14.2. Other Reverse Engineering Tools

Often, developers aren’t the only ones with their hands in an application prior to its release. One or more red teams will undoubtedly test applications designed for government and military uses before they are placed in the warfighter’s hands. In order to beat these red teams, applications must be designed with rock solid encryption, be free of forensic data leakage, and be able to withstand an attack from what could end up being a foreign government some day, should a device be intercepted. By using the techniques in this book to attack applications as they are being developed, you’ll find that over time your application will take longer and longer to breach. If a developer—who has intimate knowledge of the application’s source code—is unable to breach his own application in a reasonable amount of time, chances are a red team will also be similarly frustrated. This is true at least if the developer is as skilled in penetration testing techniques as the red team.

Many great debugging and disassembly tools can give you the same glimpse into your application that professional red teams, as well as criminal adversaries, have. This book has covered free tools, such as gdb and otool, but many commercial solutions provide advanced functionality, such as decompiling (from assembly back into C), intuitive user interfaces, and much more. Among the best reverse engineering tools are: