iOS

Mobile Application Penetration Testing Notes

iOS IPA

Tools

  • class-dump: Extract class information from Objective-C binaries.

  • Cycript: Tool for exploring and modifying running iOS apps.

  • Frida: Dynamic instrumentation toolkit.

  • MobSF: Mobile Security Framework for automated pen-testing.

  • Burp Suite: Proxy tool for intercepting HTTP/HTTPS traffic.

IPA Analysis

  • Static Analysis:

    • Extract IPA: unzip <app.ipa>

    • Analyze binary: class-dump -H <app_binary>

    • Inspect Info.plist for permissions and configurations.

    • Review source code for hardcoded secrets and vulnerabilities.

  • Dynamic Analysis:

    • Set up a jailbroken device.

    • Intercept network traffic using Burp Suite.

    • Use Frida or Cycript to manipulate app behavior at runtime.

Common Findings in Dynamic Analysis (MobSF)

  • Insecure Network Communication: Lack of SSL/TLS implementation or improper configuration.

  • Data Leakage: Sensitive data being logged or transmitted insecurely.

  • Weak Cryptography: Usage of weak encryption algorithms.

  • Insecure Authentication: Lack of proper authentication mechanisms.

  • Unintended Permissions: Excessive permissions granted to the app.

  • Improper Error Handling: Exposing sensitive information through error messages.

SSL Pinning

  • Bypassing SSL Pinning:

    • Use tools like Frida or Objection to bypass SSL pinning.

    • Example Frida script for bypassing SSL pinning:

      Java.perform(function () {
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, hostname, session, response) {
        return untrustedChain;
    };
});

Common Vulnerabilities

  • Insecure Data Storage: Check for sensitive data in NSUserDefaults, Keychain, and files.

  • Insecure Communication: Ensure SSL/TLS is properly implemented.

  • Insufficient Authentication/Authorization: Verify the app correctly handles user authentication and authorization.

  • Client-Side Code Execution: Look for potential code injection points.

  • Reverse Engineering: Check for hardcoded secrets and obfuscate code.

Testing Steps

  1. Setup Environment: Jailbroken device, proxy (Burp Suite), tools (class-dump, Cycript, Frida).

  2. Static Analysis: Extract IPA, analyze binary and Info.plist.

  3. Dynamic Analysis: Intercept traffic, perform runtime analysis with Frida or Cycript.

  4. Report Findings: Document vulnerabilities, provide remediation suggestions.

PreviousBypass WAFNextInstall Tools

Last updated