Hard-Coded Data
An iOS app can be configured in many different places. Typically, configuration values are kept in Property List (PLIST) files, SQLite databases, JSON files, or XML files.
Get app Environment Information
When you install an app, it is placed into a newly generated Globally Unique Identifier (GUID) directory for both the "Bundle" portion of the app, and the "Data" portion. These two directories make up the app sandbox! There is a third directory if the app uses an "App Group" to share information.
Name | Directory |
---|---|
Bundle | /private/var/containers/Bundle/Application/(GUID) |
Data | /private/var/mobile/Containers/Data/Application/(GUID) |
App Group Shared | /private/var/mobile/Containers/Shared/(GUID) |
If you remove an app and then reinstall it, it is installed into newly created GUID directories. It will not use the previous GUIDs. To get the current environment information:
objection -g 'App Name' run env
Example:
% objection -g com.godaddy.goapp.dev run env
Using USB device `iPhone`
Agent injected and responds ok!
Determining environment...
Running command... `env`
Name Path
----------------- -------------------------------------------------------------------------------------------
BundlePath /private/var/containers/Bundle/Application/8EE061EB-9AC1-488B-B525-3D6B0F25032D/Polaris.app
CachesDirectory /var/mobile/Containers/Data/Application/A1362F7B-A6E2-431E-B1FD-BA6EEAB709CA/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/A1362F7B-A6E2-431E-B1FD-BA6EEAB709CA/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/A1362F7B-A6E2-431E-B1FD-BA6EEAB709CA/Library
Asking jobs to stop...
Unloading objection agent...
The BundlePath directory is where the executable, Info.plist, and library files are stored on the device.
You can infer the "Data" directory from the remaining paths listed. The Data path contains the Documents, Library, and Caches directories. In the example above, the Data directory would be:
/var/mobile/Containers/Data/Application/A1362F7B-A6E2-431E-B1FD-BA6EEAB709CA/
Note: For simplicity, I will refer to the Bundle directory as $APP, and the Data directory as $DATA, in the steps below (and other documents).
Review Info.plist
The Info.plist file is the main application configuration. It contains things like permissions, URL schemes, applicable devices, etc.
To review the Info.plist file on the device:
cd $APP
plutil Info.plist
Apple documentation for iOS Info.plist Keys:
Check for Other PLIST Files
To search for other PLIST files on the device:
cd $APP
find . -type f -exec grep -ali plist {} \;
cd $DATA
find . -type f -exec grep -ali plist {} \;
It is not uncommon to find a PLIST file embedded in a PLIST file. This is typically done using the NSKeyedArchiver APIs for serialization of data. It will look like a bunch of hex strings, because that is exactly what it is. See the next section to decode this information.
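Added example, not from the original page: once a PLIST file has been copied off the device for review, this Python script walks it and reports every data value that is itself a PLIST, flagging NSKeyedArchiver archives and listing their readable strings. It assumes Python 3.8+ (for plistlib.UID); the sample file and the names find_embedded_plists, archive_strings and build_sample are constructed for illustration.

```python
import plistlib

# Prefixes that mark a bytes value as a serialized plist (binary or XML).
PLIST_PREFIXES = (b"bplist00", b"<?xml", b"<plist")


def find_embedded_plists(obj, path="$root"):
    """Return (key_path, kind, decoded) for every bytes value that is itself a plist."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits += find_embedded_plists(value, f"{path}.{key}")
    elif isinstance(obj, (list, tuple)):
        for i, value in enumerate(obj):
            hits += find_embedded_plists(value, f"{path}[{i}]")
    elif isinstance(obj, (bytes, bytearray)) and bytes(obj).startswith(PLIST_PREFIXES):
        try:
            inner = plistlib.loads(bytes(obj))
        except Exception:
            return hits  # had a plist prefix but did not parse; not an embedded plist
        is_archive = isinstance(inner, dict) and inner.get("$archiver") == "NSKeyedArchiver"
        hits.append((path, "NSKeyedArchiver" if is_archive else "plist", inner))
        hits += find_embedded_plists(inner, path + "<embedded>")  # archives can nest
    return hits


def archive_strings(archive):
    """Readable strings stored in a keyed archive's $objects table."""
    return [o for o in archive.get("$objects", []) if isinstance(o, str) and o != "$null"]


def build_sample():
    """Constructed sample: an outer plist holding an NSKeyedArchiver blob."""
    archive = {
        "$archiver": "NSKeyedArchiver",
        "$version": 100000,
        "$top": {"root": plistlib.UID(1)},
        "$objects": ["$null", "api_key=EXAMPLE-NOT-A-REAL-KEY"],
    }
    blob = plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)
    return plistlib.dumps({"Version": "1.0", "Settings": {"SessionBlob": blob}},
                          fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for key_path, kind, inner in find_embedded_plists(plistlib.loads(build_sample())):
        print(key_path, kind, archive_strings(inner) if kind == "NSKeyedArchiver" else "")
```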
Search for Databases
To search for database files:
# Bundle directory:
find $APP -type f -exec grep -ali sqlite {} \;
find $APP -type f -exec grep -ali data {} \;
find $APP -iname \*.db
find $APP -iname \*.sqlite
find $APP -iname \*.sqlite3
find $APP -iname \*.realm\*
find $APP -iname \*.mx
find $APP -iname \*.pflock
find $APP -iname \*.cblite
find $APP -iname \*.cblite2
# Data directory:
find $DATA -type f -exec grep -ali sqlite {} \;
find $DATA -type f -exec grep -ali data {} \;
find $DATA -iname \*.db
find $DATA -iname \*.sqlite
find $DATA -iname \*.sqlite3
find $DATA -iname \*.realm\*
find $DATA -iname \*.mx
find $DATA -iname \*.pflock
find $DATA -iname \*.cblite
find $DATA -iname \*.cblite2
To open an SQLite database for review:
sqlite3 filename.db
To list the tables in the database:
> .tables
To review the data in a table:
> select * from tablename;
To exit the database:
> .exit
Search for JSON/XML/Text/Certificates/Other Files
To search for these files:
# Bundle directory:
find $APP -iname \*.txt
find $APP -iname \*.xml
find $APP -iname \*.json
find $APP -iname \*.cer
find $APP -iname \*.pem
find $APP -iname \*.cert
find $APP -iname \*.crt
find $APP -iname \*.pub
find $APP -iname \*.key
find $APP -iname \*.pfx
find $APP -iname \*.p12
find $APP -iname \*.pkcs7
find $APP -iname \*.html
find $APP -iname \*.md
find $APP -iname \*.js
find $APP -iname \*.m
find $APP -iname \*.h
find $APP -iname \*.swift
find $APP -iname \*.log
# Data directory:
find $DATA -iname \*.txt
find $DATA -iname \*.xml
find $DATA -iname \*.json
find $DATA -iname \*.cer
find $DATA -iname \*.pem
find $DATA -iname \*.cert
find $DATA -iname \*.crt
find $DATA -iname \*.pub
find $DATA -iname \*.key
find $DATA -iname \*.pfx
find $DATA -iname \*.p12
find $DATA -iname \*.pkcs7
find $DATA -iname \*.html
find $DATA -iname \*.md
find $DATA -iname \*.js
find $DATA -iname \*.m
find $DATA -iname \*.h
find $DATA -iname \*.swift
find $DATA -iname \*.log