iOS Platform APIs

Testing App Permissions (MSTG-PLATFORM-1)
Overview
In contrast to Android, where each app runs on its own user ID, iOS makes all third-party apps run under the non-privileged mobile user. Each app has a unique home directory and is sandboxed, so that they cannot access protected system resources or files stored by the system or by other apps. These restrictions are implemented via sandbox policies (aka. profiles), which are enforced by the Trusted BSD (MAC) Mandatory Access Control Framework via a kernel extension. iOS applies a generic sandbox profile to all third-party apps called container. Access to protected resources or data (some also known as app capabilities) is possible, but it's strictly controlled via special permissions known as entitlements.
Some permissions can be configured by the app's developers (e.g. Data Protection or Keychain Sharing) and will directly take effect after the installation. However, for others, the user will be explicitly asked the first time the app attempts to access a protected resource, for example:
Bluetooth peripherals
Calendar data
Camera
Contacts
Health sharing
Health updating
HomeKit
Location
Microphone
Motion
Music and the media library
Photos
Reminders
Siri
Speech recognition
the TV provider
Even though Apple urges to protect the privacy of the user and to be very clear on how to ask permissions, it can still be the case that an app requests too many of them for non-obvious reasons.
Some permissions such as Camera, Photos, Calendar Data, Motion, Contacts or Speech Recognition should be pretty straightforward to verify as it should be obvious if the app requires them to fulfill its tasks. Let's consider the following examples ragarding the Photos permission, which, if granted, gives the app access to all user photos in the "Camera Roll" (the iOS default system-wide location for storing photos):
The typical QR Code scanning app obviously requires the camera to function but might be requesting the photos permission as well. If storage is explicitly required, and depending on the sensitivity of the pictures being taken, these apps might better opt to use the app sandbox storage to avoid other apps (having the photos permission) to access them. See the chapter "Data Storage on iOS" for more information reagarding storage of sensitive data.
Some apps require photo uploads (e.g. for profile pictures). Recent versions of iOS introduce new APIs such as UIImagePickerController (iOS 11+) and its modern replacement PHPickerViewController (iOS 14+). These APIs run on a separate process from your app and by using them, the app gets read-only access exclusively to the images selected by the user instead of to the whole "Camera Roll". This is considered a best practice to avoid requesting unnecessary permissions.
Other permissions like Bluetooth or Location require deeper verification steps. They may be required for the app to properly function but the data being handled by those tasks might not be properly protected. For more information and some examples please refer to the "Source Code Inspection" in the "Static Analysis" section below and to the "Dynamic Analysis" section.
When collecting or simply handling (e.g. caching) sensitive data, an app should provide proper mechanisms to give the user control over it, e.g. to be able to revoke access or to delete it. However, sensitive data might not only be stored or cached but also sent over the network. In both cases, it has to be ensured that the app properly follows the appropriate best practices, which in this case involve implementing proper data protection and transport security. More information on how to protect this kind of data can be found in the chapter "Network APIs".
As you can see, using app capabilities and permissions mostly involve handling personal data, therefore being a matter of protecting the user's privacy. See the articles "Protecting the User's Privacy" and "Accessing Protected Resources" in Apple Developer Documentation for more details.
Device Capabilities
Device capabilities are used by the App Store to ensure that only compatible devices are listed and therefore are allowed to download the app. They are specified in the Info.plist file of the app under the UIRequiredDeviceCapabilities key.
1
<key>UIRequiredDeviceCapabilities</key>
2
<array>
3
    <string>armv7</string>
4
</array>
Copied!
Typically you'll find the armv7 capability, meaning that the app is compiled only for the armv7 instruction set, or if it’s a 32/64-bit universal app.
For example, an app might be completely dependent on NFC to work (e.g. a "NFC Tag Reader" app). According to the archived iOS Device Compatibility Reference, NFC is only available starting on the iPhone 7 (and iOS 11). A developer might want to exclude all incompatible devices by setting the nfc device capability.
Regarding testing, you can consider UIRequiredDeviceCapabilities as a mere indication that the app is using some specific resources. Unlike the entitlements related to app capabilities, device capabilities do not confer any right or access to protected resources. Additional configuration steps might be required for that, which are very specific to each capability.
For example, if BLE is a core feature of the app, Apple's Core Bluetooth Programming Guide explains the different things to be considered:
The bluetooth-le device capability can be set in order to restrict non-BLE capable devices from downloading their app.
App capabilities like bluetooth-peripheral or bluetooth-central (both UIBackgroundModes) should be added if BLE background processing is required.
However, this is not yet enough for the app to get access to the Bluetooth peripheral, the NSBluetoothPeripheralUsageDescription key has to be included in the Info.plist file, meaning that the user has to actively give permission. See "Purpose Strings in the Info.plist File" below for more information.
Entitlements
According to Apple's iOS Security Guide:
Entitlements are key value pairs that are signed in to an app and allow authentication beyond runtime factors, like UNIX user ID. Since entitlements are digitally signed, they can’t be changed. Entitlements are used extensively by system apps and daemons to perform specific privileged operations that would otherwise require the process to run as root. This greatly reduces the potential for privilege escalation by a compromised system app or daemon.
Many entitlements can be set using the "Summary" tab of the Xcode target editor. Other entitlements require editing a target’s entitlements property list file or are inherited from the iOS provisioning profile used to run the app.
​Entitlement Sources:
1.Entitlements embedded in a provisioning profile that is used to code sign the app, which are composed of:
Capabilities defined on the Xcode project's target Capabilities tab, and/or:
Enabled Services on the app's App ID which are configured on the Identifiers section of the Certificates, ID's and Profiles website.
Other entitlements that are injected by the profile generation service.
2.Entitlements from a code signing entitlements file.
​Entitlement Destinations:
1.The app's signature.
2.The app's embedded provisioning profile.
The Apple Developer Documentation also explains:
During code signing, the entitlements corresponding to the app’s enabled Capabilities/Services are transferred to the app's signature from the provisioning profile Xcode chose to sign the app.
The provisioning profile is embedded into the app bundle during the build (embedded.mobileprovision).
Entitlements from the "Code Signing Entitlements" section in Xcode's "Build Settings" tab are transferred to the app's signature.
For example, if you want to set the "Default Data Protection" capability, you would need to go to the Capabilities tab in Xcode and enable Data Protection. This is directly written by Xcode to the <appname>.entitlements file as the com.apple.developer.default-data-protection entitlement with default value NSFileProtectionComplete. In the IPA we might find this in the embedded.mobileprovision as:
1
<key>Entitlements</key>
2
<dict>
3
    ...
4
    <key>com.apple.developer.default-data-protection</key>
5
    <string>NSFileProtectionComplete</string>
6
</dict>
Copied!
For other capabilities such as HealthKit, the user has to be asked for permission, therefore it is not enough to add the entitlements, special keys and strings have to be added to the Info.plist file of the app.
The following sections go more into detail about the mentioned files and how to perform static and dynamic analysis using them.
Static Analysis
Since iOS 10, these are the main areas which you need to inspect for permissions:
Purpose Strings in the Info.plist File
Code Signing Entitlements File
Embedded Provisioning Profile File
Entitlements Embedded in the Compiled App Binary
Source Code Inspection
Purpose Strings in the Info.plist File
​Purpose strings or usage description strings are custom texts that are offered to users in the system's permission request alert when requesting permission to access protected data or resources.
​
 \
If linking on or after iOS 10, developers are required to include purpose strings in their app's Info.plist file. Otherwise, if the app attempts to access protected data or resources without having provided the corresponding purpose string, the access will fail and the app might even crash.
If having the original source code, you can verify the permissions included in the Info.plist file:
Open the project with Xcode.
Find and open the Info.plist file in the default editor and search for the keys starting with "Privacy -".
You may switch the view to display the raw values by right-clicking and selecting "Show Raw Keys/Values" (this way for example "Privacy - Location When In Use Usage Description" will turn into NSLocationWhenInUseUsageDescription).
​
 \
If only having the IPA:
Unzip the IPA.
The Info.plist is located in Payload/<appname>.app/Info.plist.
Convert it if needed (e.g. plutil -convert xml1 Info.plist) as explained in the chapter "iOS Basic Security Testing", section "The Info.plist File".
Inspect all purpose strings Info.plist keys, usually ending with UsageDescription:
1
<plist version="1.0">
2
<dict>
3
    <key>NSLocationWhenInUseUsageDescription</key>
4
    <string>Your location is used to provide turn-by-turn directions to your destination.</string>
Copied!
For an overview of the different purpose strings Info.plist keys available see Table 1-2 at the Apple App Programming Guide for iOS. Click on the provided links to see the full description of each key in the CocoaKeys reference.
Following these guidelines should make it relatively simple to evaluate each and every entry in the Info.plist file to check if the permission makes sense.
For example, imagine the following lines were extracted from a Info.plist file used by a Solitaire game:
1
<key>NSHealthClinicalHealthRecordsShareUsageDescription</key>
2
<string>Share your health data with us!</string>
3
<key>NSCameraUsageDescription</key>
4
<string>We want to access your camera</string>
Copied!
It should be suspicious that a regular solitaire game requests this kind of resource access as it probably does not have any need for accessing the camera nor a user's health-records.
Apart from simply checking if the permissions make sense, further analysis steps might be derived from analyzing purpose strings e.g. if they are related to storage sensitive data. For example, NSPhotoLibraryUsageDescription can be considered as a storage permission giving access to files that are outside of the app's sandbox and might also be accessible by other apps. In this case, it should be tested that no sensitive data is being stored there (photos in this case). For other purpose strings like NSLocationAlwaysUsageDescription, it must be also considered if the app is storing this data securely. Refer to the "Testing Data Storage" chapter for more information and best practices on securely storing sensitive data.
Code Signing Entitlements File
Certain capabilities require a code signing entitlements file (<appname>.entitlements). It is automatically generated by Xcode but may be manually edited and/or extended by the developer as well.
Here is an example of entitlements file of the open source app Telegram including the App Groups entitlement (application-groups):
1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
<plist version="1.0">
4
<dict>
5
...
6
    <key>com.apple.security.application-groups</key>
7
    <array>
8
        <string>group.ph.telegra.Telegraph</string>
9
    </array>
10
</dict>
11
...
12
</plist>
Copied!
The entitlement outlined above does not require any additional permissions from the user. However, it is always a good practice to check all entitlements, as the app might overask the user in terms of permissions and thereby leak information.
As documented at Apple Developer Documentation, the App Groups entitlement is required to share information between different apps through IPC or a shared file container, which means that data can be shared on the device directly between the apps. This entitlement is also required if an app extension requires to share information with its containing app.
Depending on the data to-be-shared it might be more appropriate to share it using another method such as through a backend where this data could be potentially verified, avoiding tampering by e.g. the user himself.
Embedded Provisioning Profile File
When you do not have the original source code, you should analyze the IPA and search inside for the embedded provisioning profile that is usually located in the root app bundle folder (Payload/<appname>.app/) under the name embedded.mobileprovision.
This file is not a .plist, it is encoded using Cryptographic Message Syntax. On macOS you can inspect an embedded provisioning profile's entitlements using the following command:
1
$ security cms -D -i embedded.mobileprovision
Copied!
and then search for the Entitlements key region (<key>Entitlements</key>).
Entitlements Embedded in the Compiled App Binary
If you only have the app's IPA or simply the installed app on a jailbroken device, you normally won't be able to find .entitlements files. This could be also the case for the embedded.mobileprovision file. Still, you should be able to extract the entitlements property lists from the app binary yourself (which you've previously obtained as explained in the "iOS Basic Security Testing" chapter, section "Acquiring the App Binary").
The following steps should work even when targeting an encrypted binary. If for some reason they don't, you'll have to decrypt and extract the app with e.g. Clutch (if compatible with your iOS version), frida-ios-dump or similar.
Extracting the Entitlements Plist from the App Binary
If you have the app binary in your computer, one approach is to use binwalk to extract (-e) all XML files (-y=xml):
1
$ binwalk -e -y=xml ./Telegram\ X
2
​
3
DECIMAL       HEXADECIMAL     DESCRIPTION
4
--------------------------------------------------------------------------------
5
1430180       0x15D2A4        XML document, version: "1.0"
6
1458814       0x16427E        XML document, version: "1.0"
Copied!
Or you can use radare2 (-qc to quietly run one command and exit) to search all strings on the app binary (izz) containing "PropertyList" (~PropertyList):
1
$ r2 -qc 'izz~PropertyList' ./Telegram\ X
2
​
3
0x0015d2a4 ascii <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<!DOCTYPE plist PUBLIC
4
"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">
5
...<key>com.apple.security.application-groups</key>\n\t\t<array>
6
\n\t\t\t<string>group.ph.telegra.Telegraph</string>...
7
​
8
0x0016427d ascii H<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC
9
"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n
10
<dict>\n\t<key>cdhashes</key>...
Copied!
In both cases (binwalk or radare2) we were able to extract the same two plist files. If we inspect the first one (0x0015d2a4) we see that we were able to completely recover the original entitlements file from Telegram.
Note: the strings command will not help here as it will not be able to find this information. Better use grep with the -a flag directly on the binary or use radare2 (izz)/rabin2 (-zz).
If you access the app binary on the jailbroken device (e.g via SSH), you can use grep with the -a, --text flag (treats all files as ASCII text):
1
$ grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/
2
    15E6A58F-1CA7-44A4-A9E0-6CA85B65FA35/Telegram X.app/Telegram\ X
3
​
4
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
5
<plist version="1.0">
6
    <dict>
7
        <key>com.apple.security.application-groups</key>
8
        <array>
9
        ...
Copied!
Play with the -A num, --after-context=num flag to display more or less lines. You may use tools like the ones we presented above as well, if you have them also installed on your jailbroken iOS device.
This method should work even if the app binary is still encrypted (it was tested against several App Store apps).
Source Code Inspection
After having checked the <appname>.entitlements file and the Info.plist file, it is time to verify how the requested permissions and assigned capabilities are put to use. For this, a source code review should be enough. However, if you don't have the original source code, verifying the use of permissions might be specially challenging as you might need to reverse engineer the app, refer to the "Dynamic Analysis" for more details on how to proceed.
When doing a source code review, pay attention to:
whether the purpose strings in the Info.plist file match the programmatic implementations.
whether the registered capabilities are used in such a way that no confidential information is leaking.
Users can grant or revoke authorization at any time via "Settings", therefore apps normally check the authorization status of a feature before accessing it. This can be done by using dedicated APIs available for many system frameworks that provide access to protected resources.
You can use the Apple Developer Documentation as a starting point. For example:
Bluetooth: the state property of the CBCentralManager class is used to check system-authorization status for using Bluetooth peripherals.
Location: search for methods of CLLocationManager, e.g. locationServicesEnabled.
1
func checkForLocationServices() {
2
    if CLLocationManager.locationServicesEnabled() {
3
        // Location services are available, so query the user’s location.
4
    } else {
5
        // Update your app’s UI to show that the location is unavailable.
6
    }
7
}
Copied!
See Table1 in "Determining the Availability of Location Services" (Apple Developer Documentation) for a complete list.
Go through the application searching for usages of these APIs and check what happens to sensitive data that might be obtained from them. For example, it might be stored or transmitted over the network, if this is the case, proper data protection and transport security should be additionally verified.
Dynamic Analysis
With help of the static analysis you should already have a list of the included permissions and app capabilities in use. However, as mentioned in "Source Code Inspection", spotting the sensitive data and APIs related to those permissions and app capabilities might be a challenging task when you don't have the original source code. Dynamic analysis can help here getting inputs to iterate onto the static analysis.
Following an approach like the one presented below should help you spotting the mentioned sensitive data and APIs:
1.Consider the list of permissions / capabilities identified in the static analysis (e.g. NSLocationWhenInUseUsageDescription).
2.Map them to the dedicated APIs available for the corresponding system frameworks (e.g. Core Location). You may use the Apple Developer Documentation for this.
3.Trace classes or specific methods of those APIs (e.g. CLLocationManager), for example, using frida-trace.
4.Identify which methods are being really used by the app while accessing the related feature (e.g. "Share your location").
5.Get a backtrace for those methods and try to build a call graph.
Once all methods were identified, you might use this knowledge to reverse engineer the app and try to find out how the data is being handled. While doing that you might spot new methods involved in the process which you can again feed to step 3. above and keep iterating between static and dynamic analysis.
In the following example we use Telegram to open the share dialog from a chat and frida-trace to identify which methods are being called.
First we launch Telegram and start a trace for all methods matching the string "authorizationStatus" (this is a general approach because more classes apart from CLLocationManager implement this method):
1
$ frida-trace -U "Telegram" -m "*[* *authorizationStatus*]"
Copied!
-U connects to the USB device. -m includes an Objective-C method to the traces. You can use a glob pattern (e.g. with the "*" wildcard, -m "*[* *authorizationStatus*]" means "include any Objective-C method of any class containing 'authorizationStatus'"). Type frida-trace -h for more information.
Now we open the share dialog:
​
 \
The following methods are displayed:
1
  1942 ms  +[PHPhotoLibrary authorizationStatus]
2
  1959 ms  +[TGMediaAssetsLibrary authorizationStatusSignal]
3
  1959 ms     | +[TGMediaAssetsModernLibrary authorizationStatusSignal]
Copied!
If we click on Location, another method will be traced:
1
 11186 ms  +[CLLocationManager authorizationStatus]
2
 11186 ms     | +[CLLocationManager _authorizationStatus]
3
 11186 ms     |    | +[CLLocationManager _authorizationStatusForBundleIdentifier:0x0 bundle:0x0]
Copied!
Use the auto-generated stubs of frida-trace to get more information like the return values and a backtrace. Do the following modifications to the JavaScript file below (the path is relative to the current directory):
1
// __handlers__/__CLLocationManager_authorizationStatus_.js
2
​
3
  onEnter: function (log, args, state) {
4
    log("+[CLLocationManager authorizationStatus]");
5
    log("Called from:\n" +
6
        Thread.backtrace(this.context, Backtracer.ACCURATE)
7
        .map(DebugSymbol.fromAddress).join("\n\t") + "\n");
8
  },
9
  onLeave: function (log, retval, state) {
10
    console.log('RET :' + retval.toString());
11
  }
Copied!
Clicking again on "Location" reveals more information:
1
  3630 ms  -[CLLocationManager init]
2
  3630 ms     | -[CLLocationManager initWithEffectiveBundleIdentifier:0x0 bundle:0x0]
3
  3634 ms  -[CLLocationManager setDelegate:0x14c9ab000]
4
  3641 ms  +[CLLocationManager authorizationStatus]
5
RET: 0x4
6
  3641 ms  Called from:
7
0x1031aa158 TelegramUI!+[TGLocationUtils requestWhenInUserLocationAuthorizationWithLocationManager:]
8
    0x10337e2c0 TelegramUI!-[TGLocationPickerController initWithContext:intent:]
9
    0x101ee93ac TelegramUI!0x1013ac
Copied!
We see that +[CLLocationManager authorizationStatus] returned 0x4 (CLAuthorizationStatus.authorizedWhenInUse) and was called by +[TGLocationUtils requestWhenInUserLocationAuthorizationWithLocationManager:]. As we anticipated before, you might use this kind of information as an entry point when reverse engineering the app and from there get inputs (e.g. names of classes or methods) to keep feeding the dynamic analysis.
Next, there is a visual way to inspect the status of some app permissions when using the iPhone/iPad by opening "Settings" and scrolling down until you find the app you're interested in. When clicking on it, this will open the "ALLOW APP_NAME TO ACCESS" screen. However, not all permissions might be displayed yet. You will have to trigger them in order to be listed on that screen.
​
 \
For example, in the previous example, the "Location" entry was not being listed until we triggered the permission dialogue for the first time. Once we did it, no matter if we allowed the access or not, the the "Location" entry will be displayed.
Testing for Sensitive Functionality Exposure Through IPC (MSTG-PLATFORM-4)
During implementation of a mobile application, developers may apply traditional techniques for IPC (such as using shared files or network sockets). The IPC system functionality offered by mobile application platforms should be used because it is much more mature than traditional techniques. Using IPC mechanisms with no security in mind may cause the application to leak or expose sensitive data.
In contrast to Android's rich Inter-Process Communication (IPC) capability, iOS offers some rather limited options for communication between apps. In fact, there's no way for apps to communicate directly. In this section we will present the different types of indirect communication offered by iOS and how to test them. Here's an overview:
Custom URL Schemes
Universal Links
UIActivity Sharing
App Extensions
UIPasteboard
Custom URL Schemes
Please refer to the section "Testing Custom URL Schemes" for more information on what custom URL schemes are and how to test them.
Universal Links
Overview
Universal links are the iOS equivalent to Android App Links (aka. Digital Asset Links) and are used for deep linking. When tapping a universal link (to the app's website), the user will seamlessly be redirected to the corresponding installed app without going through Safari. If the app isn’t installed, the link will open in Safari.
Universal links are standard web links (HTTP/HTTPS) and are not to be confused with custom URL schemes, which originally were also used for deep linking.
For example, the Telegram app supports both custom URL schemes and universal links:
tg://resolve?domain=fridadotre is a custom URL scheme and uses the tg:// scheme.
https://telegram.me/fridadotre is a universal link and uses the https:// scheme.
Both result in the same action, the user will be redirected to the specified chat in Telegram ("fridadotre" in this case). However, universal links give several key benefits that are not applicable when using custom URL schemes and are the recommended way to implement deep linking, according to the Apple Developer Documentation. Specifically, universal links are:
Unique: Unlike custom URL schemes, universal links can’t be claimed by other apps, because they use standard HTTP or HTTPS links to the app's website. They were introduced as a way to prevent URL scheme hijacking attacks (an app installed after the original app may declare the same scheme and the system might target all new requests to the last installed app).
Secure: When users install the app, iOS downloads and checks a file (the Apple App Site Association or AASA) that was uploaded to the web server to make sure that the website allows the app to open URLs on its behalf. Only the legitimate owners of the URL can upload this file, so the association of their website with the app is secure.
Flexible: Universal links work even when the app is not installed. Tapping a link to the website would open the content in Safari, as users expect.
Simple: One URL works for both the website and the app.
Private: Other apps can communicate with the app without needing to know whether it is installed.
Static Analysis
Testing universal links on a static approach includes doing the following:
Checking the Associated Domains entitlement
Retrieving the Apple App Site Association file
Checking the link receiver method
Checking the data handler method
Checking if the app is calling other app's universal links
Checking the Associated Domains Entitlement
Universal links require the developer to add the Associated Domains entitlement and include in it a list of the domains that the app supports.
In Xcode, go to the Capabilities tab and search for Associated Domains. You can also inspect the .entitlements file looking for com.apple.developer.associated-domains. Each of the domains must be prefixed with applinks:, such as applinks:www.mywebsite.com.
Here's an example from Telegram's .entitlements file:
1
    <key>com.apple.developer.associated-domains</key>
2
    <array>
3
        <string>applinks:telegram.me</string>
4
        <string>applinks:t.me</string>
5
    </array>
Copied!
More detailed information can be found in the archived Apple Developer Documentation.
If you don't have the original source code you can still search for them, as explained in "Entitlements Embedded in the Compiled App Binary".
Retrieving the Apple App Site Association File
Try to retrieve the apple-app-site-association file from the server using the associated domains you got from the previous step. This file needs to be accessible via HTTPS, without any redirects, at https://<domain>/apple-app-site-association or https://<domain>/.well-known/apple-app-site-association.
You can retrieve it yourself with your browser or use the Apple App Site Association (AASA) Validator. After entering the domain, it will display the file, verify it for you and show the results (e.g. if it is not being properly served over HTTPS). See the following example from apple.com:
​
 \
1
{
2
    "activitycontinuation": {
3
    "apps": [
4
        "W74U47NE8E.com.apple.store.Jolly"
5
    ]
6
    },
7
    "applinks": {
8
        "apps": [],
9
        "details": [
10
            {
11
            "appID": "W74U47NE8E.com.apple.store.Jolly",
12
            "paths": [
13
                "NOT /shop/buy-iphone/*",
14
                "NOT /us/shop/buy-iphone/*",
15
                "/xc/*",
16
                "/shop/buy-*",
17
                "/shop/product/*",
18
                "/shop/bag/shared_bag/*",
19
                "/shop/order/list",
20
                "/today",
21
                "/shop/watch/watch-accessories",
22
                "/shop/watch/watch-accessories/*",
23
                "/shop/watch/bands",
24
            ] } ] }
25
}
Copied!
The "details" key inside "applinks" contains a JSON representation of an array that might contain one or more apps. The "appID" should match the "application-identifier" key from the app’s entitlements. Next, using the "paths" key, the developers can specify certain paths to be handled on a per app basis. Some apps, like Telegram use a standalone * ("paths": ["*"]) in order to allow all possible paths. Only if specific areas of the website should not be handled by some app, the developer can restrict access by excluding them by prepending a "NOT " (note the whitespace after the T) to the corresponding path. Also remember that the system will look for matches by following the order of the dictionaries in the array (first match wins).
This path exclusion mechanism is not to be seen as a security feature but rather as a filter that developer might use to specify which apps open which links. By default, iOS does not open any unverified links.
Remember that universal links verification occurs at installation time. iOS retrieves the AASA file for the declared domains (applinks) in its com.apple.developer.associated-domains entitlement. iOS will refuse to open those links if the verification did not succeed. Some reasons to fail verification might include:
The AASA file is not served over HTTPS.
The AASA is not available.
The appIDs do not match (this would be the case of a malicious app). iOS would successfully prevent any possible hijacking attacks.
Checking the Link Receiver Method
In order to receive links and handle them appropriately, the app delegate has to implement application:continueUserActivity:restorationHandler:. If you have the original project try searching for this method.
Please note that if the app uses openURL:options:completionHandler: to open a universal link to the app's website, the link won't open in the app. As the call originates from the app, it won't be handled as a universal link.
From Apple Docs: When iOS launches your app after a user taps a universal link, you receive an NSUserActivity object with an activityType value of NSUserActivityTypeBrowsingWeb. The activity object’s webpageURL property contains the URL that the user is accessing. The webpage URL property always contains an HTTP or HTTPS URL, and you can use NSURLComponents APIs to manipulate the components of the URL. [...] To protect users’ privacy and security, you should not use HTTP when you need to transport data; instead, use a secure transport protocol such as HTTPS.
From the note above we can highlight that:
The mentioned NSUserActivity object comes from the continueUserActivity parameter, as seen in the method above.
The scheme of the webpageURL must be HTTP or HTTPS (any other scheme should throw an exception). The scheme instance property of URLComponents / NSURLComponents can be used to verify this.
If you don't have the original source code you can use radare2 or rabin2 to search the binary strings for the link receiver method:
1
$ rabin2 -zq Telegram\ X.app/Telegram\ X | grep restorationHan
2
​
3
0x1000deea9 53 52 application:continueUserActivity:restorationHandler:
Copied!
Checking the Data Handler Method
You should check how the received data is validated. Apple explicitly warns about this:
Universal links offer a potential attack vector into your app, so make sure to validate all URL parameters and discard any malformed URLs. In addition, limit the available actions to those that do not risk the user’s data. For example, do not allow universal links to directly delete content or access sensitive information about the user. When testing your URL-handling code, make sure your test cases include improperly formatted URLs.
As stated in the Apple Developer Documentation, when iOS opens an app as the result of a universal link, the app receives an NSUserActivity object with an activityType value of NSUserActivityTypeBrowsingWeb. The activity object’s webpageURL property contains the HTTP or HTTPS URL that the user accesses. The following example in Swift verifies exactly this before opening the URL:
1
func application(_ application: UIApplication, continue userActivity: NSUserActivity,
2
                 restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
3
    // ...
4
    if userActivity.activityType == NSUserActivityTypeBrowsingWeb, let url = userActivity.webpageURL {
5
        application.open(url, options: [:], completionHandler: nil)
6
    }
7
​
8
    return true
9
}
Copied!
In addition, remember that if the URL includes parameters, they should not be trusted before being carefully sanitized and validated (even when coming from trusted domain). For example, they might have been spoofed by an attacker or might include malformed data. If that is the case, the whole URL and therefore the universal link request must be discarded.
The NSURLComponents API can be used to parse and manipulate the components of the URL. This can be also part of the method application:continueUserActivity:restorationHandler: itself or might occur on a separate method being called from it. The following example demonstrates this:
1
func application(_ application: UIApplication,
2
                 continue userActivity: NSUserActivity,
3
                 restorationHandler: @escaping ([Any]?) -> Void) -> Bool {
4
    guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
5
        let incomingURL = userActivity.webpageURL,
6
        let components = NSURLComponents(url: incomingURL, resolvingAgainstBaseURL: true),
7
        let path = components.path,
8
        let params = components.queryItems else {
9
        return false
10
    }
11
​
12
    if let albumName = params.first(where: { $0.name == "albumname" })?.value,
13
        let photoIndex = params.first(where: { $0.name == "index" })?.value {
14
        // Interact with album name and photo index
15
​
16
        return true
17
​
18
    } else {
19
        // Handle when album and/or album name or photo index missing
20
​
21
        return false
22
    }
23
}
Copied!
Finally, as stated above, be sure to verify that the actions triggered by the URL do not expose sensitive information or risk the user’s data on any way.
Checking if the App is Calling Other App's Universal Links
An app might be calling other apps via universal links in order to simply trigger some actions or to transfer information, in that case, it should be verified that it is not leaking sensitive information.
If you have the original source code, you can search it for the openURL:options: completionHandler: method and check the data being handled.
Note that the openURL:options:completionHandler: method is not only used to open universal links but also to call custom URL schemes.
This is an example from the Telegram app:
1
}, openUniversalUrl: { url, completion in
2
    if #available(iOS 10.0, *) {
3
        var parsedUrl = URL(string: url)
4
        if let parsed = parsedUrl {
5
            if parsed.scheme == nil || parsed.scheme!.isEmpty {
6
                parsedUrl = URL(string: "https://\(url)")
7
            }
8
        }
9
​
10
        if let parsedUrl = parsedUrl {
11
            return UIApplication.shared.open(parsedUrl,
12
                        options: [UIApplicationOpenURLOptionUniversalLinksOnly: true as NSNumber],
13
                        completionHandler: { value in completion.completion(value)}
14
            )
Copied!
Note how the app adapts the scheme to "https" before opening it and how it uses the option UIApplicationOpenURLOptionUniversalLinksOnly: true that opens the URL only if the URL is a valid universal link and there is an installed app capable of opening that URL.
If you don't have the original source code, search in the symbols and in the strings of the app binary. For example, we will search for Objective-C methods that contain "openURL":
1
$ rabin2 -zq Telegram\ X.app/Telegram\ X | grep openURL
2
​
3
0x1000dee3f 50 49 application:openURL:sourceApplication:annotation:
4
0x1000dee71 29 28 application:openURL:options:
5
0x1000df2c9 9 8 openURL:
6
0x1000df772 35 34 openURL:options:completionHandler:
Copied!
As expected, openURL:options:completionHandler: is among the ones found (remember that it might be also present because the app opens custom URL schemes). Next, to ensure that no sensitive information is being leaked you'll have to perform dynamic analysis and inspect the data being transmitted. Please refer to "Identifying and Hooking the URL Handler Method" in the "Dynamic Analysis" of "Testing Custom URL Schemes" section for some examples on hooking and tracing this method.
Dynamic Analysis
If an app is implementing universal links, you should have the following outputs from the static analysis:
the associated domains
the Apple App Site Association file
the link receiver method
the data handler method
You can use this now to dynamically test them:
Triggering universal links
Identifying valid universal links
Tracing the link receiver method
Checking how the links are opened
Triggering Universal Links
Unlike custom URL schemes, unfortunately you cannot test universal links from Safari just by typing them in the search bar directly as this is not allowed by Apple. But you can test them anytime using other apps like the Notes app:
Open the Notes app and create a new note.
Write the links including the domain.
Leave the editing mode in the Notes app.
Long press the links to open them (remember that a standard click triggers the default option).
To do it from Safari you will have to find an existing link on a website that once clicked, it will be recognized as a Universal Link. This can be a bit time consuming.
Alternatively you can also use Frida for this, see the section "Performing URL Requests" for more details.
Identifying Valid Universal Links
First of all we will see the difference between opening an allowed Universal Link and one that shouldn't be allowed.
From the apple-app-site-association of apple.com we have seen above we chose the following paths:
1
"paths": [
2
    "NOT /shop/buy-iphone/*",
3
    ...
4
    "/today",
Copied!
One of them should offer the "Open in app" option and the other should not.
If we long press on the first one (http://www.apple.com/shop/buy-iphone/iphone-xr) it only offers the option to open it (in the browser).
​
 \
If we long press on the second (http://www.apple.com/today) it shows options to open it in Safari and in "Apple Store":
​
 \
Note that there is a difference between a click and a long press. Once we long press a link and select an option, e.g. "Open in Safari", this will become the default option for all future clicks until we long press again and select another option.
If we repeat the process on the method application:continueUserActivity: restorationHandler: by either hooking or tracing, we will see how it gets called as soon as we open the allowed universal link. For this you can use for example frida-trace:
1
$ frida-trace -U "Apple Store" -m "*[* *restorationHandler*]"
Copied!
Tracing the Link Receiver Method
This section explains how to trace the link receiver method and how to extract additional information. For this example, we will use Telegram, as there are no restrictions in its apple-app-site-association file:
1
{
2
    "applinks": {
3
        "apps": [],
4
        "details": [
5
            {
6
                "appID": "X834Q8SBVP.org.telegram.TelegramEnterprise",
7
                "paths": [
8
                    "*"
9
                ]
10
            },
11
            {
12
                "appID": "C67CF9S4VU.ph.telegra.Telegraph",
13
                "paths": [
14
                    "*"
15
                ]
16
            },
17
            {
18
                "appID": "X834Q8SBVP.org.telegram.Telegram-iOS",
19
                "paths": [
20
                    "*"
21
                ]
22
            }
23
        ]
24
    }
25
}
Copied!
In order to open the links we will also use the Notes app and frida-trace with the following pattern:
1
$ frida-trace -U Telegram -m "*[* *restorationHandler*]"
Copied!
Write https://t.me/addstickers/radare (found through a quick Internet research) and open it from the Notes app.
​
 \
First we let frida-trace generate the stubs in __handlers__/:
1
$ frida-trace -U Telegram -m "*[* *restorationHandler*]"
2
Instrumenting functions...
3
-[AppDelegate application:continueUserActivity:restorationHandler:]
Copied!
You can see that only one function was found and is being instrumented. Trigger now the universal link and observe the traces.
1
298382 ms  -[AppDelegate application:0x10556b3c0 continueUserActivity:0x1c4237780
2
                restorationHandler:0x16f27a898]
Copied!
You can observe that the function is in fact being called. You can now add code to the stubs in __handlers__/ to obtain more details:
1
// __handlers__/__AppDelegate_application_contin_8e36bbb1.js
2
​
3
  onEnter: function (log, args, state) {
4
    log("-[AppDelegate application: " + args[2] + " continueUserActivity: " + args[3] +
5
                     " restorationHandler: " + args[4] + "]");
6
    log("\tapplication: " + ObjC.Object(args[2]).toString());
7
    log("\tcontinueUserActivity: " + ObjC.Object(args[3]).toString());
8
    log("\t\twebpageURL: " + ObjC.Object(args[3]).webpageURL().toString());
9
    log("\t\tactivityType: " + ObjC.Object(args[3]).activityType().toString());
10
    log("\t\tuserInfo: " + ObjC.Object(args[3]).userInfo().toString());
11
    log("\trestorationHandler: " +ObjC.Object(args[4]).toString());
12
  },
Copied!
The new output is:
1
298382 ms  -[AppDelegate application:0x10556b3c0 continueUserActivity:0x1c4237780
2
                restorationHandler:0x16f27a898]
3
298382 ms  application:<Application: 0x10556b3c0>
4
298382 ms  continueUserActivity:<NSUserActivity: 0x1c4237780>
5
298382 ms       webpageURL:http://t.me/addstickers/radare
6
298382 ms       activityType:NSUserActivityTypeBrowsingWeb
7
298382 ms       userInfo:{
8
}
9
298382 ms  restorationHandler:<__NSStackBlock__: 0x16f27a898>
Copied!
Apart from the function parameters we have added more information by calling some methods from them to get more details, in this case about the NSUserActivity. If we look in the Apple Developer Documentation we can see what else we can call from this object.
Checking How the Links Are Opened
If you want to know more about which function actually opens the URL and how the data is actually being handled you should keep investigating.
Extend the previous command in order to find out if there are any other functions involved into opening the URL.
1
$ frida-trace -U Telegram -m "*[* *restorationHandler*]" -i "*open*Url*"
Copied!
-i includes any method. You can also use a glob pattern here (e.g. -i "*open*Url*" means "include any function containing 'open', then 'Url' and something else")
Again, we first let frida-trace generate the stubs in __handlers__/:
1
$ frida-trace -U Telegram -m "*[* *restorationHandler*]" -i "*open*Url*"
2
Instrumenting functions...
3
-[AppDelegate application:continueUserActivity:restorationHandler:]
4
$S10TelegramUI0A19ApplicationBindingsC16openUniversalUrlyySS_AA0ac4OpenG10Completion...
5
$S10TelegramUI15openExternalUrl7account7context3url05forceD016presentationData18application...
6
$S10TelegramUI31AuthorizationSequenceControllerC7account7strings7openUrl5apiId0J4HashAC0A4Core19...
7
...
Copied!
Now you can see a long list of functions but we still don't know which ones will be called. Trigger the universal link again and observe the traces.
1
           /* TID 0x303 */
2
298382 ms  -[AppDelegate application:0x10556b3c0 continueUserActivity:0x1c4237780
3
                restorationHandler:0x16f27a898]
4
298619 ms     | $S10TelegramUI15openExternalUrl7account7context3url05forceD016presentationData
5
                18applicationContext20navigationController12dismissInputy0A4Core7AccountC_AA
6
                14OpenURLContextOSSSbAA012PresentationK0CAA0a11ApplicationM0C7Display0
7
                10NavigationO0CSgyyctF()
Copied!
Apart from the Objective-C method, now there is one Swift function that is also of your interest.
There is probably no documentation for that Swift function but you can just demangle its symbol using swift-demangle via xcrun:
xcrun can be used invoke Xcode developer tools from the command-line, without having them in the path. In this case it will locate and run swift-demangle, an Xcode tool that demangles Swift symbols.
1
$ xcrun swift-demangle S10TelegramUI15openExternalUrl7account7context3url05forceD016presentationData
2
18applicationContext20navigationController12dismissInputy0A4Core7AccountC_AA14OpenURLContextOSSSbAA0
3
12PresentationK0CAA0a11ApplicationM0C7Display010NavigationO0CSgyyctF
Copied!
Resulting in:
1
---> TelegramUI.openExternalUrl(
2
    account: TelegramCore.Account, context: TelegramUI.OpenURLContext, url: Swift.String,
3
    forceExternal: Swift.Bool, presentationData: TelegramUI.PresentationData,
4
    applicationContext: TelegramUI.TelegramApplicationContext,
5
    navigationController: Display.NavigationController?, dismissInput: () -> ()) -> ()
Copied!
This not only gives you the class (or module) of the method, its name and the parameters but also reveals the parameter types and return type, so in case you need to dive deeper now you know where to start.
For now we will use this information to properly print the parameters by editing the stub file:
1
// __handlers__/TelegramUI/_S10TelegramUI15openExternalUrl7_b1a3234e.js
2
​
3
  onEnter: function (log, args, state) {
4
​
5
    log("TelegramUI.openExternalUrl(account: TelegramCore.Account,
6
        context: TelegramUI.OpenURLContext, url: Swift.String, forceExternal: Swift.Bool,
7
        presentationData: TelegramUI.PresentationData,
8
        applicationContext: TelegramUI.TelegramApplicationContext,
9
        navigationController: Display.NavigationController?, dismissInput: () -> ()) -> ()");
10
    log("\taccount: " + ObjC.Object(args[0]).toString());
11
    log("\tcontext: " + ObjC.Object(args[1]).toString());
12
    log("\turl: " + ObjC.Object(args[2]).toString());
13
    log("\tpresentationData: " + args[3]);
14
    log("\tapplicationContext: " + ObjC.Object(args[4]).toString());
15
    log("\tnavigationController: " + ObjC.Object(args[5]).toString());
16
  },
Copied!
This way, the next time we run it we get a much more detailed output:
1
298382 ms  -[AppDelegate application:0x10556b3c0 continueUserActivity:0x1c4237780
2
                restorationHandler:0x16f27a898]
3
298382 ms  application:<Application: 0x10556b3c0>
4
298382 ms  continueUserActivity:<NSUserActivity: 0x1c4237780>
5
298382 ms       webpageURL:http://t.me/addstickers/radare
6
298382 ms       activityType:NSUserActivityTypeBrowsingWeb
7
298382 ms       userInfo:{
8
}
9
298382 ms  restorationHandler:<__NSStackBlock__: 0x16f27a898>
10
​
11
298619 ms     | TelegramUI.openExternalUrl(account: TelegramCore.Account,
12
context: TelegramUI.OpenURLContext, url: Swift.String, forceExternal: Swift.Bool,
13
presentationData: TelegramUI.PresentationData, applicationContext:
14
TelegramUI.TelegramApplicationContext, navigationController: Display.NavigationController?,
15
dismissInput: () -> ()) -> ()
16
298619 ms     |     account: TelegramCore.Account
17
298619 ms     |     context: nil
18
298619 ms     |     url: http://t.me/addstickers/radare
19
298619 ms     |     presentationData: 0x1c4e40fd1
20
298619 ms     |     applicationContext: nil
21
298619 ms     |     navigationController: TelegramUI.PresentationData
Copied!
There you can observe the following:
It calls application:continueUserActivity:restorationHandler: from the app delegate as expected.
application:continueUserActivity:restorationHandler: handles the URL but does not open it, it calls TelegramUI.openExternalUrl for that.
The URL being opened is https://t.me/addstickers/radare.
You can now keep going and try to trace and verify how the data is being validated. For example, if you have two apps that communicate via universal links you can use this to see if the sending app is leaking sensitive data by hooking these methods in the receiving app. This is especially useful when you don't have the source code as you will be able to retrieve the full URL that you wouldn't see other way as it might be the result of clicking some button or triggering some functionality.
In some cases, you might find data in userInfo of the NSUserActivity object. In the previous case there was no data being transferred but it might be the case for other scenarios. To see this, be sure to hook the userInfo property or access it directly from the continueUserActivity object in your hook (e.g. by adding a line like this log("userInfo:" + ObjC.Object(args[3]).userInfo().toString());).
Final Notes about Universal Links and Handoff
Universal links and Apple's Handoff feature are related:
Both rely on the same method when receiving data:
1
application:continueUserActivity:restorationHandler:
Copied!
Like universal links, the Handoff's Activity Continuation must be declared in the com.apple.developer.associated-domains entitlement and in the server's apple-app-site-association file (in both cases via the keyword "activitycontinuation":). See "Retrieving the Apple App Site Association File" above for an example.
Actually, the previous example in "Checking How the Links Are Opened" is very similar to the "Web Browser-to-Native App Handoff" scenario described in the "Handoff Programming Guide":
If the user is using a web browser on the originating device, and the receiving device is an iOS device with a native app that claims the domain portion of the webpageURL property, then iOS launches the native app and sends it an NSUserActivity object with an activityType value of NSUserActivityTypeBrowsingWeb. The webpageURL property contains the URL the user was visiting, while the userInfo dictionary is empty.
In the detailed output above you can see that NSUserActivity object we've received meets exactly the mentioned points:
1
298382 ms  -[AppDelegate application:0x10556b3c0 continueUserActivity:0x1c4237780
2
                restorationHandler:0x16f27a898]
3
298382 ms  application:<Application: 0x10556b3c0>
4
298382 ms  continueUserActivity:<NSUserActivity: 0x1c4237780>
5
298382 ms       webpageURL:http://t.me/addstickers/radare
6
298382 ms       activityType:NSUserActivityTypeBrowsingWeb
7
298382 ms       userInfo:{
8
}
9
298382 ms  restorationHandler:<__NSStackBlock__: 0x16f27a898>
Copied!
This knowledge should help you when testing apps supporting Handoff.
UIActivity Sharing
Overview
Starting on iOS 6 it is possible for third-party apps to share data (items) via specific mechanisms like AirDrop, for example. From a user perspective, this feature is the well-known system-wide share activity sheet that appears after clicking on the "Share" button.
​
 \
The available built-in sharing mechanisms (aka. Activity Types) include:
airDrop
assignToContact
copyToPasteboard
mail
message
postToFacebook
postToTwitter
A full list can be found in UIActivity.ActivityType. If not considered appropriate for the app, the developers have the possibility to exclude some of these sharing mechanisms.
Static Analysis
Sending Items
When testing UIActivity Sharing you should pay special attention to:
the data (items) being shared,
the custom activities,
the excluded activity types.
Data sharing via UIActivity works by creating a UIActivityViewController and passing it the desired items (URLs, text, a picture) on init(activityItems: applicationActivities:).
As we mentioned before, it is possible to exclude some of the sharing mechanisms via the controller's excludedActivityTypes property. It is highly recommended to do the tests using the latest versions of iOS as the number of activity types that can be excluded can increase. The developers have to be aware of this and explicitly exclude the ones that are not appropriate for the app data. Some activity types might not be even documented like "Create Watch Face".
If having the source code, you should take a look at the UIActivityViewController:
Inspect the activities passed to the init(activityItems:applicationActivities:) method.
Check if it defines custom activities (also being passed to the previous method).
Verify the excludedActivityTypes, if any.
If you only have the compiled/installed app, try searching for the previous method and property, for example:
1
$ rabin2 -zq Telegram\ X.app/Telegram\ X | grep -i activityItems
2
0x1000df034 45 44 initWithActivityItems:applicationActivities:
Copied!
Receiving Items
When receiving items, you should check:
if the app declares custom document types by looking into Exported/Imported UTIs ("Info" tab of the Xcode project). The list of all system declared UTIs (Uniform Type Identifiers) can be found in the archived Apple Developer Documentation.
if the app specifies any document types that it can open by looking into Document Types ("Info" tab of the Xcode project). If present, they consist of name and one or more UTIs that represent the data type (e.g. "public.png" for PNG files). iOS uses this to determine if the app is eligible to open a given document (specifying Exported/Imported UTIs is not enough).
if the app properly verifies the received data by looking into the implementation of application:openURL:options: (or its deprecated version UIApplicationDelegate application:openURL:sourceApplication:annotation:) in the app delegate.
If not having the source code you can still take a look into the Info.plist file and search for:
UTExportedTypeDeclarations/UTImportedTypeDeclarations if the app declares exported/imported custom document types.
CFBundleDocumentTypes to see if the app specifies any document types that it can open.
A very complete explanation about the use of these keys can be found on Stackoverflow.
Let's see a real-world example. We will take a File Manager app and take a look at these keys. We used objection here to read the Info.plist file.
1
objection --gadget SomeFileManager run ios plist cat Info.plist
Copied!
Note that this is the same as if we would retrieve the IPA from the phone or accessed via e.g. SSH and navigated to the corresponding folder in the IPA / app sandbox. However, with objection we are just one command away from our goal and this can be still considered static analysis.
The first thing we noticed is that app does not declare any imported custom document types but we could find a couple of exported ones:
1
UTExportedTypeDeclarations =     (
2
            {
3
        UTTypeConformsTo =             (
4
            "public.data"
5
        );
6
        UTTypeDescription = "SomeFileManager Files";
7
        UTTypeIdentifier = "com.some.filemanager.custom";
8
        UTTypeTagSpecification =             {
9
            "public.filename-extension" =                 (
10
                ipa,
11
                deb,
12
                zip,
13
                rar,