📚 Decrypting iOS Applications

Created: 01.10.2020

There are several tools available that perform decryption of iOS applications. iOS applications that are downloaded from AppStore are encrypted. AppStore simply won’t allow to upload an app without proper signature and encryption. To get .ipa from the device for further analysis one needs a tool. There are several tools available now (October, 2020). I’ve prepared a simple overview of the differences and how they work.

I’ve taken a single application (in my case it was Bear) and decrypted it using several different tools. Frida-is-dumo and CrackerXI+ had the same output (md5 matches), clucth had a difference in several bytes.

On installation steps, possible issues and usage see here.

Frida-ios-dump

For installation steps refer to the official website or this database. For usage see here. Loads the application into RAM and copies it. Requires frida-server running on mobile device and frida installed on the host.

Clutch

For installation and usage see here. Works on its own. Doesn’t laucnch the application. Doesn’t decrypt everything. Also couldn’t properly install the latest version. Probably decrypts the code statically, not dumping from memory.

To ensure that the binary was decrypted, I ran:

rabin2 -I [my_decrypted_binary] | grep "crypto"
rabin2 -I [my_encrypted_binary] | grep "crypto"

The first one is /var/tmp/clutch/GUID/[Bundle_name]/bundle_name and the second is /var/containers/Bundle/Application/[GUID]/[Bundle_name]/bundle_name.

In my case, rabin2 (rabin usage here and here) detected both to be valid Mach-O files (which is an equivalent to PE on Windows systems) and the first one was crypto true while the second - crypto false.

NB! The strings appear to be unencrypted. So, you can retrieve strings with rabin2 -z [my_encrypted_binary] . Also, the compilation flags are not affected.

Also, we can test with r2 disassembler to see whether there was any difference.

r2 [my_decrypted_binary] # can be disassembled
r2 [my_encrypted_binary] # can't be disassembled

CrackerXI+

Also launches and reads from RAM, like frida-ios-dump. GUI-based and uses bfinject. Might fail sometimes.

⚠ïļ I’ve also noticed weird behaviour: after decryption this application might start crashing and require reinstalling (which doesn’t always work).