#Reverse Engineering

  1. Comparing iPhone OS 1.0 with iOS 14 using tree maps

    If you followed the recent Apple events, you probably saw a picture of the A14 and M1 dies… that got me thinking about what you would see if you could pass iOS under X-Rays… In my previous article about the evolution of the programming languages from iPhone OS 1.0 to iOS 14, I analyzed iOS based on the number of binaries and their programming languages. As I pointed out in this past post, the size of the binaries were not taken in account. In this new article, I look at iPhone OS 1.0 and iOS 14 from a size perspective using tree maps.
    [Read More]
  2. Evolution of the programming languages from iPhone OS 1.0 to iOS 14

    In my previous article about Apple’s use of Swift and SwiftUI in iOS 14, I counted the number of built-in apps in iOS using Swift and SwiftUI. Several readers asked if I could provide a percentage rather than an absolute number. In this new article, I will answer this question by measuring the total number of binaries in iOS. I will go one step further and also count the number of binaries using other programming languages: Objective-C, C++ and C. Finally to be as complete as possible, I ran this analysis on all major iOS releases, from iPhone OS 1.0 to iOS 14. This will provide a detailed overview of the evolution of the different programming languages over more than a decade of iOS development.
    [Read More]
  3. Deobfuscated libMobileGestalt keys (iOS 12)

    libMobileGestalt is a private library in iOS that describes the capabilities of the device: system version, build version, device type, device features, status of the airplane mode, … Apple obfuscates this information which makes it hard to know the capabilities of the device. In January 2017, I presented a method for Deobfuscating libMobileGestalt keys. At that time there were 673 known obfuscated keys and I managed to recover 564 out of the 673 keys (83%). Since this previous article, Apple has released 2 major iOS versions, and new obfuscated keys have been added. In this post I quickly recap what is libMobileGestalt and provide the updated list of recovered keys.
    [Read More]
  4. Constraints on QuickLook plugins

    A QuickLook plugin on macOS 10.14 has several constraints to satisfy. If one of the limits is exceeded, the plugin will immediately be killed and no preview will be visible. Having such restrictions makes sense but they appear to be undocumented. This article addresses the lack of information about these constraints.
    [Read More]
  5. QuickLook plugin to visualize .car files (compiled Asset Catalogs)

    In a previous article, I reverse-engineered the .car file format used to store the compiled assets of an Asset Catalog. I also demonstrated how to create a tool to manually parse such files. While this tool can extract a lot of information, it is cumbersome to use if you want to quickly see all the assets contained in a car file.
    [Read More]
  6. Reverse engineering the .car file format (compiled Asset Catalogs)

    An Asset Catalog is an important piece of any iOS, tvOS, watchOS and macOS application. It lets you organize and manage the different assets used by an app, such as images, sprites, textures, ARKit resources, colors and data.
    [Read More]
  7. VPNStatus, a replacement for macOS builtin VPN Status

    In this post I present VPNStatus, an application that replicates some functionalities of macOS built-in VPN status menu:
    [Read More]
  8. macOS VPN architecture from System Preferences down to nesessionmanager

    macOS 10.13 contains a built-in VPN client that natively supports L2TP over IPSec as well as IKEv2. In this post I describe some parts of the internal architecture of the macOS VPN client. This information will be used in a following article to build an application that replicates some functionalities of the VPN status in the menu bar. This application will also allow to auto connect to an IKEv2 VPN service, something that is currently not possible on macOS.
    [Read More]
  9. Deobfuscating libMobileGestalt keys

    /usr/lib/libMobileGestalt.dylib is a private library which provides an API to retrieve the capabilities of the iOS device, as well as some runtime information: system version, build version, device type, current status of the airplane mode, …
    [Read More]