iOS App Security — 5

Before starting iOS app reverse engineering I looked at how Apple protects applications. Apps downloaded from the App Store are wrapped in Apple's FairPlay DRM: the executable's code segment is encrypted, and the Mach-O header carries an LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command that records the encrypted range and a cryptid flag, 1 meaning encrypted. The decryption key is tied to the purchasing Apple ID, and the code is only decrypted in memory when iOS loads the app, so a binary copied straight off the device cannot be disassembled as-is.

So in order to take a look at the binary file we have to decrypt it first. The tool I found for that is Clutch.

https://github.com/KJCracks/Clutch

Basically what it does is run the app, let iOS decrypt it in memory, and then dump the decrypted image back out as a Mach-O file. That does not mean you can run the dumped app on your phone afterwards: it still has to be code-signed with your own certificate before iOS will install it. For static analysis we don't need that anyway.
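Before trusting a dump, the check worth making is whether the binary still reports cryptid 1. The usual way is `otool -l App | grep -A4 LC_ENCRYPTION_INFO`, but the following Python parses the load command by hand so the header layout described above is visible. This is an added example, not code from the original post or from Clutch; the minimal Mach-O headers it builds are constructed inside the script (labelled as such) so it runs offline without a device, and `build_sample`/`build_fat` are helpers invented for the demonstration.

```python
"""Check whether a Mach-O binary still carries FairPlay encryption.

App Store binaries have an LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load
command whose cryptid field is 1 while the code is encrypted; a decrypted
dump should show cryptid 0.  Example code, not part of Clutch or the post.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O, host byte order
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE   # same magics, byte-swapped
FAT_MAGIC = 0xCAFEBABE                           # fat/universal header, always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C
MH_EXECUTE = 2


@dataclass
class EncryptionInfo:
    arch_offset: int   # where this slice starts in the file (0 for a thin binary)
    cryptoff: int      # file offset of the encrypted range
    cryptsize: int     # length of the encrypted range
    cryptid: int       # 0 = plaintext, 1 = FairPlay-encrypted

    @property
    def encrypted(self) -> bool:
        return self.cryptid != 0


def _parse_thin(data: bytes, base: int) -> Optional[EncryptionInfo]:
    """Walk one thin image's load commands looking for LC_ENCRYPTION_INFO(_64)."""
    magic, = struct.unpack_from("<I", data, base)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError(f"not a Mach-O image at offset {base:#x}")
    header_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, base + 16)
    off, limit = base + header_size, base + header_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > min(limit, len(data)):
            raise ValueError("load commands run past the end of the image")
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64) and cmdsize >= 20:
            cryptoff, cryptsize, cryptid = struct.unpack_from(end + "III", data, off + 8)
            return EncryptionInfo(base, cryptoff, cryptsize, cryptid)
        off += cmdsize
    return None   # no encryption command at all: image was never set up for FairPlay


def encryption_info(data: bytes) -> List[EncryptionInfo]:
    """Return the encryption info of every slice (a single entry for a thin binary)."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        info = _parse_thin(data, 0)
        return [info] if info is not None else []
    nfat, = struct.unpack_from(">I", data, 4)
    infos = []
    for i in range(nfat):   # fat_arch entries: cputype, cpusubtype, offset, size, align
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        info = _parse_thin(data, offset)
        if info is not None:
            infos.append(info)
    return infos


def is_encrypted(data: bytes) -> bool:
    """True if any slice still has cryptid != 0, i.e. the dump is not usable yet."""
    return any(i.encrypted for i in encryption_info(data))


def build_sample(cryptid: int, is64: bool = True) -> bytes:
    """Constructed minimal Mach-O: header plus a single encryption load command."""
    if is64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE, 1, len(cmd), 0)
    return hdr + cmd


def build_fat(slices: List[bytes]) -> bytes:
    """Constructed fat binary from little-endian slices; real files page-align slices."""
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        cputype, = struct.unpack_from("<I", s, 4)
        archs += struct.pack(">IIIII", cputype, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    store_copy = build_sample(cryptid=1)    # what comes off the App Store
    dumped_copy = build_sample(cryptid=0)   # what a good dump should look like
    for name, blob in (("store", store_copy), ("dumped", dumped_copy)):
        for info in encryption_info(blob):
            state = "still encrypted" if info.encrypted else "decrypted"
            print(f"{name}: cryptoff={info.cryptoff:#x} cryptsize={info.cryptsize:#x} "
                  f"cryptid={info.cryptid} -> {state}")
```

On a real dump, pass the bytes of the executable inside the .app bundle to `encryption_info`; an entry with cryptid 1 means Clutch did not actually decrypt that slice, and an empty list means the image never had an encryption command at all.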

When you have the decrypted Mach-O binary you can start reverse engineering. There are a couple of tools for seeing the flow of an application. When I was a student I used IDA, which is the best-known reverse engineering tool, and an expensive one. However, it has a free version with enough features for our job.

https://www.hex-rays.com

But I personally prefer Hopper, which has a Personal License for 133 CAD. You can also download a limited demo version for free.

OK, let's take a look at Hopper to see how to use it.

As a target I took the Calculator app from my phone and opened it in Hopper to see what is happening inside. (Apple's built-in apps are not FairPlay-encrypted, so this one opens directly; a third-party App Store app would have to be dumped first.) Let's take a look at the application flow.

Select Proc. to see a list of all functions and subroutines. In the toolbar at the top, CFG Mode gives a control-flow graph of the selected function, and Pseudo-code Mode shows decompiled pseudo-code, which makes things much easier to read.

If you are looking for information about classes, properties or ivars, search the symbols for _metaclass: Objective-C class metadata is kept in the binary under names like _OBJC_METACLASS_$_ClassName, _OBJC_CLASS_$_ClassName and _OBJC_IVAR_$_ClassName._ivarName.

We will see how to use this kind of information later.

But since in this article I jumped straight into tools, let's also take a look at class-dump. What class-dump does: it examines the Objective-C runtime information stored in a Mach-O file and generates header-style declarations for the classes, categories and protocols it finds. It was developed for Objective-C runtime information, so it does not cover pure Swift types.

http://stevenygard.com/projects/class-dump/

But there is a fork of the repo with Swift support which is interesting to take a look at.

As a sample application I used Yahoo Weather, which I believe is one of the most beautiful apps.

As you can see it's based on Objective-C and you get all the headers. That is enough to start manipulating an app. We will continue our reverse engineering using these tools.