De-obfuscating iOS crash reports

As part of Appdome’s protection for applications, Appdome offers Control-Flow Relocation to any iOS mobile app. Appdome’s deobfuscation tool allows the application owner to recover the correct stack trace from the crash report.

This Knowledge Base article provides step-by-step instructions for getting and using Appdome’s deobfuscation tool.

We hope you find this knowledge base useful and enjoy using Appdome!

De-obfuscating iOS crash reports with Appdome deobfuscation tool

Appdome is a no-code mobile integration platform as a service (iPaaS). Appdome allows users to add a wide variety of features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, anyone can easily add a verity of code obfuscation methods to any mobile application – in seconds, no-code or coding required.

There are no development or coding prerequisites to use Appdome. For example, there is no SDK, libraries, or plug-ins to implement. Likewise, there is no requirement to mark, symbolicate or manually obfuscate code inside Android or iOS apps. Appdome’s technology automatically obfuscates the mobile app binary as if multiple obfuscation methods were natively coded in the app.

Sometimes when app built with Control-Flow Relocation crashes, the developer will not be able to understand the reason for the crash from the crash report.

For example, a sample application “Professor” crashes in the function this_should_crash. But when we look at the crash report, it shows some random address:

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread:  0

Filtered syslog:
None found

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   ???                           	0x000000010224c06c 0 + 4330930284
1   professor                     	0x0000000102240f50 -[UIButton(PuzzleWord) markWordSelected] + 20304 (PuzzleWord.m:14)
2   professor                     	0x0000000102242300 -[PuzzleView wordSelected:] + 25344 (PuzzleView.m:158)
3   UIKit                         	0x000000018af8164c -[UIApplication sendAction:to:from:forEvent:] + 96
4   UIKit                         	0x000000018b0a2870 -[UIControl sendAction:to:forEvent:] + 80
5   UIKit                         	0x000000018af87700 -[UIControl _sendActionsForEvents:withEvent:] + 440
6   UIKit                         	0x000000018b0bd1a8 -[UIControl touchesEnded:withEvent:] + 572
7   UIKit                         	0x000000018b0049e0 -[UIWindow _sendTouchesForEvent:] + 2428

After running Appdome’s deobfuscation tool, the report is much more reasonable:

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 0

Filtered syslog:
None found

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 professor                     	0x0000000102243e90 this_should_crash + 32400 (main.m:21)
1 professor                     	0x0000000102240f50 -[UIButton(PuzzleWord) markWordSelected] + 20304 (PuzzleWord.m:14)
2 professor                     	0x0000000102242300 -[PuzzleView wordSelected:] + 25344 (PuzzleView.m:158)
3 UIKit                         	0x000000018af8164c -[UIApplication sendAction:to:from:forEvent:] + 96
4 UIKit                         	0x000000018b0a2870 -[UIControl sendAction:to:forEvent:] + 80
5 UIKit                         	0x000000018af87700 -[UIControl _sendActionsForEvents:withEvent:] + 440
6 UIKit                         	0x000000018b0bd1a8 -[UIControl touchesEnded:withEvent:] + 572
7 UIKit                         	0x000000018b0049e0 -[UIWindow _sendTouchesForEvent:] + 2428

You can also choose not to symbolicate the file, and only correct the obfuscated addresses:

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 0

Filtered syslog:
None found

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 professor                     	0x0000000102243e90 0x10223c000 + 32400
1 professor                     	0x0000000102240f50 -[UIButton(PuzzleWord) markWordSelected] + 20304 (PuzzleWord.m:14)
2 professor                     	0x0000000102242300 -[PuzzleView wordSelected:] + 25344 (PuzzleView.m:158)
3 UIKit                         	0x000000018af8164c -[UIApplication sendAction:to:from:forEvent:] + 96
4 UIKit                         	0x000000018b0a2870 -[UIControl sendAction:to:forEvent:] + 80
5 UIKit                         	0x000000018af87700 -[UIControl _sendActionsForEvents:withEvent:] + 440
6 UIKit                         	0x000000018b0bd1a8 -[UIControl touchesEnded:withEvent:] + 572
7 UIKit                         	0x000000018b0049e0 -[UIWindow _sendTouchesForEvent:] + 2428

Prerequisites for De-obfuscating iOS crash reports using Appdome deobfuscation tool

In order to use Appdome’s deobfuscation tool, you’ll need:

How to get Appdome’s deobfuscation tool for De-obfuscating iOS crash reports

Follow these step-by-step instructions to get Appdome’s deobfuscation tool:

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.

If you don’t have an Appdome account, click here to create an account.

Add No-Code Control-Flow Relocation to your app

Follow the steps as instructed on the knowledge-based article: Add No-Code Control-Flow Relocation in Mobile Apps

Get the deobfuscation tool for you fused app

  1. Click and open the Build tab
  2. Click the “GO” icon to get to the App Workflow Summary screen.De-obfuscating iOS crash reports on appdome
  3. In the App Workflow Summary screen, click Download crash report deobfuscator to download the script.De-obfuscating iOS crash reports

Alternatively, you can navigate to the App Validation screen and upload your application. When the validation is completed, the App Workflow Summary screen will show up.

How to use Appdome’s deobfuscation tool on your app reports

It is recommended to run the tool on the same mac the application was developed. This way the symbolication process does not requires any additional files.

If it is not the case (i.e. the tool is run on a different machine), you will need to provide the dSYM folder created by Xcode when building the application and specify the path for the symbol file inside it when using the tool. For example, in the example application “Professor”, the path for the symbol file is:

professor.app.dSYM/Contents/Resources/DWARF/professor

The tool must receive the crash report file as an argument. In addition, one or more of the following arguments can be specified:

  • -o,--outfile :Path to the output file
  • -f,--override :Overwrite the input crash file instead of creating an output file
  • -ns,--dont_symbolicate :Do not symbolicate the crash report, only fix the crash addresses
  • -s <symbol file>,--dsym <symbol file> :Path to the corresponding symbol file in the dSYM bundle.

Notice that since the obfuscation of the application is unique (unique per application and per fusion instance) so it changes between builds, so you must use the tool that was generated for the build of the crashing app. If you use the wrong tool for the application, the tool itself will recognize the mismatch and alert you.

After getting Appdome’s deobfuscation tool to a Mobile App 

After getting Appdome’s deobfuscation tool to a Mobile App, there are a few additional steps needed to complete your mobile integration project.

Add Context™ to the Appdome-Fused App

Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.

Sign the Binary Code Obfuscation enabled Appdome-Fused App (Required)

In order to deploy an Appdome-Fused app, it must be signed. Signing iOS app and Signing an Android app are easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.

Deploy the Appdome-Fused App to a Mobile Device

Once you have signed your Appdome-Fused app, you can download to deploy it using your distribution method of choice. For more information on deploying your Appdome-Fused apps, please read this knowledge base.

That is it – Enjoy Appdome’s deobfuscation tool on your obfuscated app!

How Do I Learn More?

Binary Code Obfuscation is just one of the many features TOTALCode™ can offer in terms of code obfuscation.

You might also want to check out ONEShield™ to find additional security features Appdome can offer your application.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free

Dany Zatuchna

Have a question?

Ask an expert

AvitaMaking your security project a success!