhost:8888.

In the plists there is only the com.apple.springboard filter, which means that MobileSafe.dylib (and all hooks) will be applied only to the SpringBoard app.

Even if I don't use the default keyboard view in my app for editing a UITextField, the keylogger still works. This means that hooks are applied on UITextField.

After using class-dump for SpringBoard.app I didn't find any methods that can be related to UITextField's implementation. After using class-dump for MobileSafe.dylib I didn't find any implementation that can be substituted for UITextField either (maybe because it is written in C). I think that I should analyze MobileSafe.dylib dynamically with gdb.

  1. How can the SpringBoard (that is in plist com.apple.springboard) app have an effect on UITextField class implementation? If I use method swizzling for UITextField in the dylib for com.apple.springboard will it work in other applications too?

  2. What is the general difference between MobileLoader and MobileHooker? At what moment will changes from MobileHooker be applied to my system?

  3. What should I do to hook a method from UIKit (for example UITextField methods), and change its implementation for all apps on my device?

  4. What method for analyzing iKeyMonitor can you advise me to use?


Solution

  1. If it uses SpringBoard in the filter then it can only affect SpringBoard; to hook all applications you use UIKit as the filter (more on that in 3).

  2. My understanding of the two is that MobileLoader loads your code into the running application and, when this happens, functions with the constructor attribute `__attribute__((constructor))` are called. In one of these constructors, MobileHooker functions are called to replace pre-existing functions/methods in the application. As for when the changes are applied: since they are changed in constructors, they should be changed before any of them are actually called.

  3. You simply use the com.apple.UIKit filter (which, by the way, is what the keychain.dylib in iKeyMonitor uses).

  4. class-dump does not show the hooked classes and methods of a tweak because they are not Objective-C methods; instead they are functions. The best option would be a disassembler like IDA: hex-rays.com/products/ida/index.shtml
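As an added example, not part of the question or answer above, here is a check an app could run at startup to see whether MobileSubstrate tweak libraries have been loaded into its own process, using the file names from the question (MobileSafe.dylib, keychain.dylib, the DynamicLibraries directory) as indicators. On iOS it walks the dyld image list; on Linux it reads /proc/self/maps so the same logic can be exercised on a desktop. The indicator names and the decision to refuse sensitive input on a hit are this example's assumptions.

```c
/* Added example (not from the original post): detect MobileSubstrate tweak
 * images mapped into the current process. Heuristic only: a tweak loaded via
 * MobileLoader runs in a constructor before main() and could hook the very
 * APIs used here, so treat a hit as a signal, not absence as proof of safety. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

/* Indicator check on one image path. Matches anything loaded from the
 * MobileSubstrate tweak directory, the substrate library itself, or the two
 * dylib names iKeyMonitor installs (names taken from the question above). */
bool is_tweak_image(const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strstr(path, "/MobileSubstrate/DynamicLibraries/")) return true;
    if (strstr(path, "MobileSubstrate.dylib")) return true;
    if (strcmp(base, "MobileSafe.dylib") == 0) return true;
    if (strcmp(base, "keychain.dylib") == 0) return true;
    return false;
}

/* Returns the number of suspicious image mappings found in this process,
 * or -1 if the image list could not be read. */
int count_loaded_tweak_images(void) {
    int hits = 0;
#ifdef __APPLE__
    uint32_t n = _dyld_image_count();           /* images dyld has loaded */
    for (uint32_t i = 0; i < n; i++) {
        const char *name = _dyld_get_image_name(i);
        if (name && is_tweak_image(name)) hits++;
    }
#else
    FILE *f = fopen("/proc/self/maps", "r");     /* Linux stand-in for dyld */
    if (!f) return -1;
    char line[1024];
    while (fgets(line, sizeof line, f)) {
        char *path = strchr(line, '/');          /* pathname column, if any */
        if (!path) continue;
        path[strcspn(path, "\n")] = '\0';
        if (is_tweak_image(path)) hits++;
    }
    fclose(f);
#endif
    return hits;
}

int main(void) {
    int hits = count_loaded_tweak_images();
    if (hits > 0) printf("tweak images present: %d, disabling sensitive input\n", hits);
    else printf("no MobileSubstrate tweak images detected (%d)\n", hits);
    return 0;
}
```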

Licensed under: CC-BY-SA with attribution