IOS Pentesting — Static Analysis using IPATool

NoorHomaid
2 min readJul 28, 2024

--

Hello everyone!

In this article I will be exploring and statistical testing an IOS application. Nothing advance here but sharing and exploring basic static testing steps.

  1. Download a copy of the app package,AKA (IPA file)

An IPA file is essentially a ZIP archive containing the necessary components for an iOS application.

Tool used: IPATool

note: this tool requires an authentication to your App Store account

IPAtool

To search for the app from the app store :

ipatool search <AppName>

To obtain a license for an app :

(almost all apps on App Store will require a license to download the IPA without this step you might get error=”license is required”)

ipatool purchase --bundle-identifier <AppBundleID>

To download a copy of the ipa file:

iptool download --bundle-identifier <AppBundleID>

note : bundleID is found when we search for the application

The above 3 steps in terminal

2. Analyzing the IPA (Manual)

To open the IPA file we downloaded above, we simply needs to change the extention from (.ipa) to (.zip). Then unzip the file to get all the metadata and other folders.

after unzipping the IPA file

Payload Folder: This is the heart of the IPA file. It contains the actual application bundle, which is a directory with the same name as the app.

Inside the app bundle, you’ll find:

  1. Executable file: This is the main code of the app.
  2. Frameworks: Additional code libraries used by the app.
  3. Resources: Images, sounds, and other assets.
  4. Info.plist: A property list file containing metadata about the app

Give yourself time to go through these components and you might file something intresting there! I have found few things there I will be sharing them soon once I get a verification.

Hope this breif article was useful for thoes who are looking to start getting into IOS testing.

Happy IOS hacking !

--

--