sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

iOS: list app group directory paths with env #313

Open igorkulman opened 4 years ago

igorkulman commented 4 years ago

Is your feature request related to a problem? Please describe.

iOS apps can use app groups for sharing data between the main app and extensions like the share extension. If an app uses an app group, all the data shared via that app group is stored in a separate folder (/private/var/mobile/Containers/Shared/AppGroup/SomeOtherGUIDNotTheAppGuid).

When I run env for an iOS app it does not list app group directories used by the app.

Describe the solution you'd like

The solution would be to detect app group directories and list them when using env.

Describe alternatives you've considered

An alternative is using tools like cda that list the app group directories.

leonjza commented 4 years ago

Good idea. This feature request is also an excellent candidate for someone that wants to get their hands dirty on something easier!

leonjza commented 4 years ago

I gave this a quick bash this morning and could not reliably get the app group directory using the enumerated bundle identifier for the application. Help with an Objective-C implementation example to use in an app at runtime would be awesome.

miticollo commented 1 year ago

Hi everyone! I hope my comment will be useful even if this is an (old) issue.

// Frida script: runs inside the target iOS app process (uses the ObjC bridge).
const LSApplicationProxy = ObjC.classes.LSApplicationProxy
const NSBundle = ObjC.classes.NSBundle
// Bundle identifier of the app this script is injected into.
const bundleIdentifier = NSBundle.mainBundle().bundleIdentifier().toString()
const appProxy = LSApplicationProxy.applicationProxyForIdentifier_(bundleIdentifier)
// groupContainerURLs maps each app group identifier to its container URL.
const keys = appProxy.groupContainerURLs().allKeys()
const count = keys.count().valueOf();
const appGroups = [];
for (let i = 0; i !== count; i++) {
    let url = appProxy.groupContainerURLs().objectForKey_(keys.objectAtIndex_(i))
    appGroups.push({
        'groupIdentifier': keys.objectAtIndex_(i).toString(),
        'path': url.path().toString()
    })
}
console.log(JSON.stringify(appGroups, null, 2)) // Indented 2 spaces

appGroups is an Array of objects. Every object contains two strings: the groupIdentifier and its path.

This work is based on the AppData tweak. See also here.

Example

Target app: WhatsApp

[
  {
    "groupIdentifier": "group.net.whatsapp.WhatsApp.private",
    "path": "/private/var/mobile/Containers/Shared/AppGroup/C0D21F7E-236A-410E-B545-C446203BBA4B"
  },
  {
    "groupIdentifier": "group.net.whatsapp.WhatsAppSMB.shared",
    "path": "/private/var/mobile/Containers/Shared/AppGroup/3BB9B11B-D0C5-4438-9F9D-41078980CBC3"
  },
  {
    "groupIdentifier": "group.net.whatsapp.WhatsApp.shared",
    "path": "/private/var/mobile/Containers/Shared/AppGroup/2FD6F1AB-59F3-4453-919C-B2E2571B9973"
  },
  {
    "groupIdentifier": "group.com.facebook.family",
    "path": "/private/var/mobile/Containers/Shared/AppGroup/1BA956C7-2B21-498F-A539-4FE2122AF963"
  },
  {
    "groupIdentifier": "group.net.whatsapp.family",
    "path": "/private/var/mobile/Containers/Shared/AppGroup/6D2FCB8E-56DE-4551-B2D8-FC55AEA8D642"
  }
]
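
A defensive variant of the enumeration in the comment above, added here as an example (it is not part of the thread or of objection's code): it returns an empty list instead of throwing when the Objective-C runtime, the private LSApplicationProxy class, the proxy or the group dictionary is missing, and sorts the result. `listAppGroups` and `stubObjC` are hypothetical names, and the stub with its identifiers is constructed so the function can be exercised under Node without a device.

```javascript
// Added example. `objc` is Frida's global ObjC bridge at runtime; stubObjC is an offline stand-in.
function listAppGroups(objc) {
  if (!objc || !objc.available) return [];                // no Objective-C runtime
  if (!("LSApplicationProxy" in objc.classes)) return []; // private class, may be absent
  const bundleId = objc.classes.NSBundle.mainBundle().bundleIdentifier();
  if (bundleId === null) return [];                       // process without a bundle identifier
  const proxy = objc.classes.LSApplicationProxy
    .applicationProxyForIdentifier_(bundleId.toString());
  if (proxy === null) return [];
  const urls = proxy.groupContainerURLs();                // NSDictionary, or null for nil
  if (urls === null) return [];
  const keys = urls.allKeys();
  const count = Number(keys.count());
  const groups = [];
  for (let i = 0; i < count; i++) {
    const key = keys.objectAtIndex_(i);
    const url = urls.objectForKey_(key);
    if (url === null) continue;                           // skip entries without a URL
    groups.push({ groupIdentifier: key.toString(), path: url.path().toString() });
  }
  return groups.sort((a, b) => a.groupIdentifier.localeCompare(b.groupIdentifier));
}

// Constructed stub mimicking only the calls used above (assumption: nil maps to null).
function stubObjC(bundleId, containers) {
  const str = (s) => (s === null ? null : { toString: () => s });
  const ids = Object.keys(containers);
  const dict = {
    allKeys: () => ({ count: () => ids.length, objectAtIndex_: (i) => str(ids[i]) }),
    objectForKey_: (k) => {
      const p = containers[k.toString()];
      return p == null ? null : { path: () => str(p) };
    },
  };
  const proxy = { groupContainerURLs: () => (ids.length ? dict : null) };
  return {
    available: true,
    classes: {
      NSBundle: { mainBundle: () => ({ bundleIdentifier: () => str(bundleId) }) },
      LSApplicationProxy: { applicationProxyForIdentifier_: () => proxy },
    },
  };
}

// In a Frida session the real bridge exists; under Node this line is skipped.
if (typeof ObjC !== "undefined") console.log(JSON.stringify(listAppGroups(ObjC), null, 2));
```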