Is your iOS app safe? (Extracting bundle resources, images, plists, video, audio, text files, etc. from any iOS app .ipa file.)
It comes down to three steps that need no tools, no cracking, no IDE, nothing. Before going through them, one thing should be clear: this post is published to make developers aware of the risk of putting sensitive data or resources directly in the app bundle.
Recently I was testing one of the apps I work on for security threats and stumbled upon this troubling situation. While developing apps, hardly anyone thinks about resources like images and plist files being exposed. But the truth is that they already are, and most developers don't know it.
You should be concerned if you store files in the bundle: .plist files, .txt files, images, lists of API endpoints, etc. Everything you simply drag and drop into your project bundle can be extracted with no effort. I tested this on a number of apps; since I don't want to reveal their identity for obvious reasons, I will only say that they came from various domains (search, instant messaging, social networking) and that I could easily obtain the images they use, their API endpoints, their audio resources and the data in their .plist files.
All this was done with the steps below:
Step 1. Download the .ipa for the app you want to test.
Step 2. Change the extension from .ipa to .zip and extract the archive (an .ipa is an ordinary zip file, so any unzip tool opens it as-is).
Step 3. Browse the extracted folder, where the app's files sit under Payload/<AppName>.app, and look at the resources you find.
Steps to secure your app:
1. Keep images in an asset catalog (Assets.xcassets). Xcode compiles the catalog into a single Assets.car file instead of shipping loose PNGs, so the images no longer show up when someone browses the extracted bundle. Note that this is obscurity, not protection: Assets.car can be unpacked with freely available tools, so treat every image you ship as public.
2. DO NOT ship tokens, key secrets, signing headers or other credentials in .txt or .plist files, or in any other bundle resource. Static data and API URLs in a plist are not secrets in themselves, since anyone can see them on the wire, but they still tell an attacker exactly where to aim.
3. Moving those values into .swift or .h files does not hide them either; they end up as literal strings in the compiled binary inside the .app folder, where `strings` or a disassembler recovers them. An App Store build has its code segment FairPlay-encrypted, but developer, ad hoc and enterprise builds are not, anyone with a jailbroken device can dump the decrypted binary, and the resources next to the binary are never encrypted. The only reliable fix is not to ship long-lived secrets in the app at all: keep third-party API keys on your own backend, have the app authenticate the user and obtain short-lived tokens at runtime, store those in the Keychain, and treat everything the client sends as untrusted.
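The three extraction steps above, and the point that secrets written into source files are just as exposed once the binary is in the bundle, can be shown in one script. This is an added example written for this page, not code from the original post: it builds a constructed .ipa in memory for a fictional "Demo" app (the file names, the `tok_...` token and the `client_secret=...` string are all made up), then does what Step 2 and Step 3 do by hand, decoding every plist with the standard-library `plistlib` and scanning every file, the fake Mach-O binary included, for URLs and secret-looking strings.

```python
"""Triage what an iOS .ipa leaks, as an added example (not the post's code).

An .ipa is a plain zip archive; everything the developer dragged into the
Xcode project sits under Payload/<Name>.app/ next to the compiled binary.
The sample .ipa below is constructed in memory so the script runs offline.
"""
import io
import plistlib
import re
import zipfile

# Patterns worth flagging in bundle files and in the binary's string table:
# URLs, name=value pairs with secret-looking names, long opaque strings.
# NUL is excluded so a match stops at the end of a C string in the binary.
SECRET_PATTERNS = [
    re.compile(rb"https?://[^\s\"'<>\x00]+"),
    re.compile(rb"(?i)\w*(?:api[_-]?key|secret|token|password)\s*[:=]\s*[^\s\"'<>\x00]+"),
    re.compile(rb"[A-Za-z0-9_\-]{32,}"),
]


def build_sample_ipa() -> bytes:
    """Constructed .ipa for a fictional 'Demo' app showing the usual leaks."""
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleName": "Demo"}
    config = {"api_url": "https://api.example.com/v1",
              "api_token": "tok_0123456789abcdef0123456789abcdef"}
    # Stand-in for the compiled Mach-O: magic bytes, padding, and the literal
    # strings the compiler keeps in __TEXT,__cstring when a secret is written
    # into a .swift/.h file. `strings Demo` would print them just the same.
    binary = (b"\xcf\xfa\xed\xfe" + b"\x00" * 64
              + b"https://api.example.com/v1\x00"
              + b"client_secret=shh_its_in_the_swift_file\x00"
              + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Demo.app/Config.plist", plistlib.dumps(config))  # XML
        z.writestr("Payload/Demo.app/endpoints.txt", "GET /v1/users\nPOST /v1/login\n")
        z.writestr("Payload/Demo.app/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("Payload/Demo.app/Demo", binary)
    return buf.getvalue()


def _plist_strings(obj):
    """Yield every key and string value in a decoded plist, recursively."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _plist_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _plist_strings(value)
    elif isinstance(obj, str):
        yield obj


def _scan(data: bytes) -> list:
    """Return the sorted, de-duplicated matches of SECRET_PATTERNS in data."""
    hits = set()
    for pattern in SECRET_PATTERNS:
        hits.update(m.group(0).decode("latin-1") for m in pattern.finditer(data))
    return sorted(hits)


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Steps 2 and 3 of the post, automated.

    Returns {"files": [...], "plists": {path: decoded}, "hits": {path: [...]}}.
    Binary and XML plists are decoded with plistlib and scanned by value;
    every other file (the Mach-O included) is scanned byte for byte.
    """
    report = {"files": [], "plists": {}, "hits": {}}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("Payload/") or name.endswith("/"):
                continue
            data = z.read(name)
            report["files"].append(name)
            if name.endswith(".plist"):
                try:
                    decoded = plistlib.loads(data)
                except plistlib.InvalidFileException:
                    decoded = None
                if decoded is not None:
                    report["plists"][name] = decoded
                    data = "\n".join(_plist_strings(decoded)).encode("utf-8")
            hits = _scan(data)
            if hits:
                report["hits"][name] = hits
    return report


def inspect_ipa_file(path: str) -> dict:
    """Same, for an .ipa on disk (no renaming to .zip needed)."""
    with open(path, "rb") as f:
        return inspect_ipa(f.read())


if __name__ == "__main__":
    report = inspect_ipa(build_sample_ipa())
    for name in report["files"]:
        print(name)
        for hit in report["hits"].get(name, []):
            print("    LEAK:", hit)
```

Point `inspect_ipa_file` at a real .ipa to run the same triage against your own build. Two things to keep in mind when reading the output: `plistlib` decodes binary plists the way `plutil -p` does on a Mac, so a plist being "binary" is no protection; and the hits reported for the `Demo` binary are the same strings the compiler emits for literals in .swift or .h files, which is why tip 3 above does not make them disappear. For a binary taken from the App Store the code segment is FairPlay-encrypted and this naive byte scan would miss most strings until the app has been decrypted, but the plists and other resources next to it are never encrypted.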
Try this on your own app and see whether you find the same issues; suggestions and other observations are welcome in the comments. Share this if you find it informative.
Mobile Developer (6 years ago): Thanks!