Documentation: App Analysis



Performing an Analysis of the Application Binary

idb’s remaining functions become available only after the application binary has been analyzed, which is triggered by clicking the ‘Analyze Binary’ button. This downloads the decrypted application binary and performs some basic analysis to extract the following information:

  • Encryption: Is a segment of the app marked as encrypted?
  • Cryptid: If so, which cryptid is assigned to that segment?
  • PIE: Is the application compiled as a Position-Independent Executable (PIE), and does it therefore benefit from ASLR?
  • Stack Canaries: Are stack canaries enabled for the application?
  • ARC: Does the application use Automatic Reference Counting (ARC)?

If the application binary is encrypted, idb uses Stefan Esser’s dumpdecrypted to decrypt it before downloading and analyzing it.

Application Binary Details

Application Binary

Once “Analyze App Binary” has been clicked and the analysis has completed, the “Application Binary” tab becomes fully active. It provides three functions: displaying shared libraries, displaying strings, and extracting class signatures and functions.

Shared Libraries

The “Shared Libraries” tab allows you to list all the external libraries the app references. This makes it easy to spot any suspicious frameworks the app may be using. Internally, idb uses otool to analyze the binary. Since idb runs otool on the host, this is an OS X-only feature at this point. There are plans to move the analysis onto the device, which will make the feature available on other host platforms as well.

Listing Shared Libraries
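The checks listed under “Performing an Analysis of the Application Binary” and the shared-library listing above can both be reproduced from the Mach-O load commands themselves. The following Python script is an added example and is not part of idb: it reads the PIE flag from a thin 64-bit Mach-O header, takes the cryptid from the LC_ENCRYPTION_INFO command, collects LC_LOAD_DYLIB paths and flags those outside the system library prefixes, and approximates the stack-canary and ARC checks by searching the raw bytes for the imported symbol names that otool would list. The image it analyzes is constructed by build_sample() and is not loadable; the @rpath framework path in it is invented.

```python
import struct

# Mach-O constants as defined in <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
MH_PIE = 0x200000            # header flag: image may be loaded at a random base (ASLR)
CPU_TYPE_ARM64 = 0x0100000C
LC_LOAD_DYLIB = 0xC
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C

SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")


def analyze_macho(data: bytes) -> dict:
    """Report the facts idb's binary analysis shows, plus the linked libraries.

    Only a single (thin) little-endian 64-bit Mach-O is handled; FAT images and
    32-bit slices are out of scope for this example.
    """
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, flags, _res = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    result = {"pie": bool(flags & MH_PIE), "encrypted": False, "cryptid": None,
              "dylibs": [], "non_system_dylibs": []}
    off = 32                                      # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            result["cryptid"] = cryptid
            result["encrypted"] = cryptid != 0    # cryptid 0 means the segment is not encrypted
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # lc_str offset
            start = off + name_off
            name = data[start:data.index(b"\x00", start)].decode()
            result["dylibs"].append(name)
            if not name.startswith(SYSTEM_PREFIXES):
                result["non_system_dylibs"].append(name)
        off += cmdsize
    # Canary and ARC detection are heuristics: the import names otool would report
    # are searched for in the raw bytes instead of walking LC_SYMTAB.
    result["stack_canaries"] = b"___stack_chk_guard" in data or b"___stack_chk_fail" in data
    result["arc"] = b"_objc_release" in data or b"_objc_retain" in data
    return result


def _dylib_cmd(path: str) -> bytes:
    """Encode one LC_LOAD_DYLIB command (constructed; version fields are arbitrary)."""
    body = path.encode() + b"\x00"
    body += b"\x00" * (-len(body) % 8)            # load commands are 8-byte aligned
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(body), 24, 2, 0x10000, 0x10000) + body


def build_sample(pie: bool, cryptid: int, canaries: bool, arc: bool, dylibs) -> bytes:
    """Construct a minimal, non-loadable Mach-O image for the analyzer to run on."""
    cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    cmds += b"".join(_dylib_cmd(d) for d in dylibs)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1 + len(dylibs), len(cmds), MH_PIE if pie else 0, 0)
    strtab = b""                                  # stands in for the symbol string table
    if canaries:
        strtab += b"___stack_chk_fail\x00"
    if arc:
        strtab += b"_objc_release\x00"
    return header + cmds + strtab


if __name__ == "__main__":
    # Invented library paths; "@rpath/Analytics.framework/Analytics" is the kind of
    # third-party framework the "Shared Libraries" tab is meant to surface.
    sample = build_sample(pie=True, cryptid=1, canaries=True, arc=False,
                          dylibs=["/usr/lib/libSystem.B.dylib",
                                  "@rpath/Analytics.framework/Analytics"])
    for key, value in analyze_macho(sample).items():
        print(f"{key}: {value}")
```

On a real decrypted binary pulled from a device, read the file into `data` and call analyze_macho() on it; a cryptid of 0 after dumpdecrypted has run is the expected result, and a non-empty non_system_dylibs list is the starting point for the framework review the tab is intended for.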

Strings

Application binaries frequently include data of interest such as API keys, credentials, encryption keys, URLs, etc. The strings tab extracts all strings from the (decrypted!) application binary and displays them directly in the UI.

Strings
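A minimal version of the strings extraction, with a first pass at triaging its output, as an added example that is not idb’s own code: it mimics `strings -n 6` over a constructed byte blob standing in for a slice of a decrypted binary, then sorts the results into URLs, strings carrying key/secret/token/password-style labels, and long high-entropy tokens worth a closer look. The sample URL, key and token values are invented, and the entropy threshold and minimum token length are assumptions you will want to tune.

```python
import math
import re

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
SECRET_WORDS = ("key", "secret", "token", "password", "passwd")

# Constructed stand-in for part of a decrypted application binary; every value
# in it is invented for this example.
SAMPLE = (
    b"\x00\x00\x01\xfe"
    b"https://api.example.invalid/v1/session\x00"
    b"\x02\x03"
    b"api_key=c3VwZXJzZWNyZXQtZXhhbXBsZS12YWx1ZQ\x00"
    b"ok\x00"                                   # shorter than min_len, not reported
    b"NSObject\x00"
    b"Q2FuWW91UmVhZFRoaXM_Tm90UmVhbGx5QUtleQ\x00"
    b"\xff\xfe"
)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return every run of at least min_len printable ASCII bytes (like `strings -n`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys and tokens score high."""
    length = len(s)
    return -sum((s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s))


def classify(strings, min_token_len: int = 20, entropy_threshold: float = 4.0) -> dict:
    """Sort extracted strings into review buckets; each string lands in at most one."""
    findings = {"urls": [], "secret_like": [], "high_entropy": []}
    for s in strings:
        if URL_RE.match(s):
            findings["urls"].append(s)
        elif any(word in s.lower() for word in SECRET_WORDS):
            findings["secret_like"].append(s)
        elif len(s) >= min_token_len and " " not in s and shannon_entropy(s) > entropy_threshold:
            findings["high_entropy"].append(s)
    return findings


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    print(f"{len(found)} strings of length >= 6")
    for bucket, items in classify(found).items():
        for item in items:
            print(f"[{bucket}] {item}")
```

The buckets are a triage aid, not a verdict: a high-entropy token is just as often a hash or a base64-encoded resource as a credential, so each hit still needs to be traced to where the binary uses it.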

Class and Method Signature Dumping

When reversing, instrumenting (e.g., using Cycript or Mobile Substrate), or simply trying to understand an app, knowing all of the classes and method signatures of the app is of great help. idb provides a convenient way for obtaining these from compiled iOS applications. Under the hood, this function uses cycript and the weak_classdump script by Elias Limneos. To use this, simply click the “Dump Classes” button in idb while the device is unlocked.

Note: Since iOS 8 there appears to be an issue with running weak_classdump. A better solution that works across platforms is in progress.

Weak Classdump

This launches the app with cycript attached and dumps all of the class information. Depending on the size of the application, this process can take up to several minutes. There is no visual feedback while the class information is being dumped, but the device plays the “locking” sound once the dump is complete. In rare instances the app may crash during this process, which can leave the class dump incomplete.

Please wait

At any time during the process, the “List Results” button can be used to retrieve all of the class information collected so far. To obtain the full list, wait until weak_classdump has finished executing. The results will look similar to this:

Classdump Results