How to edit protected Mac OS X files? Changing game parameters using the example of Fieldrunners Mortal kombat ios by editing plist files

PLIST files are scattered all over your Mac, but it's entirely possible you'll never see them. This is bad, since PLIST files, in fact, provide one of the most direct routes to hacking. By following the guidelines in this recipe, you will master the power of these files.

PLIST is short for "property list", and editing files with this extension is the primary method of modifying Mac OS X (as well as some other operating systems). The format organizes data so that programs can access it, while remaining structured enough that users can create their own files of this type if needed. This short description, of course, says almost nothing, but describing PLIST files in detail is a complex and time-consuming task. If you are really interested in how PLIST files work, read the following documentation carefully: http://developer.apple.com/documentation/Darwin/Reference/Manpages/man_/plist._.html or launch the Terminal program and enter the following command: man plist.

When customizing your computer to suit your needs, the most common task is editing the PLIST files that store default values for program settings, from default colors to how programs react to certain actions. Typically, these files are located in the Library/Preferences folder in your home directory. In most cases, modifying these files is harmless and can unlock some rather unexpected functionality. If you accidentally damage a file while editing, you can simply move it to the Trash, and the next time you run the application a new file will be generated to replace it. Of course, you will then lose all the individual settings created for this program, so the best approach (as in all cases of hacking, if possible) is to create a backup copy of the file so that you can restore it later in case of problems.


There are many ways to access PLIST files. The fastest of these is from the Terminal program using the defaults command. Let's consider a simple example. Some programs can be configured to display the Debug menu (most iCal users know how useful this menu can be). Let's look at how iCal can be configured to add a Debug menu to the menu bar:

  1. Close the iCal app if necessary.
  2. Launch the Terminal program (Applications/Utilities/Terminal).
  3. When the prompt ($ symbol) appears on the screen, enter the following command: defaults write com.apple.iCal IncludeDebugMenu 1
  4. Restart the iCal app.

After the application window appears, you will see that a new Debug menu has appeared in it (Fig. 1.15).


The Terminal app is great when you know what needs to be changed. However, if you don't know this and are just looking to find out which settings to change, it won't be as useful. You will need a property list for this purpose. As mentioned at the beginning of this section, most PLIST files are usually found in the Library folder in your home directory. For a PLIST file containing iCal preferences, the path would be ~/Library/Preferences/com.apple.ical.plist. Once you find the file you want, open it with the Property List Editor. As mentioned, this editor is included with Xcode Tools and is installed in the /Developer/Applications folder. In addition, you can simply double-click on the desired file and it will be opened for editing (Fig. 1.16).


Once the file is open, you can edit any of its lines. Most of the lines have little practical value, but some of them have a clear meaning and allow you to edit the functionality of the application. For example, changing the numeric value in the delete todos after line from 30 to 60 will cause tasks accepted for execution to be kept for 60 days.

So, now you are armed with a command line and a program that allows you to edit PLIST files, experimenting with their settings. In addition, PLIST files can be edited with a regular text editor. In versions of Mac OS X earlier than Tiger, PLIST files could be directly opened by text editors, but these files are now stored in a binary format. To open a PLIST file with a text editor, you will need to convert it first. Which of the PLIST file conversion methods is the easiest? The Terminal application will come to the rescue again.

The PLIST file of the iCal application has already been studied well enough, so now let's try to modify the bookmarks of the Safari browser. The full path to the PLIST file with Safari bookmarks looks like this: ~/Library/Safari/Bookmarks.plist. First of all, let's create a backup copy of it (as is recommended in most cases). To do this, move the mouse cursor over the file, right-click and select the Duplicate command from the context menu. Now convert the copy using the following command line (the space in the file name must be escaped): $ plutil -convert xml1 ~/Library/Safari/Bookmarks\ copy.plist

In this case, the plutil command runs a property list conversion. The -convert xml1 switch tells plutil to convert the PLIST file to XML format, and the rest of the command line specifies the path to the file to be converted. After the command has completed, navigate to the folder using the Finder, hover over the file, right-click and select Open With → Other from the context menu, and then select TextEdit. The PLIST file converted to XML format looks quite readable (Figure 1.17).

Of course, PLIST files deserve much more careful study, but the necessary minimum information provided here will already allow you to start exploring them and experimenting with settings.
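The backup-then-edit workflow described above, as an added example that is not part of the original article: it detects whether a property list is binary or XML, keeps a backup, changes one value and writes the file back in its original format with its original permission bits. The file name and the key name `delete todos after` are constructed for the demonstration.

```python
import os
import plistlib
import shutil
import tempfile

BINARY_MAGIC = b"bplist00"  # first bytes of a binary property list


def plist_format(path):
    """Return plistlib.FMT_BINARY or plistlib.FMT_XML from the file header."""
    with open(path, "rb") as fh:
        head = fh.read(len(BINARY_MAGIC))
    return plistlib.FMT_BINARY if head == BINARY_MAGIC else plistlib.FMT_XML


def edit_plist(path, key, value):
    """Back up `path`, set `key` to `value`, and write the file back in its
    original format and with its original mode. Returns the backup path."""
    fmt = plist_format(path)
    backup = path + ".bak"
    shutil.copy2(path, backup)            # backup first, as the text advises

    with open(path, "rb") as fh:
        data = plistlib.load(fh)          # load() auto-detects XML vs binary
    data[key] = value

    # Write to a temp file in the same directory, then swap it in atomically,
    # so an interrupted write never leaves a truncated preferences file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            plistlib.dump(data, fh, fmt=fmt)
        shutil.copymode(path, tmp)        # keep the original permission bits
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return backup


def demo():
    """Run the workflow on a constructed binary plist in a scratch directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "com.example.demo.plist")   # constructed name
    with open(path, "wb") as fh:
        plistlib.dump({"delete todos after": 30}, fh, fmt=plistlib.FMT_BINARY)
    os.chmod(path, 0o600)

    backup = edit_plist(path, "delete todos after", 60)
    with open(path, "rb") as fh:
        new = plistlib.load(fh)
    with open(backup, "rb") as fh:
        old = plistlib.load(fh)
    return {
        "still_binary": plist_format(path) == plistlib.FMT_BINARY,
        "new": new["delete todos after"],
        "old": old["delete todos after"],
        "mode": oct(os.stat(path).st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```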

Probably every advanced user of Mac OS X has encountered plist files at least once in their life. Today I will tell readers about a very interesting and simple application for working with them called PlistEdit Pro.

For starters, a very short primer. A .plist (Property List) file is a simple XML file with application settings. This format is good because it is convenient and fast to use. Many application settings in such files are located in /Home/Library/Preferences, and their names usually consist of 4 parts: prefix.company.app.plist (for example, com.apple.iTunes.plist).

Most of these files can be opened in any text editor, but modifying them can be tricky. In this case, the PlistEdit Pro utility can be useful to us, which displays the “raw” text of the file as a list with three parameters: variable name (Key), data type (Class) and value (Value).

The application supports drag-n-drop, so individual variables or entire sections can be dragged with the mouse, without the need to manually rewrite the contents of the file. By the way, by choosing one of the types of displaying its content (binary, ASCII or XML), you can automatically view the changes in the lower part of the window. And if you add the code there "by hand", then it is synchronized with the upper XML tree.

I really liked the built-in file browser, with which viewing and editing a large number of settings of other applications becomes almost elementary. The program scans system directories and displays found plist files in a special window.

Also, PlistEdit Pro provides an advanced search with the ability to replace the found elements. You can narrow and expand the search range using a variety of criteria.

Other benefits of this app include:

  • Full history of changes.
  • Support for keyboard shortcuts for quick access to some features.
  • Integration with Xcode.
  • AppleScript support.

The only thing that, in my opinion, overshadows the impression of PlistEdit Pro is its price of $30.

Developer site: Fat Cat Software
Price: $29.95

The basis of any stable operating system is restricting access to the important files on which the operation of the computer depends, or simply "foolproofing". In Mac OS X, as in all other *nix systems, this protection is implemented through permissions, groups, and object owners. You can read about all this in the Mac OS X Terminal, and today we will talk not so much about protection, but about ways to overcome it.

Why is this needed? Sooner or later, any Mac user is faced with the need to edit something in the system settings or individual programs. Well, hackintosh owners face this need almost every day. How to get around the cunning system of assigning access rights in order to change something in the system solely for a good purpose?

The standard format for the settings of Mac OS X and its programs is PLIST. This is a plain text file that will open in TextEdit by default. Now imagine that you have opened such a file, made all the necessary changes and now want to save it. No such luck! You will see this error:

You have only one option - save the file somewhere else. But this is a very, very bad option. First, you will not be able to copy this file to its original folder later. The system will simply not let you overwrite the existing file (and it will be right). Well, if you delete the old file and only then copy the edited copy to the same folder, it will be copied, but access rights will be violated. And this threatens you with the most mysterious and unpredictable glitches.

That is why we will consider several other options.

1) Editing via Terminal

The terminal gives the user the ability to perform actions on behalf of the root administrator. And this means that every file on the computer will be subject to you. Hopefully there is no point in warning you about the dangers of having such power ;)

The Terminal itself has several built-in editing tools, such as the commands nano and vi. Using them is easy. First you need to acquire root administrator rights. Enter the command:

Then type the password (nothing is shown on screen as you type) and press Enter.

Now it is enough to enter:

nano file path

For example:

nano /Library/Preferences/SystemConfiguration/com.apple.Boot.plist

Or you can type nano followed by a space, and then drag and drop the edited file into the Terminal window. It remains to press Enter. Working with the vi command is carried out in exactly the same way.

But editing a file in this mode is no great pleasure. Judge for yourself: there is no mouse control here, and even the cursor has to be moved from the keyboard.

Helpful Hint: To exit nano, close the Terminal or press Ctrl+X on your keyboard.

2) Launching a text editor with administrator rights

The second way is more elegant. It will allow you to use the usual Mac OS X programs to edit text, but run as administrator. In this case, no access rights errors will occur.

Launch Terminal, type sudo -s and the password. Then you will need to enter a cumbersome command like:

/Applications/TextEdit.app/Contents/MacOS/TextEdit

Note: through the Terminal, you need to run not the program itself (i.e. the TextEdit.app file), but its binary, hidden inside the program, in the subfolder Contents/MacOS.

After that, TextEdit will be able to work perfectly with any files, but only until the program is closed for the first time.

3) Third party specialized programs

We can't help but recommend the text editor. This is an advanced version of TextMate that was made with programmers in mind, but will be useful on every Mac (and even more so on a hackintosh). At your service are visual text formatting, support for a variety of encodings, and most importantly, support for working with protected files without additional tricks in the Terminal.

When you save a protected file, TextMate will prompt you to enter a password, and will save all changes without any problems.

However, the price is clearly not TextMate's strong point. After the end of the 30-day trial, you will be asked for 39 euros. The developers justify this by pointing to the huge number of built-in modules for processing various scripts and programming languages:

But why would an ordinary user need them? If the price does not scare you away, then you can download TextMate from the link below.

You did a good job and here is your app in the App Store!

  • Store user accounts?
  • Do you use in-app purchases?
  • Don't want to show off your know-how?
An occasion to think about code and data security! We will look for vulnerabilities in the test application. In this article we will talk about data security, and in the next one we will move on to the code.

Disclaimer

The goal of this lesson is not to make you a hacker, but to show how attackers can twist you around their finger. The article omits some information needed to hack a real application on a device. We will torment the simulator (by the way, this even seems to be legal).

Disclaimer from the translator: a lot of "water" and references to Hollywood have been removed from the original text (and so long). A number of key clarifications have been added.

So

No application is safe! If someone really wants to find vulnerabilities in your application, they will find them. There is no guaranteed way to prevent an attack, other than not releasing the application. But there are great ways to thwart burglars. (According to the author, they will get bored and go looking for easier prey, yeah. - Translator's note.)

Let's get started

We will need:
1. class-dump-z utility;
2. Proxy for debugging over the network, for example, Charles (the trial version has annoying messages and works for a maximum of 30 minutes in 1 session). In the comments to the source of the article, an alternative to Charles is advised: Burp Suite.

To help you get creative in the process, I offer you a scenario. Imagine: there is a new application for the iPad, "Meme Collector". Everyone likes it. But it has been whispered in your ear that in-app purchases will drain you of a significant amount of money.

In general, you decided to get paid content (memes) for free. There are several directions where you can move, we will talk about them - and about the corresponding methods of protection.

A little simplification

Due to the length of this tutorial, we initially made some simplifications in the test project. For example, "purchasing" game currency is not a real in-app purchase, but a fake request to StoreKit (everything happens locally on the device).

What is what? "Map" of the application (application mapping)

Let's take a bird's eye view of the app! What does it do, from the user's point of view? What is its main structure?

The keychain "ups the stakes" for a hacker. Attackers will not be able to steal anything if the device is locked.

However, don't rely entirely on Keychain Access alone! Here's why. Keychain Access is supported by Apple. (Well, you already understood everything, right?) The information in it is encrypted with the user's password, which is usually a simple 4-digit numeric code. This means that a brute force attack will take about twenty minutes. Having learned the password, it is easy to dump the entire keychain.

  • Encrypt your data! The keychain seems to be secure, but it is a priority target for hackers, so it is broken in the first place. (There is nothing to say about jailbroken devices at all - there are utilities for them that show the contents of the Keychain.) Make life difficult for hackers at least a little: encrypt data with CommonCrypto API, which is part of the standard Security Framework (example).
  • Do not write the encryption key in the application. A long string in the data section is of potential interest to a hacker. And in general: if the private key is hard-coded in the application, an attacker can publish it online, compromising the data of all users of the application! Be sure to generate a unique encryption key on each device.
  • Control the code! Specifically, watch out for a hacker's ability to use your code for their own purposes. Your encryption/decryption method may be the best solution. But hackers will take the debugger and apply your decryption method to your encrypted data. You will see it in the second part of this tutorial (next post).
  • Does it really need to be stored? Since an attacker can search, modify and execute your binaries - just ask yourself: does this information really need to be stored on the device?
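The per-device key advice above, as an added example that is not part of the original article. Python's standard library has no AES, so instead of encryption it uses an HMAC-SHA256 integrity tag over a stored plist record; the record, the key handling and the hard-coded key are constructed, and in a real iOS app the device key would live in the keychain rather than in a variable.

```python
import hashlib
import hmac
import plistlib
import secrets

# Anti-pattern, constructed: the same bytes ship inside every copy of the app.
HARDCODED_KEY = b"identical-in-every-shipped-binary"


def new_device_key():
    """Generate a random 256-bit key once per install (assumed to be kept in
    the keychain, not next to the data it protects)."""
    return secrets.token_bytes(32)


def seal(record, key):
    """Serialize `record` and attach an HMAC-SHA256 tag computed with `key`."""
    body = plistlib.dumps(record, fmt=plistlib.FMT_XML, sort_keys=True)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return plistlib.dumps({"body": body, "tag": tag}, fmt=plistlib.FMT_BINARY)


def unseal(blob, key):
    """Return the record if its tag verifies under `key`, otherwise None."""
    try:
        outer = plistlib.loads(blob)
        body, tag = outer["body"], outer["tag"]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None
        return plistlib.loads(body)
    except Exception:
        # Any parse or type error on untrusted input means "reject".
        return None


def demo():
    key_a, key_b = new_device_key(), new_device_key()
    blob = seal({"coins": 50}, key_a)

    # The stored value is edited on disk, but the tag cannot be recomputed
    # without the device key.
    outer = plistlib.loads(blob)
    outer["body"] = outer["body"].replace(b"<integer>50<", b"<integer>99999<")
    edited = plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)

    # With one key for all installs, a record sealed once verifies everywhere.
    shared = seal({"coins": 99999}, HARDCODED_KEY)
    return {
        "owner_reads": unseal(blob, key_a),
        "edited_rejected": unseal(edited, key_a) is None,
        "other_device_rejected": unseal(blob, key_b) is None,
        "hardcoded_accepted_on_any_install": unseal(shared, HARDCODED_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

As the "Control the code!" item says, a tag like this only raises the cost of editing stored data: code running with access to the key can still produce valid records.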

Network: penetration testing

Hackers also like to watch how an application interacts with the network. The dumbest way to see if any networking is happening on a device is to look for URLs in a binary.

In the bundle folder (Meme Collector.app), type in the terminal:

strings "Meme Collector"
Wait, so many! The strings command walks through the sections of the binary and outputs all string-like data items. Let's filter out the noise:

strings "Meme Collector" | grep http
Well, here's one line:

http://version1.api.memegenerator.net/Generator_Select_ByUrlNameOrGeneratorID
It seems that at some point the application accesses the meme generator using this url. As a hacker, you'd like to investigate this matter further by examining the application's network traffic. To do this, we need a network monitor that intercepts all incoming and outgoing requests.

Charles mentioned at the beginning of the article - a good option for such research. Download it if you haven't already. Install and run.

Check that Charles is catching network traffic from the iOS simulator (by launching Maps, or by typing a URL in Safari). You will see the network requests appear in Charles. If they don't, make sure the checkbox in the menu Proxy > Mac OS X Proxy is checked.

By the way, Charles is great at intercepting SSL traffic.

We won't do that because we didn't see the HTTPS URLs in the output of the strings command. But this step will be required for other applications that can use HTTPS. On the menu Proxy > Proxy Settings… > SSL you need to enable SSL proxy and add domains for which you want to intercept (and decrypt) HTTPS traffic. Until you do this, SSL will look something like this:


With Charles running, restart Meme Collector. Upon launch, you should see three requests to version1.api.memegenerator.net by clicking on the triangle to the left of the url (see below). Three requests will be opened, differing in GET parameters. For example, the first one has one GET parameter: urlName=Foul-Bachelor-Frog - this can be seen on the Request tab.

Select the Response tab and then JSON at the bottom. The server response, decoded from JSON, is presented in the form of a beautiful table:

We see here a lot of key-value lines: title (displayName), description (description), image URL (imageUrl). In general, this is information about the Foul Bachelor Frog meme type from the GET parameter.

It looks like what we saw in the app, right? The other two images were less fortunate this time: they never received a response from the server (Charles reports this on the Overview tab) and therefore did not appear in the application.

And I don't see pictures being requested at all!

When restarting, pictures can be taken from the simulator's cache, Charles does not know this. Clear the cache and restart the app.

rm -R Library/Caches/

So, with a certain degree of probability, we conclude: the application takes memes from this API and presents them as paid content. But what if you try to change the URL in order to acquire some new content other than these three memes? It doesn't look like there's a check to see if the application is really getting what the developer expected from the server!

Are you tired of these three memes? Let's see if it's possible to display and "buy" something new, say "Success Kid".

Select Charles from the menu: Tools > Rewrite. This function allows you to intercept incoming / outgoing requests and modify them according to the rules that you set. Turn on the checkbox Enable Rewrite. Rules are grouped into "sets" (Sets). Under the Sets list, click Add to add a new set of rules. Optionally, rename (Name). We have created a set of rules, but it is still empty. Let's add a rule - in the section rules there is a button Add, press it.

The Rewrite Rule window opens. Change type to "Modify Query Param" and fill in the two fields:

  • Match > Name: urlName
  • Replace > Value: success-kid

Click OK, OK. Restart the application... Success! We may purchase content that was not previously available.

Interesting: There is a specific price for this new meme. Where? The application had to somehow determine the cost based on the JSON response.

Open the Response tab and look at the JSON returned by the server. What can determine the value of a price?

Try to find JSON keys that can determine the cost of the meme in the application. Maybe it's generatorID, totalVotesScore, instancesCount, templatesCount, or ranking. As an exercise for you: find the key that influences the value of the meme.

To do this, go to Proxy > Breakpoints. Click Enable Breakpoints and press Add to add a new breakpoint. The Edit breakpoint window will appear, enter the following data in it:

  • protocol: http
  • Host: version1.api.memegenerator.net
  • Response option enabled

Now restart the application. As soon as we receive a response from the server, a breakpoint will be triggered. When it does, click on the Edit Response tab, select JSON at the bottom:

Here you can manually modify the JSON response that will go to the application. Play around with these options and try to determine which keys affect the price displayed in the app. After modifying the JSON response, click Execute to submit the response. The application makes three requests to the API, so you will need to press Execute three times.

Important: act quickly! AFNetworking has a timeout of 30 seconds. If you intercepted the response but didn't have time to make changes, AFNetworking will return a request timeout error and execute the appropriate handler in the code (which in this case does nothing). If you run out of time, restart the app and try again.
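The missing check that the Rewrite and Breakpoints experiments rely on, as an added example that is not part of the original article or of the test application. It assumes the response echoes the item's urlName next to the keys listed above; the catalogue entries other than Foul-Bachelor-Frog, all prices and the sample response bodies are constructed.

```python
import json

# What the store sells and for how much, fixed by the developer. The first
# name is the urlName from the article; the rest and all prices are constructed.
CATALOGUE = {
    "Foul-Bachelor-Frog": 100,
    "Example-Meme-B": 150,
    "Example-Meme-C": 200,
}
REQUIRED = {"urlName": str, "displayName": str, "imageUrl": str}


class ResponseRejected(Exception):
    """The response is not what the app asked for or expected."""


def accept_meme(requested_name, raw_body):
    """Validate a response for `requested_name` and return the item to show.
    The price always comes from CATALOGUE, never from response fields such as
    generatorID, totalVotesScore, instancesCount, templatesCount or ranking."""
    if requested_name not in CATALOGUE:
        raise ResponseRejected("item is not in the catalogue")
    try:
        obj = json.loads(raw_body)
    except ValueError as exc:            # JSONDecodeError / UnicodeDecodeError
        raise ResponseRejected("body is not valid JSON") from exc
    if not isinstance(obj, dict):
        raise ResponseRejected("body is not a JSON object")
    for key, typ in REQUIRED.items():
        if not isinstance(obj.get(key), typ):
            raise ResponseRejected("missing or mistyped key: " + key)
    # Bind the response to the request: a query parameter rewritten in
    # transit yields a response about a different item.
    if obj["urlName"].casefold() != requested_name.casefold():
        raise ResponseRejected("response describes a different item")
    return {
        "urlName": requested_name,
        "displayName": obj["displayName"][:80],
        "imageUrl": obj["imageUrl"],
        "price": CATALOGUE[requested_name],
    }


def _body(**overrides):
    """Build a constructed sample response body."""
    base = {"urlName": "Foul-Bachelor-Frog", "displayName": "Foul Bachelor Frog",
            "imageUrl": "http://example.invalid/frog.jpg", "generatorID": 1,
            "totalVotesScore": 10, "instancesCount": 20, "templatesCount": 1,
            "ranking": 5}
    base.update(overrides)
    return json.dumps(base)


def demo():
    ok = accept_meme("Foul-Bachelor-Frog", _body())
    edited = accept_meme("Foul-Bachelor-Frog",
                         _body(ranking=999999, totalVotesScore=0))
    try:
        accept_meme("Foul-Bachelor-Frog",
                    _body(urlName="success-kid", displayName="Success Kid"))
        swapped = "accepted"
    except ResponseRejected as exc:
        swapped = str(exc)
    return {"price": ok["price"], "price_after_edit": edited["price"],
            "swapped": swapped}


if __name__ == "__main__":
    print(demo())
```

These checks only limit what an altered response can change; establishing that the response really came from the server requires an authenticated channel such as pinned TLS or a server-side signature.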

What's next?

You discovered your hacking abilities and performed the simplest penetration tests on the example of the file system and networking of a particular application. You've beaten simple plists and can even modify server responses.

Perhaps this knowledge will increase the security of your iOS application ... a little. In the next part, we will delve much further into the bowels of the application, we will change its functionality! In the meantime, while you wait for me to post the translation (until next Friday), there are many things you can try on the topic of storing data in the application:


I want to edit Info.plist for TextEdit. (Here's why.) I'm using OS 10.7 and I have Xcode installed. But every time I try to edit the file it gets blocked and I can't save my changes.

If I try to save it using XCode, XCode asks if I want to unlock it. I say "Unlock" but then the error message comes up: "The file "Info.plist" could not be unlocked." It says it's because I don't own it.

If I open Info.plist with vi in the Terminal (vi Info.plist), I can't save the changes, even using :w!, Error E212: Can't open file for writing.

How can I make changes to the Info.plist of a TextEdit file?

Answers

Jan S.

Before doing this, make sure there are no instances of TextEdit running on your system.

Using Finder

Select the plist file in Finder and do File > Get Info. At the bottom of the file information window, you will see a section "Sharing and Permissions". You want to make sure you're on that list and have Read & Write access to the file.

Before you can add yourself to the permissions of a file, you will need to unlock it. Click on the little padlock icon (1) in the bottom right corner and enter your password. If you are not an administrator of this computer, you will not be able to complete this step.

Once the file is unlocked, you can change the permissions to Read & Write . If you are not shown in the list of people who can access the file, click the + button below the list and look for the Users & Groups pop-up list.

Changes are applied to the file as soon as you make them in the File Info window.

You should now be able to open, edit and save these changes to a file.

Using the command line

Open a terminal window.

Navigate to the location where the plist file is located:

cd ~/Library/Preferences/

Change the owner and permissions of the file so you can read and write it:

sudo chown $USER aomDSP.plist
sudo chmod u+w aomDSP.plist

You probably don't need sudo during the second call, but it can't hurt. To do this, you will need administrator access to the machine.

KatieK

The "Finder" instruction worked for me - thanks!

user495470

TextEdit and other applications that use autosave also need permissions to write to the directory where the file is located.

jzadra

The Finder instructions didn't work for me - when I went to add a user or edit permissions for everyone, it said "The operation cannot be completed because you don't have the required permissions." My account is an administrator account. The command line also states that the operation is not allowed.

Jan S. ♦

@jzadra if it's greyed out, it assumes the account you're trying to do this with does not have administrator rights.

Before

If you want to edit a file (as you described above), you don't have to unlock it. If you're good with the command line, you can edit the file using the command line tools provided by Apple. Add commands with sudo to get the necessary permissions to modify the file (you will need to enter the administrator password).

Namely, these are the defaults and PlistBuddy programs (run as sudo /usr/libexec/PlistBuddy). While defaults is a more direct way to modify a file, PlistBuddy has an interactive mode that allows you to preview changes before saving.