-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
In this article, we will be looking at the IOS filesystem,
understand how the directories are organized, look at some
important files, and look at how
we can extract data from database and plist files. We will look
at how applications store their data in their specific directories
(sandbox) and how
we can extract them.
One of the important things to note is that in all the previous
articles, we have been logging in to the device as the user root.
There is another kind
of user with the username mobile. A mobile user has less
privileges than a root user. All the applications run with the user
mobile, with the
exception of Cydia and some other applications which run with
root privileges. Some of Apples internal daemons or services also
run with root
privileges. A quick ps aux will make this very clear. On the
extreme left, you will see the USER column. We can see that Cydia
runs with root
privileges, whereas all other applications run with mobile user,
for e.g /Applications/AppStore.app/AppStore while some of the
daemons for
e.g/usr/sbin/wifid run with root privileges. Some other
applications that you install via Cydia may also run with root
privileges. By default, once you
jailbreak the device, the password for both root and mobile user
is alpine.
IOS Application Security Part 10 IOS Filesystem and
ForensicsSource:
http://highaltitudehacks.com/2013/08/20/ios-application-security-part-10-ios-filesystem-and-forensics/
IOS Application Security Part 10 IOS Filesystem and Forensics
Aug 20th, 2013
Posed by Prateek Gianchandani
http://highaltitudehacks.com/2013/08/20/ios-application-security-part-10-ios-filesystem-and-forensics/http://highaltitudehacks.com/about/
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
It is possible for you to configure an app to run with root
privileges. For more details on it, check out this answer on Stack
Overflow.
Lets ssh into the device. Go to /Applications. You can see some
apps in this folder. Most of them are apps that come preinstalled
with IOS, and
then there are some apps installed via Cydia, for e.g the
Terminal app. Please note that all the apps running inside
/Applications folder dont run in
a sandboxed environment whereas all the applications in the
location /var/mobile/Applications run in a sandboxed environment.
We will discuss
sandboxing later in this article. However, they still run with
the user mobile by default unless specifically configured to run
with the user root.
All the apps downloaded from the App Store go inside the
/var/mobile/Applications/ directory. It also contains the apps that
you installed using
installipa or an external source like Cydia. All these apps run
in a sandboxed environment.
http://stackoverflow.com/a/8796556/119114
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
Please note that from IOS 4 or later, every app resides in an
environment called Sandbox. The main purpose of this is to ensure
that the app is not
allowed to access any data outside of its own sandbox. This
ensures better security. It is however possible to access certain
portions of the user
data from within an application using proper permissions. This
includes permission to fetch the users Contacts, photos etc.
However, there has
been certain debate about this as well. For e.g from IOS 6, an
app can get access to a users contacts after taking proper
permission from the
user. Prior to this, an app could access a users contacts
without taking any permission from the user and it caused quite
acontroversy for the Path
app.
It is also possible to access many other things outside of an
apps sandbox using Entitlements. You can read the complete
documentationhere. For
e.g, to access read write permissions to the calendar of a user,
the entitlements key
com.apple.security.personal-information.calendars has to be
marked as YES in the .entitlements file.
Lets look at the directory structure of a particular
application. Lets go inside the Snapchat app directory. This
directory structure is common for all
apps.
The Snapchat.app (Appname.app) folder contains all the assets
(images), plist files and the binary for the app.The Documents
folder is to used to store any file. This provides a seperate
directory to this application folder that could only be used within
the context of this application. Here is a line taken from Apples
documentation Put user data in the /Documents/. User data is any
data that cannot be recreated by your app, such as user documents
and other user-generated content.tmp folder is used for putting
temporary user data. The application developer should be
responsible for freeing up the memory occupied by the files in this
folder.The Library folder can be used to keep files that are not
essentially user data files.
You can find more information here. Here is a screenshot from
Apples documentation.
http://arstechnica.com/gadgets/2012/02/path-addresses-privacy-controversy-but-social-apps-remain-a-risk-to-users/http://developer.apple.com/library/ios/#documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.htmlhttp://developer.apple.com/library/mac/#documentation/FileManagement/Conceptual/FileSystemProgrammingGUide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW28http://developer.apple.com/library/mac/#documentation/FileManagement/Conceptual/FileSystemProgrammingGUide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW28
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
Gathering information from database fles.Apple uses sqlite
databases to store a lot of its information. These databases
usually have the extension .db or .sqlitedb. Many features for
developers such as Core Data, NSUserDefaults etc operate from
these sqlite databases on a low level. These database files can be
used to
extract a lot of information for a particular application or
from the operating system in general. This could include call
history, or stored mails from
within an application etc. To find all the .db files, use the
command find . -name *.db
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
This gives you a list of all the database files stored within
the device. Lets take a look at some of the important database
files.
I have the gmail app installed on my device. This file looks of
interest to me.
It looks like this file contains some important information.
Lets analyze this file using the sqlite client. Please note that
you will need to install the
sqlite client named sqlite3 on your device first. Lets open this
file using the command sqlite3 file_name.
You will notice that you get a sqlite interpreter. Lets turn the
headers on so that we can see the headers of all column values. You
can then use
the command .tables to have a look at all the tables for this
database.
Some of the tables that look interesting are cached_contacts,
cached_queries and cached_messages. Lets dump out all the
information from the
table cached_messages
As we can see, it dumps out all the cached emails.
Similarly, we can dump out all the SMS database from the device
which is found on the location /private/var/mobile/Library/SMS. In
this dump, you
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
can see a message with the text Test message for ios security
tutorial.
Another example could be the contacts database. It could be
found at the location /var/mobile/Library/AddressBook
And you can find the call history at the location
/private/var/wireless/Library/CallHistory
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
Sometimes doing all these things through command line might be
an overkill and take too much time. A much better way of analysing
all this
information would have been to export the file that you want to
your desktop. For e.g, lets download the Address Book Sqlite
database.
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
We can then analyze this database using a GUI Sqlite client. In
my case, i am using MesaSQLite. Its free and easy to use. In
MesaSQLite go
toFile, then Click on Open Database, select this db file, then
inside the Content tab, select a table and click on Show All
.
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
As you can see, a lot of information can be gathered from these
database files. I recommend that you try to explore more of these
database files in
the operating system and also the database files inside every
app bundle.
Gathering information from plist fles.Plist files are structured
text files that are used for storing various settings and
configuration for a particular app. Since the information is stored
in a
structured way in a plist file in key-value pairs, it is very
easy to change this information and hence developers sometimes end
up storing more
information in these files than it should actually be used
for.
Even on a non-jailbroken device, plist files can be extracted by
using the tool iExplorer. You can also get a quick look at the
plist file using
iExplorer. For e.g, below is the information stored in a plist
file on the Defcon IOS app.
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
And here is a screenshot from the User.plist file contained in
the Snapchat app inside Documents folder. The first highlighted
section is actually the
authentication token for that particular user and the second
highlighted section is the username for that Snapchat user.
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
Plist files may also contain confidential information like
usernames or passwords. The important thing to note is that is that
anyone can extract a
plist file from a device even if its not jailbroken. You can
also extract plist files from itunes backup files. Developers over
the last few years have
stored confidential information in plist files which is not the
correct way. A vulnerability was found in the Linkedin IOS app
where the developer was
storing user authentication information in plist files. You can
find more information about it here.
If you want to read the plist file from the terminal itself, you
will first have to convert it into xml format using the tool
plutil. The command isplutil -
covert xml1 [filename]. First, lets search for all the plist
files in the device by using the 2 commands as shown in the figure
below.
.
Now, lets covert any one file to xml format.
The file is now organized in a structure format. Lets open the
file using vim.
http://blog.scoopz.com/2012/04/07/linkedin-ios-app-also-vulnerable-to-plist-identity-theft/
-
Evernote Export
IOS Application Security Part 10 IOS Filesystem and
Forensics.html[25.05.2014 18:03:59]
As you can see, we are now able to analyze the contents of the
plist file.
Conclusion
In this article, we looked at the IOS filesystem, learnt how the
directory structure is organized, looked at some important files
and learnt how to
extract information from database and plist files. In the next
article, we will take a sample application and use all the
techniques learnt in the
previous articles to perfom a detailed security analysis of the
app.
Local DiskEvernote Export