Seeking a way to reverse-engineer an iOS app's Info.plist and programmatically obtain its sensitive-data permissions
Alright, let's walk through how to reverse-engineer an iOS app's Info.plist and programmatically pull out those sensitive permission requests you're after. I've broken this down into actionable steps and tools you can use:
How you get the Info.plist depends on whether the app is encrypted or not:
Unencrypted IPAs (Self-built or non-App Store apps)
IPAs are just zip files—unzip the file, navigate to the `Payload/[AppName].app` folder, and you’ll find Info.plist directly inside. To convert it to a readable format, use Apple’s built-in `plutil` command:

```bash
unzip your_app.ipa
plutil -convert xml1 Payload/YourApp.app/Info.plist -o -
```

This will print the XML version of the plist to your terminal.
Encrypted App Store Apps
Most apps downloaded from the App Store are encrypted. You’ll need to first "decrypt" (or "crack") the binary using a tool like `frida-ios-dump` (requires a jailbroken device). Here’s how:
- Install Frida on your jailbroken device and your computer.
- Run `dump.py -l` to list all installed apps on the device.
- Use `dump.py com.your.target.app` to dump the unencrypted IPA.
Once you have the decrypted IPA, follow the same steps as above to extract Info.plist.
Dynamic Extraction with Frida
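If you don’t want to deal with IPAs, you can pull the Info.plist directly from a running app using Frida. Run this script:

```javascript
// extract_info_plist.js
const mainBundle = ObjC.classes.NSBundle.mainBundle();
const infoDict = mainBundle.infoDictionary();
// infoDict is an ObjC.Object wrapping an NSDictionary; toString() returns its
// description, whereas JSON.stringify() would only serialize the object handle.
console.log("Info.plist content:", infoDict.toString());
```

Execute it with:

```bash
frida -U -n "TargetAppName" -l extract_info_plist.js
```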
iOS requires specific keys in Info.plist for every sensitive permission the app requests. You can automate scanning for these keys with scripts:
Python Script for Local Plist Files
Use Python’s built-in `plistlib` to parse the plist and extract permission descriptions:

```python
import plistlib

# Define all relevant permission keys (add more as needed)
PERMISSION_KEYS = [
    "NSLocationWhenInUseUsageDescription",
    "NSLocationAlwaysAndWhenInUseUsageDescription",
    "NSCameraUsageDescription",
    "NSPhotoLibraryUsageDescription",
    "NSMicrophoneUsageDescription",
    "NSContactsUsageDescription",
    "NSAppleMusicUsageDescription"
]

with open("Info.plist", "rb") as plist_file:
    plist_data = plistlib.load(plist_file)

print("Detected permission requests:")
for key in PERMISSION_KEYS:
    if key in plist_data:
        print(f"- {key}: {plist_data[key]}")
```

Frida Script for On-Device Analysis
Extend the earlier Frida script to filter only permission keys:

```javascript
const permissionKeys = [
  "NSLocationWhenInUseUsageDescription",
  "NSCameraUsageDescription",
  "NSPhotoLibraryUsageDescription",
  "NSMicrophoneUsageDescription"
];

const mainBundle = ObjC.classes.NSBundle.mainBundle();
const infoDict = mainBundle.infoDictionary();

console.log("App's permission requests:");
permissionKeys.forEach(key => {
  const desc = infoDict.objectForKey_(ObjC.classes.NSString.stringWithString_(key));
  if (desc) {
    console.log(`- ${key}: ${desc.toString()}`);
  }
});
```
If you want to check the current permission status (not just the requested permissions in Info.plist), iOS provides public APIs for each permission type:
- Location: Use `CLLocationManager.authorizationStatus()`
- Camera/Microphone: Use `AVCaptureDevice.authorizationStatus(for:)`
- Photos: Use `PHPhotoLibrary.authorizationStatus()`
- Contacts: Use `CNContactStore.authorizationStatus(for:)`
Note: These APIs only work for your own app on non-jailbroken devices. To access other apps’ permission statuses, you’ll need a jailbroken device and access to private frameworks (which is not recommended for production use).
- Encryption: Always remember that App Store apps are encrypted—you’ll need a jailbroken device to decrypt them.
- Sandbox Limits: Non-jailbroken devices block access to other apps’ containers, so you can only analyze your own app or IPAs you’ve obtained.
- Updated Keys: Apple regularly adds new permission keys (e.g., `NSFaceIDUsageDescription`), so keep your key list up-to-date.
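
An added example (not part of the original answer) that combines the local steps above: it reads Info.plist straight out of an IPA, accepts binary or XML plists, and matches any key ending in `UsageDescription` instead of a fixed list, so newly introduced keys are not missed. The function names, the 15-character threshold and the in-memory sample IPA are assumptions constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

APP_PLIST = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")  # main bundle only
USAGE_KEY = re.compile(r"^\w+UsageDescription$")  # heuristic suffix match (assumption)
MIN_LEN = 15  # assumed minimum length of a meaningful purpose string


def read_info_plist(ipa):
    """Return the main bundle's Info.plist as a dict (XML or binary plist)."""
    with zipfile.ZipFile(ipa) as zf:
        names = [n for n in zf.namelist() if APP_PLIST.match(n)]
        if len(names) != 1:
            raise ValueError(f"expected one app Info.plist, found {len(names)}")
        return plistlib.loads(zf.read(names[0]))


def audit_permissions(info):
    """Map each usage-description key to (text, findings)."""
    report = {}
    for key, value in sorted(info.items()):
        if not USAGE_KEY.match(key):
            continue
        text = value.strip() if isinstance(value, str) else ""
        findings = (["empty purpose string"] if not text else
                    ["purpose string too short"] if len(text) < MIN_LEN else [])
        report[key] = (text, findings)
    return report


def build_sample_ipa():
    """Constructed sample: in-memory IPA with a binary Info.plist."""
    info = {"CFBundleIdentifier": "com.example.sample",
            "NSCameraUsageDescription": "Scan QR codes to pair your device.",
            "NSFaceIDUsageDescription": "",
            "NSMotionUsageDescription": "Needed"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Sample.app/Info.plist",
                    plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/Sample.app/Frameworks/X.framework/Info.plist",
                    plistlib.dumps({"NSContactsUsageDescription": "x"}))
    return buf


if __name__ == "__main__":
    for key, (text, findings) in audit_permissions(read_info_plist(build_sample_ipa())).items():
        print(f"{key}: {text!r} -> {findings or 'ok'}")
```

Pass a path to a real IPA to `read_info_plist` in place of the sample; plists nested under `Frameworks/` are deliberately ignored so only the app's own declarations are reported.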
The question comes from Stack Exchange; it was asked by Maninder Singh.




