During forensic analysis it’s not too rare to run into some suspicious application. In this article I’m going to learn to reverse engineer iOS applications.
Analysis flow
First, we need to get IPA file from the device. There are different ways to do so (please, refer to BTFM and RTFM). Here I’m going to use the easiest one:
ipainstaller -i $(ipainstaller -l | grep -i [package_partial_name]) | grep Bundle
scp root@[device_ip]:/path/to/Bundle/ .
Note that this method only works only if the application was not downloaded from AppStore, because the applications installed that way are encrypted and to get the code one needs to dump it decrpyted from memory (frida-ios-dump.py with frida-server) or decrypt it statically ().
Then open the Bundle folder on PC and look for Info.plist. Let’s find any strings that start with NS and end with UsageDescription.
cd *.ipa/[package_name].app
grep 'UsageDescription' Info.plist -A1
You sould see something like that:
<key>NSPhotoLibraryUsageDescription</key>
<string>You can choose a profile picture from your photo library</string>
<key>NSPhotoLibraryAddUsageDescription</key>
<string>Allow Kindle to access your photos to save images.</string>
--
<key>NSCameraUsageDescription</key>
<string>Kindle would like to access the camera</string>
--
<key>NSAppleMusicUsageDescription</key>
<string>We use this to play audio in certain interactive books or magazines</string>
Inspect the application and make sense of all its entitlements. Why, for example, Kindle application needs to access my Camera? May be to set Avatar. And what if it was a simple game? Anyway, always check this since it might be an indication of malware application (although it’s very hard to get one uploaded to AppStore, it’s still possible. Besides, there are ways to sideload applications).
Entitlements
Here is an article which contains a section about iOS entitlements.
To decode certificate
openssl x509 -in certificate.crt -text -noout
Extract xml from Info.plist:
binwalk -e -y=xml ./Telegram\ X
r2 -qc 'izz~PropertyList' ./Telegram\ X
grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/
15E6A58F-1CA7-44A4-A9E0-6CA85B65FA35/Telegram X.app/Telegram\ X
Custom URL schemes and Unviersal URL schemes:
rabin2 -zq Telegram\ X.app/Telegram\ X | grep openURL
LAContext
User Presence
User Presence works with TouchID through Keychain. While LAContext just delegates the credentials check to the system, here Keychain services will present the authentication dialog to the user and return data or nil depending on whether a suitable fingerprint was provided or not. LAContext will present success or failure.
Both using LocalAuthentication framework.
otool -L <AppName>.app/<AppName>
â Unlike macOS and Android, iOS currently (at iOS 12) does not support temporariness of an item’s accessibility in the keychain: when there is no additional security check when entering the keychain (e.g. kSecAccessControlUserPresence or similar is set), then once the device is unlocked, a key will be accessible.
MSTG-AUTH-8: “Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns “true” or “false”). Instead, it is based on unlocking the keychain/keystore.”
MSTG-STORAGE-11: “The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.”
https://blog.nvisium.com/dont-touch-me-that-way https://www.inversecos.com/2022/06/how-to-reverse-engineer-and-patch-ios.html