How can I monitor an application's API calls on a jailbroken iOS device?

Question

I am performing a review on an iOS application for which I do not have the source code. In order to gain more control over the environment, I am running the application on a jailbroken iPad.

I'd like to be able to monitor the API calls that the application is making...ideally I'd like to find something like Rohitab's MS Windows based API Monitor , but instead for iOS.

I have done some research and found a project by KennyTM called " Subjective-C " that seems that it may do what I need. I actually have been using a cycript script, along with the libsubjc.dylib available on the Google code site .

However, I have been unable to figure out how to correctly get it to start logging calls for an app. Here's the link to the cycript script, written by the author of Subjective-C (libsubjc). I pasted the script below as well.

/*

libsubjc.cy ... Use libsubjc in cycript.
Copyright (C) 2009  KennyTM~ <kennytm@gmail.com>

[...GPL3...]
*/

dlopen("libsubjc.dylib", 10);
if (!dlfun) {
    function dlfun(fn, encoding, altname) { var f = new Functor(dlsym(RTLD_DEFAULT, fn), encoding); if (f) this[altname || fn] = f; return f; }
}

dlfun("SubjC_start", "v");
dlfun("SubjC_end", "v");

dlfun("SubjC_set_file", "v^{sFILE=}");
dlfun("SubjC_set_maximum_depth", "vI");
dlfun("SubjC_set_print_arguments", "vB");
dlfun("SubjC_set_print_return_value", "vB");
dlfun("SubjC_set_print_timestamp", "vB");

SubjC_Deny = 0, SubjC_Allow = 1;

dlfun("SubjC_clear_filters", "v");
dlfun("SubjC_filter_method", "vi#:");
dlfun("SubjC_filter_class", "vi#");
dlfun("SubjC_filter_selector", "vi:");
dlfun("SubjC_default_filter_type", "vi");
dlfun("SubjC_filter_class_prefixes", "viI^*");
dlfun("SubjC_filter_class_prefix", "vi*");

dlfun("fopen", "^{sFILE=}**");
dlfun("fclose", "i^{sFILE=}");

I have been able to load the libsubjc cycript script, and call the SubjC_start function. However, how do I specify an input filehandle for the line starting with dlfun("SubjC_set_file", "v^{sFILE=}");

Has anyone successfully used the "libsubjc.cy" cycript script with the Subjective-C library (libsubjc.dylib) to monitor an app's API calls?

UPDATE

This is at least generating the output file, but I don't see any information populated within the output file (/tmp/test.txt).

cycript -p SpringBoard libsubjc.cy; cycript -p SpringBoard
f = fopen("/tmp/test.txt", "w");

SubjC_set_file(f);
SubjC_set_maximum_depth(15);
SubjC_set_print_arguments(YES);
SubjC_set_print_return_value(YES);
SubjC_set_print_timestamp(YES);
SubjC_default_filter_type(SubjC_Deny);
SubjC_start();
//do stuff
SubjC_end();

Or, if anyone knows of another way to monitor API calls (w/o source code) on a jailbroken device, please let me know

Answer 1

I'm not aware of a direct equivalent to API Monitor. However, Frida is a popular tool for mobile app instrumentation, with a tutorial on iOS usage . Once installed, you can trace API calls with a command like frida-trace -U -i "CCCryptorCreate*" Twitter to trace calls from the Twitter app to functions starting with CCCryptorCreate .

Answer 2

Am not sure whether this helps you are not. Try Charles Prixy

Steps:

1.Install Charles proxy on your mac.
2.Change proxy setting on your mobile (Should go through Charles proxy. Check their website for configuration)

Answer 3

Set up a proxy server on your computer to redirect and track all the API calls. This is a common way to peak into iOS web traffic and you don't need a jailbroken device.