Roman's blog

Blog with my articles about different aspects of secure coding techniques for iOS/Android/React

View on GitHub

How to prevent leaking of data via Files application

Impact

The Files app, introduced in iOS 11 has access to Documents folders of all applications. This feature can be useful if we want to share with user some file from application. Also, this feature can lead to leakage of sensitive data.

Files from app can be shared with iOS application “Documents” if two conditions are met:

How to detect (white box)

If we have access to source code, we can open Xcode and check Info.plist for mentioned above keys. If the keys are set - search in code for Documents folder identifiers. For Swift this is documentDirectory, for Objective-C – NSDocumentDirectory.

How to detect (black box)

First of all we need for keys LSSupportsOpeningDocumentsInPlace and UIFileSharingEnabled in Info.plist file. To do this, let’s ssh to our jailbroken device:

ssh root@192.168.X.Y

Then move go to tested application folder:

cd /var/containers/Bundle/Application/<APP_ID>/<APP_NAME.app>

Inside this folder you can find Info.plist file. We can’t read it right now, because it’s saved by default in binary format. Let’s do following:

  1. Make copy of binary format: 
    cp Info.plist Info.plist_bin
  2. Convert binary to xml format: 
    plutil -convert xml1 Info.plist
  3. Now we can print plist file: 
    cat Info.plist

Unfortunately, if we’re doing black box review of app (aka penetration testing) we can’t check folder that is used for saving of files. All we can (if we found these 2 keys in Info.plist) - make some actions, that can invoke saving of files, then check Files app.

Mitigations

Few options are exist: