macOS apps table does not include iOS and iPad apps
Bug report
The new M1 Macs can install iOS and iPad apps. But these don't appear in our apps table.
I suspect this because they don't appear in the LaunchServices api calls we use to enumerate them. Not sure if that will change.
https://github.com/osquery/osquery/blob/master/osquery/tables/system/darwin/apps.mm#L220-L250
This is actually kind of interesting to me and kind of cool. I assumed that osquery just enumerated common app paths and parsed the Info.plist files. That's cool, there's an API. Though it looks like this API is not reliable or consistent(?); there is an old issue #2868 that is kind of similar to this bug.
I know osquery prefers(?) to use the system APIs for a lot of its data; perhaps in this case a hybrid approach could be better?
Ex: manually enumerate common app paths, and then use the API to try to get the rest. Though even that won't be perfect, I think? I was also researching/playing around with LaunchServices/lsregister and it looks like it's kind of easy to hide apps from osquery? ex:
osquery> select name,path from apps where name = 'Wireshark.app';
+---------------+-----------------------------+
| name | path |
+---------------+-----------------------------+
| Wireshark.app | /Applications/Wireshark.app |
+---------------+-----------------------------+
it looks like a user can hide apps from osquery by simply using lsregister and removing it from launchservices?
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -R -f -u /Applications/Wireshark.app
osquery> select name,path from apps where name = 'Wireshark.app';
osquery>
Although in the Wireshark example, launching the app seems to add it back to LaunchServices, but I'm not sure if that's a feature of the Wireshark app, Finder, or macOS or something. Is it possible for malicious/PUA apps not to register to LaunchServices? (I don't know, I'm not a Mac expert.)
Again, I thought this was kind of cool and an interesting bug; I didn't realize that osquery was using LaunchServices.
I don't have an M1 Mac, but from some quick searches it seems iOS apps are installed to /Applications?
it looks like a user can hide apps from osquery by simply using lsregister and removing it from launchservices?
Worth noting that crawling disk won't help unhide that. Applications are commonly in a handful of known paths, but they can live anywhere. And osquery should not crawl all of disk.
Thinking about it, it starts to be semantic... If an application isn't registered with launch services, is it still an application? Or just a binary?
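An added osquery query (not from the osquery project or any commenter in this thread) that gives a defender a quick cross-check for the gap discussed above: it lists .app bundles sitting in the well-known application directories that the LaunchServices-backed apps table does not report, whether because they were never registered, were unregistered with lsregister, or are iOS/iPad apps the API does not enumerate. It assumes the standard osquery file and apps tables and, since the file table may return directory paths with a trailing slash, normalizes the path with rtrim before joining. It only covers the known paths, so it does not find bundles living elsewhere on disk.

```sql
-- Added example: app bundles on disk in known application folders that are
-- absent from the LaunchServices-backed apps table.
-- Assumptions: osquery 'file' and 'apps' tables; the file table lists
-- directories, possibly with a trailing '/', so the path is normalized.
SELECT
  rtrim(f.path, '/') AS bundle_path,
  f.mtime            AS bundle_mtime
FROM file f
LEFT JOIN apps a
  ON a.path = rtrim(f.path, '/')
WHERE (f.path LIKE '/Applications/%'
       OR f.path LIKE '/Users/%/Applications/%')
  AND f.type = 'directory'
  AND rtrim(f.path, '/') LIKE '%.app'
  AND a.path IS NULL;
```

Running this in osqueryi right after the lsregister -u step shown above should surface /Applications/Wireshark.app, and a scheduled version of it makes a reasonable alert source for bundles that silently drop out of the apps table.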
It feels like this and #2868 are due to apps which are present in a path that osquery doesn't scan. (This is what I am assuming from the data I have until now.)
Let me check if there are paths other than the ones osquery scans for apps that we are missing. I don't think there could be, but let's be 100% sure of this.
As discussed, osquery is not scanning a path. It's using the underlying system API.
I updated the other issue with my theory on this table: that because it relies on the LaunchServices API to quickly deliver a list of apps, it only includes apps registered to the Launch Services database for that user and thus might produce different results depending on whether it's run by root or by the standard user. Could osquery list iOS apps when running as root, or when running as standard user, or neither?
@directionless from my understanding, you can only install iOS and iPad apps using the macOS App Store? And it installs things to /Applications owned by root? Which then might not appear in the user's Launch Services database until they've run those apps, or maybe they just never get registered to the LaunchServices database because they are not native macOS apps, and have to be run through the subsystem called RunningBoard. If osquery doesn't get the iOS apps in its table, what about /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump, that's a more complete dump of the LaunchServices database. Does that list them?
In the Wireshark example, launching the app seems to add it back to LaunchServices, but I'm not sure if that's a feature of the Wireshark app, Finder, or macOS or something.
That's a feature of macOS and LaunchServices.
Is it possible for malicious/PUA apps not to register to LaunchServices? (I don't know, I'm not a Mac expert.)
Hypothetically speaking, they could probably unregister themselves from LaunchServices every time they run. LaunchServices's database of registered applications is similar to an MRU list, protected at the same security level as user-owned files.