MASTG-TECH-0082: Get Shared Libraries
To effectively identify and analyze shared libraries within an iOS application, it's important to distinguish between the app's bundled libraries and the system libraries provided by iOS. This distinction helps focus on the components that are unique to the app, thereby reducing noise during security assessments.
- System Libraries: Part of the iOS SDK, located in directories such as `/System/Library/Frameworks` or `/usr/lib`. These libraries are standard for all iOS applications and generally don't require detailed analysis unless there is a specific reason.
- App-Bundled Libraries: Included in the app bundle, often found in the `Frameworks` directory (`YourApp.app/Frameworks`). They include both first-party (custom) and third-party libraries that the developer intentionally incorporated into the app. They are the primary focus for security assessments. However, note that some system libraries may also be bundled with the app to ensure compatibility with specific versions of the iOS SDK, so you'd need to filter them out.
Note that we're not considering static libraries, which, unlike dynamic libraries that are loaded at runtime, become part of the app's binary, resulting in a single executable file.
Strategy: Use one of the methods below, or a combination of them, to identify shared libraries, and then filter out system libraries to focus on those that are bundled with the app.
Inspecting the Application Binary
Navigate to the `Frameworks` directory within the application bundle to find the shared libraries. The shared libraries are usually in the form of `.framework` or `.dylib` files.
```
ls -1 Frameworks
App.framework
Flutter.framework
libswiftCore.dylib
libswiftCoreAudio.dylib
...
```

otool
You can use the `otool -L` command to list the shared libraries.
```
otool -L MASTestApp
MASTestApp:
        /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 2503.1.0)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.120.2)
        /System/Library/Frameworks/CryptoKit.framework/CryptoKit (compatibility version 1.0.0, current version 1.0.0)
        ...
```

radare2 for iOS
In radare2, you can list the linked libraries using the `il` command.
```
r2 MASTestApp
[0x100006e9c]> il
[Linked libraries]
/System/Library/Frameworks/Foundation.framework/Foundation
/usr/lib/libobjc.A.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CryptoKit.framework/CryptoKit
...
```

objection for iOS
You can use Objection's command `list_frameworks` to list all the app's bundles that represent Frameworks.
```
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios bundles list_frameworks
Executable      Bundle                      Version    Path
--------------  --------------------------  ---------  -------------------------------------------
Bolts           org.cocoapods.Bolts         1.9.0      ...8/DVIA-v2.app/Frameworks/Bolts.framework
RealmSwift      org.cocoapods.RealmSwift    4.1.1      ...A-v2.app/Frameworks/RealmSwift.framework
                                                       ...ystem/Library/Frameworks/IOKit.framework
...
```

The `list_bundles` command lists all of the application's bundles that are not related to frameworks. The output contains the executable name, bundle id, version of the library and path to the library.
```
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios bundles list_bundles
Executable    Bundle                                       Version    Path
------------  -------------------------------------------  ---------  -------------------------------------------
DVIA-v2       com.highaltitudehacks.DVIAswiftv2.develop    2          ...-1F0C-4DB1-8C39-04ACBFFEE7C8/DVIA-v2.app
CoreGlyphs    com.apple.CoreGlyphs                         1          ...m/Library/CoreServices/CoreGlyphs.bundle
```

Frida for iOS
The `Process.enumerateModules()` function in Frida's REPL allows enumeration of modules loaded into memory during runtime.
```
[iPhone::com.iOweApp]-> Process.enumerateModules()
[
    {
        "base": "0x10008c000",
        "name": "iOweApp",
        "path": "/private/var/containers/Bundle/Application/F390A491-3524-40EA-B3F8-6C1FA105A23A/iOweApp.app/iOweApp",
        "size": 49152
    },
    {
        "base": "0x1a1c82000",
        "name": "Foundation",
        "path": "/System/Library/Frameworks/Foundation.framework/Foundation",
        "size": 2859008
    },
    {
        "base": "0x1a16f4000",
        "name": "libobjc.A.dylib",
        "path": "/usr/lib/libobjc.A.dylib",
        "size": 200704
    },
    ...
```
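
One way to apply the filtering strategy to `otool -L` output, as an added example that is not part of the original page or of the MASTG tooling: it separates system libraries from app-bundled ones and flags bundled Swift runtime libraries, which are system code shipped inside the bundle. The `@rpath` entries in the sample, the bucket names and the function names are assumptions made for illustration.

```python
import re

# System locations named on the page; libraries loaded from here ship with iOS.
SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")
# Load-path prefixes that dyld resolves relative to the app bundle.
BUNDLE_PREFIXES = ("@rpath/", "@executable_path/", "@loader_path/")
# One dependency line of `otool -L`: "<path> (compatibility version X, current version Y)"
DEP_LINE = re.compile(r"^\s+(\S.*?)\s+\(compatibility version [^)]*\)\s*$")


def parse_otool_l(output):
    """Return the install names listed by `otool -L`, skipping the 'binary:' header line."""
    return [m.group(1) for m in map(DEP_LINE.match, output.splitlines()) if m]


def classify(install_name):
    """Bucket one install name as 'system', 'swift-runtime', 'app-bundled' or 'other'."""
    if install_name.startswith(SYSTEM_PREFIXES):
        return "system"
    if not install_name.startswith(BUNDLE_PREFIXES):
        return "other"  # unexpected absolute path: review by hand
    leaf = install_name.rsplit("/", 1)[-1]
    if leaf.startswith("libswift") and leaf.endswith(".dylib"):
        return "swift-runtime"  # system library shipped inside the bundle
    return "app-bundled"


def triage(output):
    """Group every dependency in the otool output by bucket, preserving order."""
    groups = {"system": [], "swift-runtime": [], "app-bundled": [], "other": []}
    for name in parse_otool_l(output):
        groups[classify(name)].append(name)
    return groups


# Constructed sample: system entries taken from the page, @rpath entries assumed.
SAMPLE = """MASTestApp:
\t/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 2503.1.0)
\t/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
\t@rpath/Flutter.framework/Flutter (compatibility version 0.0.0, current version 0.0.0)
\t@rpath/App.framework/App (compatibility version 0.0.0, current version 0.0.0)
\t@rpath/libswiftCore.dylib (compatibility version 1.0.0, current version 5.9.0)
"""

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(bucket, names)
```

The `app-bundled` bucket is the list to carry into the assessment; anything in `other` did not match a known prefix and should be checked manually.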