App Configuration / Hard-Coded Data
An iOS app keeps its configuration in many different places. Typically these are Property List (PLIST) files, SQLite databases, JSON or XML files. Each of them is a candidate location for hard-coded credentials, backend endpoints and security-relevant settings, so review all of them.
Review Info.plist
The Info.plist file is the main application configuration. It contains things like permission usage descriptions (for example NSCameraUsageDescription), registered URL schemes (CFBundleURLTypes), supported devices and App Transport Security settings (NSAppTransportSecurity). Pay particular attention to NSAllowsArbitraryLoads (weakens TLS enforcement), UIFileSharingEnabled (exposes the Documents directory via USB and the Files app) and every URL scheme, since each scheme is an entry point whose input must be validated.
To review the Info.plist file on macOS (plutil ships with macOS and prints both XML and binary plists; on Linux, convert the file with plistutil from libplist or parse it with Python's plistlib):
cd App/Payload/Example.app
plutil -p Info.plist
Apple documentation for iOS Info.plist Keys:
Check for Other PLIST Files
To search the extracted IPA for other PLIST files by content (grep -a treats binaries as text, -l lists only the matching file names, -i is case-insensitive; both XML plists and the bplist00 header of binary plists contain the string "plist", so this also finds plists embedded inside other files):
find App -type f -exec grep -ali plist {} \;
It is not uncommon to find a PLIST file embedded in a PLIST file. This is typically the output of the NSKeyedArchiver API, which serializes an object graph as a binary plist; the outer plist stores it as a <data> value, so plutil -p shows it as a block of hex bytes, because that is exactly what it is: the bplist00 header followed by the archive. Decoding this data is covered separately.
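The following Python script is an added example, not part of the original page: it walks a parsed plist, finds every <data> value that is itself a binary plist (bplist00 header), and resolves NSKeyedArchiver archives ($top / $objects with UID references) into plain dictionaries, so the hex blob plutil shows becomes readable. The embedded archive and the bundle identifier com.example.app are constructed sample data; point the script at a real file to scan it.

```python
import plistlib
import sys
from typing import Any, Dict

# Constructed sample: the shape NSKeyedArchiver produces. plistlib.UID values are
# indices into "$objects"; "$top" names the root object(s). Values are not real secrets.
SAMPLE_ARCHIVE = {
    "$version": 100000,
    "$archiver": "NSKeyedArchiver",
    "$top": {"root": plistlib.UID(1)},
    "$objects": [
        "$null",
        {"$class": plistlib.UID(6),
         "NS.keys": [plistlib.UID(2), plistlib.UID(3)],
         "NS.objects": [plistlib.UID(4), plistlib.UID(5)]},
        "username",
        "session_token",
        "alice",
        "EXAMPLE-TOKEN-0000",
        {"$classname": "NSMutableDictionary",
         "$classes": ["NSMutableDictionary", "NSDictionary", "NSObject"]},
    ],
}


def build_sample_plist() -> bytes:
    """Outer XML plist with the archive embedded twice as <data> (base64 of a bplist00 blob)."""
    blob = plistlib.dumps(SAMPLE_ARCHIVE, fmt=plistlib.FMT_BINARY)
    outer = {"CFBundleIdentifier": "com.example.app",  # hypothetical bundle id
             "SavedSession": blob,
             "Nested": {"Blob": blob}}
    return plistlib.dumps(outer, fmt=plistlib.FMT_XML)


def unarchive(archive: Dict[str, Any]) -> Dict[str, Any]:
    """Resolve an NSKeyedArchiver object graph into plain Python values."""
    objects = archive["$objects"]

    def resolve(value: Any, depth: int = 0) -> Any:
        if depth > 64:  # archives may contain cycles; stop instead of recursing forever
            return "<cycle or too deep>"
        if isinstance(value, plistlib.UID):
            target = objects[value.data]
            return None if target == "$null" else resolve(target, depth + 1)
        if isinstance(value, dict):
            if "$class" in value:
                classname = objects[value["$class"].data]["$classname"]
                if "NS.keys" in value:  # NSDictionary family
                    keys = [resolve(k, depth + 1) for k in value["NS.keys"]]
                    vals = [resolve(v, depth + 1) for v in value["NS.objects"]]
                    return dict(zip(keys, vals))
                if "NS.objects" in value:  # NSArray / NSSet family
                    return [resolve(v, depth + 1) for v in value["NS.objects"]]
                if "NS.string" in value:  # NSMutableString
                    return resolve(value["NS.string"], depth + 1)
                # Custom class: keep its name so it can be looked up in class-dump output
                return {"$classname": classname,
                        **{k: resolve(v, depth + 1) for k, v in value.items() if k != "$class"}}
            return {k: resolve(v, depth + 1) for k, v in value.items()}
        if isinstance(value, list):
            return [resolve(v, depth + 1) for v in value]
        return value

    return {name: resolve(uid) for name, uid in archive["$top"].items()}


def find_embedded_plists(node: Any, path: str = "$") -> Dict[str, Any]:
    """Walk a parsed plist and decode every <data> value that is itself a binary plist."""
    found: Dict[str, Any] = {}
    if isinstance(node, bytes) and node.startswith(b"bplist00"):
        inner = plistlib.loads(node)
        if isinstance(inner, dict) and inner.get("$archiver") == "NSKeyedArchiver":
            found[path] = unarchive(inner)
        else:
            found[path] = inner  # plain nested plist, already readable
    elif isinstance(node, dict):
        for key, value in node.items():
            found.update(find_embedded_plists(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.update(find_embedded_plists(value, f"{path}[{i}]"))
    return found


def scan_plist_bytes(raw: bytes) -> Dict[str, Any]:
    """Parse a plist (XML or binary) and return {path: decoded embedded plist}."""
    return find_embedded_plists(plistlib.loads(raw))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_plist()
    for where, decoded in scan_plist_bytes(data).items():
        print(where, "->", decoded)
```

Run it as python3 decode_plist.py App/Payload/Example.app/SomeFile.plist; each line names the key path of the embedded blob and its decoded contents, which is where session tokens and cached credentials tend to surface.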
Search for Databases
Typically, mobile databases are created dynamically when the application first launches, so the IPA itself rarely contains one. What the IPA does reveal is which database technology the app uses, based on the linked libraries, bundled frameworks and header files (otool -L on the main binary lists the linked dynamic libraries). SQLite without SQLCipher means the database relies solely on iOS Data Protection for encryption at rest, which is worth confirming at runtime.
To search for database usage (-l lists the matching files, including the Mach-O binary, instead of dumping binary matches):
grep -rilE 'sqlite|sqlcipher|couchbase|realm' App
Search for JSON/XML/Text/Certificates/Other Files
To search for these files (source files such as .m and .swift, and .log files, should never ship in a release build; if they are present, review them for credentials and internal endpoints):
find App -iname \*.txt
find App -iname \*.xml
find App -iname \*.json
find App -iname \*.cer
find App -iname \*.pem
find App -iname \*.cert
find App -iname \*.crt
find App -iname \*.pub
find App -iname \*.key
find App -iname \*.pfx
find App -iname \*.p12
find App -iname \*.pkcs7
find App -iname \*.html
find App -iname \*.md
find App -iname \*.js
find App -iname \*.m
find App -iname \*.swift
find App -iname \*.log
Jailbreak Detection
grep -riwlE 'cydia|jailbreak|jailbroken|isJailbroken|bash|sshd|apt|frida|sileo|substrate' App
Hits indicate the app checks for jailbreak artifacts (file paths, installed tools, hooking frameworks). These checks run client-side and can be bypassed by hooking the method that returns the result, so treat them as defense in depth rather than a control.
Hardcoded Sensitive Information
Caution: these patterns produce false positives (variable names, placeholder values, UI strings). Verify each hit and check whether the value is actually used at runtime.
/usr/bin/grep -riE '\b(password|passwd|pass|username|secret|key|token)\s*[=:]\s*' App
/usr/bin/grep -rE 'PRIVATE KEY|ssh-(rsa|ed25519|dss)' App
/usr/bin/grep -riE '(Head\w*:|Auth\w*:)' App
/usr/bin/grep -rE '\b[sr]k_live_[0-9a-zA-Z]{24}' App
Note: grep -E does not understand PCRE inline flags such as (?i); use -i instead. Stripe live keys are lowercase-prefixed, so the last search is case-sensitive.
Biometrics Usage
grep -rlE 'LAContext|evaluatePolicy|kSecAccessControl' App
LAContext alone only shows that the app prompts for biometrics. Check whether the protected secret is actually stored in the Keychain with a SecAccessControl requiring biometry (kSecAccessControlBiometryAny or kSecAccessControlBiometryCurrentSet). If the app merely calls evaluatePolicy and branches on the result, the check is a UI gate that can be bypassed by hooking the reply block.
Pasteboard Usage
Check if the app monitors or manipulates the clipboard (the patterns target class-dump headers; in Objective-C the call is @selector(cut:), so the parentheses must be escaped for grep -E):
grep -riE 'UIPasteboardChangedNotification|generalPasteboard\]\.string|@selector\(cut:\)|@selector\(copy:\)' App/headers
Also check whether sensitive fields (passwords, OTPs, card numbers) disable copy/paste, and whether data the app places on the pasteboard uses UIPasteboardOptionExpirationDate or UIPasteboardOptionLocalOnly to limit exposure.
Firebase Usage
Check if the app utilizes Google Firebase for its backend (the SDK configuration ships as GoogleService-Info.plist):
find App -iname GoogleService-Info.plist
If this PLIST file is found, extract the Realtime Database URL (the DATABASE_URL key is only present when a Realtime Database is configured; the file also holds API_KEY, PROJECT_ID and STORAGE_BUCKET, which identify other Firebase services worth testing):
/usr/libexec/PlistBuddy -c 'Print :DATABASE_URL' App/Payload/Example.app/GoogleService-Info.plist
If the app uses the Realtime Database, check that security rules block unauthenticated reads. The REST API is reached by appending /.json to the database URL; shallow=true returns only the top-level keys instead of dumping the whole database:
curl --silent --write-out '\n%{http_code}\n' 'DBURL/.json?shallow=true'
Note: Replace DBURL with the URL found in the PLIST file (no trailing slash); DBURL.json without the slash is not a valid endpoint.
A 200 response with a JSON body means the database is readable by anyone. A 401 with {"error" : "Permission denied"} means the rules deny unauthenticated access, and a 404 means no database exists at that URL. Writes (for example a PUT to a dedicated test path) should only be attempted with the owner's authorization.