In the past couple months I built out scraping for Android apps which downloads, decompiles, scrapes the `AndroidManifest.xml` then analyzes the Android app for known 3rd party ad networks or trackers.
I enjoyed this a lot, but the other half of the equation, iOS remained elusive. I was surprised how much more difficult this turned out so I’ll document a bit of what I did in case it helps anyone else.
How to tell which 3rd party ad networks or trackers are in Apple iOS apps?
First, what is the most analogous file I could find to AndroidManifest? Turns out this is the Info.plist but the similarities with AndroidManifest don’t go far. In terms of 3rd party integrations, it does not seem like most make an appearance in the Info.plist so I guess I might need to dig further.
Next, my challenge was where to download files from. In the end, I decided to go ahead and try downloading from the iTunes store directly. The downside of this is that I will be using a personal iTunes account, though I don’t use Apple as a daily driver, it’s still a risk that they block/ban the account. I tried searching for whether this was possible, but didn’t find too much.
Downloading ipa files
After some trial and error with other tools, I found the open source ipatool which has a CLI interface. It requires authenticating with the email and password of your account, as well as some 2FA text messages to the related phone number.
The first issue I hit was that despite having entered an email, a phone number AND a credit card already for this account (#ApplePrivacy) I still needed to accept a license agreement via iTunes. Luckily, I was able to find this blog article for how to download IPA files for Windows by using an old version of iTunes (because of course Apple now blocks this in the newer versions). In the end I was able to get that older version of iTunes working on Linux with Wine and was able to accept the license agreement and download IPAs. This then made it so I could also use the CLI ipatool as well.
Now that CLI ipatool is working I am able to download IPA files and start doing more investigation