Pentest List Wiki

Static Analysis

How to review an IPA file.

Reviewing the IPA Folders and supporting files

At this point, you should have a decrypted IPA file. If you do not, please read IPA Decryption.

Change the IPA file into a .zip by renaming it something.zip and open the archive.

This archive contains the IPA binary and all of the supporting files and folders that we can review for issues.

  • App Binary

    • A binary will be present which is the compiled application. Take a look at this later as there are many things to be done with the actual application and we're interested in what surrounds it.

  • "Frameworks" Folder

    • This folder may contain external frameworks that are implemented within the application. For example, frameworks for Jailbreak detection, SSL pinning and more.

  • example-certificate.der

    • There may be a .der file (CA Certificate) that is used for certificate pinning

  • Info.plist

    • This contains critical information about the configuration of an iOS mobile app

  • Other files

    • A wide range of files may exist in the archive. Review them all one by one for possible issues.
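
The review above can be scripted. This is an added example, not part of the original wiki: it opens the IPA directly as a ZIP archive, finds the app bundle under Payload/, and summarises the Frameworks folder, certificate files and the top-level Info.plist. The function names, the constructed sample archive and the choice of Info.plist keys (standard Apple keys) are assumptions made for this example.

```python
import io
import plistlib
import re
import zipfile

APP_ROOT = re.compile(r"^Payload/([^/]+\.app)/")

def triage_ipa(ipa):
    """Summarise the files worth reviewing. `ipa` is a path or a file object."""
    report = {"app": None, "frameworks": set(), "certs": [], "plist": {}}
    with zipfile.ZipFile(ipa) as z:  # an IPA is a ZIP archive, no rename needed
        for name in z.namelist():
            m = APP_ROOT.match(name)
            if not m:
                continue
            report["app"] = m.group(1)
            rel = name[m.end():]  # path relative to the .app bundle
            if rel.lower().endswith((".der", ".cer", ".pem")):
                report["certs"].append(rel)  # possible pinning material
            if rel.startswith("Frameworks/") and rel.split("/")[1]:
                report["frameworks"].add(rel.split("/")[1])
            elif rel == "Info.plist":
                info = plistlib.loads(z.read(name))  # handles XML and binary plists
                ats = info.get("NSAppTransportSecurity", {})
                report["plist"] = {
                    "bundle_id": info.get("CFBundleIdentifier"),
                    "executable": info.get("CFBundleExecutable"),
                    "min_os": info.get("MinimumOSVersion"),
                    "ats_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
                    "url_schemes": [s for t in info.get("CFBundleURLTypes", [])
                                    for s in t.get("CFBundleURLSchemes", [])],
                }
    report["frameworks"] = sorted(report["frameworks"])
    return report

def build_sample_ipa():
    """Constructed sample archive (not a real app) so the example runs offline."""
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleExecutable": "Demo",
            "MinimumOSVersion": "15.0",
            "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
            "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe")
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Demo.app/example-certificate.der", b"constructed")
        z.writestr("Payload/Demo.app/Frameworks/Pinning.framework/Pinning", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(triage_ipa(build_sample_ipa()))
```

For a real review, pass the path of the decrypted IPA to triage_ipa() and follow up by hand on anything it lists.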

Reviewing the app binary

  • A quick first thing to try is running "strings" on the binary to find any human readable values

    • On a Mac, use the command strings <app>

  • To really understand the IPA and what it's doing, you must disassemble the IPA

MobSF

MobSF is a useful tool for IPA analysis and provides a graphical overview of many areas:

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest


Last updated 11 months ago

You could use Hopper (hopperapp.com)
https://github.com/MobSF/Mobile-Security-Framework-MobSF