
Header Files

A header file contains C-language definitions and structures. Centralizing information into a header file facilitates the creation and update of programs. Because #include statements are used to insert header files into a C-language program, header files are often referred to as include files.

A header file is a file with a .h extension that typically contains function prototypes, constants, and declarations. This can be relevant information for finding certain types of functions that you may want to explore further in vulnerability research.

In iOS, header files are typically associated with Objective-C. However, we can “create” header files for the Swift language as well. They may not be as accurate as the ObjC ones, but can help when needed.

Dumping headers can only be performed on an unencrypted binary. So, you should check the binary to ensure that it is decrypted:

otool -l $BINARY | grep -A 4 LC_ENC | grep cryptid

If the value of cryptid is “0”, the binary is not encrypted. If the value is “1”, it is encrypted and must be decrypted on the device before analyzing it.

To dump the headers:

ktool dump --headers --out headers binaryName

This will dump the headers from “binaryName” into an output directory called “headers”.

Header Example

% otool -l binaryName | grep -A 5 LC_ENC | grep cryptid
cryptid 0

% ktool dump --headers --out headers binaryName

In this example, the binary is not encrypted, and the ktool utility was able to successfully dump the headers without any errors. It is not uncommon to get some errors when the app is written in Swift. However, this example was written in Objective-C.

Depending on the size of the binary, there could be hundreds of header files. By dumping them into a directory, we can easily grep through them all to look for specific classes or methods.

Below is a quick example of searching for “encryption”:

% grep -riE 'encrypt' headers
headers/GADSDKCoreContext.h:-(void)encryptSignalDictionary:(id)arg0 completionHandler:(id)arg1 ;

Or, you can just go into the directory and review the full files:

% cd headers

% cat PasscodeTextField.h

#ifndef PASSCODETEXTFIELD_H
#define PASSCODETEXTFIELD_H

#import <UIKit/UIKit.h>
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>

@interface PasscodeTextField : UIView {
NSString *vacantStyle;
NSString *filledStyle;
}

@property (weak, nonatomic) UITextField *textField; // ivar: _textField
@property (retain, nonatomic) NSMutableArray *dataSource; // ivar: _dataSource
@property (nonatomic) NSUInteger complexity; // ivar: _complexity
@property (nonatomic) UIColor *color; // ivar: _color
@property (nonatomic) CGFloat size; // ivar: _size
@property (nonatomic) NSInteger style; // ivar: _style
@property (copy, nonatomic) id *getPasscode; // ivar: _getPasscode

-(id)initWithFrame:(struct CGRect )arg0 ;
-(void)passcodeChanged:(id)arg0 ;
-(void)clearPasscode;
-(void)showKeyboard;
-(void)hideKeyboard;
-(void)layoutSubviews;
-(void)touchesBegan:(id)arg0 withEvent:(id)arg1 ;
-(void)passwordWithString:(id)arg0 ;
-(void)backspace;
-(id)getPassword;

@end

#endif

In this example, you can see the import statements, the interface, the property declarations, and finally the methods at the bottom. This information will be used later on when trying to bypass a function, or when looking at crash reports.