iOS
Mobile Application Penetration Testing Notes
iOS IPA
Tools
class-dump: Extract class information from Objective-C binaries.
Cycript: Tool for exploring and modifying running iOS apps.
Frida: Dynamic instrumentation toolkit.
MobSF: Mobile Security Framework for automated pen-testing.
Burp Suite: Proxy tool for intercepting HTTP/HTTPS traffic.
IPA Analysis
Static Analysis:
Extract IPA:
unzip <app.ipa>
Analyze binary:
class-dump -H <app_binary>
Inspect Info.plist for permissions and configurations.
Review source code for hardcoded secrets and vulnerabilities.
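The Info.plist inspection step above, as an added example (not part of the original notes): a Python audit that reads Info.plist straight from the IPA and lists App Transport Security exceptions, declared permission keys, and registered URL schemes. The function names and the sample bundle (Demo.app, api.example.com, demoapp) are hypothetical and constructed for illustration.

```python
import io
import plistlib
import zipfile

def load_info_plist(ipa):
    """Read the main bundle's Info.plist (XML or binary) from an IPA path or file object."""
    with zipfile.ZipFile(ipa) as zf:
        for name in zf.namelist():
            # Main bundle only: Payload/<App>.app/Info.plist, not nested frameworks.
            if name.startswith("Payload/") and name.endswith(".app/Info.plist") and name.count("/") == 2:
                return plistlib.loads(zf.read(name))
    raise ValueError("no Payload/<App>.app/Info.plist in archive")

def audit_info_plist(info):
    """Return (category, detail) findings for transport, permission and URL-scheme settings."""
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("ats", "NSAllowsArbitraryLoads is true"))
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("ats", f"{domain}: cleartext HTTP allowed"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(("ats", f"{domain}: minimum TLS lowered to {tls}"))
    # Every *UsageDescription key corresponds to a permission the app can request.
    for key in sorted(k for k in info if k.endswith("UsageDescription")):
        findings.append(("permission", key))
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(("url-scheme", scheme))
    return findings

def build_sample_ipa():
    """Constructed sample: an in-memory IPA holding only a hypothetical Info.plist."""
    info = {
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSExceptionDomains": {"api.example.com": {"NSExceptionMinimumTLSVersion": "TLSv1.0"}},
        },
        "NSCameraUsageDescription": "Scan QR codes",
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp"]}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
    return buf

if __name__ == "__main__":
    for category, detail in audit_info_plist(load_info_plist(build_sample_ipa())):
        print(f"[{category}] {detail}")
```

To audit a real build, pass the IPA's path to load_info_plist instead of the constructed sample.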
Dynamic Analysis:
Set up a jailbroken device.
Intercept network traffic using Burp Suite.
Use Frida or Cycript to manipulate app behavior at runtime.
Common Findings in Dynamic Analysis (MobSF)
Insecure Network Communication: Lack of SSL/TLS implementation or improper configuration.
Data Leakage: Sensitive data being logged or transmitted insecurely.
Weak Cryptography: Usage of weak encryption algorithms.
Insecure Authentication: Lack of proper authentication mechanisms.
Unintended Permissions: Excessive permissions granted to the app.
Improper Error Handling: Exposing sensitive information through error messages.
SSL Pinning
Bypassing SSL Pinning:
Use tools like Frida or Objection to bypass SSL pinning.
Example Frida script for bypassing SSL pinning:
Common Vulnerabilities
Insecure Data Storage: Check for sensitive data in NSUserDefaults, Keychain, and files.
Insecure Communication: Ensure SSL/TLS is properly implemented.
Insufficient Authentication/Authorization: Verify the app correctly handles user authentication and authorization.
Client-Side Code Execution: Look for potential code injection points.
Reverse Engineering: Check for hardcoded secrets and missing code obfuscation.
Testing Steps
Setup Environment: Jailbroken device, proxy (Burp Suite), tools (class-dump, Cycript, Frida).
Static Analysis: Extract IPA, analyze binary and Info.plist.
Dynamic Analysis: Intercept traffic, perform runtime analysis with Frida or Cycript.
Report Findings: Document vulnerabilities, provide remediation suggestions.