WithSecureLabs / needle

The iOS Security Testing Framework
https://mobiletools.mwrinfosecurity.com/

binary/metadata does not show all URL handlers #68

Closed Deedozz closed 7 years ago

Deedozz commented 7 years ago

Issue

Hi, first of all: good job, I like this tool. I just have a comment/question: I noticed that the /binary/metadata module does not show all URL handlers that exist in Info.plist. It displays only the URL schemes of the first URL Type in Info.plist; is that on purpose?

Expected behaviour

Info.plist of VLC app (VLC for iOS 2.7.8) shows the following URL schemes. Therefore, it is expected to get all of these URL schemes:

    <key>CFBundleURLTypes</key>
    <array>
      <dict>
        <key>CFBundleTypeRole</key>
        <string>Viewer</string>
        <key>CFBundleURLName</key>
        <string>RTSP</string>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>rtsp</string>
        </array>
      </dict>
      <dict>
        <key>CFBundleTypeRole</key>
        <string>Viewer</string>
        <key>CFBundleURLName</key>
        <string>Multimedia Stream URL</string>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>mms</string>
          <string>mmsh</string>
        </array>
      </dict>
      <dict>
        <key>CFBundleTypeRole</key>
        <string>Viewer</string>
        <key>CFBundleURLName</key>
        <string>UDP URL</string>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>udp</string>
        </array>
      </dict>
      <dict>
        <key>CFBundleTypeRole</key>
        <string>Viewer</string>
        <key>CFBundleURLName</key>
        <string>RTP URL</string>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>rtp</string>
        </array>
      ...

Actual behaviour

Using binary/metadata shows only the first URL scheme:

[+] Target app: org.videolan.vlc-ios
[*] Retrieving app's metadata...
[+] Name                : VLC for iOS.app         
[+] Binary Name         : VLC for iOS                   
[+] Bundle ID           : org.videolan.vlc-ios          
[+] UUID                : 1075B315-8880-42E7-9903-42D0017F33B5
[+] App Version         : 278.1 (2.7.8)                 
[+] Data Directory      : /private/var/mobile/Containers/Data/Application/D2C31BC5-E4FC-48ED-8A5F-119976DC8D55
[+] Bundle Directory    : /private/var/containers/Bundle/Application/1075B315-8880-42E7-9903-42D0017F33B5
[+] Binary Directory    : /private/var/containers/Bundle/Application/1075B315-8880-42E7-9903-42D0017F33B5/VLC for iOS.app
[+] Binary Path         : '/private/var/containers/Bundle/Application/1075B315-8880-42E7-9903-42D0017F33B5/VLC for iOS.app/VLC for iOS'
[+] Architectures       : arm64                         
[+] Platform Version    : 9.3                           
[+] SDK Version         : iphoneos9.3                   
[+] Minimum OS          : 7.0                           
[+] Entitlements        
[+]          com.apple.developer.icloud-container-identifiers: ['iCloud.org.videolan.vlc-ios']
[+]          aps-environment                         : production          
[+]          com.apple.developer.icloud-container-environment: Production          
[+]          com.apple.developer.team-identifier     : 75GAHG3SZQ          
[+]          com.apple.security.application-groups   : ['group.org.videolan.vlc-ios']
[+]          com.apple.developer.ubiquity-kvstore-identifier: 75GAHG3SZQ.org.videolan.vlc-ios
[+]          application-identifier                  : 75GAHG3SZQ.org.videolan.vlc-ios
[+]          com.apple.developer.ubiquity-container-identifiers: ['iCloud.org.videolan.vlc-ios']
[+]          com.apple.developer.icloud-services     : ['CloudDocuments']  
[+]          keychain-access-groups                  : ['75GAHG3SZQ.org.videolan.vlc-ios']
[+] URL Handlers        
[+]          rtsp
[+] Apple Transport Security Settings
[+]          NSAllowsArbitraryLoads                  : 1   

I think it has to do with the core/device/app/_retrieve_metadata() function:

    def _retrieve_metadata(self):
        """Parse MobileInstallation.plist and the app's local Info.plist, and extract metadata."""
        ...
        app_version_long  = plist_local['CFBundleVersion']
        app_version_short = plist_local['CFBundleShortVersionString']
        app_version = '{} ({})'.format(app_version_long, app_version_short)
        try:
            url_handlers = plist_local['CFBundleURLTypes'][0]['CFBundleURLSchemes']
        except:
            url_handlers = None

If the try statement changes to something like:

        try:
            # Collect the schemes of every URL type, not only the first one
            url_handlers = []
            for urlType in plist_local['CFBundleURLTypes']:
                url_handlers.append(urlType['CFBundleURLSchemes'])
        except:
            url_handlers = None

Then all URL schemes will be displayed:

[+] URL Handlers        
[+]          ['rtsp']
[+]          ['mms', 'mmsh']
[+]          ['udp']
[+]          ['rtp']
[+]          ['rtmp']
[+]          ['sftp']
[+]          ['ftp']
[+]          ['smb']
[+]          ['db-a60fc6qj9zdg7bw']
[+]          ['vlc']
[+]          ['vlc-x-callback']

I hope this helps

Environment

Workstation Operating System

Python Version

Python 2.7.11

Python Packages (pip freeze)

Device iOS Version

9.3.2

marco-lancini commented 7 years ago

Hi @notEnaf, nice spot! And also thanks for the proposed fix. This has now been fixed in the develop branch.
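
The enumeration discussed in this issue, as an added example that is not Needle's code and not part of the thread: it walks every entry of CFBundleURLTypes and returns one flat, de-duplicated list of schemes, tolerating entries that declare no CFBundleURLSchemes. The function names and the sample plist are constructed for illustration, and Python 3's plistlib is assumed.

```python
import plistlib

# Constructed sample Info.plist, modelled on the excerpt quoted in the issue.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>RTSP</string>
      <key>CFBundleURLSchemes</key>
      <array><string>rtsp</string></array>
    </dict>
    <dict>
      <key>CFBundleURLName</key><string>Multimedia Stream URL</string>
      <key>CFBundleURLSchemes</key>
      <array><string>mms</string><string>mmsh</string></array>
    </dict>
    <dict>
      <key>CFBundleURLName</key><string>No schemes declared</string>
    </dict>
  </array>
</dict>
</plist>"""


def collect_url_schemes(plist):
    """Return every scheme from every CFBundleURLTypes entry, as one flat list."""
    schemes = []
    for url_type in plist.get("CFBundleURLTypes") or []:
        if not isinstance(url_type, dict):
            continue
        # An entry may omit CFBundleURLSchemes; skip it rather than abort.
        for scheme in url_type.get("CFBundleURLSchemes") or []:
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes


def schemes_from_bytes(data):
    """Parse XML or binary plist bytes and list the declared URL schemes."""
    return collect_url_schemes(plistlib.loads(data))


if __name__ == "__main__":
    for scheme in schemes_from_bytes(SAMPLE_INFO_PLIST):
        print("[+]          {}".format(scheme))
```

Because a missing key yields an empty list instead of raising, an app with no URL types is reported as having no handlers rather than hiding a parsing error behind a bare `except`.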