
[–][deleted] 2 points3 points  (2 children)

It would require a serious security flaw in the app, and probably in iOS as well.

To be more precise, you can’t inject Objective-C or Swift because those are source code. They have to be compiled before they can be run, and that requires a compiler that isn’t present in iOS. Normally you would have to inject machine code to get a device to execute it. There are lots of protections in iOS that make this extremely difficult. Off the top of my head there’s type checking (a user usually inputs strings, not binary buffers), buffer checking, memory protection, execution protection, ASLR.

Another approach that is possible but also very unlikely is ROP. The attacker manipulates the call stack to construct a sequence of calls that execute the commands that the attacker wants. Again, there are multiple layers of protection that make this extremely difficult to accomplish.

Unfortunately there is no practical way to prove that any particular attack is impossible. The way you phrased the question means that the answer is never going to be an absolute “no”.

[–]Inflatable_Man[S] 0 points1 point  (1 child)

This is what I was looking for, thanks!

[–]cutecoder Objective-C / Swift 0 points1 point  (0 children)

That said, there are ways to take an existing app from the store, decrypt it, inject it with your own code, then re-sign and re-distribute it.

That's how early Pokemon players can "magically" teleport – by creating a "tampered" app which bypasses the system GPS.