In the previous article you looked at beginning iOS forensics in general. This guide looks at how to reverse engineer an app binary.
Decrypting the Binary
This requires a jailbroken phone with the OpenSSH Cydia package installed.
Using a jailbroken phone, navigate to Settings -> Wi-Fi and tap the “i” icon to get details of the current Wi-Fi connection. Note the IP address (for example, 10.0.0.198).
Launch an SFTP / SSH client such as Cyberduck
Connect to sftp://root@10.0.0.198:22 (the default root password for all iOS devices is alpine. You may want to change that if you’ll be leaving OpenSSH active)
Since you are not Apple, you will get a warning about an unknown fingerprint, press OK
iOS 7 : The user applications are located at the location /var/mobile/Applications
iOS 8+ : The application bundle is stored in the location /var/mobile/Containers/Bundle/Application (Appname.app) whereas the application data (Documents, Library, tmp folder) is stored in the location /var/mobile/Containers/Data/Application. The name of the folder (a unique ID) will also be different for the same application. So while checking an application, it is recommended to look at both the locations.
- note that /var may not work, you may need to navigate to /private/var to see the “mobile” folder
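As an added example of correlating the two iOS 8+ locations (this is not code from the original article), the following Python script walks a copy of the device's /var/mobile tree and pairs each bundle container with its data container by bundle identifier, since the UUID folder names differ between the two locations. It assumes that each container directory carries the container manager's metadata plist (.com.apple.mobile_container_manager.metadata.plist with the key MCMMetadataIdentifier) and, for bundle containers, that the .app's Info.plist names the CFBundleIdentifier; the sample tree it builds and the com.example.scan identifier are constructed for the demo.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Per-container metadata written by the container manager on iOS 8+ (assumed layout).
METADATA_PLIST = ".com.apple.mobile_container_manager.metadata.plist"
METADATA_KEY = "MCMMetadataIdentifier"
CONTAINER_ROOTS = {
    "bundle": "Containers/Bundle/Application",   # <UUID>/Appname.app
    "data": "Containers/Data/Application",       # <UUID>/{Documents,Library,tmp}
}


def _load_plist(path: Path) -> Optional[dict]:
    """Read an XML or binary plist; return None if the file is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            value = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None
    return value if isinstance(value, dict) else None


def container_bundle_id(container: Path) -> Optional[str]:
    """Bundle identifier that owns a container directory.

    The container manager's metadata plist is the primary source; a bundle
    container can also be identified from the CFBundleIdentifier of its .app.
    """
    meta = _load_plist(container / METADATA_PLIST)
    if meta and isinstance(meta.get(METADATA_KEY), str):
        return meta[METADATA_KEY]
    for app in container.glob("*.app"):
        info = _load_plist(app / "Info.plist")
        if info and isinstance(info.get("CFBundleIdentifier"), str):
            return info["CFBundleIdentifier"]
    return None


def map_containers(mobile_root: Path) -> Dict[str, Dict[str, Optional[str]]]:
    """Map bundle id -> {'bundle': path, 'data': path} under a /var/mobile tree.

    Pass either /var/mobile or /private/var/mobile (or a local mirror of it).
    Containers whose owner cannot be determined are skipped.
    """
    mapping: Dict[str, Dict[str, Optional[str]]] = {}
    for kind, rel in CONTAINER_ROOTS.items():
        base = mobile_root / rel
        if not base.is_dir():
            continue
        for container in sorted(p for p in base.iterdir() if p.is_dir()):
            bundle_id = container_bundle_id(container)
            if bundle_id is None:
                continue
            mapping.setdefault(bundle_id, {"bundle": None, "data": None})[kind] = str(container)
    return mapping


def build_sample_tree(mobile_root: Path) -> None:
    """Constructed stand-in for an iOS 8+ /var/mobile tree (demo data, not from a device)."""
    app_dir = mobile_root / CONTAINER_ROOTS["bundle"] / "1B2C3D4E-0000-4000-8000-000000000001" / "Scan.app"
    app_dir.mkdir(parents=True)
    with open(app_dir / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example.scan", "CFBundleExecutable": "Scan"}, fh)

    data_dir = mobile_root / CONTAINER_ROOTS["data"] / "9F8E7D6C-0000-4000-8000-000000000002"
    for sub in ("Documents", "Library", "tmp"):
        (data_dir / sub).mkdir(parents=True)
    with open(data_dir / METADATA_PLIST, "wb") as fh:
        plistlib.dump({METADATA_KEY: "com.example.scan"}, fh)

    # A data container with no metadata and no .app cannot be attributed and is left out.
    (mobile_root / CONTAINER_ROOTS["data"] / "00000000-0000-4000-8000-00000000DEAD" / "Documents").mkdir(parents=True)


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Build the sample tree in a temporary directory and correlate it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return map_containers(root)


if __name__ == "__main__":
    for bundle_id, paths in demo().items():
        print(bundle_id)
        print("  bundle:", paths["bundle"])
        print("  data:  ", paths["data"])
```

Point `map_containers` at a mirror of the device's /var/mobile pulled over SFTP and you get, per app, both folders to examine in one pass.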
- Using dumpdecrypted
- git clone git@github.com:stefanesser/dumpdecrypted.git
- Upload dumpdecrypted.dylib to the iPhone, then SSH to the iPhone and run the target binary with the library injected:
iPhone:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/xx-xxxx-xx/Scan.app/Scan
mach-o decryption dumper
- Scan.decrypted will then be saved to the current directory. Run this to verify that it is decrypted:
iPhone:~ root# class-dump-z Scan.decrypted
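One way to make that verification explicit, as an added example that is not code from the original article or from the dumpdecrypted project: this Python script reads the Mach-O load commands and reports the `cryptid` field of `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64`, which is non-zero while the `__TEXT` segment is still FairPlay-encrypted and 0 in a dumped binary. It handles fat (multi-architecture) files as well as thin ones. The sample binaries it builds (`build_sample`, `build_fat`) are constructed in-memory stand-ins with an arm64 header and a single encryption load command, not real app binaries.

```python
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Mach-O and fat header magic values (mach-o/loader.h, mach-o/fat.h)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE
LC_ENCRYPTION_INFO = 0x21      # 32-bit: cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # 64-bit: same fields plus a pad word
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def _slices(data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, size) for every architecture slice; a thin file is one slice."""
    if len(data) >= 8 and struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            yield offset, size
    else:
        yield 0, len(data)


def encryption_info(data: bytes) -> List[Dict[str, Optional[int]]]:
    """Return one record per slice with the LC_ENCRYPTION_INFO fields (cryptid None if absent)."""
    records = []
    for offset, size in _slices(data):
        blob = data[offset:offset + size]
        raw = struct.unpack_from("<I", blob, 0)[0]
        if raw in (MH_MAGIC, MH_MAGIC_64):
            endian = "<"
        elif raw in (MH_CIGAM, MH_CIGAM_64):
            endian = ">"
        else:
            raise ValueError("not a Mach-O slice at offset 0x%x" % offset)
        # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        magic, _, _, _, ncmds, _, _ = struct.unpack_from(endian + "7I", blob, 0)
        is64 = magic == MH_MAGIC_64
        record = {"offset": offset, "arch64": is64, "cryptoff": None, "cryptsize": None, "cryptid": None}
        pos = 32 if is64 else 28   # mach_header_64 carries an extra reserved word
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from(endian + "II", blob, pos)
            if cmdsize < 8 or pos + cmdsize > len(blob):
                raise ValueError("malformed load command at offset 0x%x" % pos)
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                cryptoff, cryptsize, cryptid = struct.unpack_from(endian + "3I", blob, pos + 8)
                record.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
            pos += cmdsize
        records.append(record)
    return records


def is_encrypted(data: bytes) -> bool:
    """True if any slice still has cryptid != 0, i.e. its __TEXT is still encrypted."""
    return any(r["cryptid"] not in (None, 0) for r in encryption_info(data))


def build_sample(cryptid: int) -> bytes:
    """Constructed minimal arm64 Mach-O: header plus one LC_ENCRYPTION_INFO_64 (demo input only)."""
    cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(cmd), 0, 0)
    return header + cmd


def build_fat(slices: List[bytes]) -> bytes:
    """Constructed fat wrapper around thin slices, page-aligned the way lipo lays them out."""
    first = (8 + 20 * len(slices) + 0xFFF) & ~0xFFF
    archs, body, offset = [], bytearray(), first
    for s in slices:
        archs.append(struct.pack(">5I", CPU_TYPE_ARM64, 0, offset, len(s), 12))
        padded = s + b"\0" * (-len(s) % 0x1000)
        body += padded
        offset += len(padded)
    head = struct.pack(">II", FAT_MAGIC, len(slices)) + b"".join(archs)
    return head + b"\0" * (first - len(head)) + bytes(body)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_fat([build_sample(1), build_sample(0)])
    for r in encryption_info(data):
        print("slice @0x%x arm64=%s cryptid=%s" % (r["offset"], r["arch64"], r["cryptid"]))
    print("encrypted:", is_encrypted(data))
```

Run it as `python3 check_cryptid.py Scan.decrypted` after copying the dump to your machine; without an argument it exercises the constructed fat sample. A binary that never went through the App Store has no encryption load command at all, which the script reports as `cryptid=None` rather than treating it as encrypted.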
- Using Clutch
- First disable code signing in Xcode's iOS SDK settings (the cp line keeps a backup of SDKSettings.plist in your home directory):
killall Xcode
cp /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist ~/
/usr/libexec/PlistBuddy -c "Set :DefaultProperties:CODE_SIGNING_REQUIRED NO" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist
/usr/libexec/PlistBuddy -c "Set :DefaultProperties:AD_HOC_CODE_SIGNING_ALLOWED YES" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist
- Download and extract Clutch, then cd into the project folder
- Open the project and set the signing identity to your team
- Close the project and build from the command line:
xcodebuild clean build
- Then copy the built binary to the phone:
scp ./build/Clutch root@10.0.0.198:/usr/bin/Clutch
- SSH back into the device and run Clutch against the app's bundle identifier:
ssh root@10.0.0.198 Clutch -b com.appcomp.appName
It will output something like “DONE: /private/var/mobile/Documents/Dumped/x.x.x-iOS8.0-(Clutch-2.0.4)-2.ipa”
- Copy the ipa file to your computer with Cyberduck
Here’s a quick list of tools that aid in reverse engineering the code:
- nm: List symbols from object files.
- strings: Print the strings of printable characters in files.
- otool: Use to examine the Objective-C runtime information stored in the Mach-O file.
- class-dump and class-dump-z: Use otool-style Mach-O inspection but present the actual Objective-C interfaces and declarations.
- Keychain Dumper: See which keychain items are accessible to an attacker when a device is jailbroken.
- IDA Pro: Commercial disassembler and debugger. The standard when it comes to iOS reverse engineering (also because of https://www.hex-rays.com/products/ida/support/idadoc/1687.shtml)
Hooking and Patching
In addition to understanding how the code works, you can modify it to intercept function calls (called hooking). You can use this to monitor methods or replace security checks, for example. Here’s a list of popular tools to help with the process:
- Cydia Impactor: Use this to install IPA files on iOS.
- Cydia Substrate: The very popular code modification platform.
- MSHookFunction: Hijack the behavior of native code or a private symbol.
Besides looking at the data stored on the device and in the app, you’ll need to analyze the data an app sends and receives over the network. That can give you a lot of data and insight as to how the app works. Check out the Intercepting Network Traffic article next to learn how to do that.