Reverse Engineering - Ivan R Blog

Reverse Engineering

A collection of 10 posts

Why embedding secrets in mobile apps is not a good idea

Why embedding secrets in mobile apps is not a good idea

This is a somewhat complicated topic to cover, but I'll try to go into detail on why, generally, this is not a good idea and you should avoid embedding secrets in your mobile applications as much as possible. tl;dr Anyone motivated enough will get these secrets and impersonate your

Decrypting iOS applications - iOS 12 Edition

Reverse Engineering

Decrypting iOS applications - iOS 12 Edition

As some of you may know, with the release of iOS 12.4 Apple accidentally reintroduced a vulnerability [https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years] already patched on iOS 12.3 [https://support.apple.com/en-us/HT210118]. Shortly after this discovery, @Pwn20wnd [https://twitter.com/Pwn20wnd] released a

Analyzing iOS Stalkerware Applications

Analyzing iOS Stalkerware Applications

Stalkerware (a.k.a. Spouseware) applications are invasive applications that an individual installs on a target's device (usually their partner) to spy on them, snooping in as much data as they can. They aim to collect phone calls history, private messages, location data, browsing patterns, and many other private aspects

Investigating some subscription scam iOS apps

Reverse Engineering

Investigating some subscription scam iOS apps

For some reason Apple allows "subscription scam" apps on the App Store. These are apps that are free to download and then ask you to subscribe right on launch. It's called the freemium business model [https://developer.apple.com/app-store/freemium-business-model/], except these apps ask you to subscribe for "X"

Mobile App Sec Assemble

Mobile App Sec Assemble

One of the reasons why I write blog posts about mobile app sec is for future me. I don't have a good memory so these posts help me refresh techniques and steps I need to perform to RE mobile applications, and more than once when I've shared one of my

Tips for Mobile Bug Bounty Hunting

Tips for Mobile Bug Bounty Hunting

My good friend Pete Yaworski [https://twitter.com/yaworsk] encouraged me to join the bug bounty scene for a long time before I decided to jump in and start using my mobile app sec knowledge to ethically hack on mobile apps from public bug bounty programs. Pete, who literally wrote

Reverse Engineering iOS Apps - iOS 11 Edition (Part 2)

Reverse Engineering iOS Apps - iOS 11 Edition (Part 2)

This is the second part of the "Reverse Engineering iOS Apps - iOS 11 Edition" series. In the first part of the series [https://ivrodriguez.com/reverse-engineer-ios-apps-ios-11-edition-part1/] we learned how to setup your phone on iOS 11 and how to decrypt an iOS app. In this second and final part

Reverse Engineering iOS Apps - iOS 11 Edition (Part 1)

Reverse Engineering iOS Apps - iOS 11 Edition (Part 1)

Even though there are already many, many [https://www.google.com/search?q=reverse+engineering+ios+apps] blog posts, tutorials and even youtube videos [https://www.youtube.com/results?search_query=reverse+engineering+ios+apps] about "reverse engineering iOS apps", every time Apple releases a new iOS version the "game"

Proxy iOS 11 applications’ traffic

Proxy iOS 11 applications’ traffic

A big part of understanding how mobile apps work is to identify the endpoints they hit on the server side and the data they send and receive. In order to inspect the mobile app's traffic we'll need to set up a proxy between the app and its server. Most applications

Reversing one thousand binaries

This past week (Nov 3rd) I attended the Hackfest CTF in Quebec city, QC. This was my second CTF and was the fist time I ever found a flag. This is how I found it. The challenge began with a vague message "Reverse 1,000 binaries" and a link to