During forensic analysis it’s not unusual to run into a suspicious application. In this article I’m going to learn how to reverse engineer iOS applications.
First, we need to get the IPA file from the device. There are several ways to do so (see BTFM and RTFM). Here I’m going to use the easiest one:
ipainstaller -i $(ipainstaller -l | grep -i [package_partial_name]) | grep Bundle   # on the device: prints the .app path
scp -r root@[device_ip]:/path/to/Bundle/ .   # on the analysis host: -r because the bundle is a directory
Note that this method only works if the application was not downloaded from the App Store, because applications installed that way are encrypted; to get the code one needs to dump it decrypted from memory (frida-ios-dump.py with frida-server) or decrypt it statically ().
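The same pull, written as a small script so the selection step cannot silently match several apps. This is an added example, not code from the article; it assumes ipainstaller is present on the device and reachable over SSH as root, that `ipainstaller -l` prints one bundle identifier per line, and that `ipainstaller -i <identifier>` prints `Key: value` lines including the `Bundle:` line the grep above relies on. The sample outputs inside the script are constructed, not captured from a device.

```python
"""Pull an installed app's bundle directory from a jailbroken iOS device.

Added example, not code from the article. Assumptions (not stated on the page):
  * ipainstaller is installed on the device and reachable over SSH as root;
  * `ipainstaller -l` prints one bundle identifier per line;
  * `ipainstaller -i <identifier>` prints "Key: value" lines, one of which is
    "Bundle: <path to the .app directory>" (the line the article greps for).
"""
import re
import shlex
import subprocess
from typing import List

# Constructed sample outputs used by the offline demo; not captured from a device.
SAMPLE_LISTING = """\
com.apple.mobilesafari
com.example.Suspicious
com.example.SuspiciousWidget
"""

SAMPLE_INFO = """\
Identifier: com.example.Suspicious
Name: Suspicious
Version: 1.2.3
Bundle: /private/var/containers/Bundle/Application/00000000-1111-2222-3333-444444444444/Suspicious App.app
Data: /private/var/mobile/Containers/Data/Application/55555555-6666-7777-8888-999999999999
"""


def select_identifier(listing: str, partial: str) -> str:
    """Return the single bundle identifier containing `partial` (case-insensitive).

    `grep -i` would pass every matching line on to `ipainstaller -i`; here
    zero or several matches are errors, so the wrong app is never pulled.
    """
    matches = [ln.strip() for ln in listing.splitlines()
               if ln.strip() and partial.lower() in ln.lower()]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one match for {partial!r}, got {matches}")
    return matches[0]


def parse_bundle_path(info_output: str) -> str:
    """Extract the .app path from the 'Bundle:' line of `ipainstaller -i` output."""
    for ln in info_output.splitlines():
        m = re.match(r"^\s*Bundle:\s*(/.*?)\s*$", ln)
        if m:
            return m.group(1)
    raise ValueError("no 'Bundle:' line in ipainstaller output")


def build_scp_command(device_ip: str, bundle_path: str, dest: str = ".") -> List[str]:
    """argv that copies the whole .app directory (-r, since it is a directory).

    The remote path is expanded by the device's shell, so it is quoted for it
    (bundle names may contain spaces). The trailing slash is dropped so the
    .app directory itself, not only its contents, lands in `dest`.
    """
    remote = shlex.quote(bundle_path.rstrip("/"))
    return ["scp", "-r", f"root@{device_ip}:{remote}", dest]


def pull_bundle(device_ip: str, partial: str, dest: str = ".") -> List[str]:
    """Run the three steps against a real device (needs SSH access as root)."""
    ssh = ["ssh", f"root@{device_ip}"]
    listing = subprocess.check_output(ssh + ["ipainstaller", "-l"], text=True)
    ident = select_identifier(listing, partial)
    info = subprocess.check_output(ssh + ["ipainstaller", "-i", ident], text=True)
    cmd = build_scp_command(device_ip, parse_bundle_path(info), dest)
    subprocess.check_call(cmd)
    return cmd


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    ident = select_identifier(SAMPLE_LISTING, "suspiciouswidget")
    print("selected:", ident)
    print("scp argv:", build_scp_command("[device_ip]", parse_bundle_path(SAMPLE_INFO)))
    try:
        select_identifier(SAMPLE_LISTING, "suspicious")  # matches two apps
    except ValueError as err:
        print("refused:", err)
```

Run it with no arguments to see the offline walk-through; `pull_bundle("[device_ip]", "suspiciousw", "./evidence")` performs the real pull.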
When installed on the device, the *.ipa is unzipped into a corresponding folder. These are its contents:

    Payload
    Payload/Application.app
    iTunesArtwork
    iTunesMetadata.plist
    WatchKitSupport/WK

The *.ipa’s Payload is made of:

    MyApp - Application (the main executable)
    Info.plist
    Launch images
    MainWindow.nib
    Settings.bundle
    Project folders language.lproj:
        Base.lproj - for storyboards
        en.lproj - for English strings
        de.lproj - for German strings
Info.plist contains configuration information for the application, such as its bundle ID, version number, and display name.
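Reading those keys out of a pulled bundle, as an added example that is not code from the article. It uses only the standard library; plistlib detects XML and binary plists automatically, which matters because Info.plist files in bundles pulled from a device are usually the binary form. It goes slightly beyond the keys named above by also reporting the executable name, the minimum OS version and any registered URL schemes. The sample plist is constructed, not taken from a real app.

```python
"""Summarize an app bundle's Info.plist with the standard library.

Added example, not code from the article. plistlib reads both XML and
binary plists; bundles pulled from a device usually carry the binary form.
The sample plist below is constructed, not taken from any real app.
"""
import plistlib
from pathlib import Path
from typing import Any, Dict

# Keys an analyst reads first. The article names bundle ID, version and
# display name; executable, minimum OS version and URL schemes are added here.
KEYS = (
    "CFBundleIdentifier",
    "CFBundleDisplayName",
    "CFBundleName",
    "CFBundleShortVersionString",  # marketing version, e.g. 1.2.3
    "CFBundleVersion",             # build number
    "CFBundleExecutable",          # name of the Mach-O inside the .app
    "MinimumOSVersion",
)

# Constructed sample Info.plist (XML form).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.suspicious</string>
  <key>CFBundleName</key><string>Suspicious</string>
  <key>CFBundleShortVersionString</key><string>1.2.3</string>
  <key>CFBundleVersion</key><string>42</string>
  <key>CFBundleExecutable</key><string>Suspicious</string>
  <key>MinimumOSVersion</key><string>12.0</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLSchemes</key>
      <array><string>suspicious</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def summarize_info_plist(data: bytes) -> Dict[str, Any]:
    """Return the selected keys plus derived fields from raw plist bytes."""
    plist = plistlib.loads(data)  # XML or binary; format is auto-detected
    summary = {key: plist.get(key) for key in KEYS}
    # CFBundleDisplayName is optional; CFBundleName is the usual fallback.
    summary["display_name"] = plist.get("CFBundleDisplayName") or plist.get("CFBundleName")
    # Custom URL schemes are an entry point reachable from other apps; list them.
    schemes = []
    for url_type in plist.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    summary["url_schemes"] = schemes
    return summary


def summarize_bundle(app_dir: Path) -> Dict[str, Any]:
    """Same, for an unpacked .app directory such as Payload/Application.app."""
    return summarize_info_plist((app_dir / "Info.plist").read_bytes())


def to_binary(data: bytes) -> bytes:
    """Re-encode a plist as bplist00, to show the reader handles both forms."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for key, value in summarize_info_plist(SAMPLE_PLIST).items():
        print(f"{key:28} {value}")
    # Binary form gives the same summary:
    assert summarize_info_plist(to_binary(SAMPLE_PLIST)) == summarize_info_plist(SAMPLE_PLIST)
```

On a real pull, `summarize_bundle(Path("Payload/Application.app"))` does the same for the bundle you copied with scp.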