Analysis of Obfuscation Techniques Found in FairPlay
nicolodev (via Hacker News):
FairPlay comprises a set of algorithms created by Apple for digital rights management (also called DRM, digital rights management). FairPlay is currently used to manage the decryption of iOS applications during their installation on Apple devices. In fact, we know that Apple distributes all applications in the Apple Store through the IPA file format. The IPA file format contains encrypted information that will then be used by the operating system to install an application. All of the encrypted information is handled through FairPlay, which takes care of keeping the decryption key and the whole process secure to avoid the possibility of decrypting the contents of .ipa files to share the contents of an app (perhaps paid for) in the wrong hands.
[…]
If during processing, such as during decryption, a cryptographic algorithm performs a simple addition, it is possible to make the arithmetic expression more complex. […] I have already written in a previous post how to be able to create these expressions by applying transformation rules. The process Apple used is the same: take a constant from the code, rewrite the constant using arithmetic operators, and then apply the transformations. Do we already have an expression? We continue to apply the rules of transformations. Note that only some transformations can be applied since they do not change the semantics of the original expression. At the end of the process, the expression is translated back into machine language so that it can be reinserted within the binary.
[…]
Opaque predicates are another very “cheap” technique for introducing obfuscation within instructions. This technique consists of introducing some always true or always false conditions that cause the decompiler to explore blocks of instructions with zero utility. The always true or always false conditions include a direct or indirect jump to basic blocks that will never be executed: they do not present additional functionality, they only add complexity to the functions being analyzed.
[…]
Very subtly the stack is moved up (or down, depending on how you want to build the stack).
[…]
We can then see how the basic blocks have all been brought to the same de facto level by horizontally extending the graph of basic blocks. The case of control flow flattening taken to the extreme drives the analyst crazy[…]
If you are wondering how Apple obfuscates its software, the answer is simple: they built some extensions for LLVM that apply code transformation directly to LLVM IR.
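The rewriting process described above (take a constant or a simple addition, rewrite it with arithmetic and bitwise operators, then keep applying only semantics-preserving rules), as an added example that is not from the article or from Apple's LLVM passes: a small rule set applied to an expression tree, with the result checked exhaustively over 8-bit inputs. The tree encoding, rule set and function names are my own.

```python
# Added example (not Apple's or nicolodev's code): mixed boolean-arithmetic
# rewriting as the article describes, plus an exhaustive 8-bit equivalence check.
import itertools
import operator
MASK = 0xFF  # 8-bit values, so all 65536 (x, y) pairs can be checked

# Rewrite rules on tuple trees (op, args...); leaves are variable names or ints.
# Each right-hand side equals its left-hand side, so semantics are preserved.
def rewrite_add(a, b):       # a + b == (a ^ b) + 2 * (a & b)
    return ("+", ("^", a, b), ("*", 2, ("&", a, b)))
def rewrite_sub(a, b):       # a - b == a + ~b + 1  (two's complement)
    return ("+", ("+", a, ("~", b)), 1)
def rewrite_const(c, var):   # c == (var & c) + (~var & c), for any var
    return ("+", ("&", var, c), ("&", ("~", var), c))

def obfuscate(expr, var="x", rounds=2):  # apply the rules bottom-up 'rounds' times
    for _ in range(rounds):
        expr = _step(expr, var)
    return expr

def _step(expr, var):
    if isinstance(expr, int):
        return rewrite_const(expr, var)  # constants are rewritten too
    if isinstance(expr, str):
        return expr
    op, *args = expr
    args = [_step(a, var) for a in args]
    rule = {"+": rewrite_add, "-": rewrite_sub}.get(op)
    return rule(*args) if rule else (op, *args)
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "^": operator.xor,
       "&": operator.and_, "|": operator.or_, "~": operator.invert}

def evaluate(expr, env):  # evaluate a tree modulo 2**8; env maps names to values
    if isinstance(expr, int):
        return expr & MASK
    if isinstance(expr, str):
        return env[expr] & MASK
    op, *args = expr
    return OPS[op](*[evaluate(a, env) for a in args]) & MASK

def size(expr):  # node count, to show how much the rewritten tree grew
    return 1 if not isinstance(expr, tuple) else 1 + sum(map(size, expr[1:]))

def equivalent(e1, e2):  # True iff both trees agree on every 8-bit x and y
    return all(evaluate(e1, {"x": x, "y": y}) == evaluate(e2, {"x": x, "y": y})
               for x, y in itertools.product(range(256), repeat=2))

if __name__ == "__main__":
    obf = obfuscate(("+", "x", "y"))
    print(size(obf), "nodes; equivalent:", equivalent(("+", "x", "y"), obf))
```

Two rounds turn the three-node `x + y` into a 35-node tree that still computes the same value for every input, which is exactly why a decompiler cannot simplify it away without an MBA-aware simplifier.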
I’m gonna go out on a limb and suggest that this obfuscation scheme is legacy, and they keep it merely as defense in depth and because it’s tested so why not.
Modern Macs can do remote attestations from a trusted boot chain all the way up to specific apps, which obviates the need for this sort of obfuscation. The memory spaces will be protected by the operating system as long as SIP is enabled, and if it’s not enabled or has been disabled / the root partition has been modified, then that will be detectable by Apple remotely. Although code obfuscation is fun (I’ve built a virtualization based obfuscation in the past), a properly implemented remote attestation and security architecture does obsolete it. It’s therefore mostly useful on Windows/Linux PCs where these schemes don’t really hang together.
Previously:
- Web Environment Integrity
- iOS Apps on Mac Require System Integrity Protection
- App Attest
- ScreenShield: SDK to Prevent Screenshots
- FairPlay Streaming