MASTG-TECH-0082: Get Shared Libraries
To effectively identify and analyze shared libraries within an iOS application, it's important to distinguish between the app's bundled libraries and the system libraries provided by iOS. This distinction helps focus on the components that are unique to the app, thereby reducing noise during security assessments.
- System Libraries: Part of the iOS SDK, located in directories such as
/System/Library/Frameworks
or/usr/lib
. These libraries are standard for all iOS applications and generally don't require detailed analysis unless there is a specific reason. - App-Bundled Libraries: Included in the app bundle, often found in the
Frameworks
directory (YourApp.app/Frameworks
). They include both first-party (custom) and third-party libraries that the developer intentionally incorporated into the app. They are the primary focus for security assessments. However, note that some system libraries may be also bundled with the app to ensure compatibility with specific versions of the iOS SDK so you'd need to filter them out.
Note that we're not considering static libraries, which, unlike dynamic libraries that are loaded at runtime, become part of the app's binary, resulting in a single executable file.
Strategy: Use one of the methods below, or a combination of them, to identify shared libraries, and then filter out system libraries to focus on those that are bundled with the app.
Inspecting the Application Binary¶
Navigate to the Frameworks
directory within the application bundle to find the shared libraries. The shared libraries are usually in the form of .framework
or .dylib
files.
ls -1 Frameworks
App.framework
Flutter.framework
libswiftCore.dylib
libswiftCoreAudio.dylib
...
otool¶
You can use the otool -L
command to list the shared libraries.
otool -L MASTestApp
MASTestApp:
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 2503.1.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.120.2)
/System/Library/Frameworks/CryptoKit.framework/CryptoKit (compatibility version 1.0.0, current version 1.0.0)
...
radare2 for iOS¶
In radare2, you can list the linked libraries using the il
command.
r2 MASTestApp
[0x100006e9c]> il
[Linked libraries]
/System/Library/Frameworks/Foundation.framework/Foundation
/usr/lib/libobjc.A.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CryptoKit.framework/CryptoKit
...
objection for iOS¶
You can use Objection's command list_frameworks
to list all the app's bundles that represent Frameworks.
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios bundles list_frameworks
Executable Bundle Version Path
-------------- ----------------------------------------- --------- -------------------------------------------
Bolts org.cocoapods.Bolts 1.9.0 ...8/DVIA-v2.app/Frameworks/Bolts.framework
RealmSwift org.cocoapods.RealmSwift 4.1.1 ...A-v2.app/Frameworks/RealmSwift.framework
...ystem/Library/Frameworks/IOKit.framework
...
Frida for iOS¶
The Process.enumerateModules()
function in Frida's REPL allows enumeration of modules loaded into memory during runtime.
[iPhone::com.iOweApp]-> Process.enumerateModules()
[
{
"base": "0x10008c000",
"name": "iOweApp",
"path": "/private/var/containers/Bundle/Application/F390A491-3524-40EA-B3F8-6C1FA105A23A/iOweApp.app/iOweApp",
"size": 49152
},
{
"base": "0x1a1c82000",
"name": "Foundation",
"path": "/System/Library/Frameworks/Foundation.framework/Foundation",
"size": 2859008
},
{
"base": "0x1a16f4000",
"name": "libobjc.A.dylib",
"path": "/usr/lib/libobjc.A.dylib",
"size": 200704
},
...