
App Environment

A complete app installation is made up of two directories, Bundle and Data, which live in different parts of the file system. In some cases a third directory is also present: the App Group Shared Data directory, an area where apps from the same development team can share data across multiple apps.

Name                    Directory Path
Bundle                  /private/var/containers/Bundle/Application/UUID
Data                    /private/var/mobile/Containers/Data/Application/UUID
App Group Shared Data   /private/var/mobile/Containers/Shared/UUID

NOTE: If the same app is removed and re-installed, the UUID of each app directory changes.

When performing a penetration test on an app, you will need the direct path to each of these directories. Below are a few ways to find this information:

appinfo command

Using the appinfo command, you can find all three locations:

appinfo <search-term>

This will produce output similar to below:

% appinfo DVIA

Bundle Name : DVIA-v2
Bundle ID : com.example.dvia2
Bundle Path : /var/containers/Bundle/Application/C190D49A-29F7-4D93-823B-DBB081E4A5EE/DVIA-v2.app
Data Container : /var/mobile/Containers/Data/Application/3BFE8727-D733-4C12-9C15-3D851BC2A552
Group Container : Not found

Bundle Directory

To find the Bundle directory, run the ps command on the device and look for the app's binary; the path of the running binary starts with the Bundle directory:

# on the device:
ps -A | grep -i binaryname

Data Directory

There are a couple of ways to find the appropriate Data directory: timestamps and search strings.

Change to the Data directory prefix (above) and list the containers by modification time; with ls -ltr the most recently modified container appears last:

# on the device:
cd /private/var/mobile/Containers/Data/Application
ls -ltr

Additionally, you can use the find command to search file and directory names for a string associated with the app (such as its bundle ID) and print the UUID of the container it was found in:

# on the device:
cd /private/var/mobile/Containers/Data/Application
find . -iname "*searchstring*" | awk -F/ '{ print $2 }' | head -1
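The following added example (not code from the original page) wraps the two device-side steps above, the ps lookup for the Bundle directory and the find/ls lookups for the Data directory, in shell functions and runs them against a constructed sample tree so it works offline. The container UUIDs 1111-AAAA, 2222-BBBB and 3333-CCCC, the sample ps line and the file names are made up. It goes one step beyond the page's find one-liner: every matching container is listed (sort -u) rather than only the first, because a loose search string can match files inside more than one app's container and head -1 silently picks one of them.

```shell
#!/bin/sh
# Added example: locate an app's Bundle and Data directories the way the
# ps / find / ls steps do, run against a constructed sample tree.

# Bundle directory: pull the container path out of a ps line. On the device the
# binary runs from /private/var/containers/Bundle/Application/<UUID>/<App>.app/<binary>.
bundle_dir_from_ps() {
  # $1: one or more lines of "ps -A" output
  printf '%s\n' "$1" \
    | sed -n 's#.*\(/private/var/containers/Bundle/Application/[^/]*\)/.*#\1#p' \
    | head -1
}

# Data directory, search-string method: the page's find pipeline, but listing
# every container whose file or directory names match (not only the first).
data_dirs_by_name() {
  # $1: Data container root; $2: case-insensitive substring of a file/dir name
  ( cd "$1" && find . -iname "*$2*" | awk -F/ '{ print $2 }' | sort -u )
}

# Data directory, timestamp method: the most recently modified container,
# i.e. the last line of "ls -ltr" or the first line of "ls -t".
newest_data_dir() {
  ls -t "$1" | head -1
}

# Constructed stand-in for /private/var/mobile/Containers/Data/Application:
# two containers carry the bundle id in a file name, one does not.
make_sample_data_tree() {
  root="$1"
  mkdir -p "$root/1111-AAAA/Library/Caches/com.example.dvia2" \
           "$root/2222-BBBB/Documents" \
           "$root/3333-CCCC/Library/Preferences"
  touch "$root/3333-CCCC/Library/Preferences/com.example.dvia2.plist"
  # give the containers distinct mtimes so the timestamp method is deterministic
  touch -t 202401010000 "$root/1111-AAAA" "$root/2222-BBBB"
  touch -t 202401020000 "$root/3333-CCCC"
}

# Constructed ps line; the UUID is the one from the appinfo output above
SAMPLE_PS_LINE='  642 ??  0:01.23 /private/var/containers/Bundle/Application/C190D49A-29F7-4D93-823B-DBB081E4A5EE/DVIA-v2.app/DVIA-v2'

demo() {
  root=$(mktemp -d)
  make_sample_data_tree "$root"
  echo "Bundle dir : $(bundle_dir_from_ps "$SAMPLE_PS_LINE")"
  echo "Data dirs whose file names match dvia2 (two candidates, so head -1 is a guess):"
  data_dirs_by_name "$root" dvia2
  echo "Newest data dir: $(newest_data_dir "$root")"
  rm -rf "$root"
}
demo
```

Note that -iname matches names only, not file contents; a bundle ID usually shows up in Library/Caches or Library/Preferences, which is why it makes a good search string. When several containers match, confirm the right one with the timestamp method or with appinfo.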

Another quick way to obtain the app environment is to use the Objection framework. Launch the app, and run this command on your macOS system:

objection -g 'App Name' run env

App Groups

App Groups are used to share data between multiple applications. An App Group creates a secure container that multiple processes are allowed to access. This container is outside of the individual application's sandbox, yet still accessible to the participating apps. To participate in an App Group, the applications must share the same app prefix (e.g., com.example.).

App Groups are set up in Xcode and follow only three simple rules:

  • Add the proper entitlements so the app can access the shared location.
  • Enable the App Group feature in your Developer account.
  • Add the proper App Group to your App ID.

To check whether the app uses App Groups, pull the entitlements from the app:

getentitlements <bundle-id>

If App Groups exist, be sure to evaluate any files stored in:

/private/var/mobile/Containers/Shared/UUID/
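The entitlements check above can be scripted. The following added example (not code from the original page) reads the App Group identifiers out of an entitlements plist in the XML form that codesign -d --entitlements prints, so a larger test script can decide whether the Shared container needs to be reviewed. The entitlement key com.apple.security.application-groups is the real key Xcode writes; the plist content, bundle ID, team prefix and group names are constructed.

```shell
#!/bin/sh
# Added example: extract App Group identifiers from an XML entitlements plist.

# Prints each identifier under com.apple.security.application-groups, one per
# line; prints nothing when the app declares no App Groups.
list_app_groups() {
  awk '
    /<key>com\.apple\.security\.application-groups<\/key>/ { in_groups = 1; next }
    in_groups && /<key>/     { in_groups = 0 }   # next key reached (covers <array/>)
    in_groups && /<\/array>/ { in_groups = 0 }
    in_groups && /<string>/  {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print
    }
  ' "$1"
}

# Exit status 0 when the app uses App Groups, 1 otherwise, so a script can gate
# the review of /private/var/mobile/Containers/Shared/UUID/ on it.
uses_app_groups() {
  [ -n "$(list_app_groups "$1")" ]
}

# Constructed entitlements for an app that belongs to two App Groups
write_sample_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.dvia2</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.example.shared</string>
        <string>group.com.example.keychain</string>
    </array>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDE12345.com.example.dvia2</string>
    </array>
</dict>
</plist>
EOF
}

# Constructed entitlements for an app without App Groups; keychain-access-groups
# is present so the parser is shown ignoring an unrelated array.
write_sample_entitlements_nogroups() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.solo</string>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDE12345.com.example.solo</string>
    </array>
</dict>
</plist>
EOF
}

demo() {
  f=$(mktemp)
  write_sample_entitlements "$f"
  if uses_app_groups "$f"; then
    echo "App Groups declared; review the Shared container for each:"
    list_app_groups "$f"
  else
    echo "No App Groups declared"
  fi
  rm -f "$f"
}
demo
```

In a real test, feed list_app_groups the XML written out by the entitlements tool instead of the constructed sample; each group identifier it prints corresponds to a directory under the Shared path above whose contents should be reviewed.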

IPA Files

In many cases, you will be provided an IPA file for the app that is to be tested. We covered how to install these in the previous section. However, there is a lot of analysis we can perform on the IPA file from the macOS system. In fact, even if we install the app from the App Store, we will pull down an IPA file for analysis.

If you extract the IPA file, you will notice that it is essentially the Bundle directory.

To extract the IPA on the Mac/Linux host, open a Terminal and use the unzip command:

unzip -qq appname.ipa -d appname/
cd appname/Payload

This performs a quiet extraction of the IPA file and places its contents into a directory called appname; the .app bundle is found under appname/Payload.