Advanced Frida Usage Part 4 – Sniffing location data from locationd in iOS

					<div>
				<div>
		<div>
							<div>
			<div>
<h2>Introduction</h2><p>Welcome to Part 4 of our Advanced Frida Usage series. In part <a href="https://8ksec.io/advanced-frida-usage-part-3-inspecting-ios-xpc-calls/" rel="noreferrer" target="_blank">three</a> of our Frida blog posts, we went over what XPC is, how to use it, and how to intercept it with Frida.</p><p>This blog post discusses tools built for this job, two of which are <a href="https://github.com/hot3eed/xpcspy" rel="noreferrer" target="_blank">xpcspy</a> and <a href="https://github.com/nsecho/gxpc" rel="noreferrer" target="_blank">gxpc</a>. xpcspy is already well covered by tutorials, while gxpc is a newer tool inspired by xpcspy. It behaves the same as xpcspy with small additions: messages are parsed recursively (if a dictionary contains another dictionary, that one is parsed as well), and it additionally supports <code>xpc_connection_set_event_handler</code>, for which it prints the address of the block implementation.</p><h2>Installation</h2><p>As with <a href="https://github.com/frida/frida-go" rel="noreferrer" target="_blank">frida-go</a>, gxpc supports macOS, Linux and Android. We will use macOS as the host machine. We first need to install <a href="https://go.dev/doc/install" rel="noreferrer" target="_blank">go</a> and download the <a href="https://github.com/frida/frida/releases/latest" rel="noreferrer" target="_blank">frida-core-devkit</a> for our machine.</p><p>For our machine we will download <code>macos-arm64</code>, since we are working on an M1, which for Frida version <em>16.0.19</em> is <code>frida-core-devkit-16.0.19-macos-arm64.tar.xz</code>.</p><p>After downloading the devkit, we move the <code>libfrida-core.a</code> and <code>frida-core.h</code> files to the appropriate locations.</p><p>Now that we have everything ready, we can run <code>go install github.com/nsecho/gxpc@latest</code>.</p>						</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
														<img alt="" height="763" src="https://i0.wp.com/8ksec.io/wp-content/uploads/2023/07/installing_gxpc.png?fit=800%2C763&amp;ssl=1" width="800" />															</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
<h4><strong>How gxpc works?</strong></h4><p><strong>gxpc</strong> works by using the Frida bindings for Go, <a href="https://github.com/frida/frida-go" rel="noreferrer" target="_blank">frida-go</a>. Frida bindings let the user drive Frida’s functionality from other languages, such as Python, Swift, node.js, Go, etc. Go can interact with C code using <strong>cgo</strong>. In order to link <strong>frida-go</strong>, we need to have the <strong>frida-core</strong> dynamic libraries installed on the system as well as the <strong>frida-core.h</strong> header file, both of which ship inside the <strong>frida-core-devkit</strong>&nbsp;we installed above.</p><p>Internally, <strong>gxpc</strong> traces specific <strong>xpc_*</strong> functions, which we can see inside the <strong>source.js</strong> file.</p>						</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
														<img alt="" height="137" src="https://i0.wp.com/8ksec.io/wp-content/uploads/2023/07/intercepting_functions.png?fit=800%2C137&amp;ssl=1" width="800" />															</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
<p>We can see the comment <em>Intercept these functions</em>, which immediately tells us what will be done with these variables. It uses the <code>Module.findExportByName</code> API, which we have seen in previous blog posts.</p><p>It is then followed by a number of functions that are used to extract data out of a dictionary or array, such as <code>xpc_dictionary_get_value</code> or <code>xpc_copy_description</code>.</p><p>For each function that should be intercepted, <code>Interceptor.attach</code> is called to hook it. Whenever one of these functions is called, <code>parseAndSendDictData</code> is invoked with the function name as the first argument, the <code>xpc_connection_t</code> as the second and the <code>xpc_object_t</code> as the third. <code>parseAndSendDictData</code> creates a JSON dictionary and extracts the data out of the <code>xpc_object_t</code> into JavaScript objects. Once all the objects are parsed, they are added to the dictionary and sent to the Go code using Frida’s <code>send</code> function.</p><h2>Using gxpc</h2><p>Now that we have installed <strong><em>gxpc</em></strong> and gone over how it works, let’s connect our iPhone using a USB cable. To confirm that the device is connected, we will use <code>gxpc -l</code> to list devices.</p>						</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
														<img alt="" height="161" src="https://i0.wp.com/8ksec.io/wp-content/uploads/2023/07/gxpc_list_devices.png?fit=800%2C161&amp;ssl=1" width="800" />															</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
<p>We can see that we have our standard <code>local</code> and <code>socket</code> devices available, as well as the newly connected <code>iPhone</code> device of type <code>USB</code>.</p><p>By default, gxpc connects to the USB device if one is connected. We can attach to a process by name (<code>locationd</code>, <code>SpringBoard</code>) or by PID. We also have the option to spawn the binary, in which case the process is resumed once the script is loaded.</p><p>We will attach to <code>locationd</code>, which is the primary daemon responsible for location data. To do that, we use <code>gxpc -n locationd</code>.</p>						</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
														<img alt="" height="773" src="https://i0.wp.com/8ksec.io/wp-content/uploads/2023/07/gxpc_running.png?fit=800%2C773&amp;ssl=1" width="800" />															</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
<p>Immediately after starting, we see a lot of <strong>xpc_dictionary_set_string</strong> calls being intercepted. We can blacklist specific connections using the <strong>-b</strong> or <strong>--blacklist</strong> flag of <strong>gxpc</strong>. In this case, we will blacklist <strong>DICT CREATION</strong>.</p>						</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
														<img alt="" height="152" src="https://i0.wp.com/8ksec.io/wp-content/uploads/2023/07/gxpc_filtering.png?fit=800%2C152&amp;ssl=1" width="800" />															</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
<p>The tool still reports a lot of function hits, so to filter the data further, let’s search the terminal output for the string <strong>longitude</strong>.</p>						</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
														<img alt="" height="693" src="https://i0.wp.com/8ksec.io/wp-content/uploads/2023/07/gxpc_longitude.png?fit=800%2C693&amp;ssl=1" width="800" />															</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
<p>We can see that the match is found inside a <code>bplist17</code> payload sent using the <code>xpc_connection_send_notification</code> function. The data contains a lot of useful information, such as longitude, latitude, accuracy, etc.</p>

<p>Now we can use the same approach on other applications and binaries to find out which applications and daemons they talk to and what that communication looks like. This can give us more opportunities to find vulnerabilities.</p>
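<p>As an added illustration (not gxpc’s own code), the following Go program mirrors the host side of the pipeline described above: it consumes one event as the agent would <code>send()</code> it, applies a connection blacklist in the spirit of <code>-b/--blacklist</code>, and walks the parsed payload recursively to surface every <code>longitude</code> value, however deeply the dictionaries are nested. The JSON field names, the connection name and the sample values are assumptions; gxpc’s real message format may differ.</p>

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Message is the assumed shape of one event the agent emits with send(); field names are assumptions.
type Message struct {
	Connection string      `json:"connection"`
	Data       interface{} `json:"data"`
}
// SampleEvent is a constructed event in that assumed shape; every value is made up.
const SampleEvent = `{"function":"xpc_connection_send_notification","connection":"com.example.locationd",
 "data":{"payload":{"location":{"longitude":-122.03,"latitude":37.33,"accuracy":5}},"history":[{"longitude":-122.01}]}}`
// walk recurses through nested objects and arrays (nested dictionaries are parsed, not skipped)
// and records each value stored under key by its JSON-pointer-style path.
func walk(node interface{}, path, key string, hits map[string]interface{}) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			if k == key {
				hits[path+"/"+k] = child
			}
			walk(child, path+"/"+k, key, hits)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s/%d", path, i), key, hits)
		}
	}
}

// Match mimics gxpc-style host-side filtering: a blacklisted connection yields nil;
// otherwise every occurrence of key in the data is returned, keyed by path.
func Match(raw []byte, blacklist map[string]bool, key string) (map[string]interface{}, error) {
	var m Message
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if blacklist[m.Connection] {
		return nil, nil
	}
	hits := map[string]interface{}{}
	walk(m.Data, "", key, hits)
	return hits, nil
}

func main() {
	hits, err := Match([]byte(SampleEvent), map[string]bool{"DICT CREATION": true}, "longitude")
	fmt.Println(hits, err)
}
```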



</div>

Article Link: https://8ksec.io/advanced-frida-usage-part-4-sniffing-location-data-from-locationd-in-ios/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-frida-usage-part-4-sniffing-location-data-from-locationd-in-ios