By: Lenar Safin, Yaroslav Alexandrov, Egor Fominykh, Alexander Chernov

Scheduled on: January 29 at 10:00

The main goal of our work is to find out a sensible way to detect vulnerabilities in binary iOS applications. We present a new fully featured toolset, that constitutes a decompiling and analyzing engine, targeting ARM/AArch64 programs, particularly iOS applications. In general, the analysis workflow consists of four steps:

  • Downloading and decrypting an iOS application from AppStore. We introduce the iOS-crack engine that is capable of automatic downloading, decrypting and dumping memory of AppStore applications using a jailbroken device.
  • Decompiling the iOS application. The toolset is capable of carrying out a completely automated analyses of binary programs, using the LLVM as the intermediate representation language. Unlike known binary code to LLVM translation tools, our decompilation tool aims at a high-level program semantics reconstruction. That is: program CFG reconstruction, advanced analysis and propagation of memory objects and stack pointer tracking, data types reconstructions, program data model construction. Almost all iOS application are written in Objective-C or Swift, so we also take care about precise types reconstruction and use the runtime types information in decompilation process.
  • Static analysis of the iOS application. We introduce our static analysis framework that is able to find all common vulnerabilities of mobile applications, especially iOS applications.
  • Representation of analysis results. The toolset is able to produce a human-readable pseudocode representation of the source binary. During the presentation we will demonstrate our analysis engine in action. We will show real-world examples of the most common security flaws and how they can be found.