Intro to iOS mobile reverse engineering

A look at the tools, applications and analysis used to reverse engineer iOS applications
Technical Writeup
Intro to iOS mobile reverse engineering

Reverse engineering iOS apps

iOS applications are distributed as compiled binaries and are not readable by default. To reverse engineer an iOS application, the binary needs to be disassembled into a form that is easier to read and understand. This can be done using various tools, which we will look at in this blog post. These tools allow users to disassemble the binary and extract the source code for further analysis.

Once the source code has been extracted, it can be analyzed to understand how the application works and identify potential vulnerabilities or security weaknesses. It is also possible to modify the source code and recompile the app to bypass security controls or certain application functionality.

 

iOS reverse engineering tools

Several tools can be used for reverse engineering iOS mobile apps. Some of the more popular ones include:

  • Hopper Disassembler: This powerful tool can disassemble and decompile iOS apps. It allows you to see an application's assembly code and includes a decompiler that can generate high-level source code from the assembly code.

  • IDA Pro: This is a professional-grade reverse engineering tool that many security researchers and analysts use. It can disassemble and decompile iOS applications.

  • otool: This is a command-line tool included with every version of macOS and can be used to view the contents of iOS app binaries.

  • Class-dump: This is another command-line tool that can generate class information from an iOS app's executable file.

  • Radare2 (also known as "r2"): is a free and open-source reverse engineering framework that can analyze, disassemble, and decompile iOS applications.

  • Strings: A simple utility that can extract and display printable strings from a binary file. It can pull strings from iOS application binaries and be a valuable tool for reverse-engineering iOS applications. 
It's worth noting that reverse engineering iOS applications is a complex process that requires a good understanding of low-level programming concepts and technologies. The above list of tools is not exhaustive, but instead, a lot of the common tools used to get started with IOS reverse engineering.

 

iOS IPA binary analysis

For this blog post and examples, we will work with an intentionally vulnerable iOS application publicly available on GitHub: iGoat-Swift.

Let’s start from the beginning when we have an IPA file for deeper analysis. An iOS application IPA file is essentially a ZIP archive and can be unzipped using the Archive Utility for Mac or any similar utility, depending on the OS being utilized.

iOS IPA files have a “Payload” folder that contains a .app file, often with the same name as the application that is being analyzed (for example, “iGoat-Swift.app”)

On Mac, if you right-click the .app file, you can “Show Package Contents” to display the files that make up the binary.

Screen Shot 2022-12-27 at 4.02.36 PM

Screen Shot 2022-12-27 at 4.03.00 PM

As you can see from the screenshot above, when you review the files within the .app package, there will be a UNIX executable file with the same name. This is the application's main binary file. The additional files within this directory are supportive components that keep the application running (settings, frameworks, SDKs, etc.)

Now that we have a good understanding of the iOS file structure and how to access the applications binary file, we can look into the various reverse engineering tools and how they can be used.

 

Otool

Otool is a handy tool for iOS reverse engineering; it can be versatile and dump various information regarding the iOS application. Here are a few examples of what otool can be used for:

  • To identify the architectures that an iOS application is built for
  • Otool can display a list of shared libraries the application links to. This can be valuable for determining the iOS application's dependencies and understanding the overall implementation better.
  • Otool can display a list of object files that make up an application, which can help better understand the application structure and components used.
  • Lastly, otool can display the symbols (i.e., functions and variables) that an iOS application exports.

One of the most common uses for otool is to check for various libraries and identify if there are any potential vulnerabilities, which we will show a demo of. 

Use the following command to display the libraries: (Adjust for your specific application and path to the binary)

otool -L iGoat-SwiftOtool -L iGoat-Swift

Screen Shot 2022-12-28 at 9.18.00 AM

 

Class-dump

Another great way to understand the behavior of an iOS application is to read the interfaces exposed when dumping its classes. As you probably are aware. iOS applications are no longer exclusively written in Objective-C; they are now written in Swift or a combination of both.

This means we need to adjust some of our tools; the older version of ‘class-dump’ won’t work if there is Swift code within the binary; luckily, two versions are available depending on how the application is developed.

  • Class-dump-Objc
  • Class-dump-Swift 

‘Class-dump’ for Objc can be downloaded either through the link above or installed on mac using Homebrew and the following command.

brew install class-dump

For the swift version of ‘class-dump,’ you can use the link above to download the binary and the following commands to execute.

mv class-dump-swift /usr/local/bin
chmod +x /usr/local/bin/class-dump-swift

Similar to using otool above, go into the directory containing the UNIX executable for your iOS application to run ‘class-dump,’ as you will see in the command below. I have saved the output to a text file and shown an excerpt below.

class-dump-swift iGoat-Swift > iGoat_dump.txt

Screen Shot 2022-12-28 at 10.36.35 AM

Within the output, you will see the classes, methods and even instance variables for the iOS application. This information is a great way to start reverse engineering an application with a better understanding of the application and places to search.

 

Strings command

As the name suggests, the “strings” command is a simple utility used to extra and display the printable strings from a binary file. This can be useful when looking for hardcoded credentials, secrets and similar information that a developer might have left behind unknowingly. Essentially there are three main reasons for running the “strings” command:

  • Identifying potential file paths or application metadata to understand the application's structure and organization of files/resources

  • Identifying hardcoded values such as keys, passwords, or URLs that are being stored as strings within the application binary

  • Lastly, identify user-facing strings such as labels, buttons and messages better to understand the user interface and overall application functionality.

Much information can be gathered by utilizing the strings command and the grep command to fine-tune the results.

strings iGoat-Swift | grep -i secret

The above command, as an example, will search for the word “secret” within the iGoat binary; every use case is different depending on what you are looking for.

Screen Shot 2022-12-28 at 1.42.04 PM

As you can see from my screenshot, searching for specific values (secret in this case) can be handy to find strings within the binary that can be further analyzed through a disassembler.

 

iOS disassemblers

Disassemblers can be used to analyze and understand the code of compiled binaries. In the context of iOS reverse engineering, disassemblers are often used to examine the inner workings of iOS applications, know how they function and search for potential vulnerabilities within.

Several disassemblers are available in iOS reverse engineering, including IDA Pro, Hopper Radare2, Ghidra and Binary Ninja. 

Overall, disassemblers are an essential tool in the arsenal of any iOS reverse engineer, no matter which disassembler you choose. For this blog post, we will show some examples within Hopper, but by no means is that the only disassembler you can use to perform these actions and analyses.

There are two options when working with an iOS application for disassembly: loading the IPA into Hopper and examining the entire application, including third-party components, or loading the UNIX executable to investigate the application source code.

We will continue loading the UNIX executable as we have with the previous examples.

Open the executable with hopper; this will likely take a few minutes to load and perform the built-in automated source code analysis.

Once the executable is loaded up, we are going to first focus on the left-hand side, as you can see in the screenshot below:

Screen Shot 2022-12-28 at 2.56.00 PM

As you can see from the Hopper interface and the screenshot above, there are three options you can select

  • Labels – Contains various memory addresses with their associated names and instructions.
  • Proc – Contains all the methods used by the application
  • Strings – Similar to using the strings command but with a lot more follow-up information

The best option in any disassembler is to use the information you have gathered through previous tools and commands to dig deeper into how those methods interact with the application and identify potential vulnerabilities. 

In our example, we did find some references to various “secrets” and then searched for those within Hopper to see what additional information we could find.

In your searches, you will see methods in the middle of the Hopper window; right-clicking on any of those can show you the references and allow you to dig further into the application logic surrounding that method.

Screen Shot 2022-12-28 at 3.02.26 PM

As you follow the references, you can dig deeper into the methods and the associated code.

Screen Shot 2022-12-28 at 3.26.33 PM

One great feature that only some disassemblers have but Hopper does is the ability to convert machine code into pseudocode for easier readability. This can be done by using the button shown in the screenshot below.

Screen Shot 2022-12-28 at 3.28.26 PM

As you convert the machine code to make it easier to read, you can start to understand the logic behind the methods you are investigating, it can take further analysis depending on the application and the complexity, but this is a great start to get you taking a look at some iOS application reversing within Hopper.

Screen Shot 2022-12-28 at 3.30.04 PM-1

 

Conclusion

Reverse engineering is a complex topic with a large variety of tools, applications and analysis that needs to be completed. The goal of this blog post was to give you a quick overview of some of the tools that can be utilized, how they can be used and to start looking deeper into disassemblers. 

Keep an eye out for future blog posts where we will dig deeper into code modification after reversing, dynamic code changes using Frida and the ability to leverage Corellium to speed up the process.


Keep reading

Thoughts, stories and ideas from the Corellium team.

Keep reading

Thoughts, stories and ideas from the Corellium team.

View all posts

Subscribe to stay connected

Stay up to date with the latest news and announcements.