I'd like to analyze an iOS private framework API that broke a commonly used GitHub project called AppLister. Here's some info about the API:
Framework : MobileCoreServices.framework.
Class: LSApplicationWorkspace.
Method: allApplication.
Starting from iOS 11, this call returns an empty list unless the following entitlement is added to the application: com.apple.appstored.xpc.request
It seems like this API was closed in iOS 11 and you need this entitlement in order to use it.
Prior to reversing, I wish to understand the flow of entitlement verification in general and maybe get into some details.
From what I've found out so far, it looks like the app uses XPC to talk to a remote daemon that performs the actual verification, but I still have some black holes in this explanation.
1. Does the policy checker daemon also perform the method itself, or does it just return an allow/block verdict?
2. Does the flow involve kernel verification, or just user-space processes?
3. Is there a way to bypass this flow if I can only control the local process (not the checker, of course) by skipping the policy check phase and calling the API directly?
I'd be happy to hear some more about how this works, and whether I've missed something.