iPA is a renamed zip file, therefor we can just unzip the file and retrieve the files.

Once we unzip this files should be inside the zip:

• a Payload folder with all the files
  • A {AppName}.app folder
    • A Executable Binary - usually it will have the name of the app (and will be the biggest file in the folder), it will be in Mach-O format
    • Info.plist - The Information Property List (info.plist), contains configuration related information, bundle information
    • Frameworks Folder - a folder contain all the frameworks that are being used by the application, each framework have it's own info.plist and binary file.
    • Plugins Folder - a folder contains plugins which are part of the application extenstation located, the extenstations are interactions that the OS can use without having the app open - for example open with the app, or share to the app, use with Siri and etc. (https://developer.apple.com/app-extensions/)
    • embedded.mobileprovision - determine if the app can run on the device, it's in a encrypted CMS format, we can decrypt it and view entitlements by running security cms -D -i embedded.mobileprovision > embedded.decrypted

Data

Apps data can be stored in 2 ways:

• Inside the Bundle - Inside the IPA, includes the binaries, assets and etc. This can be static analysis
  • The bundle will be installed on the iOS in: /private/var/Containers/Bundle/Application/
• Outside the Bundle - Data that app generates and stored on the devices
  • Temporary data - stored for limited time
  • Persistence Data - Crucial for the app to run
    • Stored in /var/mobile/Containers/Data/Application/
  • Remote location - Connection that the app does to remote location such as Firebase.

App data storage

• Each app in it's own sandbox, one app can't access the data of another, unless data stored in Keychain.

plist

Architecture