I played the Belkasoft CTF recently (writeup coming soon) and, as part of it, one of the questions involved the app Splitwise. I've used this app in the past for personal usage, so I figured that now that I have a file system dump from the competition, I can take a peek at what we can parse. If you're not familiar with Splitwise, it is a free tool for people to track bills and other shared expenses.
The main file of interest is called database.sqlite (not a very unique name, so be careful when analyzing) and can be found at path:
private\var\mobile\Containers\Data\Application\<BUNDLE_GUID>\Library\Application Support\database.sqlite*
The table schema has a handful of useful tables:
Figure 1: Splitwise database.sqlite table schema
The tables of interest include:
- SWBalance - total balances with other friends
- SWExpense - expense added with descriptions and costs, as well as payments
- SWExpenseMember - list of expenses with the shares that a person paid or owes
- SWFriendship - list of friends (just IDs) with some relevant timestamps
- SWGroup - list of groups that the phone owner is part of
- SWGroupMember - list of people (IDs) and the associated groups they are part of
- SWNotification - sort of timeline of activities across groups and expenses
- SWPerson - details about the individual friends including names and email addresses
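Because database.sqlite is such a common file name, one way to confirm that a candidate file is the Splitwise one is to fingerprint it by the tables listed above and profile what it holds. This is an added example, not iLEAPP's code; the function names, the MIN_MATCH threshold and the demo columns are assumptions made for illustration.

```python
import sqlite3
from pathlib import Path

# Table names taken from the list above; no column names are assumed.
SPLITWISE_TABLES = ("SWBalance", "SWExpense", "SWExpenseMember", "SWFriendship",
                    "SWGroup", "SWGroupMember", "SWNotification", "SWPerson")
MIN_MATCH = 6  # assumption: tolerate a couple of missing tables across app versions


def profile_splitwise_db(path):
    """Return {table: {"columns": [...], "rows": n}} if the file looks like
    Splitwise's database.sqlite, else None. Opens the file read-only."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        con = sqlite3.connect(uri, uri=True)
    except sqlite3.Error:  # missing or unreadable file
        return None
    try:
        present = {r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        found = [t for t in SPLITWISE_TABLES if t in present]
        if len(found) < MIN_MATCH:
            return None
        profile = {}
        for t in found:  # names come from the fixed tuple above, safe to interpolate
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            rows = con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            profile[t] = {"columns": cols, "rows": rows}
        return profile
    except sqlite3.DatabaseError:  # not an SQLite file, or corrupt
        return None
    finally:
        con.close()


def build_constructed_db(path, tables):
    """Demo helper: create a throwaway DB. Columns here are invented."""
    con = sqlite3.connect(path)
    for t in tables:
        con.execute(f'CREATE TABLE "{t}" (demo_id INTEGER PRIMARY KEY, demo_note TEXT)')
        con.execute(f'INSERT INTO "{t}" (demo_note) VALUES (?)', ("constructed row",))
    con.commit()
    con.close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_constructed_db(f"{d}/database.sqlite", SPLITWISE_TABLES)
        for table, info in profile_splitwise_db(f"{d}/database.sqlite").items():
            print(table, info["rows"], info["columns"])
```

Run it on a working copy of the evidence, kept together with any companion files that the trailing * in the path matches (such as -wal and -shm), since recently written records may still sit in the write-ahead log.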
Figure 2: Splitwise Expense Balances in iLEAPP
Figure 3: Splitwise Expenses in iLEAPP
Figure 4: Splitwise Groups in iLEAPP
Figure 5: Splitwise Notification activity in iLEAPP
Figure 6: Splitwise Total Balances in iLEAPP
Figure 7: Splitwise Users/Friends in iLEAPP
If you're looking for further shady activities and exchanges of money, you may just find some smoking guns here if the culprits are using the app. Kudos to TODO Security for including this activity in the Belkasoft CTF.
Grab the latest code base for iLEAPP now!