iOS

Reverse Engineering iOS applications in .app format

iOS apps are not as easily reverse-engineered as most Android apps, because they are compiled to native machine code. When you run the file command on the binary, you should see Mach-O, which confirms this is an iOS application:

$ file app
app: Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>

Decompiling

To reverse engineer this binary, the procedure is essentially the same as for any other native binary, such as an ELF executable. You can use a decompiler to get some insight into the code structure and which functions are called.

Much of what you see is calls into Apple's built-in frameworks, so searching for the function names is often a better way to understand what the code does than guessing or reversing it by hand. For example, the CCCrypt() function has the following arguments (source):

CCCryptorStatus CCCrypt(
	CCOperation op,			/* kCCEncrypt, etc. */
	CCAlgorithm alg,		/* kCCAlgorithmAES128, etc. */
	CCOptions options,		/* kCCOptionPKCS7Padding, etc. */
	const void *key,
	size_t keyLength,
	const void *iv,			/* optional initialization vector */
	const void *dataIn,		/* optional per op and alg */
	size_t dataInLength,
	void *dataOut,			/* data RETURNED here */
	size_t dataOutAvailable,
	size_t *dataOutMoved);

In addition, it is useful to know the enum values, since the bare numbers in the decompiled code do not explain what they really mean:
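As an added example (not part of the original page), the following Python script maps the integer arguments of a CCCrypt() call, as a decompiler shows them, back to the CCOperation, CCAlgorithm and CCOptions names from Apple's CommonCryptor.h, and lists settings that deserve a closer look during review. The CCCryptCall structure and the sample call are constructed for this example.

```python
# Added example (not from the original page): map the raw integers of a
# CCCrypt() call, as seen in decompiled output, back to the named constants
# from Apple's CommonCryptor.h and note settings worth a closer look.
from dataclasses import dataclass

CC_OPERATION = {0: "kCCEncrypt", 1: "kCCDecrypt"}
CC_ALGORITHM = {0: "kCCAlgorithmAES128", 1: "kCCAlgorithmDES", 2: "kCCAlgorithm3DES",
                3: "kCCAlgorithmCAST", 4: "kCCAlgorithmRC4", 5: "kCCAlgorithmRC2",
                6: "kCCAlgorithmBlowfish"}
KCC_OPTION_PKCS7_PADDING, KCC_OPTION_ECB_MODE = 0x0001, 0x0002
# Accepted key lengths in bytes (the kCCKeySize* constants); RC4 is a stream cipher.
KEY_SIZES = {0: range(16, 33, 8), 1: range(8, 9), 2: range(24, 25), 3: range(5, 17),
             4: range(1, 513), 5: range(1, 129), 6: range(8, 57)}
LEGACY = {1: "single DES", 4: "RC4", 5: "RC2"}

@dataclass
class CCCryptCall:          # constructed for this example, not a CommonCrypto type
    op: int                 # 1st argument, CCOperation
    alg: int                # 2nd argument, CCAlgorithm
    options: int            # 3rd argument, CCOptions
    key_length: int         # 5th argument, keyLength
    iv_is_null: bool        # whether the 6th argument (iv) is NULL

def describe(call: CCCryptCall) -> dict:
    """Return the named constants plus a list of findings to check by hand."""
    findings = []
    op = CC_OPERATION.get(call.op, f"unknown CCOperation {call.op}")
    alg = CC_ALGORITHM.get(call.alg, f"unknown CCAlgorithm {call.alg}")
    if call.options & ~(KCC_OPTION_PKCS7_PADDING | KCC_OPTION_ECB_MODE):
        findings.append(f"options 0x{call.options:x} sets bits outside CCOptions")
    if call.alg == 4:
        mode = "stream"
    else:
        mode = "ECB" if call.options & KCC_OPTION_ECB_MODE else "CBC"
    if mode == "ECB":
        findings.append("kCCOptionECBMode: equal plaintext blocks give equal ciphertext")
    if mode == "CBC" and call.iv_is_null:
        findings.append("iv is NULL in CBC mode: CommonCrypto uses an all-zero IV")
    if call.alg in LEGACY:
        findings.append(f"{LEGACY[call.alg]} is a legacy algorithm")
    sizes = KEY_SIZES.get(call.alg)
    if sizes is not None and call.key_length not in sizes:
        findings.append(f"keyLength {call.key_length} is invalid for {alg}; "
                        "CCCrypt returns kCCParamError (-4300)")
    return {"operation": op, "algorithm": alg, "mode": mode,
            "pkcs7_padding": bool(call.options & KCC_OPTION_PKCS7_PADDING),
            "findings": findings}

if __name__ == "__main__":  # constructed sample: CCCrypt(0, 0, 1, key, 16, NULL, ...)
    print(describe(CCCryptCall(op=0, alg=0, options=1, key_length=16, iv_is_null=True)))
```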

.plist files

You might find .plist files in the .app directory. These files are stored in a binary property-list format, but tools such as plistutil can convert them into XML files:

Resources

For another, more practical guide with worked examples, see this article:

A walkthrough of various tasks in iOS reverse engineering
