
Not able to disassemble iOS Banking app

I use hopper disassembler to disassemble iOS apps. It works fine for most of the apps.

However today I just got curious to understand a banking app so I tried to disassemble it. So, I moved the app from my jailbroken device to my mac and when I tried to disassemble it with hopper it just gives me some useless stuff.


Why is this happening? Is the binary of this banking app encrypted? If yes then how can I decrypt it?

What do they exactly do to obfuscate code? How does their code differ from other applications' code?

I used iFunbox to get the executable of the app from my iPhone to my mac. All apps exported in this way have no problem while disassembling. So I think iFunbox does DRM removal. Only this particular banking app doesn't work.

I even tried class dump and it gave me only one file named CDStructures.h with nothing in it.

Jaffer Sheriff asked Jun 04 '17 13:06



2 Answers

At the RSA show in SF (2017), I ran into a company that has a product for obfuscating iOS and Android code. They demoed a scenario where a webpage can jailbreak a handset without the user's knowledge and patch an application to send banking credentials to a third party whilst appearing to mostly work for the user. This presents enough of a weakness for there to be at least 2 tools on the market to deal with it (Arxan and Preemptive as far as a quick google yields). I was surprised by the sophistication level, but apparently it is an attack vector that is worth mitigating for companies with high value and high sensitivity ... like a banking app. Wouldn't surprise me at all if they were doing this.

Fiid answered Sep 23 '22 10:09



You need to remove the iOS app encryption (called FairPlay). Since you have a device with a jailbreak you can do this. There is at least one tool for doing this.

If you are in doubt about whether the IPA is encrypted or not you can use this command:

otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO

Also keep in mind that in some countries disassembling may be illegal.

John Tracid answered Sep 24 '22 10:09

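As an added example (not from either answer above), here is the same check the `otool -l | grep LC_ENCRYPTION_INFO` pipeline performs, done in plain Python: walk the load commands of a thin little-endian Mach-O, locate `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64`, and report the `cryptid` field (non-zero means the `__TEXT` segment is FairPlay-encrypted and a disassembler will only see noise). It goes slightly beyond the answer by handling both 32- and 64-bit headers; the sample images are constructed inline, and fat (universal) binaries are not handled.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF          # thin Mach-O magics (LE)
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C  # load-command ids


def encryption_info(data: bytes):
    """Return (cryptoff, cryptsize, cryptid) from the encryption-info load
    command, or None if the image carries no such command at all."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32              # mach_header_64 has an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian thin Mach-O (fat/big-endian unsupported)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command table")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both layouts start with cmd, cmdsize, cryptoff, cryptsize, cryptid
            return struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return None


def is_fairplay_encrypted(data: bytes) -> bool:
    """cryptid != 0 is what otool shows for an App Store-encrypted binary."""
    info = encryption_info(data)
    return info is not None and info[2] != 0


def build_sample(cryptid):
    """Constructed minimal arm64 MH_EXECUTE image with a single
    LC_ENCRYPTION_INFO_64 command (cryptid=None omits the command)."""
    cmd = b"" if cryptid is None else struct.pack(
        "<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    # magic, cputype (CPU_TYPE_ARM64), cpusubtype, filetype, ncmds,
    # sizeofcmds, flags, reserved
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                      0 if cryptid is None else 1, len(cmd), 0, 0)
    return hdr + cmd


if __name__ == "__main__":
    for cid in (1, 0, None):
        print(cid, encryption_info(build_sample(cid)), is_fairplay_encrypted(build_sample(cid)))
```

Run it against a real executable with `encryption_info(open(path, "rb").read())`; a store-downloaded app reports `cryptid == 1`, while a developer or TestFlight build reports `0`.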