Understanding IPA Files

IPA files are the core of iOS application pentesting. An IPA contains the actual app bundle, executable binary, resources, configuration files and metadata. Understanding how an IPA is structured, extracted and analyzed is the foundation for static analysis, reverse engineering, dynamic instrumentation and finding client-side vulnerabilities. This chapter provides a full, practical, hands-on workflow for working with IPA files.


What an IPA Actually Is

An IPA is simply a ZIP archive with a specific internal structure. Inside it you will find:

  • Payload/ directory containing the .app bundle

  • Info.plist with metadata, permissions and capabilities

  • embedded.mobileprovision containing entitlements and signing info

  • Executable binary for reverse engineering

  • Resources such as images, configuration files, JSON files and strings

Understanding this structure helps you locate sensitive files, hidden API endpoints, authentication logic and misconfigurations.


Step 1: Extracting an IPA

Rename the IPA to .zip (unzip also accepts the .ipa directly, so this step is optional):

mv app.ipa app.zip
unzip app.zip -d extracted/

The extracted folder contains:

extracted/Payload/AppName.app/

Enter the directory:

cd extracted/Payload/AppName.app/

You should now see the binary, Info.plist and other resources.


Step 2: Inspecting the IPA Contents

View the structure:

tree extracted/Payload/AppName.app/

Look for:

  • .plist files

  • .json configs

  • .framework bundles

  • Encrypted databases (.sqlite)

  • Sensitive files (tokens, credentials, API URLs)

Common sensitive locations:

Resources/
Config/
Bundle/

Step 3: Checking the App’s Metadata (Info.plist)

Convert binary plist to XML:

plutil -convert xml1 Info.plist

Now inspect:

cat Info.plist

Important keys to look at:

  • CFBundleDisplayName

  • CFBundleIdentifier

  • UIBackgroundModes

  • NSCameraUsageDescription

  • NSLocationWhenInUseUsageDescription

  • NSAppTransportSecurity

  • LSApplicationQueriesSchemes

Security findings often include:

  • Insecure ATS exceptions

  • Excessive permissions

  • Custom URL schemes vulnerable to hijacking

  • Background execution that leaks data
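Putting Steps 1 to 3 together, here is an added Python example (not part of the original chapter) that opens an IPA as a ZIP, pulls out the bundle's Info.plist and reports the ATS exceptions, URL schemes and usage descriptions listed above. It runs on a constructed sample IPA built in memory; the domain, scheme and bundle identifier values are made up.

```python
import io
import plistlib
import zipfile

def find_info_plist(ipa_bytes):
    """Return the bundle's Info.plist bytes from an IPA (a plain ZIP), skipping any under Frameworks/."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return zf.read(name)
    raise FileNotFoundError("no Payload/*.app/Info.plist in archive")

def audit_info_plist(plist_bytes):
    """plistlib.loads detects binary and XML plists, so no plutil conversion step is needed."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        # Per-domain exceptions that re-enable cleartext HTTP
        "insecure_http_domains": sorted(
            d for d, ex in ats.get("NSExceptionDomains", {}).items()
            if ex.get("NSExceptionAllowsInsecureHTTPLoads")),
        # Custom URL schemes registered by the app (scheme-hijacking surface)
        "url_schemes": sorted(
            s for t in info.get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])),
        "usage_descriptions": sorted(
            k for k in info if k.startswith("NS") and k.endswith("UsageDescription")),
    }

def build_sample_ipa():
    """Constructed sample IPA with a binary Info.plist; not a real application."""
    info = {
        "CFBundleIdentifier": "com.example.app",
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": False,
            "NSExceptionDomains": {
                "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True},
            },
        },
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["exampleapp"]}],
        "NSCameraUsageDescription": "Scan QR codes",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Example.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/Example.app/Frameworks/Net.framework/Info.plist", plistlib.dumps({}))
    return buf.getvalue()
```

Run it against a real file with audit_info_plist(find_info_plist(open("app.ipa", "rb").read())); a non-empty insecure_http_domains list or arbitrary_loads set to True is the ATS finding from the list above.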


Step 4: Extracting Entitlements

Entitlements determine capabilities such as keychain groups, push notifications and access to private APIs.

Extract them:

codesign -d --entitlements :- extracted/Payload/AppName.app/AppName

Look for dangerous entitlements:

  • get-task-allow (enables debugging)

  • keychain-access-groups

  • application-identifier mismatches

  • private entitlements

These often lead to privilege escalation or data leakage.
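As an added example (not from the original chapter), the same checks can be run without codesign by reading embedded.mobileprovision, which is a CMS signature wrapping a cleartext XML plist. The sample profile, team ID and bundle identifier are constructed. One caveat: the profile lists what the app may claim, while the entitlements actually signed into the binary (what codesign -d prints) can be a subset, so compare both.

```python
import plistlib

def provisioning_plist(blob):
    """The profile is a CMS (PKCS#7) SignedData blob whose content is a cleartext XML plist; slice it out."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def audit_entitlements(blob, bundle_id):
    """Flag the entitlement conditions listed in Step 4 for the given app bundle identifier."""
    ents = provisioning_plist(blob).get("Entitlements", {})
    # application-identifier is <TEAMID>.<bundle id>; split off only the team prefix
    _team, _, ident = ents.get("application-identifier", "").partition(".")
    return {
        "debuggable": bool(ents.get("get-task-allow", False)),
        "keychain_groups": list(ents.get("keychain-access-groups", [])),
        "app_id_mismatch": ident != bundle_id,
        "private_entitlements": sorted(k for k in ents if k.startswith("com.apple.private.")),
    }

def build_sample_profile():
    """Constructed sample: a plausible development profile plist between fake DER bytes; not a signed profile."""
    profile = {
        "Name": "Example Development",
        "TeamIdentifier": ["ABCDE12345"],
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.app",
            "get-task-allow": True,
            "keychain-access-groups": ["ABCDE12345.*"],
            "com.apple.developer.team-identifier": "ABCDE12345",
        },
    }
    return b"\x30\x82\x10\x00\x06\x09" + plistlib.dumps(profile) + b"\x31\x82\x00\x10" + b"\x00" * 16
```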


Step 5: Checking if the IPA Is Encrypted

App Store binaries are always FairPlay-encrypted, so check before attempting to reverse engineer one:

otool -l AppName | grep -A2 crypt

Look for:

cryptid 1  (means encrypted)
cryptid 0  (means decrypted)

If encrypted, you need a jailbroken device + bagbak or frida-ios-dump to decrypt it.
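An added Python example (not part of the original chapter) of what the otool command above is doing: walking the Mach-O load commands to LC_ENCRYPTION_INFO or LC_ENCRYPTION_INFO_64 and reading cryptid, including the case of a fat (universal) binary with several architecture slices. The Mach-O bytes are constructed in memory, not taken from a real app.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def _thin_cryptid(data, base):
    """Walk the load commands of one thin (little-endian) Mach-O image starting at offset base."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32      # mach_header_64: 8 x uint32
    elif magic == MH_MAGIC:
        header_size = 28      # mach_header: 7 x uint32
    else:
        raise ValueError("no Mach-O header at offset %d" % base)
    ncmds = struct.unpack_from("<I", data, base + 16)[0]   # ncmds sits at offset 16 in both headers
    off = base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (the 64-bit form adds 4 bytes of pad)
            return struct.unpack_from("<I", data, off + 16)[0]
        off += cmdsize
    return None   # no LC_ENCRYPTION_INFO at all, e.g. a locally built developer binary

def cryptids(data):
    """Map each architecture slice's file offset to its cryptid: 1 = FairPlay-encrypted, 0 = decrypted."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        # Fat header and fat_arch entries are big-endian; fat_arch = cputype, cpusubtype, offset, size, align
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        slices = [0]
    return {s: _thin_cryptid(data, s) for s in slices}

def build_sample_macho(cryptid):
    """Constructed sample: an arm64 mach_header_64 followed by one LC_ENCRYPTION_INFO_64; not a real binary."""
    cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)  # cputype arm64, MH_EXECUTE
    return header + cmd

def wrap_in_fat(thin, offset=4096):
    """Constructed sample: place one thin image inside a universal (fat) container at the given offset."""
    fat = struct.pack(">2I", FAT_MAGIC, 1) + struct.pack(">5I", 0x0100000C, 0, offset, len(thin), 12)
    return fat.ljust(offset, b"\0") + thin
```

On a real file, cryptids(open("AppName", "rb").read()) returns one entry per slice; any value of 1 means that slice still needs the decryption step that follows.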


Step 6: Decrypting App Store IPAs (Practical)

On your computer:

bagbak com.example.app

or using frida-ios-dump (its entry point is the dump.py script in the repository):

./dump.py com.example.app

This generates a decrypted IPA:

dumped/com.example.app.ipa

Extract it the same way as in Step 1:

unzip dumped/com.example.app.ipa -d decrypted/

Now you can reverse engineer it.


Step 7: Identifying Hardcoded Secrets

Search for tokens, API keys, backend URLs:

grep -R "api" -n extracted/
grep -R "token" -n extracted/
grep -R "key" -n extracted/

Common findings include:

  • Hardcoded API base URLs

  • JWT signing keys

  • Environment variables

  • Firebase API keys

  • Analytics endpoints

These are critical for mapping backend attack surface.


Step 8: Inspecting Strings Inside the Binary

Extract useful strings:

strings AppName > strings.txt

Search:

grep -i "http" strings.txt
grep -i "auth" strings.txt
grep -i "secret" strings.txt
grep -i "password" strings.txt

Even a small hint in binary strings often reveals hidden API methods.


Step 9: Checking App Frameworks

List frameworks (they live under AppName.app/Frameworks/, so a plain ls of the bundle root will not show them):

find . -type d -name "*.framework"

Inspect:

  • Custom frameworks for internal APIs

  • Third-party frameworks that may contain vulnerabilities

  • Obsolete versions of networking libraries

Some apps store sensitive logic in their frameworks.


Step 10: Repackaging and Re-signing IPAs (For Testing)

If you modify the IPA or add debugging files, you need to repackage.

Rebuild:

cd extracted
zip -r newapp.ipa Payload/

Sign it using a developer certificate or a signing utility on macOS.


Step 11: IPA Analysis Workflow

A basic static analysis checklist:

  1. Extract IPA

  2. Inspect Info.plist

  3. Extract entitlements

  4. Check ATS configuration

  5. Search for sensitive strings and configs

  6. Check inside frameworks

  7. Identify network endpoints

  8. Look for embedded credentials

  9. Inspect binary for suspicious logic

  10. Prepare binary for reverse engineering


Step 12: Using GUI Tools for IPA Analysis

iOS App Signer (macOS)

Useful for repackaging IPAs.

Hopper / Ghidra

Reverse engineer the binary after decryption.

IPA Installer / ios-deploy

Install modified IPAs quickly.


Intel Dump

  • IPA is a ZIP archive containing the .app bundle

  • Extract it using unzip and inspect directories

  • Info.plist reveals permissions, ATS rules and metadata

  • Entitlements show keychain groups and sensitive capabilities

  • cryptid flag shows whether the app is encrypted

  • Decrypt using bagbak or frida-ios-dump

  • Search for hardcoded secrets in configs and binary strings

  • Inspect frameworks for internal APIs

  • Repack and resign IPAs for testing

  • Static IPA analysis is the foundation of deeper reverse engineering
