libMobileGestalt is a private library in iOS that describes the capabilities of the device: system version, build version, device type, device features, status of the airplane mode, …
Apple obfuscates this information which makes it hard to know the capabilities of the device. In January 2017, I presented a method for Deobfuscating libMobileGestalt keys. At that time there were 673 known obfuscated keys and I managed to recover 564 out of the 673 keys (83%).
Since this previous article, Apple has released 2 major iOS versions, and new obfuscated keys have been added. In this post I quickly recap what is libMobileGestalt and provide the updated list of recovered keys.
/usr/lib/libMobileGestalt.dylib is a private library which provides an API to retrieve the capabilities of the iOS device, as well as some runtime information: system version, build version, device type, current status of the airplane mode, …
In a previous post ( constructor and destructor attributes ), I described the constructor attribute and mentioned software protection as a possible use case:
A constructor attribute could be used to implement a software protection. You could encrypt your executable with a custom encryption and use a constructor function to decrypt the binary just before it is loaded.
In this post I describe such a protection with an example.