Here at Synack, our global team of ethical hackers, the Synack Red Team (SRT), is often asked to analyze our customers’ mobile applications for security vulnerabilities and possible exploitation. To make the SRT more effective and enhance the overall SRT experience, Synack performs initial processing of such applications, allowing the SRT to focus their efforts on vulnerability detection and testing rather than on monotonous tasks. For example, providing a decrypted dump of an application from the iOS App Store allows an SRT member to perform static analysis without having to own a jailbroken iDevice. Neat!
Of course, in order to automatically perform such pre-processing, the application first has to be downloaded. How can this be programmatically accomplished? For iOS apps, we had to figure out how to interface with Apple’s iOS App Store. As always, there are many ways to “skin the proverbial cat”. Here, we’ll briefly discuss various approaches such as “talking” to the App Store directly, controlling iTunes via AppleScript, and instrumenting iTunes via native (injected) code.
//talking directly to the app store.
To talk directly with the iOS App Store, one first needs to understand the protocol that iTunes “speaks” when it downloads an application, so let’s start there.
Sniffing the traffic of iTunes.app as it downloads an iOS application (here, using Charles Proxy) provides some insight into this protocol: