Evernote Export IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03] Have you ever checked out an IOS app and thought it was cool, and wondered if you could find some information about the source code of the app, the third-party libraries it uses, or how the code is designed internally ? Have you ever wondered if it was possible to dump all the images, plist files used in any app either preinstalled on your device or downloaded from the App store? If the answer is Yes, then you have come to the right place. In this article, we will look at how we can analyze any preinstalled app on your device or any other app downloaded from App store and discover things about the source code of the app like the classes that it uses, the names of the view controllers it uses, the internal libraries, and even intricate details like the variables and methods names used in any particular class or view controller. We will then look at how we can decrypt the applications downloaded from the App store and dump all the images, plist files that the app uses. Dumping class information for Preinstalled apps on the device Now we are at a stage that we can analyze apps for class information. So let’s dump the class information for the Apple Maps app. The first step would be to locate the Apple Maps app executable. All IOS apps that come preinstalled with the device are stored in the directory/Applications. So let’s navigate to that directory. IOS Application security Part 2 - Getting class information of IOS apps Source: http://highaltitudehacks.com/2013/06/16/ios-application-security-part-2-getting-class-information-of-ios-apps/ IOS Application Security Part 2 - Getting Class Information of IOS Apps Jun 16th, 2013 Posed by Prateek Gianchandani
15
Embed
IOS Application Security Part 2 - Getting Class Information of IOS Apps
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
Have you ever checked out an IOS app and thought it was cool, and wondered if you could find some information about the source code of the
app, the third-party libraries it uses, or how the code is designed internally ? Have you ever wondered if it was possible to dump all the images,
plist files used in any app either preinstalled on your device or downloaded from the App store? If the answer is Yes, then you have come to the
right place.
In this article, we will look at how we can analyze any preinstalled app on your device or any other app downloaded from App store and discover
things about the source code of the app like the classes that it uses, the names of the view controllers it uses, the internal libraries, and even
intricate details like the variables and methods names used in any particular class or view controller. We will then look at how we can decrypt the
applications downloaded from the App store and dump all the images, plist files that the app uses.
Dumping class information for Preinstalled apps on the deviceNow we are at a stage that we can analyze apps for class information. So let’s dump the class information for the Apple Maps app. The first step
would be to locate the Apple Maps app executable. All IOS apps that come preinstalled with the device are stored in the directory/Applications. So
let’s navigate to that directory.
IOS Application security Part 2 - Getting class information of IOS appsSource: http://highaltitudehacks.com/2013/06/16/ios-application-security-part-2-getting-class-information-of-ios-apps/
IOS Application Security Part 2 - Getting Class Information of IOS Apps Jun 16th, 2013
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
Here you will see all the apps that come preinstalled with the device. Now let’s navigate inside the Maps app directory and list the directories.
As you can see, we can see all the images, plist files etc used by this app. We will discuss later how it is possible to fetch all the images and other
files from a particular IOS app. Anyways, hidden in all this mess is an executable for the app with the name Maps as can be seen on the left side in
the image below. Note that the name of the executable will be the same as the name of the app. Note that we can see some pdf’s in the app
bundle as well. I really don’t see the need of including a pdf file in the bundle.
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
To dump the class information for this app, just use the command class-dump-z Maps
As you can see there is just too much output in the terminal right now, hence its better to save the output to a file, in this case with the filename
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
class-dump-Maps.
You can now use sftp to ftp into the device and download the file. You can fetch any file with the command get followed by the path of the file as
shown below.
Since the file is now downloaded locally on the system, let’s open it up in TextMate (you can use textedit or any other app as well)
We can learn a lot about the way the code is designed just by looking at the interface files. For e.g over here you can see a View controller named
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
InfoCardController. As you might have already guessed, this is the VC to display more info about a particular location when we tap on the right
arrow button as shown in the image below.
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
Now lets have a look at this view in the app. This page is actually displayed by InfoCardViewController which we found from class-dump-
zinformation.
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
If you look at this image and the class information above, you can easily see what are the methods names that get called when you tap on these
buttons. For e.g if i tap on Direction to here, the method that will get called is
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
To view the filesystem, just click on files.
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
To check out files for a particular app, click on Apps
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
As you can see, it is very easy to browse the filesystem and upload/download files. In this case, lets download all the image and files present in the
Facebook app. On the left side, look for Facebook and click on it. This will take you to the directory containing Facebook app files. All the images
and files are containing inside the Facebook.app directory.
To download all the files, just press Cmd + A, and right click and select Export to Folder. Then choose the location where you want to save all the
files.
Conclusion
In the first two parts of this article, we have learnt how to setup a mobile auditing environment on a jailbroken device. We then learnt how to dump
the class information for any particular app and use it to understand the design of the code and its internal workings. We also learnt how to decrypt
an app downloaded from the App store and audit it for information. We then learnt how to un-munge images from apps using both sftp and
iExplorer.
Evernote Export
IOS Application security Part 2 - Getting class information of IOS apps.html[25.05.2014 17:57:03]
Well, the good thing is that it is possible to know all the methods that get called by using the class information that we get from class-dump-z.But is
it possible to perform some runtime modification in the app ? For e.g if a method like –(BOOL)isFacebookSessionValid returns false in a particular
case, is it possible for us to manipulate the app in such a way that it returns YES and hence let the application do unexpected things ? Further, is it
possible to create our own custom method and execute it instead of this method whenever this method gets called ? Is it possible to modify the
values of instance variables during runtime, or after any specific instruction ?The answer is YES, and we will learn about it in the next article :).