
AD5031: CheckNotEncrypted

Summary

| Property | Value |
|---|---|
| ID | AD5031 |
| Name | CheckNotEncrypted |
| Category | Security |
| Severity | Note |
| Applies to | Mach-O (macOS/iOS) |

Description

Checks whether a Mach-O binary is encrypted with FairPlay DRM (typically a result of App Store distribution). Encrypted binaries cannot be fully analyzed for security features.

How It Works

The rule checks for the presence of LC_ENCRYPTION_INFO or LC_ENCRYPTION_INFO_64 load commands in the Mach-O header. These load commands indicate that sections of the binary are encrypted.
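The check described above, as an added example written for this page (not the tool's own implementation): it walks the load commands of a thin Mach-O image, looks for LC_ENCRYPTION_INFO (0x21) or LC_ENCRYPTION_INFO_64 (0x2C), and additionally reads the command's `cryptid` field, since a value of 0 means the command is present but the segment is not actually encrypted. The `build_sample` helper constructs a minimal synthetic arm64 header for testing; it is not a real app binary.

```python
import struct

# Magic numbers and load command types from <mach-o/loader.h>
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xFCFEEDFE          # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit, native / byte-swapped
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def encryption_info(data: bytes):
    """Return (present, cryptid) for the first LC_ENCRYPTION_INFO(_64) load
    command in a thin Mach-O image, or (False, 0) when there is none."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"                      # file is little-endian (arm64, x86_64)
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"                      # file is big-endian (legacy ppc)
    else:
        raise ValueError("not a thin Mach-O image (slice fat binaries first)")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    ncmds = struct.unpack_from(end + "I", data, 16)[0]
    off = 32 if is64 else 28           # sizeof(mach_header_64) / sizeof(mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command (cmdsize < 8)")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            _cryptoff, _cryptsize, cryptid = struct.unpack_from(end + "III", data, off + 8)
            return True, cryptid
        off += cmdsize
    return False, 0


def is_fairplay_encrypted(data: bytes) -> bool:
    """Rule trigger: command present AND cryptid != 0 (0 = segment is in the clear)."""
    present, cryptid = encryption_info(data)
    return present and cryptid != 0


def build_sample(cryptid=None) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE header for testing (not a real binary);
    cryptid=None omits the encryption load command altogether."""
    lc = b"" if cryptid is None else struct.pack(
        "<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    # mach_header_64: magic, cputype (ARM64), cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1 if lc else 0, len(lc), 0, 0) + lc


if __name__ == "__main__":
    for label, sample in (("store", build_sample(1)), ("dev", build_sample(0)), ("none", build_sample())):
        print(label, encryption_info(sample), is_fairplay_encrypted(sample))
```

Real App Store binaries are usually fat or have many load commands; slice them first and run the same walk on each architecture.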

Why This Matters

FairPlay Encryption

Apple uses FairPlay DRM to encrypt iOS apps distributed through the App Store. When you download an app, iOS decrypts it at runtime using keys stored in the Secure Enclave.

This means:

  - The raw binary on disk has encrypted code sections
  - Static analysis tools cannot examine the encrypted portions
  - Security scanning results may be incomplete

Analysis Implications

When analyzing encrypted binaries:

  1. Incomplete security assessment: Many rules that examine code sections will not function correctly
  2. Header information is still available: Metadata like load commands, entitlements, and linked libraries are not encrypted
  3. Linked library checks work: Rules checking for dangerous imports still function

Getting Unencrypted Binaries

For complete security analysis, you need unencrypted binaries:

For your own apps:

  - Use development/Ad Hoc builds (not App Store builds)
  - Build from source with CODE_SIGN_ENCRYPT_BINARY = NO
  - Archive without App Store distribution

For App Store apps (research/security audit):

  - Decrypt on a jailbroken device using tools like clutch, frida, or flexdecrypt
  - Only decrypt binaries you have legal rights to analyze

How to Fix

This is an informational check. The "fix" depends on your use case:

For Security Analysis

Obtain an unencrypted version of the binary:

```shell
# Example using frida-ios-dump (requires jailbroken device)
python dump.py com.example.app
```

For Your Own Apps

Build without encryption for internal security testing:

```shell
# In Xcode project settings:
# Build Settings → Code Signing → Encrypt Binary → No

# Or for xcodebuild, pass the same setting on the command line:
xcodebuild -configuration Debug CODE_SIGN_ENCRYPT_BINARY=NO
```

Accept Limited Analysis

If you must analyze an encrypted binary, note that:

  - Load command analysis works (PIE, stack protection flags, etc.)
  - Entitlement analysis works
  - Import/export analysis works
  - Code-level checks may be incomplete

References