Hacking ifuse - iExplorer for Linux

April 2014
Su	Mo	Tu	We	Th	Fr	Sa
1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	_3_0

Sun Apr 8 16:23:57 UTC 2012

Hacking ifuse - iExplorer for Linux

For Windows and OS X, there is a tool named iExplorer that allows to view and modify an iPhone app's file system data.

The tool ifuse by the libimobiledevice project provides similar access.

Let's compare what the two tools show. First of all, iExplorer.

Its general view on a non-jailbroken iPhone is shown on a news article about Facebook and Dropbox apps. Apparently, one can see Media, as well as data views of each app, containing Documents, *.app, Library, tmp, and some iTunes metadata.

When we try with ifuse, we can get the Media folder too, but we will only get the Documents subfolder of apps. How come?

Source code of ifuse quickly tells why:

...
        case KEY_APPID_LONG:
                opts.appid = strdup(arg+7);
                opts.service_name = HOUSE_ARREST_SERVICE_NAME;
                res = 0;
                break;
...
        if (!strcmp(opts.service_name, HOUSE_ARREST_SERVICE_NAME)) {
...
                plist_free(dict);

                fuse_opt_add_arg(&args, "-omodules=subdir");
                fuse_opt_add_arg(&args, "-osubdir=Documents");
        }
...

So the restriction to see only the Documents subfolder (which, by the way, matches iTunes, and also is usually what the end user wants) is simply implemented by loading the subdir module of FUSE, and telling it to restrict the view to Documents.

Now we all know that we can just delete these two lines of code, and recompile ifuse, and be happy. I'll show you a simpler way.

# sed -e 's!-osubdir=Documents!-osubdir=././././.!g' < /usr/bin/ifuse > /usr/local/bin/ifuse-hacked
# chmod 755 /usr/local/bin/ifuse-hacked
# ^D
$ ideviceinstaller -l
...
my.com.pragmatic.My-Apps-Lite - My Apps Lite 1.1
...
$ ifuse-hacked --appid my.com.pragmatic.My-Apps-Lite ~/mnt
$ ls -la ~/mnt
drwxr-xr-x   6 me me   272 Mar 28 22:51 .
drwx------ 121 me me 12288 Apr  8 18:12 ..
drwxr-xr-x   2 me me    68 Mar 28 23:03 Documents
-rw-r--r--   1 me me 39156 Mar 28 22:51 iTunesArtwork
-rw-r--r--   1 me me  2498 Mar 28 22:51 iTunesMetadata.plist
drwxr-xr-x   6 me me   204 Mar 28 22:54 Library
drwxr-xr-x   7 me me  7650 Mar 28 22:51 My Apps Lite.app
drwxr-xr-x   2 me me    68 Apr  6 16:45 tmp

By the way...

There is another way to get at the same data without modifying ifuse:

$ ideviceinstaller -a my.com.pragmatic.My-Apps-Lite -o copy=/tmp -o remove
$ unzip -l /tmp/my.com.pragmatic.My-Apps-Lite.ipa

This article is a preparation for a following article about security of a certain set of iPhone apps. Stay tuned!

Posted by OpBaI | Permanent link | File under: ios

Secure Coding