Not able to disassemble iOS Banking app
I use Hopper Disassembler to disassemble iOS apps. It works fine for most apps.

However, today I got curious about a banking app, so I tried to disassemble it. I moved the app from my jailbroken device to my Mac, and when I tried to disassemble it with Hopper it just gives me some useless stuff.


Why is this happening? Is the binary of this banking app encrypted? If yes then how can I decrypt it?

What exactly do they do to obfuscate the code? How does their code differ from other applications' code?

I used iFunbox to get the executable of the app from my iPhone to my Mac. All apps exported in this way have no problem while disassembling, so I think iFunbox does DRM removal. Only this particular banking app doesn't work.

I even tried class-dump and it gave me only one file, named CDStructures.h, with nothing in it.

Ringworm answered 4/6, 2017 at 13:6

Given that it's a banking app the code might be obfuscated in some way. - Lying
What exactly do they do to obfuscate the code? Is there any way to view the actual assembly instructions? How does their code differ from other applications' code? I even tried class-dump and it gave me only one file, named CDStructures.h. - Ringworm
There are tools to obfuscate method names, e.g. using macros. They could also just use C. Without seeing the app it's a bit hard to say. - Remanent

You need to remove the iOS app encryption (called FairPlay). Since you have a jailbroken device, you can do this. There is at least one tool for doing this.

If you are in doubt about whether the IPA is encrypted or not, you can use this command:

otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO

Also keep in mind that in some countries disassembling may be illegal.

Mariannamarianne answered 11/6, 2017 at 21:37

What is wrong with my answer? I don't see any information about removed FairPlay in the original question. - Mariannamarianne
I used iFunbox to get the executable of the app from my iPhone to my Mac. All apps exported in this way have no problem while disassembling, so I think iFunbox does DRM removal. Only this particular banking app doesn't work. - Ringworm
FairPlay seemed to be used to encrypt audio files (MP4) rather than applications. - Horologium
@JackG. all IPA files you install from the App Store are encrypted. You can't disassemble an app without removing FairPlay. - Mariannamarianne
@JohnTracid you are right, I ran otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO on the binary and it gave me: cmd LC_ENCRYPTION_INFO_64 cmdsize 24 cryptoff 16384 cryptsize 5619712 cryptid 1. Note that cryptid is non-positive so the app is encrypted and I have to decrypt the executable. For more info: iphonedevwiki.net/index.php/Crack_prevention - Ringworm
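As an added example (not code from this thread or from any of the tools named in it), the following Python script reads the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command directly out of the Mach-O headers, so the cryptoff/cryptsize/cryptid check above can be run on Linux or Windows against a binary copied off the device, without otool. It walks thin 32- and 64-bit images and fat (multi-architecture) files. The binaries it parses at the bottom are constructed fixtures (hand-packed headers reusing the cryptoff/cryptsize values quoted in the comment above), not a real app; the function and fixture names are this example's own.

```python
"""Report the FairPlay encryption state of a Mach-O binary by walking its load
commands: the same cryptoff/cryptsize/cryptid triple that
`otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO` prints on macOS."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # little-endian files
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE      # big-endian files
FAT_MAGIC = 0xCAFEBABE                               # fat header (always big-endian)
LC_UUID, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x1B, 0x21, 0x2C


def parse_thin(data, base=0):
    """Return (cryptoff, cryptsize, cryptid) for the Mach-O image starting at
    `base`, or None if the image carries no encryption-info load command."""
    magic, = struct.unpack_from("<I", data, base)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError("no Mach-O header at offset %#x" % base)
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    ncmds, = struct.unpack_from(endian + "I", data, base + 16)   # mach_header.ncmds
    off = base + (32 if is64 else 28)                            # sizeof(mach_header[_64])
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command at %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both layouts put cryptoff, cryptsize, cryptid right after the
            # generic (cmd, cmdsize) pair; the 64-bit form only adds padding
            return struct.unpack_from(endian + "III", data, off + 8)
        off += cmdsize
    return None


def encryption_info(data):
    """Map each architecture slice (keyed by its file offset) to its triple."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return {0: parse_thin(data, 0)}
    nfat, = struct.unpack_from(">I", data, 4)
    slices = {}
    for i in range(nfat):
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices[offset] = parse_thin(data, offset)
    return slices


def is_encrypted(data):
    """True if any slice has cryptid != 0, i.e. the code is still FairPlay-
    encrypted on disk and a disassembler will only see ciphertext."""
    return any(info is not None and info[2] != 0 for info in encryption_info(data).values())


# --- constructed fixtures (hand-packed headers, not real app binaries) ---

def build_sample(is64, cryptid, include_cmd=True):
    """Minimal Mach-O: header, an LC_UUID the walker has to skip over, and
    optionally an encryption-info command carrying the given cryptid."""
    cmds = struct.pack("<II", LC_UUID, 24) + bytes(range(16))
    if include_cmd and is64:
        cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 5619712, cryptid, 0)
    elif include_cmd:
        cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 4096, 65536, cryptid)
    ncmds = 2 if include_cmd else 1
    if is64:   # CPU_TYPE_ARM64, MH_EXECUTE
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    else:      # CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_EXECUTE
        hdr = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, ncmds, len(cmds), 0)
    return hdr + cmds


def build_fat(images):
    """Wrap thin images in a fat container. Real files page-align the slices;
    the parser only follows the stored offsets, so the fixture packs them
    back to back."""
    off, archs, body = 8 + 20 * len(images), b"", b""
    for img in images:
        cputype, cpusub = struct.unpack_from("<II", img, 4)
        archs += struct.pack(">IIIII", cputype, cpusub, off, len(img), 0)
        body += img
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


if __name__ == "__main__":
    # pass a real binary as argv[1]; otherwise inspect the constructed fat fixture
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fat(
        [build_sample(True, 1), build_sample(False, 0)])
    for offset, info in sorted(encryption_info(blob).items()):
        if info is None:
            print("slice @%#x: no LC_ENCRYPTION_INFO, nothing to decrypt" % offset)
        else:
            print("slice @%#x: cryptoff %d cryptsize %d cryptid %d -> %s" % (
                (offset,) + tuple(info) + ("encrypted" if info[2] else "decrypted",)))
```

A non-zero cryptid is the signal to look for: copying the file off the device (as iFunbox does) leaves that flag and the encrypted bytes exactly as the App Store shipped them, which is why the file-copy route works for unencrypted builds but not for this one, and why the decryption tools the answer refers to have to run on the jailbroken device itself.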

At the RSA show in SF (2017), I ran into a company that has a product for obfuscating iOS and Android code. They demoed a scenario where a webpage can jailbreak a handset without the user's knowledge and patch an application to send banking credentials to a third party whilst appearing to mostly work for the user. This presents enough of a weakness for there to be at least 2 tools on the market to deal with it (Arxan and Preemptive as far as a quick google yields). I was surprised by the sophistication level, but apparently it is an attack vector that is worth mitigating for companies with high value and high sensitivity ... like a banking app. Wouldn't surprise me at all if they were doing this.

Petrol answered 14/6, 2017 at 23:6