# Extracting Entitlements from Compiled Application

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>


Summary of the page [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary)

### **Extracting Entitlements and Mobile Provision Files**

When dealing with an app's IPA or an installed app on a jailbroken device, finding `.entitlements` files or the `embedded.mobileprovision` file directly may not be possible. However, entitlements property lists can still be extracted from the app binary, following the procedures outlined in the "iOS Basic Security Testing" chapter, particularly the "Acquiring the App Binary" section.

Even with encrypted binaries, certain steps can be employed to extract these files. Should these steps fail, tools such as Clutch (if compatible with the iOS version), frida-ios-dump, or similar utilities may be required to decrypt and extract the app.

#### **Extracting the Entitlements Plist from the App Binary**

With the app binary accessible on a computer, **binwalk** can be utilized to extract all XML files. The command below demonstrates how to do so:

```bash
$ binwalk -e -y=xml ./Telegram\ X

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1430180       0x15D2A4        XML document, version: "1.0"
1458814       0x16427E        XML document, version: "1.0"
```

Alternatively, **radare2** can be used to quietly run a command and exit, searching for all strings in the app binary that contain "PropertyList":

```bash
$ r2 -qc 'izz~PropertyList' ./Telegram\ X

0x0015d2a4 ascii <?xml version="1.0" encoding="UTF-8" standalone="yes"?>...
0x0016427d ascii H<?xml version="1.0" encoding="UTF-8"?>...
```

Both methods, binwalk and radare2, enable the extraction of `plist` files, with an inspection of the first one (0x0015d2a4) revealing a successful recovery of the [original entitlements file from Telegram](https://github.com/peter-iakovlev/Telegram-iOS/blob/77ee5c4dabdd6eb5f1e2ff76219edf7e18b45c00/Telegram-iOS/Telegram-iOS-AppStoreLLC.entitlements).

For app binaries accessed on jailbroken devices (e.g., via SSH), the **grep** command with the `-a, --text` flag can be used to treat all files as ASCII text:

```bash
$ grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/...
```

Adjusting the `-A num, --after-context=num` flag allows for the display of more or fewer lines. This method is viable even for encrypted app binaries and has been verified against multiple App Store apps. Tools mentioned earlier may also be employed on jailbroken iOS devices for similar purposes.

**Note**: Direct use of the `strings` command is not recommended for this task due to its limitations in finding relevant information. Instead, employing grep with the `-a` flag on the binary or utilizing radare2 (`izz`)/rabin2 (`-zz`) is advisable for more effective results.

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>