I thought this deserved a new thread...
As documented here, I have really been pounding Claude Code pro, auditing customer facing sister B4A/i apps.
Once I finished these audits I got to thinking "I wonder if it could do a vulnerability analysis".
Could it ever, the B4i version was the most interesting...
After doing a Tools -> Build Server -> Build Release App then Tools -> Build Server -> Build Release App -> Download Last Build to build the release .ipa
An initial prompt was similar to:
"there is an iOS .ipa at D:\xxx\xxx\xxx\xxx\xxx\Objects\xxx.ipa --- analyse for vulnerabilities"
It did a fairly superficial analysis, initial report included:
of particular interest: NO Objective-C decompilation - that needs macOS tooling (otool/class-dump) or Ghidra/Hopper
I don't have Ghidra (a free,open source software reverse engineering tool framework developed by the US Defence Dept/National Security Agency).
Spooky - and baulked at what looked like an arduous install process - including prerequisite of JDK 21.
I had JDK 19 installed so i prompted Claude Code with something like:
"set up Ghidra headless here against my JDK 19 and run its decompiler on xxx.ipa"
Churn churn churn - it went away and downloaded Ghidra and tried to run it with JDK 19.
It eventually decided JDK 19 was not going to work - so with my blessing - it installed JDK 21 ant then successfully decompiled my ipa.
After at least 45 minutes of decompiling - into D:\xxx\xxx_decompiled - including a 9MB objective c file and a few other bits.
So I then prompted:
"do a vulnerability analysis using files in D:\xxx\xxx_decompiled"
And after more to and fro during which I gave some details of related security measures I have taken I prompted.
"give a document level vulnerability assessment"
SORRY - I edited out all the juicy stuff
As documented here, I have really been pounding Claude Code pro, auditing customer facing sister B4A/i apps.
Once I finished these audits I got to thinking "I wonder if it could do a vulnerability analysis".
Could it ever, the B4i version was the most interesting...
After doing a Tools -> Build Server -> Build Release App then Tools -> Build Server -> Build Release App -> Download Last Build to build the release .ipa
An initial prompt was similar to:
"there is an iOS .ipa at D:\xxx\xxx\xxx\xxx\xxx\Objects\xxx.ipa --- analyse for vulnerabilities"
It did a fairly superficial analysis, initial report included:
of particular interest: NO Objective-C decompilation - that needs macOS tooling (otool/class-dump) or Ghidra/Hopper
I don't have Ghidra (a free,open source software reverse engineering tool framework developed by the US Defence Dept/National Security Agency).
Spooky - and baulked at what looked like an arduous install process - including prerequisite of JDK 21.
I had JDK 19 installed so i prompted Claude Code with something like:
"set up Ghidra headless here against my JDK 19 and run its decompiler on xxx.ipa"
Churn churn churn - it went away and downloaded Ghidra and tried to run it with JDK 19.
It eventually decided JDK 19 was not going to work - so with my blessing - it installed JDK 21 ant then successfully decompiled my ipa.
After at least 45 minutes of decompiling - into D:\xxx\xxx_decompiled - including a 9MB objective c file and a few other bits.
So I then prompted:
"do a vulnerability analysis using files in D:\xxx\xxx_decompiled"
And after more to and fro during which I gave some details of related security measures I have taken I prompted.
"give a document level vulnerability assessment"
SORRY - I edited out all the juicy stuff
Last edited: