Identifying Frameworks, Libraries & APIs

Frameworks, libraries and APIs define how an iOS app communicates internally and externally. They reveal hidden logic, internal layers, cryptographic behavior, networking stacks, authentication flows and private interfaces. Identifying them is essential for static and dynamic analysis because it tells you how the app is built, which third-party dependencies are in use, which APIs can be hooked, and where sensitive logic may be located. This chapter provides a complete, practical, hands-on workflow for discovering and analyzing frameworks, dynamic libraries, external APIs and internal modules within an iOS application.


Step 1: Locate All Frameworks in the App Bundle

Go to the app bundle:

cd extracted/Payload/AppName.app/

List the embedded frameworks, which live in the bundle's Frameworks/ directory:

ls -1 Frameworks/ | grep '\.framework$'

Also check embedded plugins:

ls -1 PlugIns/

Apps often hide logic inside embedded frameworks.

Inspect contents:

ls Frameworks/FrameworkName.framework/

Look for:

  • Executable file

  • Resources

  • Info.plist in each framework

Each framework may contain sensitive logic such as:

  • API request signing

  • Custom encryption

  • Authentication routines

  • Internal SDKs


Step 2: Identify Linked Dynamic Libraries

Use otool to list all linked libraries:

otool -L AppName

Example output:

@rpath/Alamofire.framework/Alamofire
@rpath/FirebaseCore.framework/FirebaseCore
/System/Library/Frameworks/Security.framework/Security

This tells you which libraries the app depends on.

Important signals:

  • Networking libs (Alamofire, AFNetworking, NSURLSession)

  • Crypto libs (CommonCrypto, CryptoKit)

  • Analytics libs (Firebase, Appsflyer, Mixpanel)

  • Payment libs

  • Custom internal frameworks

These highlight areas to inspect for vulnerabilities.


Step 3: Identify Third-Party SDKs Automatically

Run:

strings AppName | grep -i "firebase"
strings AppName | grep -i "mixpanel"
strings AppName | grep -i "alamo"
strings AppName | grep -i "key"
strings AppName | grep -i "oauth"

Third-party SDKs often leave identifiable strings.

Check for:

  • Payment processing

  • OAuth

  • Crypto libraries

  • Analytics

  • Messaging

  • Push notification SDKs

Each one creates attack surface.


Step 4: Inspect Each Framework for Hardcoded Data

Search strings inside frameworks:

strings Frameworks/FrameworkName.framework/FrameworkName | grep -i "http"
strings Frameworks/FrameworkName.framework/FrameworkName | grep -i "api"
strings Frameworks/FrameworkName.framework/FrameworkName | grep -i "key"
strings Frameworks/FrameworkName.framework/FrameworkName | grep -i "secret"

Frameworks often contain:

  • Internal API endpoints

  • Hidden resource files

  • API keys

  • Debug logs

  • Version identifiers

  • Authentication flows

Inspect Info.plist inside each framework:

plutil -convert xml1 Frameworks/FrameworkName.framework/Info.plist
cat Frameworks/FrameworkName.framework/Info.plist

This reveals metadata such as:

  • Supported devices

  • Embedded capabilities

  • Version numbers

  • Resource bundles


Step 5: Identify Private APIs

Private APIs indicate risky behavior.

Search:

grep -R "private" -n .

Search for Apple private frameworks:

otool -L AppName | grep -i "private"

Examples:

  • PrivateSecurity

  • MobileGestalt

  • SpringBoardServices

  • BackBoardServices

Private APIs often indicate jailbreak detection or anti-debug protections.


Step 6: Identify Networking APIs

Networking libraries reveal how the app communicates with its backend.

Search for URLs:

grep -R "https" -n .

Search inside binary:

strings AppName | grep -i "https"

Check frameworks too:

strings Frameworks/FrameworkName.framework/FrameworkName | grep -i "http"

This identifies:

  • Main API base URLs

  • Staging/development endpoints

  • OAuth callback URLs

  • Analytics endpoints

  • Image CDN URLs

These endpoints form your API attack map.


Step 7: Identify Authentication Mechanisms

Search for auth keywords:

strings AppName | grep -i "auth"
strings AppName | grep -i "jwt"
strings AppName | grep -i "token"

Inspect frameworks for:

  • Token generation

  • JWT signing

  • API signing functions

  • OAuth flows

  • Biometric verification

  • Keychain access

This reveals potential weaknesses in authentication logic.


Step 8: Identify Crypto Libraries and Usage

Crypto libraries indicate where sensitive logic may exist.

Search:

otool -L AppName | grep -i crypto

Common hits:

  • CommonCrypto

  • CryptoKit

  • OpenSSL

  • Sodium

Search for cryptographic functions:

strings AppName | grep -i "AES"
strings AppName | grep -i "RSA"
strings AppName | grep -i "SHA"

Locate custom crypto:

grep -R "encrypt" -n .
grep -R "decrypt" -n .
grep -R "hmac" -n .

Custom cryptography often contains critical weaknesses.
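
Steps 2, 5 and 8 each grep the same otool -L output for one keyword at a time. The script below is an added example, not code from the original page: it classifies every linked library in one pass by origin (embedded, system, private) and by purpose. The function names and the sample input are constructed, and grouping Security with the crypto libraries is an assumption.

```bash
#!/bin/sh
# Added example: triage `otool -L` output by origin and purpose.
# On macOS: otool -L AppName | classify_dylibs

classify_dylibs() {
  # stdin: otool -L output. stdout: origin<TAB>category<TAB>library name
  awk '
    /^[^ \t].*:$/ { next }   # header line such as "AppName:"
    NF == 0       { next }
    {
      path = $1              # assumes no spaces in the install path
      n = split(path, parts, "/"); name = parts[n]; lname = tolower(name)

      if (path ~ /^@(rpath|executable_path|loader_path)\//)       origin = "embedded"
      else if (path ~ /^\/System\/Library\/PrivateFrameworks\//)  origin = "private"
      else if (path ~ /^\/(System\/Library|usr\/lib)\//)          origin = "system"
      else                                                        origin = "unknown"

      # Name lists come from Steps 2 and 8; Security is grouped with crypto as an assumption.
      if (lname ~ /alamofire|afnetworking/)                       kind = "networking"
      else if (lname ~ /crypto|openssl|sodium|^security$/)        kind = "crypto"
      else if (lname ~ /firebase|appsflyer|mixpanel/)             kind = "analytics"
      else                                                        kind = "other"

      printf "%s\t%s\t%s\n", origin, kind, name
    }'
}

sample_otool_output() {   # constructed sample, not taken from a real app
  printf 'AppName:\n'
  printf '\t@rpath/Alamofire.framework/Alamofire (compatibility version 1.0.0, current version 1.0.0)\n'
  printf '\t@rpath/FirebaseCore.framework/FirebaseCore (compatibility version 1.0.0, current version 1.0.0)\n'
  printf '\t/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 1.0.0)\n'
  printf '\t/System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices (compatibility version 1.0.0, current version 1.0.0)\n'
  printf '\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)\n'
}

sample_otool_output | classify_dylibs
```

Rows marked private or unknown are the ones to review first; rows marked embedded are the third-party and internal code that ships inside the bundle.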


Step 9: Identifying Internal APIs (Hidden Features)

Apps often contain internal endpoints not used in production.

Search:

grep -R "internal" -n .
grep -R "debug" -n .
grep -R "staging" -n .
grep -R "qa" -n .

Look inside JSON and plist configs:

grep -R "\.json" -n .

Inspect:

cat Resources/*.json
cat Bundle/*.plist

These commonly reveal:

  • Test endpoints

  • Internal flags

  • Disabled features

  • Developer-only logic

Many bypass vulnerabilities are found here.
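
The URL searches in Step 6 and the keyword searches in Step 9 can be combined into a single endpoint inventory. The script below is an added example, not code from the original page: it extracts every URL from strings output, removes duplicates, and flags cleartext http and non-production hostnames so they can be removed from a release build. The function names, the keyword list (taken from Steps 6 and 9 plus "dev", "stage" and "test") and the example.com sample data are assumptions.

```bash
#!/bin/sh
# Added example: build an endpoint inventory from `strings` output.
# On macOS: strings AppName | triage_endpoints

triage_endpoints() {
  # stdin: any text. stdout: flags<TAB>host<TAB>url, one row per unique URL
  grep -Eo 'https?://[A-Za-z0-9._~:/?#@&=%+-]+' \
    | sort -u \
    | awk '
      {
        url = $0; host = url
        sub(/^https?:\/\//, "", host)      # drop the scheme
        sub(/[\/:?#].*$/, "", host)        # drop port, path, query, fragment

        flags = ""
        if (url ~ /^http:\/\//) flags = "cleartext"

        # Match keywords only as whole host labels or dash-separated parts.
        if (("." tolower(host) ".") ~ /[.-](staging|stage|dev|qa|internal|debug|test)[.-]/)
          flags = (flags == "" ? "" : flags ",") "non-prod"

        if (flags == "") flags = "-"
        printf "%s\t%s\t%s\n", flags, host, url
      }'
}

sample_strings() {   # constructed sample standing in for `strings AppName` output
  printf '%s\n' \
    'https://api.example.com/v2/login' \
    'baseURL=https://staging-api.example.com/v2' \
    'http://qa.internal.example.com/debug/flags' \
    'https://cdn.example.com/img/logo.png' \
    'https://api.example.com/v2/login' \
    'NSURLSession'
}

sample_strings | triage_endpoints
```

Only the hostname is tested against the keyword list, so a production host with /debug in its path is not flagged; review paths separately.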


Step 10: Use Class-Dump to Enumerate Classes

Install class-dump:

brew install class-dump

Dump classes:

class-dump AppName -H -o headers/

Inspect headers:

grep -R "API" -n headers/

Class-dump gives you:

  • All Objective-C classes

  • Method names

  • Properties

  • Internal classes

  • Hidden APIs

This identifies attack surfaces for dynamic hooking.


Step 11: Identify Swift Modules

Swift metadata exposes structures and functions.

List modules:

otool -oV AppName | grep swift

Dump Swift symbols:

strings AppName | grep "Swift"

Swift modules often contain:

  • Names of internal classes

  • Enum values

  • Protocol names

  • Hidden functionality


Step 12: Using Hopper or Ghidra to Inspect Framework Imports

Load the decrypted binary into Hopper or Ghidra.

Navigate to:

  • Imported symbols

  • Imported frameworks

  • Objective-C selectors

  • Swift method names

Look for:

  • Security-sensitive calls

  • Networking calls

  • File system access

  • Keychain usage

  • Crypto functions

This helps determine which logic to target with Frida hooks.


Step 13: Linking Frameworks to Dynamic Analysis

Once frameworks and APIs are identified:

  • Hook networking frameworks with Frida

  • Watch function calls at runtime

  • Modify authentication logic

  • Override crypto functions

  • Trace internal API calls

  • Dump sensitive data in memory

  • Intercept private API calls

Everything mapped during static analysis becomes a target during dynamic analysis.


Intel Dump

  • Frameworks and libraries reveal internal logic and third-party dependencies

  • Use otool to list linked libraries and private APIs

  • Extract strings to locate URLs, keys and identifiers

  • Inspect embedded frameworks and their Info.plist files

  • Identify networking APIs and authentication mechanisms

  • Dump classes using class-dump for full ObjC class enumeration

  • Analyze Swift modules for hidden structures and logic

  • Use grep and strings for quick scanning of sensitive keywords

  • Framework analysis guides dynamic hooking and exploit development
