iOS Reverse Engineering

Created: 09.10.2020

During forensic analysis it’s not rare to run into a suspicious application. In this article I’m going to learn how to reverse engineer iOS applications.

Analysis flow

First, we need to get the IPA file from the device. There are different ways to do so (please refer to BTFM and RTFM). Here I’m going to use the easiest one: look up the app’s Bundle path on the jailbroken device, then copy the whole bundle directory over SSH:

ipainstaller -i $(ipainstaller -l | grep -i lassen) | grep Bundle

# the bundle is a directory, so scp needs -r to copy it recursively
scp -r root@[device_ip]:/path/to/Bundle/ .

Then open the Bundle folder on the PC and look for Info.plist. Let’s find all keys that start with NS and end with UsageDescription (the permission prompts the app may show the user):

cd *.ipa/[package_name].app
grep 'UsageDescription' Info.plist -A1

You should see something like this:

<key>NSPhotoLibraryUsageDescription</key>
	<string>You can choose a profile picture from your photo library</string>
	<key>NSPhotoLibraryAddUsageDescription</key>
	<string>Allow Kindle to access your photos to save images.</string>
--
	<key>NSCameraUsageDescription</key>
	<string>Kindle would like to access the camera</string>
--
	<key>NSAppleMusicUsageDescription</key>
	<string>We use this to play audio in certain interactive books or magazines</string>

Inspect the application and make sense of all its entitlements. Why, for example, does the Kindle application need access to my camera? Maybe to set an avatar. And what if it were a simple game? Either way, always check this, since it might be an indication of a malicious application (although it’s very hard to get one uploaded to the App Store, it’s still possible; besides, there are ways to sideload applications).

Entitlements

Here is an article that contains a section about iOS entitlements.

To decode a certificate:

openssl x509 -in certificate.crt -text -noout

Extract the XML from Info.plist (three alternatives: binwalk, radare2, or a plain grep against the binary on the device):

binwalk -e -y=xml ./Telegram\ X
r2 -qc 'izz~PropertyList' ./Telegram\ X
grep -a -A 5 'PropertyList' \
    "/var/containers/Bundle/Application/15E6A58F-1CA7-44A4-A9E0-6CA85B65FA35/Telegram X.app/Telegram X"

Custom URL schemes and universal links (look for the openURL handlers in the binary):

rabin2 -zq Telegram\ X.app/Telegram\ X | grep openURL
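The grep commands above work, but they are easy to misread on a long Info.plist, and they don't catch a usage description that is present but empty. The following is an added example (not code from the original article or from any tool it mentions) that parses Info.plist properly with Python's plistlib and reports the two things this page is looking for: every NS*UsageDescription key with its justification string, and the custom URL schemes registered under CFBundleURLTypes. The sample plist embedded in the script is constructed for the example; the bundle id, strings and schemes in it are not from any real app. Universal links are declared in the app's entitlements (associated domains), not in Info.plist, so this script only covers the custom-scheme half of that check.

```python
import json
import plistlib
import re
import sys

# Constructed sample Info.plist for this example (not from a real app).
# It carries the kinds of keys the grep commands above look for.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sampleapp</string>
    <key>NSPhotoLibraryUsageDescription</key>
    <string>You can choose a profile picture from your photo library</string>
    <key>NSCameraUsageDescription</key>
    <string>Sample would like to access the camera</string>
    <key>NSLocationAlwaysUsageDescription</key>
    <string></string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key>
            <string>com.example.sampleapp</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>sampleapp</string>
                <string>sample-auth</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""

# Same pattern the article greps for: keys starting with NS, ending in UsageDescription.
USAGE_KEY = re.compile(r"^NS\w+UsageDescription$")


def load_plist(data: bytes) -> dict:
    """Parse plist bytes; plistlib detects XML vs. binary plist automatically."""
    return plistlib.loads(data)


def usage_descriptions(info: dict) -> dict:
    """Return {key: justification} for every NS*UsageDescription string key."""
    return {k: v for k, v in info.items() if USAGE_KEY.match(k) and isinstance(v, str)}


def empty_justifications(info: dict) -> list:
    """Keys whose justification is blank: access requested with no explanation to the user."""
    return sorted(k for k, v in usage_descriptions(info).items() if not v.strip())


def url_schemes(info: dict) -> list:
    """Custom URL schemes the app registers (CFBundleURLTypes -> CFBundleURLSchemes)."""
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return sorted(set(schemes))


def triage(data: bytes) -> dict:
    """Summarise the permission prompts and URL schemes declared in an Info.plist."""
    info = load_plist(data)
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "usage_descriptions": usage_descriptions(info),
        "empty_justifications": empty_justifications(info),
        "url_schemes": url_schemes(info),
    }


if __name__ == "__main__":
    # Usage: python triage_plist.py [path/to/Info.plist]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_INFO_PLIST
    print(json.dumps(triage(data), indent=2))
```

Run it against the Info.plist inside the .app directory you copied from the device; because plistlib reads binary plists too, it also works on the compiled Info.plist found in App Store builds, where the grep approach above would need a `plutil -convert xml1` step first.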