Is it possible to decompile an application?

I need to encode authentication information for specific parts of my website in my application. Is it possible that the application is "decompiled" and the username and password?

NSURL *url = [NSURL URLWithString:@""];




4 answers

Yes, it is possible. Assume that if you have something compiled into your application, it can [and will] be discovered by someone, somewhere. Even if this is not possible today, you are creating a frozen record of such information that will be vulnerable to any future attacks, known or unknown.

You really need a user to perform some task that authenticates them. There are a million and one ways to do it, and for each of them there are a million and two ways to do it wrong. :)

Without knowing more about your specific requirements, it is impossible to really say much more beyond "keep it simple and do not store or send anything in clear text."



As @Hyperbole said: if you save the username and password as plain text, it will be visible in the executable. It is extremely trivial to inspect an executable for strings, and this is usually the first thing someone malicious tries.

Right click on any app you downloaded in iTunes and select show in finder. Make a copy of the app on your desktop and rename the app from AppName.ipa to Double click to unzip it and look inside the folder. Go to the Payload folder and then right click on a file (possibly only) called AppName, which looks like an application but has a large circle with a cross through it for the icon. Select the package contents. Scroll until you find a file called AppName without an extension and a blackish rectangle with a green "exec" icon. Open this file in a text editor or another text editor. You will find that most of it ends up with random characters and other crap, but you should see some plain text sometimes. The compiler takes string constants and injects them directly into your application when you compile it in most cases.

You asked about what kind of magazine apps and other users are doing to access content. There are many ways to do this, but from the very beginning, after the server verifies your in-app purchase, the server will record an ID specific to your iTunes account, saying that you purchased a specific log issue. Your application can then request this file from the server by adding the id to the request in the process. The server will respond with a file after checking the database and determining that you have purchased the content.

Other solutions include signing / hashing a unique key.



Your example will display the username and password without the need for decompilation when sent via plain text in a URL request. Anyone with a sniffer or MITM service got it out of thin air. A better approach would be to use SSL over the https protocol. You can take it a step further and prompt for credentials at runtime and/or store the encrypted version in the application.



This is very bad, because it is easy to recover these credentials three times by simply running "strings" against the application binary, without having to decompile it.

Can't you open a dialog asking for credentials the first time you launch the app? Alternatively, you can store them encrypted in a file and then prompt the user for alternative credentials, e.g. an access code that outputs the key, but even that won't survive a certain attack if the password is not long.
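
The answers above note that string constants, including a URL with credentials in it, sit in the compiled executable as plain text. The following is an added example, not code from the question or any of the answers: a pre-release check you can run on your own build that pulls printable strings out of the binary and flags any URL carrying `user:password@`. It assumes the question's URL embedded the credentials that way; the sample bytes, host and credentials are constructed placeholders.

```python
import re

# Runs of 6+ printable ASCII bytes, the same idea as the Unix `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# URL with a userinfo part: scheme://user:password@host
URL_WITH_CREDS = re.compile(
    rb"([a-zA-Z][a-zA-Z0-9+.-]*)://([^\s/:@]+):([^\s/@]+)@([^\s/:@]+)"
)


def extract_strings(blob: bytes) -> list:
    """Return printable ASCII runs found in a compiled binary."""
    return PRINTABLE_RUN.findall(blob)


def find_embedded_credentials(blob: bytes) -> list:
    """Flag URLs that carry user:password, and whether they use cleartext HTTP."""
    findings = []
    for s in extract_strings(blob):
        for m in URL_WITH_CREDS.finditer(s):
            scheme, user, _password, host = (g.decode() for g in m.groups())
            findings.append({
                "scheme": scheme.lower(),
                "user": user,          # the password itself is never reported
                "host": host,
                "cleartext": scheme.lower() == "http",  # also readable on the wire
            })
    return findings


# Constructed sample: a stand-in for an app executable, with string constants
# surrounded by non-printable bytes. Host and credentials are placeholders.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 16
    + b"_OBJC_CLASS_$_NSURL\x00"
    + b"http://appuser:s3cret@www.example.com/private/feed\x00"
    + b"\x90\x01\xff\xfe" + b"https://www.example.com/public\x00"
)

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_BINARY):
        print(f"hard-coded credential for {f['user']}@{f['host']} "
              f"(scheme={f['scheme']}, cleartext={f['cleartext']})")
```

To check a real build, read the executable with `open(path, "rb").read()` and fail the release step if `find_embedded_credentials` returns anything.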


