AegiScan: A static dataflow analysis framework for iOS application binaries


Aegi(s)Scan(er) is a static dataflow analysis framework for iOS application binaries, which can be used to facilitate vulnerability scanning.


AegiScan utilizes top-down type propagation to resolve Objective-C MsgSend calls, thereby reconstructing the call graph. It then generates the Code Property Graph (CPG) for each function to establish context-sensitive dataflow. Leveraging the call graph, AegiScan integrates the CPGs of different functions for comprehensive inter-procedural analysis. Moreover, AegiScan recovers information lost during optimization (e.g., app thinning) and incorporates it into the analysis.


AegiScan is featured with a combination of binary analysis and graph database. The binary analysis, built on the IR of IDA Pro (aka. Microcode), only needs to be conducted once, with the results stored in the Neo4j graph database for multiple queries. In addition, to facilitate vulnerability scanning, AegiScan provides query APIs based on Neo4j’s Cypher query language and interfaces for developing custom scanners.

Develop customized vulnerability scanners

AegiScan is a framework for static dataflow analysis that supports the creation of tailored vulnerability scanners. The development process involves three primary steps:

  • Step 1: Define your entry points and sensitive operations, and incorporate your IDAPython scripts into src/entries and src/sinks to identify custom entries and operations within the IDB.
  • Step 2: Develop your custom scanners, derived from BaseScan under src/scanners, which include the foundational workflow for generating call graphs and code property graphs that you can adapt to your needs.
  • Step 3: Modify src/ to deploy your custom scanners across various scenarios in iOS apps and other Objective-C binaries.

Furthermore, AegiScan is scalable and capable of supporting additional features in both binary analysis and graph querying. To implement your custom analysis, you may:

  • Revise src/ and the visitors within src/visitors to refine the analysis of individual binary functions.
  • Adapt src/ to customize inter-procedural tasks.
  • Extend src/ and graph models under src/models to tailor code property graph definitions and construct dataflows according to your specifications.
  • Amend src/libs/ to include custom queries and strategies tailored to your analysis goals.

Install & Use

Copyright (c) 2024 Alibaba