
Reversing iOS apps for fun and profit [Alt Tech Talks Berlin 2013]


DESCRIPTION

My intro to reverse engineering, especially focused on reversing iOS apps, which I presented at the Alt Tech Talks Berlin event in 2013.


Page 1: Reversing iOS apps for fun and profit [Alt Tech Talks Berlin 2013]

Reversing iOS apps for fun and profit

Alt Tech Talks Berlin 2013

Kuba Brecka @kubabrecka

Page 2

What is reverse engineering?

• Forward engineering

• Source code → Compiler → Binary

• Source code → Optimizations → High-level intermediate code → Optimizations → Assembly instructions → Optimizations → Binary

• Reverse engineering

• Binary → Assembly instructions → High-level intermediate code → Source code (the forward pipeline walked in reverse)

Page 3

Why should I care?

• Maybe you’re just curious

• Security analysis

• Malware analysis

• Undocumented APIs

• Lost source code

• Black-hat reasons

Page 4

Tools of the trade

• IDA Pro

• Hopper

• classdump

• otool

• LLDB

• radare2

Page 5

Assembly crash course

ARM (32-bit):

MOV R0, #0xA20          ; load an immediate offset
ADD R0, PC              ; PC-relative address: R0 = PC + 0xA20
LDR R1, [R0]            ; dereference it
BLX some_procedure      ; call (branch with link)
B loc_9060              ; unconditional jump
CMP R0, #0              ; set flags from R0 - 0
BEQ loc_9060            ; jump if equal (zero)
CBZ R0, loc_9060        ; compare-and-branch-if-zero in one instruction (Thumb)

x86 (32-bit):

mov eax, ebx            ; copy register
add eax, 44h            ; add immediate
mov eax, [eax+10h]      ; load from address eax+0x10
call some_procedure     ; call
jmp loc_2EB5            ; unconditional jump
cmp eax, 0              ; set flags from eax - 0
jz loc_2EB5             ; jump if zero

Page 6

Demo

Page 7

What you get for free

• List of classes and categories in the app

• and their methods and types and signatures and properties and ivars and …

• List of used external classes, frameworks, APIs

• List of used constant strings in the app

• List of used selectors

Page 8

What you get with a little more effort

• List of 3rd-party libraries bundled in the binary

• Complexity of methods, what branches and loops they contain

• Where are external APIs and classes used

Page 9

IPAs and encryption

• Apps from the App Store are encrypted (FairPlay DRM)

• Binary is decrypted only in memory

• To obtain a decrypted binary:

• jailbreak

• run the app

• dump its memory
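To make the last three slides concrete, here is an added example that is not part of the talk: a minimal walker over the load commands of a 64-bit Mach-O image that lists the Objective-C class names, selectors and C string literals the binary hands out for free (the __objc_classname, __objc_methname and __cstring sections) and reads the cryptid field of LC_ENCRYPTION_INFO_64 to tell whether the image on disk is still FairPlay-encrypted. The sample image, its class names, selectors and URL are constructed inline and are not from any real app. It also shows the failure mode the slide's "dump its memory" step exists for: when cryptid is set, the metadata sections lie inside the encrypted range and the file on disk yields nothing readable. Only little-endian 64-bit thin images are handled (no fat or 32-bit headers).

```python
import struct

# Mach-O constants (values from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_ENCRYPTION_INFO_64 = 0x2C

# Sections holding Objective-C runtime metadata and C string literals.
# Their plaintext presence is what makes class-dump-style listing "free".
INTERESTING = {
    "__TEXT,__objc_classname": "classes",
    "__TEXT,__objc_methname": "selectors",
    "__TEXT,__cstring": "cstrings",
}


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_macho64(data: bytes) -> dict:
    """Walk the load commands of a little-endian 64-bit Mach-O image.

    Returns each section's (file offset, raw bytes) keyed "segname,sectname"
    plus the LC_ENCRYPTION_INFO_64 fields if that command is present.
    """
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit images not handled)")
    info = {"sections": {}, "cryptid": None, "cryptoff": 0, "cryptsize": 0}
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            segname = _cstr(data[off + 8:off + 24])
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            soff = off + 72  # sizeof(segment_command_64)
            for _ in range(nsects):
                sectname = _cstr(data[soff:soff + 16])
                size = struct.unpack_from("<Q", data, soff + 40)[0]
                fileoff = struct.unpack_from("<I", data, soff + 48)[0]
                info["sections"][f"{segname},{sectname}"] = (fileoff, data[fileoff:fileoff + size])
                soff += 80  # sizeof(section_64)
        elif cmd == LC_ENCRYPTION_INFO_64:
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<3I", data, off + 8)
        off += cmdsize
    return info


def summarize(data: bytes) -> dict:
    """Report the free metadata, or which sections are unreadable because they are encrypted on disk."""
    info = parse_macho64(data)
    encrypted = bool(info["cryptid"])  # cryptid 0 means "not encrypted" even if the command exists
    lo, hi = info["cryptoff"], info["cryptoff"] + info["cryptsize"]
    result = {"encrypted": encrypted, "unreadable": [], "classes": [], "selectors": [], "cstrings": []}
    for key, label in INTERESTING.items():
        if key not in info["sections"]:
            continue
        fileoff, blob = info["sections"][key]
        if encrypted and lo <= fileoff < hi:
            # Bytes in the FairPlay range are ciphertext on disk; only a memory dump of the running app is readable.
            result["unreadable"].append(key)
            continue
        result[label] = [s.decode("utf-8", "replace") for s in blob.split(b"\x00") if s]
    return result


def build_sample(encrypted: bool) -> bytes:
    """Constructed minimal Mach-O (sample data, not a real app): one __TEXT segment, three sections."""
    blobs = [
        ("__objc_classname", b"LoginViewController\x00LicenseChecker\x00"),
        ("__objc_methname", b"viewDidLoad\x00isLicensed\x00"),
        ("__cstring", b"https://license.example.invalid/check\x00"),
    ]
    sizeofcmds = 72 + 80 * len(blobs) + 24
    data_off = 32 + sizeofcmds
    sections, payload, cur = b"", b"", data_off
    for name, blob in blobs:
        sections += struct.pack("<16s16sQQ8I", name.encode(), b"__TEXT",
                                0x100000000 + cur, len(blob), cur, 0, 0, 0, 0, 0, 0, 0)
        payload += blob
        cur += len(blob)
    total = data_off + len(payload)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, sizeofcmds, 0, 0)  # CPU_TYPE_ARM64, MH_EXECUTE
    segment = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80 * len(blobs), b"__TEXT",
                          0x100000000, total, 0, total, 7, 5, len(blobs), 0)
    # cryptid=1 marks [cryptoff, cryptoff+cryptsize) as FairPlay-encrypted on disk; here that covers the payload
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, data_off, len(payload), 1 if encrypted else 0, 0)
    return header + segment + sections + enc + payload


if __name__ == "__main__":
    for flag in (False, True):
        print("encrypted sample" if flag else "plain sample", summarize(build_sample(flag)))
```

The same cryptid check is what `otool -l` exposes in its LC_ENCRYPTION_INFO output; a non-zero value on a binary you are about to analyse statically means the class, selector and string listings will be garbage until the image is dumped from a running process, as the slide describes.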

Page 10

Language does matter

Language      bytecode / native   meta information in binary   obfuscation
C             native              zero                         usually no
Java          bytecode            lots                         quite common
Objective-C   native              lots                         usually no

Page 11

Thank you.

Kuba Brecka @kubabrecka