
1.1 Ios-And-Android-Re

The document discusses the file structure and architecture of iOS and Android applications. It explains that both platforms package applications in archive files that can be decompressed. For Android, this file is an APK, while for iOS it is an IPA file. The document outlines some of the key files contained within these archives, such as classes.dex for Android which contains the compiled application code, and MachO for iOS which contains the executable binary. It also discusses files like the AndroidManifest and Info.plist which provide application configuration details for each respective platform.

Uploaded by

gamer.ant46
Copyright
© © All Rights Reserved

JAMESSTEVENSON.ME

IOS AND ANDROID APPLICATION SECURITY FUNDAMENTALS

APPLICATION ARCHITECTURE: classes.dex, Info.plist, More...
APPLICATION INFORMATION FILES: iOS plist file, Android Manifest File, More...
COMMON APPLICATION ISSUES: Exploiting exported activities, Broken Cryptography, More...
OTHER RESOURCES: Articles, Books, Courses

Android application architecture

In both iOS and Android, the application is an archive of multiple files. On Android, this file is referred to as an APK, and on iOS an IPA file. These archives can be renamed to a zip file, decompressed, and have their contents extracted. In some cases, this is not the best approach for reverse-engineering the files, so custom tools exist for proper extraction (e.g., for Android, Apktool and Jadx-gui can be used, while Ghidra can be used for reviewing iOS MachO files).

lib: A directory for native libraries used by the application. Contains multiple directories, one for each supported CPU architecture that the application has been compiled for.

assets: A directory for application assets. This is for arbitrary storage; anything provided by the application creator can be stored here.

AndroidManifest.xml: The application manifest, a binary XML formatted file that contains application metadata (for example, its name, version, permissions, etc.).

classes.dex: The classes.dex file contains the compiled application code in the Dex file format. There can be additional .dex files (named classes2.dex, etc.) when the application uses multidex.

resources.arsc: This file contains precompiled resources, such as strings, colours, or styles.

META-INF: A directory for APK metadata, including signatures.

res: A directory with all resources that are not compiled into resources.arsc (icons, images, etc.).

iOS application architecture

For both Android and iOS, it is these archives that contain the actual file that is to be run. As Android uses the Java runtime, these files are classes.dex files (compiled Dalvik assembly), while in iOS, it is a MachO binary.

Frameworks: Contains the application's native libraries as .dylib or .framework files.

PlugIns: Used for storing application extensions and modules (stored as .appex files).

Core Data: Used to store application data, including offline data, temporary cache data, and functionality such as undoing actions.

Info.plist: Contains application-specific configurations.

PkgInfo: The PkgInfo file provides an alternate way to specify the type and creator codes of an application or bundle.

_CodeSignature: If this file is present, it denotes that the application has been signed.

MachO: The MachO file is located inside the extracted IPA file, inside the <application-name>.app folder.

Assets.car: A zipped archive containing application assets (i.e., icons, etc.).

Base.lproj: en.lproj, fr.lproj, Base.lproj, etc. are the naming convention for language packs containing specific resources for their respective language. Base.lproj is the base language pack if one isn’t provided.
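The two archive layouts described above can be told apart and inventoried without extracting anything to disk. The following is an added example, not code from the original document; it assumes the usual IPA layout of Payload/<application-name>.app/, and the sample archives are constructed with empty members.

```python
import io
import zipfile

def classify_archive(data: bytes) -> dict:
    """Inventory an APK or IPA (both are zip archives) from its raw bytes."""
    report = {"platform": "unknown", "dex": [], "abis": set(),
              "signed": False, "app_dir": None, "info_plist": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    for name in names:
        parts = name.split("/")
        # Android: classes.dex, classes2.dex, ... at the archive root (multidex).
        if len(parts) == 1 and name.startswith("classes") and name.endswith(".dex"):
            report["dex"].append(name)
        # Android: lib/<abi>/<library>.so, one directory per CPU architecture.
        elif parts[0] == "lib" and len(parts) == 3:
            report["abis"].add(parts[1])
        # Android: signature files in META-INF (JAR-style v1 signing only;
        # newer schemes sign outside the zip entries and are not seen here).
        elif parts[0] == "META-INF" and name.upper().endswith((".RSA", ".DSA", ".EC")):
            report["signed"] = True
        # iOS: everything lives under Payload/<application-name>.app/
        elif parts[0] == "Payload" and len(parts) >= 3 and parts[1].endswith(".app"):
            report["app_dir"] = parts[1]
            if parts[2:] == ["Info.plist"]:
                report["info_plist"] = name
            elif parts[2] == "_CodeSignature":
                report["signed"] = True
    if "AndroidManifest.xml" in names:
        report["platform"] = "android"
    elif report["app_dir"]:
        report["platform"] = "ios"
    report["dex"].sort()
    report["abis"] = sorted(report["abis"])
    return report

def build_sample(entries):
    """Build a constructed archive with empty members (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()

SAMPLE_APK = build_sample(["AndroidManifest.xml", "classes.dex", "classes2.dex",
    "resources.arsc", "lib/arm64-v8a/libdemo.so", "lib/x86_64/libdemo.so",
    "META-INF/CERT.RSA", "res/drawable/icon.png"])
SAMPLE_IPA = build_sample(["Payload/Demo.app/Demo", "Payload/Demo.app/Info.plist",
    "Payload/Demo.app/_CodeSignature/CodeResources",
    "Payload/Demo.app/Frameworks/Lib.framework/Info.plist"])
```
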
APPLICATION INFORMATION FILES

Both iOS and Android have respective files that contain application configuration information; in iOS, this is the Info.plist file, and in Android, this is the AndroidManifest.xml file.

iOS plist file

Depending on how the application was retrieved from the device or created, the plist file may be in XML or binary (bplist) format. If it is in binary format, it can be converted to XML with the following commands (on Linux).

    apt install libplist-utils
    plistutil -i Info.plist -o Info_xml.plist

MOBILE OPERATING SYSTEMS

IOS: IOS PLIST FILE

The plist file contains an assortment of application configuration data.

UsageDescription - The application permission purpose strings
CFBundleURLTypes - Custom URL schemes
NSAppTransportSecurity - The Application Transport Security (ATS) configuration
UTExportedTypeDeclarations and UTImportedTypeDeclarations - Exported and imported custom document types

ANDROID: ANDROID MANIFEST FILE

Like iOS, Android APK files also include a file detailing the application configuration.

Package name and application ID
Application components
Intent filters
Icons and labels information
Permissions
Device compatibility information
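The Info.plist keys listed above can be reviewed programmatically in either format, since Python's plistlib reads both XML and bplist input. This is an added example, not code from the original document; the sample plist and its values (bundle identifier, URL scheme, domain) are constructed for illustration.

```python
import plistlib

def audit_info_plist(raw: bytes) -> dict:
    """Summarise the security-relevant Info.plist keys listed above."""
    info = plistlib.loads(raw)  # detects XML and binary (bplist) by itself
    findings = {"format": "binary" if raw.startswith(b"bplist") else "xml"}
    # *UsageDescription keys: the permission purpose strings shown to users.
    findings["permissions"] = sorted(k for k in info if k.endswith("UsageDescription"))
    # CFBundleURLTypes: custom URL schemes that other apps can use to open this one.
    findings["url_schemes"] = sorted(
        scheme for url_type in info.get("CFBundleURLTypes", [])
        for scheme in url_type.get("CFBundleURLSchemes", []))
    # NSAppTransportSecurity: report settings that relax ATS.
    ats = info.get("NSAppTransportSecurity", {})
    weak = []
    if ats.get("NSAllowsArbitraryLoads"):
        weak.append("NSAllowsArbitraryLoads")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            weak.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads")
    findings["ats_weakened"] = sorted(weak)
    # Exported and imported custom document types.
    findings["document_types"] = sorted(
        decl.get("UTTypeIdentifier", "?")
        for key in ("UTExportedTypeDeclarations", "UTImportedTypeDeclarations")
        for decl in info.get(key, []))
    return findings

# Constructed sample (not from a real app), serialised in both formats.
SAMPLE = {
    "CFBundleIdentifier": "com.example.demo",
    "NSCameraUsageDescription": "Scan documents",
    "NSLocationWhenInUseUsageDescription": "Find nearby branches",
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp"]}],
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True}},
    },
    "UTExportedTypeDeclarations": [{"UTTypeIdentifier": "com.example.demo.doc"}],
}
SAMPLE_XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
```
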

iOS common application issues

The next two pages summarise a selection of key areas present in mobile applications (iOS and Android) that are susceptible to attack by malicious actors and penetration testers. Many of these apply across both iOS and Android.

Cookies

iOS application cookies can be stored in the application’s Library/Cookies/cookies.binarycookies file or in its keychain. The Objection command 'ios cookies get' can be used to retrieve these.

Caches

NSURLSession is a class responsible for providing an API for downloading data from and uploading data to endpoints indicated by URLs. It stores data in cache files related to these requests and responses. These files can be found in the application’s folder under '/Library/Caches/<Bundle Identifier>' or via 'objection ios nsurlcredentialstorage dump' or 'ios nsuserdefaults get'.

Snapshots / Screenshots

Similar to Android, when the home button is pressed, a screenshot is taken of the current screen, which may contain sensitive information. On non-jailbroken devices, an attacker would need physical access to a device. However, on a jailbroken device, these can be accessed in the application’s sandboxed folder at 'Library/Caches/Snapshots/' or 'Library/SplashBoard/Snapshots'.

Keychain

The iOS keychain was designed to solve the issue of application developers needing to store secret or sensitive data in a secure and encrypted database. The keychain is not secure on jailbroken devices and can be dumped with Objection 'ios keychain dump'.

Broken Cryptography

Encrypting sensitive data inside an application is a fairly standard approach used in application development. While this is the case, several misconfigurations can lead to broken cryptography and vulnerable data. One of these is where the encryption key is hardcoded or predictable in the codebase and could be retrieved via reverse engineering.

Local Authentication

Local authentication should be performed using the Touch / Face ID framework or via the iOS keychain.

Custom Keyboards

From iOS 8.0, it’s possible to install custom keyboards onto iOS devices. This opens the door to potential information leakage vulnerabilities when sensitive information is typed via a malicious keyboard. Applications can restrict which keyboards can be used on specific aspects of their application.

Logs

As with all programming, many application developers may use logging to debug their applications. When logging is left in a release application, this may lead to sensitive or private information being disclosed.

Android common application issues

These two pages summarise a selection of key areas present in mobile applications (iOS and Android) that are susceptible to attack by malicious actors and penetration testers. Many of these apply across both iOS and Android.

Exploiting exported activities

When an activity is exported, it can be invoked from external applications or via adb. This means that if there is an authentication mechanism before a user would normally be able to reach an activity, but it is exported, then a malicious actor would be able to call the activity directly. This can be done using adb: 'adb shell am start -n com.example.demo/com.example.test.MainActivity'.

Insecure data storage

Sensitive data should not be stored in the external storage, and when stored in the internal storage, the MODE_WORLD_READABLE and MODE_WORLD_WRITABLE modes should be limited as much as possible.

Sensitive data in memory

Similar to iOS, it is also important to ensure that the amount of sensitive data in memory is limited. As all sensitive data will be in memory at some stage, it is critical to ensure that this is as brief as possible. A memory dump of an application can be achieved via objection or fridump.

Tapjacking

Tapjacking is an attack where a malicious application overlays a target application and modifies its UI to make the user believe they are interacting with the normal application. For a malicious application to achieve this, the target application will need to have an exported activity. If it has any permissions, the malicious application will need to share them.

Task hijacking

Task hijacking is the process of having a specially crafted malicious application that has its android:taskAffinity set to the same affinity as the vulnerable app. In the scenario where the malicious application is already on the task stack and has been opened, and the vulnerable activity is attempted to be opened, the malicious application is switched to instead.
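To find the exported activities described above before an attacker does, a decoded AndroidManifest.xml can be checked for activities that are reachable from outside the app without a guarding permission. This is an added example, not code from the original document; it assumes the binary manifest has already been decoded to text XML (for example by Apktool), and the manifest and its activity names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"

def exported_activities(manifest_xml: str) -> list:
    """List activities that other apps (or adb) can start directly."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for act in root.iter("activity"):
        name = act.get(ANDROID + "name", "")
        exported = act.get(ANDROID + "exported")
        has_filter = act.find("intent-filter") is not None
        # With no explicit attribute, an intent filter implied exported="true"
        # for apps targeting versions before Android 12.
        if exported == "true" or (exported is None and has_filter):
            found.append({
                "activity": package + name if name.startswith(".") else name,
                "permission": act.get(ANDROID + "permission"),
                "launcher": any(c.get(ANDROID + "name") == LAUNCHER
                                for c in act.iter("category")),
            })
    return found

def needs_review(found: list) -> list:
    """Exported, not the launcher entry point, and not guarded by a permission."""
    return sorted(f["activity"] for f in found
                  if not f["launcher"] and f["permission"] is None)

# Constructed manifest (not from a real app), in the text form a decoder emits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccountActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.demo.permission.ADMIN"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
  </application>
</manifest>"""
```

Activities returned by needs_review are the ones where any authentication step must be enforced inside the activity itself, or the activity should be marked android:exported="false".
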

Android Software Internals Quick Reference
https://www.JamesStevenson.me/androidbook/

Learn Reverse Engineering Through Android Games
www.Udemy.com/course/learn-reverse-engineering-through-android-games/?referralCode=CBA24934A92B1E58B76C

www.JamesStevenson.me/Articles
