Mobile Application Security: The Apple iPhone - Development

1/13/2011 9:13:37 AM
Development for the iPhone is performed with Xcode and the iPhone SDK. Code can be run either within the emulator or on a development device. For some applications (for example, those using the Keychain), a physical device is required. Debugging is done within Xcode via gdb, although for jailbroken devices, a third-party gdb can be installed on the device itself for debugging any phone application.

Decompilation and Disassembly

Objective-C applications decompile fairly cleanly, if you have the right tools. Many Apple developers may be familiar with otool, which comes with the OS X developer tools. otool is a straightforward executable disassembler that can parse Mach-O type executables. otool has also been ported to ARM and is available via several sources. otool is very flexible; see otool(1) for details. Here’s a common usage:


In Cydia, the package that includes otool is Darwin CC Tools. We, of course, take no responsibility for anything bad that happens from running sketchy Cydia apps!

otool -toV /Applications/

Objective-C segment
Module 0x22b52c
version 7
size 16
symtab 0x0022c940
sel_ref_cnt 0
refs 0x00000000 (not in an __OBJC section)
cls_def_cnt 1
cat_def_cnt 0
Class Definitions
defs[0] 0x00204360
is a 0x0020a560
super_class 0x001a5f44 CALCanvasItem
name 0x001c6574 CALCanvasAttributedText
version 0x00000000
info 0x00000001 CLS_CLASS
instance_size 0x0000015c
ivars 0x00224300
ivar_count 13
ivar_name 0x001a54e2 _text
ivar_type 0x001a53d0
ivar_offset 0x0000012c
ivar_name 0x001a54e8
ivar_type 0x001a5940 c
ivar_offset 0x00000130
ivar_name 0x001a5502 _generalAttributes
ivar_type 0x001a665c @"NSMutableDictionary"
ivar_offset 0x00000134
ivar_name 0x001a66dc _fontName
ivar_type 0x001a6020 @"NSString"

ivar_offset 0x00000138
ivar_name 0x001a6034 _fontSize
<and much, much more>

Try running this on several OS X or iPhone binaries using grep to search for interesting strings.

For current versions of the iPhone OS (verified on 3.0), you can use the class-dump or class-dump-x tools (; also available in Cydia and in MacPorts for OS X) to get very readable information on class declarations and structs from Objective-C object code. You have the option of either installing the iPhone binary on a jailbroken device or running the binary under OS X. Because of the architectural difference between the phone and Intel Macs, you’ll need to run the tool against packages compiled for the iPhone simulator.

From the OS X Terminal (Applications | Utilities | Terminal), you can do the following:


For more information on using the Terminal under OS X, see

  class-dump-x /Developer/Platforms/iPhoneSimulator
.platform/Developer/ SDKs/iPhoneSimulator3.0.sdk/Applications
< snip >
protocol CALCanvasTextProtocol

- (id)attributes;
- (id)foregroundColor;
- (float)fontSize;
@protocol CALDetachmentDelegate
- (int) decideDetachmentFor:(id)fp8 withOccurrence:(id)fp12 ;
@protocol CALSubscribeOperationUIHandler
- (BOOL)acceptHandlingOfSubscribeCreationOperation:(id)fp8;
- (BOOL)handleSubscribeCreationErrorForOperation:(id)fp8;
- (id)displayStringForSubscribeCreationNotification:(id)fp8;
- (id)calendarIDOfSourceForOperation:(id)fp8;
- (id)handleSubscribeCreationPostDownloadForOperation:(id)fp8
autoRefreshChoices :(id)fp12;
@protocol CalControllerProtocolDelegate
- (void)selectNode:(id)fp8 checked:(int)fp12 ;
- (void)selectAndShowEntity:(id)fp8;
- (void)removeAllSelectedObjects;

As you can see, this code outputs declarations of the classes and protocols used by the Mobile Safari application. Of course, this is only useful if you’ve come across an x86-compiled iPhone app that you need to disassemble—which is not terribly likely, unless you’re trying to reverse-engineer the Apple-provided apps. For most cases, you’ll want to use a jailbroken phone and then ssh into the device to use the iPhone version of class-dump-x and/or otool.

Another tool that expands on the output of class-dump by resolving additional symbols is otx ( Although not runnable on the iPhone itself, otx is another tool that can give you some insight into what is visible when others are examining your applications. Listing 3-1 shows some otx output.

Listing 1. otx Output
-(BOOL)[NSString(NSStringExtras)  isFeedURLString]
+0 00003488 55 pushl %ebp
+1 00003489 89e5 movl %esp,%ebp
+3 0000348b 53 pushl %ebx
+4 0000348c 83ec14 subl $0x14,%esp
+7 0000348f 8b5d08 movl 0x08(%ebp),%ebx
+10 00003492 c744240844430700 movl $0x00074344,0x08(%esp)
+18 0000349a a180a00700 movl 0x0007a080,%eax
+23 0000349f 89442404 movl %eax,0x04(%esp)
+27 000034a3 891c24 movl %ebx,(%esp)
+30 000034a6 e850420800 calll 0x000876fb
-[(%esp,1) _web_hasCaseInsensitivePrefix:]
+35 000034ab 84c0 testb %al,%al
+37 000034ad 744b je 0x000034fa
+39 000034af c744240854430700movl $0x00074354,0x08(%esp) :
+47 000034b7 a184a00700 movl 0x0007a084,%eax
+52 000034bc 89442404 movl %eax,0x04(%esp)

+56 000034c0 891c24 movl %ebx,(%esp)
+59 000034c3 e833420800 calll 0x000876fb
-[(%esp,1) rangeOfString:]
+64 000034c8 3dffffff7f cmpl $0x7fffffff,%eax
+69 000034cd 742b je 0x000034fa
+71 000034cf 89442408 movl %eax,0x08(%esp)
+75 000034d3 a148a00700 movl 0x0007a048,%eax
+80 000034d8 89442404 movl %eax,0x04(%esp)
+84 000034dc 891c24 movl %ebx,(%esp)
+87 000034df e817420800 calll 0x000876fb
-[(%esp,1) substringToIndex:]
+92 000034e4 8b1544a00700 movl 0x0007a044,%edx
+98 000034ea 89550c movl %edx,0x0c(%ebp)
+101 000034ed 894508 movl %eax,0x08(%ebp)
+104 000034f0 83c414 addl $0x14,%esp
+107 000034f3 5b popl %ebx

Preventing Reverse-Engineering

At this point, you may be asking yourself, “What can I do to prevent people from reverse-engineering my programs?” The answer is quite simply: You can’t do much. If someone is motivated to crack or reverse-engineer your application, they can use far more powerful commercial tools than these to make doing so even easier. Plus, the development effort required to prevent reverse-engineering costs money, especially if you have to revise your protection or obfuscation mechanisms.

If you absolutely can’t be dissuaded from implementing some form of “copy protection” or activation scheme, you can try to hide from some of the aforementioned mechanisms such as class-dump by putting your logic into plain C or C++ and ensuring that you strip your binaries. But don’t burn a lot of time on this—remember that all these schemes can be easily defeated by a knowledgeable attacker.

  •  Building Android Apps : Installing KiloGap in the Emulator
  •  Building Android Apps : Build KiloGap
  •  Building Android Apps: Create an Android Virtual Device
  •  Building Android Apps: Going Native - Setting Up the Environment
  •  Building Android Apps: Introduction to PhoneGap
  •  iPhone Application Development : How Xcode and Interface Builder Implement MVC
  •  iPhone Application Development : Understanding the Model-View-Controller Paradigm
  •  Building Android Apps: Going Offline - Debugging
  •  Building Android Apps: Creating a Dynamic Manifest File
  •  Building Android Apps: Online Whitelist and Fallback Options
  •  The Basics of the Offline Application Cache
  •  Building Android Apps: Web SQL Database (part 4) - Deleting Rows
  •  Building Android Apps: Web SQL Database (part 3) - Selecting Rows and Handling Result Sets
  •  Building Android Apps: Web SQL Database (part 2) - Inserting Rows
  •  Building Android Apps: Web SQL Database (part 1) - Creating a Database
  •  Building Android Apps: Web Storage
  •  Building Android Apps : Simple Bells and Whistles
  •  Building Android Apps : Traffic Cop
  •  iPhone Application Development : Exploring Interface Builder - Connecting to Code
  •  iPhone Application Development : Customizing Interface Appearance
    Top 10
    Windows 7 : Detecting and Resolving Computer Problems (part 2) - Tracking Errors in the Event Logs
    Building the WinPE Image
    SQL Server 2008 : Performing Nonlogged DML Operations
    Synchronizing Mobile Data : Using RDA
    Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining AD DS’s Components
    Preparing Multimedia Data for Silverlight
    SharePoint 2010 : Upgrading an Existing Extranet Solution from SharePoint 2007
    Windows Phone 7 : Packaging, Publishing, and Managing Applications
    Optimizing for Vertical Search : Optimizing for Image Search (part 2) - Optimizing Through Flickr and Other Image Sharing Sites
    SQL Server 2008 : Transact-SQL Programming - The max Specifier
    Most View
    The best music apps for your iOS Device (Part 3) - ITUNES U, VOXER
    Android Permissions Review
    Building Android Apps : Detecting Browsers with WURFL
    SQL Azure : Tuning Techniques (part 3) - Indexing
    Cloud Application Architectures : Machine Image Design
    Windows Azure : Messaging with the queue - Working with basic queue operations
    Sync Your iPad with iTunes : Manually Transferring Music, Movies, Podcasts, and More on Your iPad (Drag-and-Drop Method)
    ASP.NET and AJAX
    Internet Explorer Security Settings
    Multifaceted Tests : Bypassing Field Length Restrictions & Attempting Cross-Site Tracing Interactively
    Exchange Server 2010 : Deploying a Database Availability Group (part 3)
    The New iPad
    Understanding the SharePoint Server Roles
    Find it online
    Programming Hashing Algorithms (part 1) - The HashAlgorithm Class
    Microsoft XNA Game Studio 3.0 : Displaying Images - Using Resources in a Game (part 4) - Filling the Screen
    .NET Compact Framework : Drawing Text
    SQL Server 2008: Working with System Databases
    Mixing Windows and Forms
    Send an Email via SMTP