
Super good article/tutorial, but I think to get the app binary, he could just have downloaded it in iTunes on his computer and unpacked the .ipa file (which is basically a signed .zip file, if I remember correctly). The binary should be in it.


Yep, that still works! Just copy the .ipa from the local ~/Library/iTunes/ subdirectory and decompress it. It would have saved him all the trouble with jailbreaking, finding an old enough device, finding the correct version of iTunes to run against, etc. But I imagine a jailbroken device is its own reward.


But those .ipa files only contain encrypted executables; I believe it's called FairPlay DRM. As far as I know there are no tools available to decrypt such binaries offline, so if you're looking to reverse engineer one, you still need a real jailbroken phone so you can piggy-back on iOS' just-in-time decryption and dump the cleartext binary.


You can decompress any .ipa file and see a bunch of resources and configuration files in plaintext, which can falsely lead you to believe that you have everything decrypted, but the main binary file is still encrypted, and the only way to decrypt it is by running software like Clutch on a jailbroken device.


Wouldn't the application still be encrypted then? I thought the benefit of a jailbroken device in this case was using Clutch to decrypt it.


Sorry! Yes, to be clear, the code segments of the binary will be encrypted by FairPlay. But the other segments aren't. The "strings" command will still dump all of the strings in these binaries. You'd need to jailbreak to figure out the algorithm of how those substrings were concatenated, but he probably could have deduced what was going on from the "SavedPasswords" string just the same.
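As an added example (not from the thread or the article it discusses): the question of whether an .ipa's main binary is still FairPlay-encrypted can be answered from the Mach-O header alone, because the `LC_ENCRYPTION_INFO`/`LC_ENCRYPTION_INFO_64` load command carries a `cryptid` field that is non-zero for an App Store download and zero for a binary dumped in the clear. The Python below parses that load command (handling 32-bit, 64-bit and universal/fat wrappers); the sample binaries it checks are constructed in the code, not real app binaries.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def thin_status(data):
    """Return (cryptid, cryptoff, cryptsize) from the LC_ENCRYPTION_INFO[_64]
    command of one little-endian Mach-O slice, or None if it has none.
    cryptid != 0: the cryptsize bytes of __TEXT at cryptoff are FairPlay-
    encrypted; a dump taken from a running process on device has cryptid 0."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        pos = 32                      # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        pos = 28                      # sizeof(mach_header)
    else:
        raise ValueError("not a little-endian Mach-O slice")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = pos + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # Both variants begin: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            return cryptid, cryptoff, cryptsize
        pos += cmdsize
    return None

def fairplay_status(data):
    """One thin_status() per slice; a universal (fat) wrapper is big-endian."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [thin_status(data)]
    nfat_arch, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat_arch):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        slices.append(thin_status(data[offset:offset + size]))
    return slices

def build_sample(cryptid):
    """Constructed fixture: a minimal arm64 Mach-O holding only an
    LC_ENCRYPTION_INFO_64 command (not a real App Store binary)."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc

if __name__ == "__main__":
    print("store:", fairplay_status(build_sample(1)), "dumped:", fairplay_status(build_sample(0)))
```

On a real binary the same field is what `otool -l <binary> | grep cryptid` reports, so the resources and strings being readable says nothing about whether the code itself is.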


I thought about trying the "strings" command first, but I didn't expect that the password would be just lying there. Even if I found the "SavedPassword" string, I couldn't use it the way I did without a jailbroken device, because the configuration file that contained the saved password wasn't embedded in the application. The password was actually written to the configuration file on the device the first time it was used.



