[AC-6334] App executable in backup

For one of my application, a company fo a penetration test. They discovered that app Executables is present in Backup. NOTE : the application app name is replace by [APP NAME] +This is the technical detail :+ The backup of the mobile phone contained the apps main executable. An attacker can use this file to reverse-engineer the functionalities of the mobile app. Backups are a common procedure, in order to guarantee the availability of information. It’s not only a critical process in many business-related contexts, but also in private life. Therefore, iOS gives the user the ability to create a local or a cloud based (iCloud) backup of the data present on the mobile phone. Several mechanisms can be applied by an iOS developer, to prevent a user from backing up data from the app’s context. iOS executables are usually delivered encrypted by Apple’s iOS app store. In order to prevent users from reverse-engineering the program flow and other functionalities. Thus, a user without a rooted phone wouldn’t be able to get an unencrypted version of the executable. During the observation of the created backup, several executables were discovered in the Documents folder as can be seen on the following screenshot. (see Figure 13) Figure 13 - Screenshot showing the content of the backed-up Documents folder https://drive.google.com/file/d/1_EDkPB_jfBAwJyHv0L8Hi6BUKmt2yyCP/view?usp=sharing The green marked file on the above screenshot marks the file [APP NAME].fid. This file was identified as a Mach-O 64-bit executable for arm64 processor as can be seen on the following output, issuing the file command:

$ file [APP NAME].fid
[APP NAME].fid: Mach-O 64-bit executable arm64

Since the main executable of the mobile app had a similar name, we performed a SHA message digest calculation in order to check if the files are identical.

$ shasum -a 256 [APP NAME].fid 36c4062bb3918818a87d08616ec742526693079ea40e32946534a387403f488b [APP NAME].fid

$ shasum -a 256 [APP NAME] 36c4062bb3918818a87d08616ec742526693079ea40e32946534a387403f488b [APP NAME]

When comparing the output of the above commands it was observed that indeed the files are identical. That means, that the main executable of the app is present unencrypted in the backup. The following screenshot shows exemplary an extract from Objective-C classes and methods retrieved during analysis of the decompiled binary. (see Figure 14) https://drive.google.com/file/d/1wA9suNKsNN5eIgAjdIYEWyWsOtqif8qU/view?usp=sharing Figure 14 - Exemplary screenshot objective-c classes and methods from decompiled Gluci-Chek.fid binary It is very uncommon that the apps executables are stored in the Documents directory. Therefore, we assumes that the reason is a misconfiguration. As can be seen on the previous example, giving the user the ability to backup the app’s executables, also empowers the user to reverse-engineer the program flow and maybe its secret functionalities and information. Recommendations we recommends checking the configuration in order to prevent the apps executables from being backed-up. + END OF technical detail :+ In native, this behavior is not present. Can we exclude the app executable with some configuration ? If it's not possible because of the way that Titanium works, can you confirm us this the technical detail please ? Thank you.