
How can I monitor an application's API calls on a jailbroken iOS device?


I am performing a review on an iOS application for which I do not have the source code. In order to gain more control over the environment, I am running the application on a jailbroken iPad.

I'd like to be able to monitor the API calls that the application is making...ideally I'd like to find something like Rohitab's MS Windows based API Monitor, but instead for iOS.

I have done some research and found a project by KennyTM called "Subjective-C" that seems like it may do what I need. I actually have been using a cycript script, along with the libsubjc.dylib available on the Google code site.

However, I have been unable to figure out how to correctly get it to start logging calls for an app. Here's the link to the cycript script, written by the author of Subjective-C (libsubjc). I pasted the script below as well.

/*

libsubjc.cy ... Use libsubjc in cycript.
Copyright (C) 2009  KennyTM~ <[email protected]>

[...GPL3...]
*/

dlopen("libsubjc.dylib", 10);
if (!dlfun) {
    function dlfun(fn, encoding, altname) { var f = new Functor(dlsym(RTLD_DEFAULT, fn), encoding); if (f) this[altname || fn] = f; return f; }
}

dlfun("SubjC_start", "v");
dlfun("SubjC_end", "v");

dlfun("SubjC_set_file", "v^{sFILE=}");
dlfun("SubjC_set_maximum_depth", "vI");
dlfun("SubjC_set_print_arguments", "vB");
dlfun("SubjC_set_print_return_value", "vB");
dlfun("SubjC_set_print_timestamp", "vB");

SubjC_Deny = 0, SubjC_Allow = 1;

dlfun("SubjC_clear_filters", "v");
dlfun("SubjC_filter_method", "vi#:");
dlfun("SubjC_filter_class", "vi#");
dlfun("SubjC_filter_selector", "vi:");
dlfun("SubjC_default_filter_type", "vi");
dlfun("SubjC_filter_class_prefixes", "viI^*");
dlfun("SubjC_filter_class_prefix", "vi*");

dlfun("fopen", "^{sFILE=}**");
dlfun("fclose", "i^{sFILE=}");

I have been able to load the libsubjc cycript script, and call the SubjC_start function. However, how do I specify an input filehandle for the line starting with dlfun("SubjC_set_file", "v^{sFILE=}");

Has anyone successfully used the "libsubjc.cy" cycript script with the Subjective-C library (libsubjc.dylib) to monitor an app's API calls?

UPDATE

This is at least generating the output file, but I don't see any information populated within the output file (/tmp/test.txt).

cycript -p SpringBoard libsubjc.cy; cycript -p SpringBoard
f = fopen("/tmp/test.txt", "w");

SubjC_set_file(f);
SubjC_set_maximum_depth(15);
SubjC_set_print_arguments(YES);
SubjC_set_print_return_value(YES);
SubjC_set_print_timestamp(YES);
SubjC_default_filter_type(SubjC_Deny);
SubjC_start();
//do stuff
SubjC_end();

Or, if anyone knows of another way to monitor API calls (w/o source code) on a jailbroken device, please let me know!


Solution

  • I'm not aware of a direct equivalent to API Monitor. However, Frida is a popular tool for mobile app instrumentation, with a tutorial on iOS usage. Once installed, you can trace API calls with a command like frida-trace -U -i "CCCryptorCreate*" Twitter to trace calls from the Twitter app to functions starting with CCCryptorCreate.
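
A script-based variant of the Frida approach in the answer above, as an added example (not part of the original answer and not Frida project code): a Frida agent that logs Objective-C method calls for classes matching an allow-list of name prefixes and ignores everything else. The prefix list, the function names and the `rt` wrapper object are assumptions made for this illustration.

```javascript
// Added example: Frida agent script. The hooks are installed only when Frida
// loads it into the target process; the helpers take the runtime as `rt`
// so the selection logic can be exercised with stubs.
const ALLOW_PREFIXES = ["NSURL"]; // constructed sample: class-name prefixes to trace

// Default-deny: keep only class names that start with an allowed prefix.
function selectClasses(classNames, prefixes) {
  return classNames.filter(n => prefixes.some(p => n.startsWith(p)));
}

// Attach a logger to every method the class defines itself.
// Returns the number of methods successfully hooked.
function traceClass(rt, className, log) {
  const klass = rt.ObjC.classes[className];
  let hooked = 0;
  for (const name of klass.$ownMethods) { // e.g. "- dataTaskWithRequest:"
    try {
      rt.Interceptor.attach(klass[name].implementation, {
        onEnter() { log({ t: Date.now(), cls: className, sel: name }); }
      });
      hooked++;
    } catch (e) {
      // Some implementations cannot be intercepted; skip them.
    }
  }
  return hooked;
}

// Hook every allowed class and return the total number of hooked methods.
function traceByPrefix(rt, prefixes, log) {
  const names = selectClasses(Object.keys(rt.ObjC.classes), prefixes);
  return names.reduce((n, c) => n + traceClass(rt, c, log), 0);
}

// ObjC, Interceptor and send are globals only inside a Frida agent.
if (typeof ObjC !== "undefined" && ObjC.available) {
  const n = traceByPrefix({ ObjC, Interceptor }, ALLOW_PREFIXES, m => send(m));
  send({ hooked: n });
}
```

Saved under a file name of your choice, the script is loaded into the app with the `frida` CLI's `-l` option; a narrow prefix list keeps the hook count and the log volume manageable.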