
iOS App Types

During the intelligence gathering phase, you will want to determine the type of app you are testing. This could be an app written in Objective-C, Swift, SwiftUI, or using Hybrid technologies. This information will be helpful in later sections when you are probing the app for vulnerabilities.

Determine App Type

The table below outlines some of the programming languages and frameworks that you will run across, and whether they produce Native or Hybrid apps.

| Framework | Type | What to look for |
|---|---|---|
| Objective-C | Native | Objective-C links to libobjc.A.dylib: otool -L $BINARY |
| Swift | Native | Swift links to libswiftCore.dylib: otool -L $BINARY, or check symbols: nm -m $BINARY \| grep -i swift |
| SwiftUI | Native | SwiftUI links to the SwiftUI.framework & libswiftUIKit.dylib |
| Xamarin | Native | Xamarin apps are written in C# instead of Objective-C or Swift. A Xamarin app will have the Mono libraries. Check with otool -L $BINARY |
| Cordova | Hybrid | Hybrid apps will contain the "www" directory inside the Bundle directory. Inside of that, there will be a "js" folder that contains the appropriate JavaScript framework. |
| Ionic | Hybrid | Same as Cordova. |
| Sencha Touch | Hybrid | Same as Cordova. |
| Kendo UI | Hybrid | Same as Cordova. |
| Framework 7 | Hybrid | Same as Cordova. |
| jQuery Mobile | Hybrid | Same as Cordova. |
| Many others... | Hybrid | Same as Cordova. |

If your app is a Hybrid app, then you can extract the IPA file and review the HTML/JavaScript files that are in use:

% unzip -qq ipaname.ipa
% cd Payload/appname.app/www

Review all the files in the 'www' directory for sensitive data such as encryption keys and credentials, and to find out how the app builds these mechanisms.

Analyze Cordova Apps

Review the files in the "www" directory to determine the version of the framework that is in use. Search for CVEs associated with the framework and version the app is using. There have been many critical CVEs released for these frameworks.

For Cordova, the latest reference is located here: https://cordova.apache.org/docs/en/latest/config_ref/index.html

Config File Inspection

The Cordova framework will have a file called 'config.xml' in the application Bundle directory. This is the main configuration file and defines several aspects of the mobile application, such as enabled plugins, platform-specific settings, and the list of custom hooks.

| Name | Value | Description |
|---|---|---|
| Log Level | <preference name="loglevel" value="DEBUG" /> | May expose critical data by logging it to the Apple System Log (ASL) |
| Access Origin | <access origin='*'/> | Any malicious app can potentially open a malicious webpage by using the exposed intent functionality |
| Features | <feature name='LocalStorage'> <param name='ios-package' value='CDVLocalStorage'/> </feature> | Examine the Feature name and value, and how that may affect the application |
| Preferences | <preference name='BackupWebStorage' value='cloud'/> | Examine the Preferences and how they may affect the application |
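
One way to automate the checks in the table above during a review. This is an added example, not part of the original page or the Cordova project; the function names `audit_config` and `local` and the sample config.xml are constructed for illustration, and it assumes config.xml has already been extracted from the app bundle.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (not from a real app) using the settings in the table.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='utf-8'?>
<widget id="com.example.app" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
    <access origin="*" />
    <access origin="https://api.example.com" />
    <preference name="loglevel" value="DEBUG" />
    <preference name="BackupWebStorage" value="cloud" />
    <feature name="LocalStorage">
        <param name="ios-package" value="CDVLocalStorage" />
    </feature>
</widget>"""


def local(tag):
    """Strip the XML namespace so '{ns}access' compares as 'access'."""
    return tag.rsplit("}", 1)[-1]


def audit_config(xml_text):
    """Return (findings, features): settings to review and the declared plugins."""
    findings, features = [], {}
    for el in ET.fromstring(xml_text).iter():
        tag = local(el.tag)
        name, value = el.get("name", ""), el.get("value", "")
        if tag == "access" and el.get("origin") == "*":
            findings.append("access origin '*': wildcard allows any origin")
        elif tag == "preference" and name.lower() == "loglevel" and value.upper() == "DEBUG":
            findings.append("loglevel DEBUG: app data may be written to the system log")
        elif tag == "preference" and name.lower() == "backupwebstorage" and value.lower() == "cloud":
            findings.append("BackupWebStorage cloud: web storage may be backed up via iCloud")
        elif tag == "feature":
            # Map each feature to its iOS native class for manual review.
            features[name] = [p.get("value") for p in el.iter()
                              if local(p.tag) == "param" and p.get("name") == "ios-package"]
    return findings, features


if __name__ == "__main__":
    found, feats = audit_config(SAMPLE_CONFIG)
    for finding in found:
        print("[!]", finding)
    for feat, classes in feats.items():
        print("[i] feature", feat, "->", ", ".join(classes))
```

The namespace stripping matters because Cordova's config.xml declares the W3C widgets namespace on the root element, so a naive search for `access` or `preference` tags returns nothing.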

The config.xml file resides at the root of the Cordova project folder, which has the following structure:

  • hooks: modifies the way the Cordova CLI works

  • platforms: platforms for which the native code will be built

  • plugins: plugins extend the JavaScript APIs of the framework

  • www: stores the HTML, JavaScript and CSS files.


Note: The frameworks are available for several platforms, so it will be common to find configuration info for an Android app in the iOS app (or vice versa). One of the reasons to develop with these frameworks is that they can use the same code base across multiple platforms.


HTML, JavaScript, CSS Files

All HTML, JavaScript, and CSS files are in the www directory. Carefully examine these files. Some common things to look for are listed below:

  • Review the JavaScript files for any unsafe or deprecated functions.

  • Review the JavaScript files for the "console.log" API, and determine what type of information may be logged from the application.

  • Check the version of any JavaScript presentation library, such as jQuery, and research any security issues related to that version. It is common to find mobile apps with old versions of these libraries on the device.

  • Check for any "frontend" JavaScript frameworks such as the ones listed below:

    • React

    • Angular

    • Vue.js

    • jQuery

    • jQuery Mobile

  • Any file with a .js extension should be reviewed.

  • Check for CryptoJS usage. This is a client-side encryption library. As it is client side, it typically stores the encryption key on the device for use. If you can recover this key, then you can easily decrypt the data.