Back in July 2021, I had a look at the protections provided by Arxan to detect jailbroken devices in PokemonGO for iOS
(Gotta Catch ‘Em All: Frida & jailbreak detection).
To continue walking along the path of iOS reverse engineering, I recently had a look at two iOS applications
protected by a solution providing both native code obfuscation and RASP (Runtime Application Self-Protection) features.
I ended up with two blog posts:
The first part is an in-depth analysis of RASP detection methods on iOS, while the second part details
native code obfuscation and a new technique to bypass inlined syscalls (without Frida/Frida’s Stalker and without a disassembler).
The obfuscator mentioned in these blog posts provides strong and state-of-the-art protections to hinder reverse engineering.
When dealing with obfuscation, saying that something is "broken" does not really make sense:
if an attacker is skilled and strongly motivated, he will very likely achieve his goal.
Moreover, this series of blog posts does not (and cannot) exhaustively evaluate the strength of this commercial solution:
- The applications analyzed might not use the latest version of the obfuscator.
- All the obfuscation features might not have been enabled by the developers (e.g. for performance reasons).
- The developers might have weakened the obfuscation scheme (unintentionally).
In summary, these blog posts aim to share – from a technical point of view – what RASP and native code
obfuscation look like on iOS. The scripts/code associated with these blog posts will not be published, as they
would not really add more information.
The commercial solution, which is not named in the blog posts, is and remains a good choice for protecting assets from
reverse engineering. If you have doubts, I would be very happy to discuss it.