mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 02:53:28 +00:00
80 lines
5 KiB
Markdown
80 lines
5 KiB
Markdown
|
# iOS App Extensions
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
App extensions enhance the functionality of apps by allowing them to interact with other apps or the system, providing custom features or content. These extensions include:
|
||
|
|
||
|
- **Custom Keyboard**: Offers a unique keyboard across all apps, replacing the default iOS keyboard.
|
||
|
- **Share**: Enables sharing to social networks or with others directly.
|
||
|
- **Today (Widgets)**: Delivers content or performs tasks quickly from the Notification Center's Today view.
|
||
|
|
||
|
When a user engages with these extensions, such as sharing text from a host app, the extension processes this input within its context, leveraging the shared information to perform its task, as detailed in Apple's documentation.
|
||
|
|
||
|
### **Security Considerations**
|
||
|
|
||
|
Key security aspects include:
|
||
|
|
||
|
- Extensions and their containing apps communicate via inter-process communication, not directly.
|
||
|
- The **Today widget** is unique in that it can request its app to open via a specific method.
|
||
|
- Shared data access is allowed within a private container, but direct access is restricted.
|
||
|
- Certain APIs, including HealthKit, are off-limits to app extensions, which also cannot start long-running tasks, access the camera, or microphone, except for iMessage extensions.
|
||
|
|
||
|
### Static Analysis
|
||
|
|
||
|
#### **Identifying App Extensions**
|
||
|
|
||
|
To find app extensions in source code, search for `NSExtensionPointIdentifier` in Xcode or inspect the app bundle for `.appex` files indicating extensions. Without source code, use grep or SSH to locate these identifiers within the app bundle.
|
||
|
|
||
|
#### **Supported Data Types**
|
||
|
|
||
|
Check the `Info.plist` file of an extension for `NSExtensionActivationRule` to identify supported data types. This setup ensures only compatible data types trigger the extension in host apps.
|
||
|
|
||
|
#### **Data Sharing**
|
||
|
|
||
|
Data sharing between an app and its extension requires a shared container, set up via "App Groups" and accessed through `NSUserDefaults`. This shared space is necessary for background transfers initiated by extensions.
|
||
|
|
||
|
#### **Restricting Extensions**
|
||
|
|
||
|
Apps can restrict certain extension types, particularly custom keyboards, ensuring sensitive data handling aligns with security protocols.
|
||
|
|
||
|
### Dynamic Analysis
|
||
|
|
||
|
Dynamic analysis involves:
|
||
|
|
||
|
- **Inspecting Shared Items**: Hook into `NSExtensionContext - inputItems` to see shared data types and origins.
|
||
|
- **Identifying Extensions**: Discover which extensions process your data by observing internal mechanisms, like `NSXPCConnection`.
|
||
|
|
||
|
Tools like `frida-trace` can aid in understanding the underlying processes, especially for those interested in the technical details of inter-process communication.
|
||
|
|
||
|
## References
|
||
|
* [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/)
|
||
|
* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|