App Environment
There are two directories that make up a complete app installation; Bundle & Data. These two directories are located in different parts of the file system. There can be a third directory available in some cases. This is called the App Group Shared Data directory. This is an area where apps from the same development team can share data across multiple apps.
| Name | Directory Path |
|---|---|
| Bundle | /private/var/containers/Bundle/Application/UUID |
| Data | /private/var/mobile/Containers/Data/Application/UUID |
| App Group Shared Data | /private/var/mobile/Containers/Shared/UUID |
NOTE: It is important to note that if the same app is removed and re-installed the UUID of the app directories will change.
When performing a penetration test on an app, you will want to obtain the direct path to all of these directories. Below are a couple of ways to find this information:
To find the Bundle directory, run the ps command:
ps -A | grep -i binaryname
There are a couple of ways to find the appropriate Data directory; timestamps and search strings:
Change to the Data directory prefix (above), and check the timestamps of the data:
cd /private/var/mobile/Containers/Data/Application
ls -ltr
Additionally, you can use the find command:
cd /private/var/mobile/Containers/Data/Application
find . –iname “*searchstring*” | awk –F\/ ‘{ print $2 }’ | head -1
Another quick and easy way to obtain the app environment is to simply use the Objection framework. Launch the app, and run this command on your macOS system:
objection -g 'App Name' run env
IPA Files
In many cases, you will be provided an IPA file for the app that is to be tested. We covered how to install these in the previous section. However, there is a lot of analysis we can perform with the IPA file from the macOS system. In fact, even if we install the app from the App Store we will pull down an IPA file for analysis.
If you extract the IPA file, you will notice that it is - essentially - the Bundle directory.
To extract the IPA on the Mac, open a Terminal and use the unzip command:
unzip -qq appname.ipa –d appname/
cd appname/Payload
If you look at the extracted app in the Finder, when you get to "Payload/appname.app", just right click on appname.app and select "Show Contents". This will take you inside the app directory.
If you want to open Finder to the extracted directory, change into the directory and use the "open" command:
unzip -qq appname.ipa –d appname/
cd appname/Payload/appname.app/
open .
App Groups
App Groups are used to share data between multiple applications. An App Group creates a secure container that multiple processes are allowed to access. This secure container is outside of the individual applications sandbox, yet still accessible to the apps. To participate in an App Group, the applications must contain the same app prefix (e.g., com.example.)
App Groups are setup in Xcode, and have only 3 simple rules:
- You must add the proper entitlements for the app to access the shared location.
- Enable the App Group feature in your Developer account
- Add the proper App Group to your App ID
To check if your app is using App Groups, you can pull the entitlements from the app.
jtool2 --ent ${BINARY}
Entitlements can be pulled from the binary or the app directory:
codesign -d --entitlements - binary
codesign -d --entitlements - App/Payload/Example.app
If App Groups exist, be sure you evaluate any files that are stored in:
/private/var/mobile/Containers/Shared/UUID/