Skip to main content

Overview

Static analysis involves examining an iOS application without executing it. This technique allows you to understand app structure, identify vulnerabilities, and analyze code logic before runtime.
Static analysis is non-invasive and leaves no traces on the device, making it ideal for initial reconnaissance.

Disassembly and Decompilation

Using Hopper Disassembler

Hopper is a powerful tool for disassembling iOS binaries and generating pseudo-code.
1

Extract the IPA

Obtain the decrypted IPA file and extract the main binary:
unzip MyApp.ipa
cd Payload/MyApp.app
file MyApp  # Verify it's a Mach-O binary
2

Load in Hopper

Open the binary in Hopper and wait for analysis to complete. This may take several minutes for large applications.
3

Generate Pseudo-code

Navigate to interesting methods and press ‘Alt+Enter’ to view decompiled pseudo-code.
; Method: -[LoginViewController validateCredentials:]
_objc_msgSend:
    mov     x0, x19
    adrp    x1, #0x100008000
    ldr     x1, [x1, #0x890]
    bl      _objc_msgSend
    cbz     x0, loc_invalid

Ghidra for iOS Analysis

Ghidra is a free alternative with powerful analysis capabilities.
  1. Install Ghidra and the iOS loader plugin
  2. Create a new project and import the Mach-O binary
  3. Run auto-analysis (Analysis > Auto Analyze)
  4. Use the Decompiler window (Window > Decompiler)
Enable the “Objective-C” analyzer for better class and method recognition.

Reading Assembly Code

ARM64 Assembly Basics

Modern iOS devices use ARM64 architecture. Understanding key instructions is essential.

Data Movement

  • mov - Move data between registers
  • ldr - Load from memory
  • str - Store to memory
  • adrp - Load page address

Branching

  • b - Unconditional branch
  • bl - Branch with link (call)
  • ret - Return from function
  • cbz/cbnz - Conditional branches

Arithmetic

  • add/sub - Addition/Subtraction
  • mul - Multiplication
  • cmp - Compare values
  • and/orr - Logical operations

Objective-C Runtime

  • _objc_msgSend - Method calls
  • _objc_retain/_objc_release - Memory management
  • _objc_getClass - Class lookup

Practical Example: Finding Authentication Logic

You need to understand how an app validates premium subscriptions.

Identifying Security Vulnerabilities

Common Vulnerability Patterns

Search for suspicious string patterns:
strings MyApp | grep -i "password\|secret\|apikey\|token"
Look for:
  • API keys in plaintext
  • Default passwords
  • Encryption keys
  • Authentication tokens
Hardcoded credentials are one of the most common vulnerabilities in iOS apps.
Check for usage of insecure storage mechanisms:
  • NSUserDefaults for sensitive data
  • Unencrypted plist files
  • World-readable files in Documents directory
Search for these patterns in pseudo-code:
[NSUserDefaults standardUserDefaults] setObject:password forKey:@"pwd"
[sensitiveData writeToFile:path atomically:YES]
Identify weak or custom crypto implementations:Red flags:
  • Custom encryption algorithms
  • ECB mode encryption
  • Hardcoded IV values
  • MD5/SHA1 for password hashing
// Example of weak crypto
CCCrypt(kCCEncrypt, kCCAlgorithmDES, kCCOptionECBMode, ...)
Look for CommonCrypto API calls with weak algorithms.
Identifying jailbreak detection helps you bypass it:Common detection methods:
  • File existence checks (/Applications/Cydia.app)
  • Fork() system call
  • Symbolic link verification
  • Sandbox integrity checks
if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"]) {
    return YES; // Jailbroken
}

String Analysis

Extracting Strings

Strings often reveal critical information about app functionality. 
strings MyApp > app_strings.txt

Finding String References

1

Locate interesting strings

Find strings related to your target functionality:
strings MyApp | grep -i "premium\|purchase\|subscription"
2

Find cross-references

In Hopper or Ghidra:
  • Navigate to the Strings section
  • Find your target string
  • View cross-references (X-refs) to see where it’s used
3

Analyze calling functions

Examine the functions that reference these strings to understand the logic.

URL and Endpoint Discovery

strings MyApp | grep -E "^https?://" | sort -u
This reveals:
  • API base URLs
  • Analytics endpoints
  • Debug/staging servers
  • Third-party integrations

Practical Workflow

1

Initial Reconnaissance

  • Extract IPA and identify target binary
  • Run file, otool, and strings for basic info
  • Extract Info.plist and analyze configurations
2

Load in Disassembler

  • Import binary into Hopper or Ghidra
  • Wait for auto-analysis to complete
  • Export class dumps for reference
3

String Analysis

  • Search for relevant keywords
  • Map string references to functionality
  • Document API endpoints and secrets
4

Code Analysis

  • Navigate to target methods
  • Generate pseudo-code
  • Document control flow and logic
  • Identify vulnerabilities
5

Documentation

  • Create detailed notes
  • Screenshot key findings
  • Map out app architecture
  • Plan dynamic analysis targets
Static analysis complete when you have:
  • Understanding of app architecture
  • List of interesting methods and classes
  • Identified potential vulnerabilities
  • API endpoints and authentication mechanisms
  • Targets for dynamic analysis

Advanced Techniques

Class-dump Analysis

Generate Objective-C headers from the binary: 
class-dump -H MyApp -o ./Headers/
Class dumps provide a clean view of all classes, methods, and properties without assembly.

Control Flow Analysis

Use Ghidra’s function graph view to:
  • Visualize execution paths
  • Identify error handling
  • Find unused/dead code
  • Understand complex conditionals

Binary Diffing

Compare different versions to find changes: 
# Using radare2
r2 -A old_binary
# In another terminal
r2 -A new_binary
# Use radiff2 for comparison
radiff2 -g main old_binary new_binary > diff.dot
Binary diffing is invaluable for finding security patches and understanding update changes.

Resources

Hopper

Commercial disassembler for macOS

Ghidra

NSA’s free reverse engineering tool

class-dump

Generate Objective-C headers

ARM64 Reference

Official ARM architecture documentation

Build docs developers (and LLMs) love

Get started for freeTalk to us