7.2. Encrypted Binaries

A full class dump and symbol table dump can give you enormous insight into what’s going on inside an application. Attackers will, no doubt, use these tools to map out your application before attacking it. If your application is distributed in the App Store, these tools won’t return meaningful results initially, as App Store binaries are encrypted. The encryption applied to App Store executables is similar to the FairPlay DRM used on iTunes music. With a jailbroken device and a debugger, however, an attacker can access the unencrypted program code in memory to make it easy to read with tools like class-dump-z.

When an application is loaded into the memory of an iOS device, it must be decrypted first in order to execute. Using a debugger, the decrypted copy of the application can be dumped from memory and into a file, where tools such as class-dump and nm can better analyze its construction.