# iOS App Extensions

{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

App extensions enhance the functionality of apps by allowing them to interact with other apps or the system, providing custom features or content. These extensions include:

- **Custom Keyboard**: Offers a unique keyboard across all apps, replacing the default iOS keyboard.
- **Share**: Enables sharing to social networks or with others directly.
- **Today (Widgets)**: Delivers content or performs tasks quickly from the Notification Center's Today view.

When a user engages with one of these extensions, for example by sharing text from a host app, the extension processes that input within its own context and uses the shared information to perform its task, as detailed in Apple's documentation.

### **Security Considerations**

Key security aspects include:

- Extensions and their containing apps communicate via inter-process communication, not directly.
- The **Today widget** is unique in that it can request its containing app to open via a specific method.
- Shared data access is allowed within a private container, but direct access is restricted.
- Certain APIs, including HealthKit, are off-limits to app extensions. Extensions also cannot start long-running tasks or access the camera or microphone, with the exception of iMessage extensions.

### Static Analysis

#### **Identifying App Extensions**

To find app extensions in source code, search for `NSExtensionPointIdentifier` in Xcode, or inspect the app bundle for `.appex` files, which indicate extensions. Without source code, use grep or SSH to locate these identifiers within the app bundle.

#### **Supported Data Types**

Check the `Info.plist` file of an extension for `NSExtensionActivationRule` to identify the supported data types. This setting ensures that only compatible data types trigger the extension in host apps.

#### **Data Sharing**

Data sharing between an app and its extension requires a shared container, set up via "App Groups" and accessed through `NSUserDefaults`. This shared space is necessary for background transfers initiated by extensions.
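As an added example (not from this page or the MASTG), a small Python helper for the static checks above: it reads each `PlugIns/*.appex/Info.plist`, reports the `NSExtensionPointIdentifier` and `NSExtensionActivationRule`, and flags a keyboard extension that sets `RequestsOpenAccess`. The two embedded plists are constructed samples; the bundle identifiers and the `find_extensions` bundle layout are assumptions.

```python
import plistlib
from pathlib import Path

# NSExtensionPointIdentifier values of the extension types discussed above.
EXTENSION_POINTS = {
    "com.apple.keyboard-service": "Custom Keyboard",
    "com.apple.share-services": "Share",
    "com.apple.widget-extension": "Today (Widget)",
}

# Constructed sample Info.plist of a hypothetical keyboard extension (not from a real app).
SAMPLE_KEYBOARD = b"""<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.app.keyboard</string>
<key>NSExtension</key><dict>
 <key>NSExtensionPointIdentifier</key><string>com.apple.keyboard-service</string>
 <key>NSExtensionAttributes</key><dict><key>RequestsOpenAccess</key><true/></dict>
</dict></dict></plist>"""

# Constructed sample Info.plist of a hypothetical share extension.
SAMPLE_SHARE = b"""<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.app.share</string>
<key>NSExtension</key><dict>
 <key>NSExtensionPointIdentifier</key><string>com.apple.share-services</string>
 <key>NSExtensionAttributes</key><dict><key>NSExtensionActivationRule</key><dict>
  <key>NSExtensionActivationSupportsText</key><true/>
  <key>NSExtensionActivationSupportsWebURLWithMaxCount</key><integer>1</integer>
 </dict></dict></dict></dict></plist>"""

def analyze_extension_plist(plist_bytes: bytes) -> dict:
    # Extension type, activation rule and review notes from one extension's Info.plist.
    info = plistlib.loads(plist_bytes)
    ext = info.get("NSExtension", {})
    attrs = ext.get("NSExtensionAttributes", {})
    point = ext.get("NSExtensionPointIdentifier", "")
    rule = attrs.get("NSExtensionActivationRule")
    findings = []
    # A keyboard with open access may reach the network and the shared App Group container.
    if point == "com.apple.keyboard-service" and attrs.get("RequestsOpenAccess"):
        findings.append("keyboard requests open access")
    # A predicate string (e.g. TRUEPREDICATE) instead of a dictionary is a custom, often broader, rule.
    if isinstance(rule, str):
        findings.append("custom predicate activation rule: " + rule)
    return {"bundle_id": info.get("CFBundleIdentifier"),
            "type": EXTENSION_POINTS.get(point, "Other: " + point),
            "activation_rule": rule, "findings": findings}

def find_extensions(app_bundle: Path) -> list:
    # Each extension ships as <App>.app/PlugIns/<Name>.appex with its own Info.plist.
    return [analyze_extension_plist(p.read_bytes())
            for p in sorted(app_bundle.glob("PlugIns/*.appex/Info.plist"))]
```

Point `find_extensions` at a decrypted `.app` directory pulled from the device to triage every bundled extension in one pass.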
#### **Restricting Extensions**

Apps can restrict certain extension types, particularly custom keyboards, to ensure that sensitive data handling aligns with their security requirements.

### Dynamic Analysis

Dynamic analysis involves:

- **Inspecting Shared Items**: Hook into `NSExtensionContext - inputItems` to see the types and origins of the shared data.
- **Identifying Extensions**: Discover which extensions process your data by observing internal mechanisms, like `NSXPCConnection`.

Tools like `frida-trace` can aid in understanding the underlying processes, especially for those interested in the technical details of the inter-process communication.

## References

* [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/)
* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/)