IOS Pentesting — Static Analysis using IPATool
Hello everyone!
In this article I will be exploring and statistical testing an IOS application. Nothing advance here but sharing and exploring basic static testing steps.
- Download a copy of the app package,AKA (IPA file)
An IPA file is essentially a ZIP archive containing the necessary components for an iOS application.
Tool used: IPATool
note: this tool requires an authentication to your App Store account
To search for the app from the app store :
ipatool search <AppName>To obtain a license for an app :
(almost all apps on App Store will require a license to download the IPA without this step you might get error=”license is required”)
ipatool purchase --bundle-identifier <AppBundleID>To download a copy of the ipa file:
iptool download --bundle-identifier <AppBundleID>note : bundleID is found when we search for the application
2. Analyzing the IPA (Manual)
To open the IPA file we downloaded above, we simply needs to change the extention from (.ipa) to (.zip). Then unzip the file to get all the metadata and other folders.
Payload Folder: This is the heart of the IPA file. It contains the actual application bundle, which is a directory with the same name as the app.
Inside the app bundle, you’ll find:
- Executable file: This is the main code of the app.
- Frameworks: Additional code libraries used by the app.
- Resources: Images, sounds, and other assets.
- Info.plist: A property list file containing metadata about the app
Give yourself time to go through these components and you might file something intresting there! I have found few things there I will be sharing them soon once I get a verification.
Hope this breif article was useful for thoes who are looking to start getting into IOS testing.
Happy IOS hacking !
