iObfuscate: Unraveling iOS Obfuscation Techniques

Presented at Objective by the Sea version 6.0 (2023), Oct. 12, 2023, 10:55 a.m. (25 minutes).

With the seemingly impenetrable nature of Apple's architecture and multiple barriers against reverse engineering, iOS developers often feel confident in the inherent security by obscurity. Despite this, iOS IPA files come equipped with additional obfuscation mechanisms that reverse engineers must be prepared to defeat.

This presentation dives into the primary techniques used by iOS malware developers to conceal their nefarious payloads from prying eyes. Static techniques offer basic protection in the form of value encryption, identifier renaming, and control-flow obfuscation to thwart human analysts and decompilers. More sophisticated methods strive to protect the runtime via debugging and tampering checks. These techniques even extend to entire virtualization mechanisms resolving custom instructions during application execution.

In this talk, I will unmask iOS obfuscation techniques through code-based examples and explain each methodology. Not only will attendees leave with a comprehensive understanding of iOS obfuscation, but they will also be equipped with multiple open-source, custom Ghidra scripts for deobfuscating different iOS binaries that I will be publishing and sharing.

Presenters:

  • Laurie Kirk - Reverse Engineer at Microsoft
    Laurie Kirk is a Reverse Engineer at Microsoft presenting as an independent researcher. She specializes in cross-platform malware analysis with a focus on mobile threats. She also runs a YouTube channel (@LaurieWired) that covers all sorts of in-depth Malware Analysis, Reverse-Engineering, Exploitation, and security topics.

    Laurie received her Bachelor’s Degree from Florida State University in Computer Science and is an active member of the security community. She has spoken at multiple conferences including DEFCON, TROOPERS23, KernelCon, BlueHat, and BSides Seattle.
