Introduction
Reverse engineering in iOS testing is the process of analyzing compiled iOS applications to uncover their internal workings, hidden functionalities, potential vulnerabilities, and how they interact with other systems. This process helps ethical hackers, app auditors, and security researchers understand and secure iOS mobile apps more effectively.
🧠 Core Concepts
- IPA: iOS App Archive - the package format of iOS apps
- Mach-O: Executable binary format used in iOS
- Class-dump: Tool to extract Objective-C class headers from binaries
- Obfuscation & Anti-Reversing: Techniques used by developers to hinder reverse engineering
🛠️ Environment Setup
To reverse engineer iOS apps, you'll need the following:
- macOS or a virtual macOS environment
- Jailbroken iOS device (checkra1n is one jailbreak tool) or a virtualized iOS device such as Corellium
- Tools: class-dump, Hopper Disassembler, Frida, Cycript, Ghidra
🔬 Step-by-Step Guide
Step 1: Obtain the .ipa File
Download the app from the App Store using tools like Apple Configurator 2, or extract it from a jailbroken device using scp.
Step 2: Unpack the IPA
unzip AppName.ipa -d AppFolder/
cd AppFolder/Payload/
This reveals the app binary (usually named after the app) inside the Payload directory.
Step 3: Analyze with class-dump
Extract Objective-C class structures:
class-dump -H AppName -o headers/
Step 4: Disassemble the Binary
Load the binary in Hopper, Ghidra, or IDA Pro to explore functions, string references, and control flow.
Step 5: Dynamic Analysis with Frida
frida -U -n AppName -l inject.js
This allows you to hook into live processes and manipulate memory or bypass security controls.
💡 Real-World Examples
🔓 Example: Bypassing Jailbreak Detection
// Jailbreak check code in Objective-C (disassembled)
if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"]) {
    return YES;
}
Using Frida, you can override this logic at runtime:
// Hook -[NSFileManager fileExistsAtPath:] itself rather than every objc_msgSend call.
// For an ObjC method, args[0] = self, args[1] = selector, args[2] = the NSString* path.
var fileExistsAtPath = ObjC.classes.NSFileManager['- fileExistsAtPath:'];
Interceptor.attach(fileExistsAtPath.implementation, {
    onEnter: function (args) {
        // args[2] is an NSString object, not a C string, so wrap it instead of reading raw bytes
        var path = new ObjC.Object(args[2]).toString();
        this.spoof = path.indexOf("Cydia.app") !== -1;
    },
    onLeave: function (retval) {
        if (this.spoof) {
            retval.replace(ptr(0)); // return NO: the jailbreak artefact "does not exist"
        }
    }
});
🚀 Pro Tips
- Always verify IPA files are untampered – some may be encrypted with FairPlay
- Use otool to inspect Mach-O headers and loaded libraries
- Look for hardcoded API keys or secrets in strings or plist files
- Cross-reference class dumps with app screens to identify handlers or logic
- Use frida-trace to automatically generate hookable traces of key functions
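As an added example (not code from the original post), the following Python script does programmatically what the otool tip above describes: it walks the Mach-O header and load commands of the app binary unpacked in Step 2, reports whether the __TEXT segment is still FairPlay-encrypted (the cryptid field of LC_ENCRYPTION_INFO_64, which is why class-dump and disassemblers see ciphertext on an undecrypted App Store binary) and lists the dylibs it links. The image it parses is a minimal arm64 Mach-O constructed inline for the demonstration, not a real app.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit little-endian Mach-O, as used on arm64 iOS
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO_64 = 0x2C


def inspect_macho(data):
    """Return {'encrypted': bool, 'dylibs': [...]} for a 64-bit Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (magic=0x%08X)" % magic)
    result = {"encrypted": False, "dylibs": []}
    off = 32  # mach_header_64 is 32 bytes; load commands follow immediately
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_ENCRYPTION_INFO_64:
            # cryptid != 0 means __TEXT is still FairPlay-encrypted: class-dump
            # and disassemblers will see ciphertext until the app is decrypted
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            result["encrypted"] = cryptid != 0
        elif cmd == LC_LOAD_DYLIB:
            # dylib_command: the name is an lc_str offset relative to the command start
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            result["dylibs"].append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return result


# --- constructed sample image (not a real app binary) -----------------------
def _lc_load_dylib(name):
    s = name.encode() + b"\0"
    s += b"\0" * (-len(s) % 8)  # load commands are padded to 8-byte multiples
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(s), 24, 2, 0x10000, 0x10000) + s

def _lc_encryption_info_64(cryptid):
    return struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)

def build_sample(cryptid=1):
    cmds = _lc_encryption_info_64(cryptid) + _lc_load_dylib("/usr/lib/libsqlite3.dylib")
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    print(inspect_macho(build_sample()))
```

To run it against a real binary, read the file with `open(path, "rb").read()` and pass the bytes to `inspect_macho`; a FAT (multi-architecture) file or a 32-bit slice is rejected with a ValueError rather than misparsed.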
🧰 Tools You Should Know
- class-dump – Extract Objective-C headers
- Ghidra – Open-source reverse engineering suite
- Frida – Dynamic instrumentation toolkit
- Hopper Disassembler
- Cycript