Is there any plans to release a mac desktop client with the Mondo interface to view transactions, stats etc on your computer?
Or possibly a web version?
Its possible to use the URL protocol used in the Mondo app for a desktop client, so the “Log in to Mondo” button .
The problem is iOS binaries are encrypted and mostly all other binaries are not protected at all, this would make it too easy to find out Mondo works - as their login link says it does “magic authentication”.
I’m pretty sure Mondo aren’t using security by obscurity. Where does this information come from?
You’re right, security through obfuscation is not security. iOS does not obfuscate the binaries - maybe does now but didn’t when I last looked - it actually encrypts them.
I presume, without actually looking into it further, the “Log in to Mondo” button calls a URL with a token as a parameter, this endpoint once verified then will redirect you to a URL protocol for Mondo - as an exmaple “mondo://magic-link/1234567890” - which will advertently open the Mondo app.
This process flow should also work for a Mac application, even a Windows one.
Okay, so what’s “magic” about email authentication/ universal links, and why does this cause problems for someone who’d want to make a desktop client to view transactions/stats? And how is it not security by obscurity if they’re relying on the fact that the iOS binary is encrypted to make it not “too easy” to find out “how it works”?
(Sorry for all the questions, I’m not trying to be a pain, I just want to know what I’m missing here )
The Mondo public API including OAuth 2.0 strategy is documented here.
Theres nothing ‘magical’ about the authentication links, they’re just timed token links I guess. If someone wanted to make a desktop client you can, there is no problem with using the method Mondo uses for iOS.
Lets just make this clear, you’re calling it ‘obscurity’ which is not the correct term I am trying to use - the saying is usually “security through obfuscation is not security”. Obfuscation is not encryption. An executables code can be obfuscated or not and the execution will still happen the same way, with an encrypted exe the actual instructions have to be decrypted before they can run - along with Apps from the App Store being signed by Apple themselves - it makes it harder to find out how the process works. I am not saying its impossible, as nothing is unhackable, you just have to put in so many roadblocks that you deter people.
The term I’m using is security by obscurity, which is a distinct term with its own Wikipedia page and describes an approach to system security, not just a matter of obfuscation vs. encryption of binaries.
My initial reply was simply asking what you meant when you said:
The problem is […] mostly all other binaries are not protected at all, this would make it too easy to find out Mondo works - as their login link says it does “magic authentication”
My comment was that if Mondo’s security hinged on the fact that their app binaries are encrypted (which I’m quite sure they don’t), this would not be a wise strategy.
I assume I’m misunderstanding your original post, in which case my bad
Ah sorry my bad! I didn’t know you really meant obscurity - I have to deal with a lot of employees that don’t understand terminology so I have to guess at what they’re trying to say, which I don’t have to here .
I was just trying to point out that the Mondo app is natively protected by iOS security, which makes it hard (not impossible) to find how the authentication works. Mac apps are also protected by OSX. Android and Windows (notably .NET) are so easy to unpack anyone with a knowledge of google and keywords can find an unpacker - especially Android APKs as its just a silly version of a ZIP file - they are just not protected at all its so easy to research and patch executables.
Sorry for the misunderstanding . Theres a reason I don’t talk to customers at work, my brain goes a million miles an hour and my fingers can’t keep up with the demand, I tend to sometimes confuse people.
The issue I see with this at the moment is that to authenticate with modno, you have to click a link recieved via email that opens in your browser. This means that we can easily create a mondo web app that you will view in your browser, but probably makes it a bit harder to create a dedicated standalone desktop app.
I don’t know how easy it is to force your os to open a link within another app.
No worries! I only pressed you because comments from fellow devs that don’t make sense to me play havoc with my imposter syndrome.
Still, (though I haven’t checked) the auth process they’re using in the app is probably identical to the one documented in their API. Also, if I wanted to reverse engineer what is essentially an API transaction I would be MITMing myself to inspect the actual requests made long before I resorted to inspecting executable code. But that’s just me
@Zef You’ll probably want to register a custom URL scheme for your app (e.g. mymondoapp://, implementation varies by OS) and use this in the redirect_uri of the “Authorization code grant” step of the auth process.
(Yeah, authorization. International ambitionz y’all)
Worth noting - compiled Obj-C iOS apps are actually much easier to reverse engineer than most binary formats.
It’s not as trivial as a simple APK, but if you dump an Obj-C iOS app into Hopper, you’ll find that almost every code-path is helpfully labelled with its selector, which makes even ASM relatively readable.
Swift is not as heavily affected by this, as most of its symbols are stripped at runtime. Obj-C can’t really have its symbols stripped properly, because Obj-C selector messaging is built entirely on strings.
I have heard of this before, but didn’t read into it much.
I don’t believe you are correct saying “much easier to reverse engineer than most binaries”, you may get to the headers and paths etc. I know that the apps are protected by Apple’s DRM system, which encrypts segments of the app (not the paths for example), and the keys are unique per device also.
Its possible using a jailbroken device to get the keys to decrypt the application - but jailbroken to me is non-existent as I see 0 point in it.
As with anything - nothing is impossible to reverse enginner (I know I had lots of fun with PPC). I do believe though that iOS apps are protected better than .NET (Windows), Java (Android), etc, don’t you agree?
I have found usually that if you just download the binary through the Mac version of iTunes, nothing seems to be protected in any meaningful way.
Maybe iOS and OSX apps are protected differently. That’s interesting, I will look into that I’v got a few Mac apps that I want to know how they work .
Interesting, the same is not true for me with IDA. Hopper will accept it but ultimately fails to actually produce a useful disassembly. I generally have to run iOS binaries through private tools before I can RE them.
I recently built a web client for Mondo. Not advanced atm but it does do basic viewing of transactions and balances. Uses React & Materialize for anyone interested in the code.
Do you intend to share the code?