Architecture
$ otool -f BINARY
Encryption
$ otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO
ASLR
$ otool -Vh BINARY
WH Quest:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM 9 0x00 EXECUTE 45 4684 NOUNDEFS DYLDLINK TWOLEVEL BINDS_TO_WEAK PIE
// Usually the binary is compiled using the PIE flag
Stack Smashing Protection
// you should find certain symbols inside the binary (like _stack_chk_guard and _stack_chk_fail)
$ otool -v -I BINARY | grep stack
Automatic Reference Counting
// binaries built with this option should include symbols called _objc_release, _objc_autorelease, _objc_storeStrong, _objc_retain
$ otool -v -I BINARY | grep release
0x008b8ce4 241789 _objc_autorelease
0x008b8cf4 241790 _objc_autoreleasePoolPop
0x008b8d04 241791 _objc_autoreleasePoolPush
0x008b8d14 241792 _objc_autoreleaseReturnValue
0x008b8ea4 241817 _objc_release
0x008b8ed4 241820 _objc_retainAutorelease
0x008b8ee4 241821 _objc_retainAutoreleaseReturnValue
0x008b8ef4 241822 _objc_retainAutoreleasedReturnValue
0x008b9504 241439 ___cxa_guard_release
0x008b9674 241341 __Block_release
0x008b9ab4 241551 _dispatch_release
0x00a0c3f4 229369 __ZN11GPASWrapperI6GPHashE7releaseEv
0x00a12e8c 241789 _objc_autorelease
0x00a12e90 241790 _objc_autoreleasePoolPop
0x00a12e94 241791 _objc_autoreleasePoolPush
0x00a12e98 241792 _objc_autoreleaseReturnValue
0x00a12efc 241817 _objc_release
0x00a12f08 241820 _objc_retainAutorelease
0x00a12f0c 241821 _objc_retainAutoreleaseReturnValue
0x00a12f10 241822 _objc_retainAutoreleasedReturnValue
0x00a13094 241439 ___cxa_guard_release
0x00a130f0 241341 __Block_release
0x00a13200 241551 _dispatch_release
Dangerous Functions
# otool -v -I BINARY | grep malloc
0x008b9f64 241776 _malloc
0x00a1332c 241776 _malloc
# otool -v -I BINARY | grep free
0x008b9cb4 241583 _free
0x008b9cc4 241584 _freeifaddrs
0x00a13280 241583 _free
0x00a13284 241584 _freeifaddrs
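The checks above, folded into one script that reads saved otool output and matches symbol names exactly (grep free also hits _freeifaddrs, and grep release also hits _dispatch_release). This is an added example, not code from the referenced blog post; the function names, file names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Each function interprets otool output that was saved to a file beforehand.

# PIE appears in the flags column of the `otool -Vh` header row.
pie_enabled() {
    awk '$1 ~ /^MH_MAGIC/ { for (i = 2; i <= NF; i++) if ($i == "PIE") f = 1 }
         END { exit !f }'
}

# Print the cryptid of LC_ENCRYPTION_INFO(_64) from `otool -l` output
# (1 = still encrypted, 0 = decrypted); prints nothing if the command is absent.
cryptid() {
    awk '/LC_ENCRYPTION_INFO/ { seen = 1 }
         seen && $1 == "cryptid" { print $2; exit }'
}

# has_symbol NAME FILE: exact match on the last column of `otool -v -I` output,
# so _free does not match _freeifaddrs.
has_symbol() {
    awk -v want="$1" '$NF == want { f = 1 } END { exit !f }' "$2"
}

# report HEADER_FILE LOADCMDS_FILE SYMBOLS_FILE
report() {
    if pie_enabled < "$1"; then echo "PIE=yes"; else echo "PIE=no"; fi
    id=$(cryptid < "$2"); echo "cryptid=${id:-absent}"
    # In the symbol table the canary symbols carry three leading underscores.
    if has_symbol ___stack_chk_fail "$3" && has_symbol ___stack_chk_guard "$3"
    then echo "stack_canary=yes"; else echo "stack_canary=no"; fi
    if has_symbol _objc_release "$3"; then echo "ARC=yes"; else echo "ARC=no"; fi
    for s in _malloc _free; do
        if has_symbol "$s" "$3"; then echo "imports $s"; fi
    done
}

# Constructed sample output (not from a real app) so the script runs offline.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '%s\n' 'magic cputype cpusubtype caps filetype ncmds sizeofcmds flags' \
  'MH_MAGIC ARM 9 0x00 EXECUTE 45 4684 NOUNDEFS DYLDLINK TWOLEVEL PIE' > "$d/hdr"
printf '%s\n' 'cmd LC_ENCRYPTION_INFO' 'cmdsize 20' 'cryptoff 16384' \
  'cryptsize 4096' 'cryptid 1' > "$d/lc"
printf '%s\n' '0x1000 10 _objc_release' '0x1004 11 _dispatch_release' \
  '0x1008 12 _freeifaddrs' '0x100c 13 _malloc' > "$d/syms"
report "$d/hdr" "$d/lc" "$d/syms"
```

On a real target, save the three outputs first (otool -Vh BINARY > hdr, otool -l BINARY > lc, otool -v -I BINARY > syms) and pass those files to report.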
Ref
HowTo: iOS Apps - Static analysis - blog.dornea.nu