There are several tools that decrypt iOS applications. Applications downloaded from the App Store are encrypted: the App Store only accepts properly signed apps, and Apple wraps the binary in FairPlay encryption when it is distributed, so to get a usable .ipa from the device for further analysis you need a tool that dumps the decrypted code. There are several such tools available now (October 2020). I’ve prepared a simple overview of the differences and how they work.
I’ve taken a single application (in my case it was Bear) and decrypted it using several different tools. frida-ios-dump and CrackerXI+ had the same output (md5 matches), Clutch had a difference in several bytes.
For installation steps, possible issues and usage see here.
frida-ios-dump: for installation steps refer to the official website or this database; for usage see here. It launches the application, lets iOS decrypt it in memory, and copies the decrypted image out. It requires frida-server running on the mobile device and frida installed on the host.
Clutch: for installation and usage see here. Works on its own (no host-side component). Doesn’t launch the application. Doesn’t decrypt everything. Also, I couldn’t properly install the latest version. Probably decrypts the code statically rather than dumping it from memory.
To ensure that the binary was decrypted, I ran:
rabin2 -I [my_decrypted_binary] | grep "crypto"
rabin2 -I [my_encrypted_binary] | grep "crypto"
Here [my_decrypted_binary] is the Clutch output at /var/tmp/clutch/GUID/[Bundle_name]/bundle_name and [my_encrypted_binary] is the original binary from the installed app bundle. In my case, rabin2 (rabin usage here and here) detected both as valid Mach-O files (Mach-O is the macOS/iOS equivalent of PE on Windows). The encrypted binary reports crypto true, while the decrypted one reports crypto false: the dumping tools zero the cryptid field of LC_ENCRYPTION_INFO when they write the dump, and that field is what rabin2’s crypto flag reflects.
NB! The strings appear to be unencrypted, so you can retrieve them with rabin2 -z [my_encrypted_binary]. The compilation flags reported by rabin2 -I (canary, pic, nx and so on) are not affected either: FairPlay encrypts only the byte range given by cryptoff/cryptsize in LC_ENCRYPTION_INFO, so the Mach-O header, the load commands and anything outside that range stay in the clear.
We can also open both binaries in the r2 disassembler to see the difference:
r2 [my_decrypted_binary] # can be disassembled
r2 [my_encrypted_binary] # can't be disassembled
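The rabin2 check above boils down to one field in the Mach-O load commands. As an added example (not from the original post and not code from any of the tools discussed), here is a small Python script that reads LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 directly, so you can verify a dump without radare2 and can see the cryptoff/cryptsize range as well. It handles both thin and fat (universal) files. The sample binaries it builds are constructed in the script: they contain only a header and the encryption load command, and the cputype, cryptoff and cryptsize values are placeholders, not values from a real app.

```python
# Added example: check the cryptid field of LC_ENCRYPTION_INFO(_64) in a Mach-O
# file, which is what rabin2's "crypto" flag reports.  Not from the original post.
import struct
import sys

MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O (little-endian on iOS)
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE           # fat/universal header, always big-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def _parse_thin(data, base=0):
    """Walk the load commands of one Mach-O slice starting at `base`.
    Returns {'cryptoff', 'cryptsize', 'cryptid'} or None if the slice has no
    encryption load command at all (e.g. a binary that never went through FairPlay)."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        header_size = 32             # mach_header_64 is 8 x uint32
    elif magic == MH_MAGIC:
        header_size = 28             # mach_header is 7 x uint32
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    ncmds, = struct.unpack_from("<I", data, base + 16)   # same offset in both headers
    off = base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both variants: cmd, cmdsize, cryptoff, cryptsize, cryptid (+ pad in _64)
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def encryption_info(data):
    """One (slice_offset, info) tuple per architecture slice in the file."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        slices = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _, _, offset, _, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append((offset, _parse_thin(data, offset)))
        return slices
    return [(0, _parse_thin(data, 0))]


def is_encrypted(data):
    """True if any slice still has cryptid != 0, i.e. the dump is not usable yet."""
    return any(info is not None and info["cryptid"] != 0
               for _, info in encryption_info(data))


def build_sample(cryptid):
    """Constructed 64-bit Mach-O with a single LC_ENCRYPTION_INFO_64 and no code.
    cputype 0x0100000C (ARM64) and the 0x4000/0x8000 crypt range are placeholders."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc


def build_fat_sample(cryptids):
    """Constructed fat file wrapping one thin sample per cryptid, each slice padded
    to 4 KiB so the offsets in the fat_arch table are page aligned."""
    thins = [build_sample(c) for c in cryptids]
    archs, body = b"", b""
    for thin in thins:
        offset = 0x1000 + len(body)
        archs += struct.pack(">IIIII", 0x0100000C, 0, offset, len(thin), 12)
        body += thin + b"\0" * (0x1000 - len(thin))
    header = struct.pack(">II", FAT_MAGIC, len(thins)) + archs
    return header + b"\0" * (0x1000 - len(header)) + body


if __name__ == "__main__":
    # usage: python3 check_cryptid.py <mach-o file> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        for offset, info in encryption_info(blob):
            print("%s @0x%x: %s" % (path, offset, info or "no LC_ENCRYPTION_INFO"))
        print("%s: %s" % (path, "ENCRYPTED" if is_encrypted(blob) else "decrypted"))
```

Run it against both the Clutch output and the original binary from the app bundle; a correct dump shows cryptid 0 for every slice, while the original shows cryptid 1 together with the cryptoff/cryptsize range that FairPlay covers. A dump with no LC_ENCRYPTION_INFO at all is also fine (some tools strip the command), which is why the script distinguishes "no command" from "cryptid != 0".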
CrackerXI+: also launches the app and reads it from RAM, like frida-ios-dump. GUI-based and uses bfinject. Might fail sometimes.
⚠️ I’ve also noticed weird behaviour: after decryption the application might start crashing and require reinstalling (which doesn’t always work).