MASTG-TECH-0053: Host-Device Data Transfer
There might be various scenarios where you might need to transfer data from the iOS device or app data sandbox to your host computer or vice versa. The following section will show you different ways on how to achieve that.
Copying App Data Files via SSH and SCP¶
As we know now, files from our app are stored in the Data directory. You can now simply archive the Data directory withtar and pull it from the device withscp:
iPhone:~root#tarczvf/tmp/data.tgz/private/var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693iPhone:~root#exit$scp-P2222root@localhost:/tmp/data.tgz.Grapefruit¶
After starting Grapefruit you can select the app that is in scope for testing. There are various functions available, of which one is called "Finder". When selecting it, you will get a listing of the directories of the app sandbox.
When navigating through the directories and selecting a file, a pop-up will show up and display the data either as hexadecimal or text. When closing this pop-up you have various options available for the file, including:
- Database viewer
- Plist viewer
- Download
Objection¶
When you are starting objection you will find the prompt within the Bundle directory.
org.owasp.MSTGon(iPhone:10.3.3)[usb]# pwd printCurrentdirectory:/var/containers/Bundle/Application/DABF849D-493E-464C-B66B-B8B6C53A4E76/org.owasp.MSTG.appUse theenv command to get the directories of the app and navigate to the Documents directory.
org.owasp.MSTGon(iPhone:10.3.3)[usb]# cd /var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/Documents/var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/DocumentsWith the commandfilesystem download <filename> you can download a file from the iOS device to your host computer and can analyze it afterwards.
org.owasp.MSTGon(iPhone:10.3.3)[usb]# filesystem download .com.apple.mobile_container_manager.metadata.plistDownloading/var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/.com.apple.mobile_container_manager.metadata.plistto.com.apple.mobile_container_manager.metadata.plistStreamingfilefromdevice...Writingbytestodestination...Successfullydownloaded/var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/.com.apple.mobile_container_manager.metadata.plistto.com.apple.mobile_container_manager.metadata.plistAs per objection v1.12.0, objection does support downloading folders by using the strict syntaxfilesystem download <remote folder> <local destination> --folder. However this only applies to folders and does not allow specifying multiple individual files directly.
...[usb]# filesystem download Documents tmp/Downloads --folderDownloading/var/mobile/Containers/Data/Application/3577EAF1-A9F2-4049-B6EB-67919F669552/Documentstotmp/DownloadsDoyouwanttodownloadthefulldirectory?[Y/n]:YDownloadingdirectoryrecursively...Successfullydownloaded/var/mobile/Containers/Data/Application/3577EAF1-A9F2-4049-B6EB-67919F669552/Documents/apikey_chacha.enctotmp/Downloads/apikey_chacha.encSuccessfullydownloaded/var/mobile/Containers/Data/Application/3577EAF1-A9F2-4049-B6EB-67919F669552/Documents/secret.txttotmp/Downloads/secret.txtRecursivedownloadfinished.You can also upload files to the iOS device withfile upload <local_file_path>.