iOS
Reverse Engineering iOS applications in .app format
iOS apps are not as easily reverse-engineered as most Android apps, because they are compiled into a binary. When you run the file command on the binary, you should see Mach-O, which confirms this is an iOS application:
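The Mach-O identification that file reports can be reproduced by reading the header magic directly. This is an added example, not code from the original page; the function names and the constructed sample bytes are assumptions for illustration.

```python
import struct

# Thin Mach-O magics, keyed by the first 4 bytes read big-endian.
THIN_MAGICS = {0xFEEDFACE: (">", 32), 0xCEFAEDFE: ("<", 32),
               0xFEEDFACF: (">", 64), 0xCFFAEDFE: ("<", 64)}
FAT_MAGIC = 0xCAFEBABE  # universal binary header, always big-endian
CPU_TYPES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
FILE_TYPES = {1: "object", 2: "executable", 6: "dylib", 8: "bundle"}

def parse_thin(data, offset=0):
    """Describe the mach_header at offset, or return None if there is none."""
    if len(data) < offset + 16:
        return None
    (magic,) = struct.unpack_from(">I", data, offset)
    if magic not in THIN_MAGICS:
        return None
    endian, bits = THIN_MAGICS[magic]
    cpu, _sub, ftype = struct.unpack_from(endian + "3I", data, offset + 4)
    return {"bits": bits, "cpu": CPU_TYPES.get(cpu, hex(cpu)),
            "type": FILE_TYPES.get(ftype, hex(ftype))}

def identify(data):
    """Return one description per architecture slice; [] if not Mach-O."""
    thin = parse_thin(data)
    if thin:
        return [thin]
    if len(data) < 8 or struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return []
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = []
    # 0xCAFEBABE is also the Java class magic, so cap the count and only
    # accept entries whose offset really points at a thin Mach-O header.
    for i in range(min(nfat, 16)):
        entry = 8 + i * 20  # fat_arch: cputype, cpusubtype, offset, size, align
        if len(data) < entry + 20:
            break
        off = struct.unpack_from(">5I", data, entry)[2]
        found = parse_thin(data, off)
        if found:
            slices.append(found)
    return slices

# Constructed samples: a bare arm64 executable header, and the same header
# wrapped as the single slice of a universal binary at offset 32.
SAMPLE_THIN = struct.pack("<8I", 0xFEEDFACF, 0x0100000C, 0, 2, 0, 0, 0, 0)
SAMPLE_FAT = (struct.pack(">2I5I", FAT_MAGIC, 1, 0x0100000C, 0, 32, 32, 0)
              + bytes(4) + SAMPLE_THIN)

if __name__ == "__main__":
    print(identify(SAMPLE_THIN), identify(SAMPLE_FAT))
```

To check a real app, pass the bytes of the executable inside the .app directory to identify().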
Decompiling
Reverse engineering this binary follows basically the same procedure as reversing any other native binary, an ELF binary for example. You can use a decompiler to get some insight into the code structure and which functions are called.
Source code is available for many built-in Apple functions, so searching for a function name is often a better way to understand what it does than guessing or reversing by hand. For example, the CCCrypt() function has the following arguments (source):
In addition to this, enums are also useful to know, as the numbers in the decompiled code might not explain what they really mean:
.plist files
You might find .plist files in the .app directory. These files are in a special format but can be parsed by tools such as plistutil into XML files:
Resources
For another more practical guide and example, see this article: