iOS otool "is not an object file"


Dewhurst Security

Aug 24, 2015, 9:31:41 AM
to owasp-mobile...@owasp.org
Hi,

Has anyone come across this error before while trying to check if PIE is enabled using otool?

$ otool -hv app.ipa 
app.ipa: is not an object file

Someone asked the question and got a response on StackOverflow:


The only answer on there is:

"The error from otool is because the data file is not a Mach-O object file, which has a pre-defined format used to store code, data, symbols etc.

It's not possible (or nearly impossible) to just convert a data file into an Object file."

Does anyone know if the answer is true? And if so, is there another way to check if PIE and other binary protections are enabled?

Thanks,
Ryan

Andrew Blaich

Aug 24, 2015, 10:00:41 AM
to Dewhurst Security, owasp-mobile...@owasp.org
Hi Ryan,

You'll want to run otool on the binary file. The command above is being run on the .ipa file which is a zip file in essence.
So you can unzip the .ipa file then go into the Payload folder then the NameOfApp.app folder and then run otool on the binary with the same name as the .app folder but without .app.

For example:
otool -hv myapp_unziped/Payload/MyApp.app/AMyApp

myapp_unziped/Payload/MyApp.app/AMyApp (architecture armv7):
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V7  0x00     EXECUTE    76       7248   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

Best,
Andrew

--

Andrew Blaich, Ph.D.  / Lead Security Analyst at Bluebox Security
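
An added example, not part of the original thread: a Python sketch of the same check without otool. It reads the Mach-O header flags of Payload/<Name>.app/<Name> (the location given in the reply above) straight out of the .ipa, also handles universal (fat) binaries, and shows why the archive itself is rejected. Function names and the constructed sample archive are assumptions for illustration.

```python
import io, re, struct, zipfile

MH_PIE = 0x200000  # flag bit from <mach-o/loader.h>
THIN = (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")  # MH_MAGIC / MH_MAGIC_64, little-endian on disk
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) binary, big-endian header
CPU = {12: "arm", 0x0100000C: "arm64"}

def slices(data):
    """Yield (cpu_label, flags) for every Mach-O slice in data."""
    if data[:4] == FAT_MAGIC:
        (narch,) = struct.unpack_from(">I", data, 4)
        for i in range(narch):
            # fat_arch: cputype, cpusubtype, offset, size, align
            _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            yield from slices(data[offset:offset + size])
    elif data[:4] in THIN:
        # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        fields = struct.unpack_from("<7I", data, 0)
        yield CPU.get(fields[1], hex(fields[1])), fields[6]
    else:
        raise ValueError("not a Mach-O file (magic %r)" % data[:4])

def ipa_pie(ipa_bytes):
    """Return [(cpu_label, pie_enabled)] for the main executable in an .ipa."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            m = re.fullmatch(r"Payload/([^/]+)\.app/([^/]+)", name)
            if m and m.group(1) == m.group(2):
                return [(cpu, bool(fl & MH_PIE)) for cpu, fl in slices(z.read(name))]
    raise FileNotFoundError("no Payload/<Name>.app/<Name> in archive")

def sample_ipa(flags):
    """Constructed input: a zip holding only a bare 28-byte ARM mach_header."""
    hdr = struct.pack("<7I", 0xFEEDFACE, 12, 9, 2, 0, 0, flags)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/MyApp.app/Info.plist", b"")
        z.writestr("Payload/MyApp.app/MyApp", hdr)
    return buf.getvalue()

if __name__ == "__main__":
    ipa = sample_ipa(0x200085)  # NOUNDEFS | DYLDLINK | TWOLEVEL | PIE
    print(ipa_pie(ipa))
    try:
        list(slices(ipa))  # the archive itself begins with the zip magic b"PK"
    except ValueError as err:
        print(err)
```
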

Dewhurst Security

Aug 24, 2015, 10:03:59 AM
to Andrew Blaich, owasp-mobile...@owasp.org
Ah! Absolutely correct! Thanks for spotting my mistake!

I've done it before but I think the StackOverflow answer threw me off course this time.

I'll add an answer to StackOverflow for others searching for the same thing.


Ryan Dewhurst
BSc Ethical Hacking for Computer Security, CCNA



Tel: +33 695 321 773

Dewhurst Security

Aug 24, 2015, 10:06:00 AM
to Andrew Blaich, owasp-mobile...@owasp.org
Although, re-reading the StackOverflow question it looks to be a different issue to mine, so won't add an answer.

thomas...@gmail.com

Dec 8, 2016, 2:54:22 PM
to OWASP Mobile Top 10 Risks, ry...@dewhurstsecurity.com
In lieu of no upvote mechanism, thanks!