iOS Application Security | Part 5 | Understanding the structure of an iOS application

MalBot · March 31, 2019, 9:15pm

Introduction

This article gives a basic understanding of the structure of a typical iOS application inside the file system of an iPhone. We will try to dive deep into the “Bundle” as well as “Data” directory of an iOS application. No prerequisite knowledge is required to understand this article but walk-through of the previous articles in this series is recommended. So let’s get started.

iOS System Architecture

The iOS components that support iOS applications together with the application layer make up the architecture of an iOS application.

Source: https://intellipaat.com/tutorial/ios-tutorial/ios-architecture/

As shown above, the Core OS and Core Services make up the base and very strongly support the iOS application. On top of that comes the Media and Cocoa Touch which are again very essential for supporting an iOS application. All of these reside on top of the Kernel and device drivers.

Source: https://www.dotnettricks.com/learn/xamarin/understanding-xamarin-ios-build-native-ios-app

Cocoa has a very important role to play for supporting an iOS application. It provides UIKit for the application to work which is essentially the USP of an iOS application.

iOS Application Architecture (.ipa)

There are three types of iOS applications:

Native applications uses Objective C/Swift for building the application
Hybrid applications use frameworks like Xamarin, Cordova etc. along with Objective C/Swift.
Web based applications are responsive versions of websites built for working on mobile device.

We would be currently focusing on native iOS applications. A native iOS application can use Objective C or Swift code along with any of their native libraries or frameworks available of use in iOS applications. We have learnt how to extract the IPA file of an iOS application from a jailbroken device. Let us analyse what an IPA file consists of.

Source: https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html

The Bundle Container

The Bundle directory or the IPA container consists of all the files that come along with the application when installed from Apple’s App Store or any other source. So, the files in this directory will remain same throughout in a particular version of an application.

The structure of this directory for ‘Facebook’ application is depicted in the following screenshot.

Many important information can be obtained about the application from the files in these directories. All the possible components of the Bundle Directory of a native iOS application are explained below:

Resource Name	Resource Type	Description
iTunesMetadata.plist	File	This file is used to provide information to iTunes about an iOS application using Ad Hoc distribution for either testing or Enterprise deployment.
iTunesArtWork	File	This file contains the image that is used to represent the application in iTunes
META-INF	Directory	It contains two files which hold the metadata about the IPA file.
.app Directory	Directory	This directory holds all the components of the IPA file.
Application Binary	File	This file contains the application’s executable code. It’s name is the same as that of the name of .app Directory excluding the extension ‘.app’.
Info.plist	File	This file is the manifest of the iOS application. It contains information about - Supported Devices, Bundle ID, Display Name, Application Transport Security etc.
Application Icon	File	These are the icon files of the application. There are multiple icon files (Icon.png, [email protected]) for representation of the application on devices with different resolution like iPhone, iPad etc.
Launch Images	File	These files (Default.png, Default-portrait.png) are used as launch screen images before the application launches. They are removed as soon as the application is ready to display the UI.
Storyboard/nib files	File / Directory	These files contain the encrypted information about the storyboard of an application.
Settings.bundle	File	This file contains the information that can be tweaked for the application by using the menu in the settings of the device.
Subdirectories for localized resources	Directory	These are the language-specific project directories (en.lproj, fr.lproj etc.) that help in switching the language of the application from the available languages as desired by the user of the application.
Non Localized resource files	File	These files include things like images, sound files, movies, and custom data files that the application uses. All these files must be placed within the .app directory.
_CodeSignature	Directory	This directory contains the file CodeResources which is used to store the signature of all files in the bundle that are signed.
embedded.mobileprovision	File	This plist file contains the provisioning profile for an application. In simple words, provisioning profile acts as a link between the device and the developer account. This file contains information such as application creation date, keychain access groups etc.
Frameworks	Directory	This directory holds the information about the frameworks that an application uses.
SC_Info	Directory	This directory contains keys which are used for decrypting the app's executable. The files in this directory help in integrity checks of the application
Assets.car	File	This file contains images which the app might use to display once opened. The images are stored in an optimized format, and be only taken out using specialized tools such as the Asset Catalog Tinkerer.
PkgInfo	File	This file is an alternate way to specify the type and creator codes of the application or bundle. This file is not required, but is sometimes used to improve performance for code that accesses this information.

The Data Container

The “Data” directory or the Local Data Storage container consists of the files that the developer wishes to store for the application during the time in which the application is installed on the device. The files may be used for caching information for quick access or storing offline information as a backup for resuming the application from the point at intended by the developer. So, the files in this directory and also the information in the files will keep on changing while the application is in use as coded by the developers.

The structure of this directory for ‘Facebook’ application is depicted in the following screenshot.

Very critical information about the user or the application might be obtained from these files depending on what information is intended to be stored by the developer in this directory. Some of the possible components of the “Data” directory of an iOS application are explained below:

Parent Directory	Component Name	Description
Documents	NA	This directory is used to store the data that the user needs to access from the application and the files such as pdfs downloaded at the runtime. This may also be used to store crash logs that the user gets access to at the time of giving a feedback
Library	Application Support	This directory is used to store all app data files except those associated with the user’s documents. Sometimes it may also be used to store a modifiable copy of resources contained initially in the app’s bundle. The contents of this directory are backed up by iTunes and iCloud
Caches	This directory is used to write any app-specific support files that the application can recreate easily. The data in this directory is mostly the cache for the analytics that can be sent when required and also the server’s responses for delivering quick responses to the user’s queries. This directory also stores the screenshot of the application in the Snapshots directory when it moves to the background in order to improve user experience.
Preferences	This directory contains app-specific preference files. The main file in this directory is the file named <Bundle_ID>.plist which is used by the developers to store information using NSUserDefaults class.
tmp		This directory usually contains the backup data for an application or some other data that is intended to be deleted after a process gets over. The NSTemporaryDirectory function helps the developers write temporary data to this directory.
Storekit		This directory is important only for business perspective. It provides the access to the following: In-App Purchase - Offers and promotes in-app purchases for content and services. Apple Music - Checks a user's Apple Music capabilities and offers a subscription. Recommendations and reviews - Provide recommendations for third-party content and enable users to rate and review your app.

The iCloud Container

Source: https://developer.apple.com/library/archive/documentation/General/Conceptual/iCloudDesignGuide/Chapters/iCloudFundametals.html

This directory contains data that iCloud enabled iOS applications use. The files in this directory are meant to stored and updated by the sources where a user decides to update the file from.

It consists of usually two parts:

Documents- The files in this directory are meant to be read and updated directly by the user. These files are backed up to iCloud regularly to keep in sync.
Data- These files are not meant to be edited or added directly by the user. Data may be kept in different directories as desired by the developer.

Conclusion

In this article, we have laid a basic foundation about the architecture of an iOS application. We are now familiar with the structure of the “Bundle” directory, the “Data” directory as well as the iCloud directory of an iOS application. In the next article, we will use this knowledge and analyze what we can get from an IPA file.

Article Link: https://blog.lucideus.com/2019/04/ios-application-security-part-5.html