iOS Application Security | Part 4 | Extracting the IPA file and Local Data storage of an application

Introduction

This article explains the process for extracting the IPA and Local Data Storage of an iOS application from an iPhone/iPad to physical disk on your computer. After going through the write-up, you will be able to understand the importance of doing the whole process from a security perspective. The prerequisites are remote access to the iPhone and an understanding of the iOS file system. Refer to our previous article “Understanding the iOS File System” if required. Let’s get started.

Extracting the IPA file of any iOS Application

Just as an .APK file is regarded as the setup file for an Android application, an .IPA is the package file for an iOS application. The difference is that an .IPA file can only be installed on a non-jailbroken iPhone via one of the methods below:
  • Enterprise Mobile Device Management: this requires a company-wide certificate signed by Apple.
  • Sideloading, i.e., signing an app with a developer's certificate and installing it on the device via Xcode. The same certificate can be used to install on only a limited number of devices.
Let’s see how we can extract the IPA file of an application installed from App Store.

The first step for IPA file extraction is to find the ‘.app directory’ of the application, which is the bundle container of the application. For this, we enter the desired application directory.




Now, we will try to find the .app directory of the application we require (say Facebook). This can be done by using the following command:





The highlighted text in the screenshot is the name of the directory of the Facebook application.

It is important to note that the name of .app directory may or may not be the same as the display name of the application. If we do not get the .app directory we are looking for, we can simply use ‘ls *’ which will list down all the directories and then we can search manually.


The next step is to copy the .app directory to an empty directory with the exact name ‘Payload’. This is done as shown in the screenshot.


Now, we need to compress the Payload directory to any desired location using the ‘zip’ utility. If ‘zip’ is not installed, we need to install it using ‘apt-get’. Once ‘zip’ is installed, we can compress the directory and extract the zip archive to our system. We should explicitly give the file the ‘.ipa’ extension in order to make it useful for further analysis, installation etc.

For getting it on our computer, we just need to use scp or sftp as shown in the screenshot.
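
The packaging steps above collected into one script, added here as an example and not the article's own commands. It assumes bundle containers live under /var/containers/Bundle/Application (iOS 9.3 and later) and that Info-ZIP ‘zip’ is installed; find_app_dir and make_ipa are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original article): package an installed .app
# bundle as an .ipa. An IPA is a zip archive whose top-level entry is Payload/.
# Assumption: bundle containers are under /var/containers/Bundle/Application;
# pass a different root as the second argument for other layouts.

# find_app_dir NAME [ROOT] -> prints matching *.app directories, one per line.
find_app_dir() {
    name=$1
    root=${2:-/var/containers/Bundle/Application}
    # The .app name may differ from the display name, so match loosely
    # and case-insensitively. Layout: ROOT/<UUID>/<Name>.app
    find "$root" -maxdepth 2 -type d -iname "*${name}*.app" 2>/dev/null
}

# make_ipa APP_DIR OUT.ipa -> copies APP_DIR into an empty Payload/ and zips it.
make_ipa() {
    app_dir=${1%/}      # a trailing slash would make BSD cp copy the contents only
    out=$2
    # Every app bundle carries Info.plist at its top level; refuse anything else.
    [ -f "$app_dir/Info.plist" ] || { echo "not an app bundle: $app_dir" >&2; return 1; }
    case $out in /*) ;; *) out=$PWD/$out ;; esac   # keep the path valid after cd
    work=$(mktemp -d) || return 1
    # -r recurse, -y keep symlinks as symlinks, -q quiet
    mkdir "$work/Payload" &&
        cp -R "$app_dir" "$work/Payload/" &&
        (cd "$work" && zip -qry "$out" Payload)
    rc=$?
    rm -rf "$work"
    return $rc
}
```

On the device this would be called as, for instance, make_ipa "$(find_app_dir Facebook | head -n 1)" /var/root/Facebook.ipa, after which the .ipa is copied off with scp or sftp as the article describes.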


Compressing and Extracting the Local Data Storage

For extraction of local data storage, we need to find out the location of data container of the application. In order to do so, we must first understand the following points:

  • On the first launch of the application on the device, iOS creates the data container and bundle container for the application.
  • On the path Library/Caches/Snapshots, a directory with exactly the same name as the application's bundle identifier (CFBundleIdentifier) gets created.

So, we can make use of this fact to locate the Local Data Storage of the application. We shall proceed in the following manner:

Open the Info.plist file of the application and search for the key ‘Bundle Identifier’ as shown in the screenshot.




Now, we need to search the Local Data Storage Directory for a directory whose name exactly matches the CFBundleIdentifier value. This can be done as shown.


We can even refine our search as shown here.


The same can be made easy by using a tool named ‘installipa’ which is available with ‘IPA Installer Console’ from Cydia.


Once we reach the Local Data Storage Directory, we can compress the files using any tool like zip, rar or 7zip.


We also need to extract the <BundleIdentifier>.plist file (if present) at the path '/var/mobile/Library/Preferences' and include it in our zip file using the following command:



We can then move the compressed file to any location of our choice.



Now, we will again make use of scp or sftp for getting the file on our computer.
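
The data-container lookup and archiving described in this section, as an added example rather than the article's own commands. It assumes data containers are under /var/mobile/Containers/Data/Application and that each holds Library/Caches/Snapshots/<bundle id> as stated above; find_data_container and archive_app_data are hypothetical helper names, and the bundle identifier is passed in after being read from Info.plist.

```shell
#!/bin/sh
# Added example (not from the original article): locate an app's data container
# from its bundle identifier, then zip it together with its preferences plist.
# Assumption: containers are laid out as ROOT/<UUID>/Library/Caches/Snapshots/<id>.

# find_data_container BUNDLE_ID [ROOT] -> prints the container directory.
find_data_container() {
    bundle_id=$1
    root=${2:-/var/mobile/Containers/Data/Application}
    # Quoting the identifier makes the match exact, so com.example.demo does
    # not also select com.example.demo.widget.
    for snap in "$root"/*/Library/Caches/Snapshots/"$bundle_id"; do
        [ -d "$snap" ] || continue      # glob did not match, or not a directory
        # Strip the fixed suffix to get back to the container (UUID) directory.
        printf '%s\n' "${snap%/Library/Caches/Snapshots/*}"
    done
}

# archive_app_data BUNDLE_ID OUT.zip [ROOT] [PREFS_DIR]
archive_app_data() {
    bundle_id=$1
    out=$2
    prefs=${4:-/var/mobile/Library/Preferences}
    case $out in /*) ;; *) out=$PWD/$out ;; esac   # keep the path valid after cd
    container=$(find_data_container "$bundle_id" "$3" | head -n 1)
    [ -n "$container" ] || { echo "no data container for $bundle_id" >&2; return 1; }
    # Archive relative to the container so paths start at Documents/, Library/ ...
    (cd "$container" && zip -qry "$out" .) || return 1
    # The preferences plist is optional; add it (without its path) only if present.
    if [ -f "$prefs/$bundle_id.plist" ]; then
        zip -qj "$out" "$prefs/$bundle_id.plist"
    fi
}
```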



Extracting the Shared Storage

Some applications make use of a shared storage directory. The files under this directory host data shared among application groups and their extensions. This lets them share data securely without disturbing the sandboxing.

To identify the shared storage, first navigate to the Shared Data Directory.




Now, search for the application name within this directory.



It can be observed that the ‘Facebook’ application uses two shared data directories.

The next step is to enter into these directories, compress all the data present and move the compressed file to the location of your choice.


In the last step, extract the files to your computer using scp or sftp.



Conclusion

In this article, we have learnt how to extract the IPA and Local Data Storage of an iOS application to a computer. We need to have these files in order to start static analysis of the application. Up next, we will try to understand the structure of an iOS application and try to gather as much information from that as necessary for understanding the workings of an application on an iPhone.
