iOS Pentesting Series Part 2- Into The Battlefield..

Kishor balan
Aug 14, 2023


Hola Peeps,

Recently, much to my surprise, I’ve managed to wrap up the Part-2 section of my iOS Pentesting series, all thanks to my incredibly efficient and intelligent self. Please note, just a heads up, I’ve kept the theory parts brief; if you’re craving more in-depth knowledge, feel free to consult dear ChatGPT. xD

Btw, if you haven’t gone through Part-1 yet, here it is:

Start your first iOS Application Pentest with me.. (Part- 1) | by Kishor balan | Medium

IPA file Anatomy

Rename the IPA to ZIP and extract it. Let’s analyze some of the important components.

Frameworks: This is one of the important directories to look at. This folder may contain external frameworks that are implemented within the application (e.g. frameworks for jailbreak detection, SSL pinning, etc.)

DVIA-2 — The application’s executable file
example.der — CA certificate that may be used for the SSL pinning process or for other purposes.
Info.plist - The Info.plist file contains critical information about the configuration of an iOS mobile app.

Test Cases:

1: Check for App Transport Security misconfiguration.

i) Read the Info.plist file using 3uTools or any other plist reader.

The boolean value of the “NSAllowsArbitraryLoads” property is set to TRUE, which indicates that App Transport Security (ATS) is globally disabled. That means the app allows insecure HTTP communication.

Note: If exception domains are defined, insecure HTTP loads are allowed only for those domains.

In this example, the app is allowed to communicate with “example.com” using insecure HTTP connections, despite the general ATS requirements.
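The same check can be scripted. The following is an added example, not part of the original post: it parses an Info.plist (XML or binary) and reports both cases described above, the global switch and per-domain exceptions. The sample plists and the bundle identifier are constructed.

```python
import plistlib

def audit_ats(plist_bytes):
    """Return ATS findings for the raw bytes of an Info.plist (XML or binary)."""
    info = plistlib.loads(plist_bytes)  # plist format is auto-detected
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads)")
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = " and its subdomains" if cfg.get("NSIncludesSubdomains") else ""
            findings.append(f"insecure HTTP allowed for {domain}{scope}")
    return findings

# Constructed sample plists (not taken from a real app).
GLOBAL_OFF = plistlib.dumps(
    {"CFBundleIdentifier": "com.example.demo",
     "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}},
    fmt=plistlib.FMT_BINARY)  # the Info.plist inside an IPA is often binary
DOMAIN_EXCEPTION = plistlib.dumps(
    {"CFBundleIdentifier": "com.example.demo",
     "NSAppTransportSecurity": {"NSExceptionDomains": {
         "example.com": {"NSExceptionAllowsInsecureHTTPLoads": True,
                         "NSIncludesSubdomains": True}}}})
ATS_DEFAULT = plistlib.dumps({"CFBundleIdentifier": "com.example.demo"})

if __name__ == "__main__":
    samples = [("global", GLOBAL_OFF), ("exception", DOMAIN_EXCEPTION),
               ("default", ATS_DEFAULT)]
    for name, blob in samples:
        print(name, audit_ats(blob) or ["no ATS weakening found"])
```
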

2: Check for hardcoded secrets/URLs in the IPA file using the grep or ack commands.

i) Change the file extension from .ipa to .zip
ii) Extract the zip
iii) Get inside the app package

Find the hardcoded secrets.

Obtain the secret from that particular file:
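The steps above can also be run without extracting anything, since an IPA is a ZIP archive. This added example (not from the original post) pulls printable strings out of every file under Payload/ and flags cleartext URLs and secret-looking assignments; the patterns are heuristics chosen for this example, and the sample IPA is constructed in memory.

```python
import io
import re
import zipfile

# Heuristic patterns: an assumption of this example, tune them per application.
PATTERNS = {
    "cleartext-url": re.compile(rb"http://[\w.\-/:%?=&]+"),
    "secret-assignment": re.compile(
        rb"(api[_-]?key|secret|passw(?:or)?d|token)\W{1,4}([\w\-]{8,})", re.I),
}
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as the strings utility

def scan_ipa(ipa):
    """Return (member, label, match) for every pattern hit inside Payload/."""
    hits = []
    with zipfile.ZipFile(ipa) as archive:  # an IPA is a ZIP archive
        for name in archive.namelist():
            if not name.startswith("Payload/") or name.endswith("/"):
                continue
            for text in PRINTABLE.findall(archive.read(name)):
                for label, rx in PATTERNS.items():
                    match = rx.search(text)
                    if match:
                        hits.append((name, label, match.group(0).decode()))
    return hits

def build_sample_ipa():
    """Constructed IPA held in memory; every value in it is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(
            "Payload/Demo.app/Demo",
            b"\x00\xfa\xce\xfe\xedhttp://staging.example.com/api/v1\x00\x01")
        archive.writestr(
            "Payload/Demo.app/config.json",
            b'{"api_key": "CONSTRUCTED-KEY-0001"}')
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for hit in scan_ipa(build_sample_ipa()):
        print(hit)
```

`scan_ipa` accepts a file path as well as a file object, so it can be pointed at the .ipa directly.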

Installing the iOS Application

1: Install the IPA on the iPhone using 3uTools or manually. (The Cydia tweak AppSync Unified must be installed on the iOS device to bypass the signature checks.)

Note: If the iOS application under test is shared through TestFlight, we can install it directly from there.

Insecure Storage

Checking the sensitive data in local storage

1: SharedPreference file

i) Connect to the target application using Objection and obtain its working directory using the below command.

ii) Navigate to the application’s Library folder

iii) Get into the SharedPreference folder

iv) Read the Preference file using the below command.

(Sorry, No sensitive data is found in my current target application)

2: Local DB files
i) Connect the target application with objection
ii) Find the application path in which the cache files get stored using the below command and navigate to that path

iii) Copy the “Cache.db” to your local machine with the scp command

iv) Explore the db file using any DB browsers and look for the sensitive data
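Instead of browsing the copied Cache.db by hand, the review can be scripted. This is an added example, not from the original post: it assumes the usual NSURLCache layout (tables cfurl_cache_response and cfurl_cache_receiver_data) and lists cached URLs whose stored response body contains sensitive-looking keywords. The keyword list and the sample database are constructed for the example.

```python
import re
import sqlite3

# Keywords treated as sensitive: an assumption of this example.
SENSITIVE = re.compile(rb"password|token|session|otp|card", re.I)

def sensitive_cached_responses(conn):
    """Return (url, keywords) for cached bodies that contain sensitive markers."""
    rows = conn.execute(
        "SELECT r.request_key, d.receiver_data "
        "FROM cfurl_cache_response r "
        "JOIN cfurl_cache_receiver_data d ON d.entry_ID = r.entry_ID "
        "WHERE d.isDataOnFS = 0 "  # only bodies stored inside the database
        "ORDER BY r.entry_ID")
    findings = []
    for url, body in rows:
        if isinstance(body, str):
            body = body.encode()
        words = sorted({w.lower().decode() for w in SENSITIVE.findall(body or b"")})
        if words:
            findings.append((url, words))
    return findings

def build_sample_cache():
    """Constructed in-memory stand-in for a Cache.db pulled from a device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cfurl_cache_response(
            entry_ID INTEGER PRIMARY KEY, request_key TEXT, time_stamp TEXT);
        CREATE TABLE cfurl_cache_receiver_data(
            entry_ID INTEGER PRIMARY KEY, isDataOnFS INTEGER, receiver_data BLOB);
    """)
    conn.executemany("INSERT INTO cfurl_cache_response VALUES (?, ?, ?)", [
        (1, "https://api.example.com/login", "2023-08-14 10:00:00"),
        (2, "https://api.example.com/banner", "2023-08-14 10:00:05"),
    ])
    conn.executemany("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?, ?)", [
        (1, 0, b'{"session_token":"CONSTRUCTED-VALUE"}'),
        (2, 0, b'{"title":"hello"}'),
    ])
    return conn

if __name__ == "__main__":
    print(sensitive_cached_responses(build_sample_cache()))
```

For a real assessment, pass `sqlite3.connect("Cache.db")` in place of the sample connection.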

3: Background screen caching: (Lol, I guess I don’t wanna spit out a deep explanation for this. It’s just what happens when the app is sent to the background state. If the app screen is visible, then it is vulnerable.)

4: Checking sensitive data in heap memory:
Sensitive data such as login credentials, OTPs, security PIN codes, session tokens and PII data

Tool: Fridump
GitHub — Nightbringer21/fridump: A universal memory dumper using Frida

i) Make sure the Frida tweak is installed from Cydia/Sileo and running

ii) Execute the fridump command as follows:

python3 fridump.py -U -s "App name"

iii) The command creates a folder called dump in the current directory, containing a file named ‘strings.txt’ with all the strings found in memory. Open the ‘strings.txt’ file; here it is observed that user-sensitive data is not cleared or replaced from memory.

5: Sensitive Data in the Keychain:

Keychain services provide APIs (Application Programming Interfaces) that allow developers to securely store, retrieve, and manage sensitive data in a way that’s isolated from the rest of the app’s data. And some applications may store this data in plaintext format.

i) After the login process, attach objection to the target application and execute the following command:

6: Insecure logging of sensitive data: There are some dev dudes who log everything, including user data, during the app development process, and some of them forget to remove the log functions when releasing the app. So in those cases, we gotta grab those snacks ; )

i) Identify the sensitive input fields in the target application.
ii) Submit the data via the input fields
iii) Collect the app logs and obtain the data (you can use the “Real Time logger” utility provided by 3uTools)

Side Channel Leakage:

1: Clipboard buffer cache

i) Find the sensitive input fields in the target application
ii) Try to copy the sensitive data

iii) Now attach objection to the target application and execute the command “ios pasteboard monitor”

We can see that objection retrieved the copied card data from the clipboard cache.

And that’s a wrap for today, folks! But hey, don’t fret, there’s still a bunch of exciting stuff in our toolkit waiting to be unleashed — you know, the whole shebang like setting up proxies, bypassing JailBreak detection and SSL pinning, Bypassing biometrics and more. Buckle up, because in my next installment, I’ll dive into all of these juicy topics.

Oh, the exhaustion is real! I’m starting to think the next part might just have to come with its very own YouTube video… I mean, who needs all that typing, am I right?

Bella Ciao..
