Skip to content

MASTG-TECH-0082: Get Shared Libraries

To effectively identify and analyze shared libraries within an iOS application, it's important to distinguish between the app's bundled libraries and the system libraries provided by iOS. This distinction helps focus on the components that are unique to the app, thereby reducing noise during security assessments.

  • System Libraries: Part of the iOS SDK, located in directories such as /System/Library/Frameworks or /usr/lib. These libraries are standard for all iOS applications and generally don't require detailed analysis unless there is a specific reason.
  • App-Bundled Libraries: Included in the app bundle, often found in the Frameworks directory (YourApp.app/Frameworks). They include both first-party (custom) and third-party libraries that the developer intentionally incorporated into the app. They are the primary focus for security assessments. However, note that some system libraries may be also bundled with the app to ensure compatibility with specific versions of the iOS SDK so you'd need to filter them out.

Note that we're not considering static libraries, which, unlike dynamic libraries that are loaded at runtime, become part of the app's binary, resulting in a single executable file.

Strategy: Use one of the methods below, or a combination of them, to identify shared libraries, and then filter out system libraries to focus on those that are bundled with the app.

Inspecting the Application Binary

Navigate to the Frameworks directory within the application bundle to find the shared libraries. The shared libraries are usually in the form of .framework or .dylib files.

ls -1 Frameworks
App.framework
Flutter.framework
libswiftCore.dylib
libswiftCoreAudio.dylib
...

otool

You can use the otool -L command to list the shared libraries.

otool -L MASTestApp
MASTestApp:
        /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 2503.1.0)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.120.2)
        /System/Library/Frameworks/CryptoKit.framework/CryptoKit (compatibility version 1.0.0, current version 1.0.0)
        ...

radare2 for iOS

In radare2, you can list the linked libraries using the il command.

r2 MASTestApp
[0x100006e9c]> il
[Linked libraries]
/System/Library/Frameworks/Foundation.framework/Foundation
/usr/lib/libobjc.A.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CryptoKit.framework/CryptoKit
...

objection for iOS

You can use Objection's command list_frameworks to list all the app's bundles that represent Frameworks.

...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios bundles list_frameworks
Executable      Bundle                                     Version    Path
--------------  -----------------------------------------  ---------  -------------------------------------------
Bolts           org.cocoapods.Bolts                        1.9.0      ...8/DVIA-v2.app/Frameworks/Bolts.framework
RealmSwift      org.cocoapods.RealmSwift                   4.1.1      ...A-v2.app/Frameworks/RealmSwift.framework
                                                                      ...ystem/Library/Frameworks/IOKit.framework
...

Frida for iOS

The Process.enumerateModules() function in Frida's REPL allows enumeration of modules loaded into memory during runtime.

[iPhone::com.iOweApp]-> Process.enumerateModules()
[
    {
        "base": "0x10008c000",
        "name": "iOweApp",
        "path": "/private/var/containers/Bundle/Application/F390A491-3524-40EA-B3F8-6C1FA105A23A/iOweApp.app/iOweApp",
        "size": 49152
    },
    {
        "base": "0x1a1c82000",
        "name": "Foundation",
        "path": "/System/Library/Frameworks/Foundation.framework/Foundation",
        "size": 2859008
    },
    {
        "base": "0x1a16f4000",
        "name": "libobjc.A.dylib",
        "path": "/usr/lib/libobjc.A.dylib",
        "size": 200704
    },

    ...