#!/bin/bash
#
# check-privacy-manifest.sh
#
# Downloads an iOS app from the App Store and shows you exactly what's inside:
# the privacy manifest, the bundled frameworks, and the permission strings.
# No interpretation, no magic. Just the raw data so you can decide for yourself.
#
# Usage: ./check-privacy-manifest.sh <bundle-id>
# Example: ./check-privacy-manifest.sh gov.whitehouse.app
#
# Requires: macOS tools used below (unzip, plutil, and nm from the Xcode Command Line Tools)
#           plus ipatool (brew install ipatool)
#
# Written by atomic.computer
# https://www.atomic.computer/blog/verify-white-house-app-privacy-manifest/

set -euo pipefail

# Terminal colours as ANSI escape text. They are stored with a literal
# backslash and rendered by the `echo -e` calls in step()/run()/fail().
declare BLUE='\033[1;34m'   # section-heading marker
declare BOLD='\033[1m'      # heading titles and the closing credit
declare DIM='\033[2m'       # echoed command lines
declare RED='\033[1;31m'    # error prefix
declare RESET='\033[0m'     # back to default attributes

# Print a section heading: a blank line, a coloured "===" marker, the title
# given in $1 in bold, then another blank line. Backslash escapes in the
# title are interpreted (%b), exactly as `echo -e` would.
step() {
    printf '\n%b===%b %b%b%b\n\n' "$BLUE" "$RESET" "$BOLD" "$1" "$RESET"
}

run() {
    echo -e "  ${DIM}\$ $1${RESET}"
    eval "$1"
    echo ""
}

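# Print an error message and stop the script.
#
# Arguments: $1 - message, printed verbatim (no escape interpretation).
# Outputs:   "  ERROR: <message>" on stderr, so it survives `2>/dev/null`
#            on stdout-only captures and stays apart from the report itself.
# Returns:   never; exits the script with status 1.
fail() {
    printf '  %bERROR:%b %s\n' "$RED" "$RESET" "$1" >&2
    exit 1
}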

# Exactly one positional argument is needed: the App Store bundle identifier.
if (( $# < 1 )); then
    echo "Usage: $0 <bundle-id>"
    echo "Example: $0 gov.whitehouse.app"
    exit 1
fi

BUNDLE_ID=$1
# Fresh scratch directory with an unpredictable name; it is deliberately
# not removed on exit (the closing message tells the user where it is).
WORK_DIR=$(mktemp -d)

# ---

step "1. Checking for ipatool"

# command -v is the portable existence test; `which` is only echoed so the
# reader sees which binary will be used.
command -v ipatool > /dev/null 2>&1 || fail "ipatool not found. Install it with: brew install ipatool"
run "which ipatool"

step "2. Checking authentication"

# `ipatool auth info` exits non-zero when no Apple ID session is stored;
# its output is not interesting here, only the status.
if ipatool auth info > /dev/null 2>&1; then
    echo "  Authenticated with the App Store."
else
    echo "  Not logged in. Run:"
    echo "    ipatool auth login -e your@apple-id.com"
    echo ""
    echo "  Note: ipatool will ask for your password twice. This is normal."
    exit 1
fi

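step "3. Downloading $BUNDLE_ID"

cd "$WORK_DIR" || fail "Cannot enter work directory: $WORK_DIR"
# --purchase lets ipatool take the licence for this Apple ID first if it is
# not already owned (the failure text below reflects that this only works
# for free or already-purchased apps).
if ! ipatool download -b "$BUNDLE_ID" --purchase 2>&1; then
    fail "Download failed. Make sure the bundle ID is correct and the app is free or purchased."
fi

# ipatool picks the IPA file name. Collect it with a glob rather than by
# parsing `ls`, which breaks on unusual characters in the name; nullglob
# makes a no-match expand to an empty array instead of the literal pattern.
shopt -s nullglob
ipa_files=(*.ipa)
shopt -u nullglob
if (( ${#ipa_files[@]} == 0 )); then
    fail "No IPA file found after download."
fi
IPA_FILE=${ipa_files[0]}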

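step "4. Extracting the IPA (it's just a zip file)"

# The IPA name comes from ipatool and everything inside the archive from the
# app's publisher, so both are untrusted. The command string is single-quoted:
# run()'s eval expands "$IPA_FILE" as one word, whereas interpolating the
# name into the string would let a crafted file name execute shell code here.
# The "./" prefix keeps a name starting with "-" from being read as an option.
run 'unzip -q "./$IPA_FILE" -d extracted'

# Exactly one .app directory is expected directly under Payload/.
# -maxdepth goes before -name (GNU find warns when a global option follows a
# test); "|| true" keeps a missing Payload/ from aborting here under
# pipefail so the message below is shown instead.
APP_DIR=$(find extracted/Payload -maxdepth 1 -type d -name '*.app' 2>/dev/null | head -n 1 || true)
if [[ -z "$APP_DIR" ]]; then
    fail "No .app bundle found inside the IPA."
fi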

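step "5. What does the privacy manifest say?"

echo "  This is what Apple uses to populate the App Privacy label on the App Store."
echo "  Look at NSPrivacyCollectedDataTypes and NSPrivacyTracking."
echo ""

# NOTE(review): PrivacyInfo.xcprivacy is authored by the developer and
# shipped as-is; nothing in the bundle enforces that its declarations match
# what the code does. Read it as the publisher's claim and weigh it against
# the frameworks and Info.plist keys printed in the next steps.
PRIVACY_FILE="$APP_DIR/PrivacyInfo.xcprivacy"
if [[ -f "$PRIVACY_FILE" ]]; then
    # APP_DIR is a path from inside the IPA (publisher-controlled): single
    # quotes so run()'s eval expands it as a word, never as shell code.
    run 'plutil -p "$PRIVACY_FILE"'
else
    echo "  No PrivacyInfo.xcprivacy found in the app bundle."
fi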

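step "6. What frameworks shipped with the app?"

# Many apps ship no Frameworks/ directory at all. `ls` on a missing path
# returns non-zero and, via run()'s eval under set -e, would end the script
# before steps 7 and 8 run, so check first.
# NOTE(review): only dynamically linked frameworks show up here; anything
# linked statically lives inside the main executable and is not listed.
if [[ -d "$APP_DIR/Frameworks" ]]; then
    # APP_DIR comes from inside the IPA: single quotes keep it out of eval's
    # parser and let it expand as a single word.
    run 'ls "$APP_DIR/Frameworks/"'
else
    echo "  No Frameworks/ directory in the app bundle."
fi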

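step "7. Any location-related frameworks? What symbols do they export?"

FRAMEWORKS_DIR="$APP_DIR/Frameworks"
location_fw_count=0
if [[ -d "$FRAMEWORKS_DIR" ]]; then
    # NUL-delimited find output so a framework whose name contains spaces is
    # one item rather than several; the loop runs in this shell (process
    # substitution, not a pipe) so BINARY is visible to run()'s eval.
    while IFS= read -r -d '' fw; do
        location_fw_count=$((location_fw_count + 1))
        fw_name=$(basename "$fw" .framework)
        BINARY="$fw/$fw_name"
        if [[ -f "$BINARY" ]]; then
            # The path is publisher-controlled: single quotes so eval expands
            # "$BINARY" as a word, never as code. "|| true" because grep with
            # no match, or head closing the pipe early, returns non-zero and
            # would otherwise abort the script under set -e / pipefail.
            # NOTE(review): nm prints symbol names only; a name containing
            # "location" is a lead to investigate, not evidence the code runs.
            run 'nm "$BINARY" 2>/dev/null | grep -i location | head -n 20 || true'
        else
            echo "  $fw has no binary at $BINARY (skipped)"
        fi
    done < <(find "$FRAMEWORKS_DIR" -name '*ocation*' -type d -print0 2>/dev/null)
fi
if (( location_fw_count == 0 )); then
    echo "  No location-related frameworks found."
fi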

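step "8. What does Info.plist say about location permissions?"

PLIST="$APP_DIR/Info.plist"
if [[ -f "$PLIST" ]]; then
    # PLIST is built from a path inside the IPA: single quotes so run()'s
    # eval expands it as a word, never as shell code. grep returns 1 when
    # nothing mentions "location" — for a privacy check that is the
    # interesting result, not an error — so it must not abort the script
    # under set -e / pipefail; print a line instead.
    # NOTE(review): iOS apps have to declare an NSLocation*UsageDescription
    # purpose string before they can prompt for location, so an empty result
    # here is a strong signal — confirm against the frameworks in step 7.
    run 'plutil -p "$PLIST" | grep -i location || echo "  (no keys mentioning location)"'
else
    echo "  No Info.plist found."
fi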

step "Done. Trust but verify."

# Closing summary. The work directory is intentionally kept so the user can
# repeat the commands above; the cleanup command is printed for them.
cat <<EOF
  Everything above came from the app binary you just downloaded.
  The extracted files are in: $WORK_DIR
  We left them there so you can re-run the commands and investigate.
  When you're done: rm -rf $WORK_DIR

EOF
echo -e "  ${BOLD}Script by atomic.computer${RESET}"
echo "  https://www.atomic.computer"
echo ""
