Martian Defense NoteBook
iOS Pentesting Checklist

Last updated 5 months ago

Apple Security Architecture

iOS Overview

  • All applications are signed by Apple

  • These devices have a hardware security component

  • Hardware/Firmware Layer, Software Layer

  • Two partitions

  • Filesystem is Linux based

  • Must have a developer profile on Xcode to test apps (this allows sideloading)

  • Must have an Apple ID for testing

Jailbreak Tools:

  • Checkra1n - Linux jailbreak software

  • iRa1n - Windows version of Checkra1n

  • 3utools.com - iOS device management tool

Testing Tools:

  • OpenSSH

  • BurpPro mobile assistant

  • Emulator such as Corellium or Appetize.io

  • MobSF for static analysis:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

Pulling IPA from App Store:

  • Install IPATool on Mac: brew tap majd/repo && brew install ipatool

  • Authenticate to the tool - ipatool auth -e <yourEmail@email.com>

  • Search for an app in the App Store - ipatool search <myKeyword>

  • Download an app based on the bundle ID from the search command - ipatool download --bundle-identifier <bundleIDFromSearchCommand>

Application Testing setup

  1. Install iproxy (npm install iproxy) and the Burp Suite application proxy on the host

  2. Start Burp Suite and add a listener on port 8082 bound to all interfaces

  3. Go to iOS Settings and set a manual proxy using the Burp Suite host's IP and port 8082

  4. Connect the host PC to the mobile device over SSH through iproxy using

    a. iproxy 2222 22 & ssh -R 8082:localhost:8082 root@localhost -p 2222

  5. On the iOS device, visit http://burpsuite to verify connectivity and download the Burp CA certificate

  6. In the iOS device settings, open the "Profile Downloaded" section and install the certificate

  7. Go to Settings > General > About > Certificate Trust Settings and enable the toggle for the installed certificate

Methodology

  1. Download the app from the App Store OR install the IPA file from the local machine onto the iPhone

  2. Proxy the iPhone with iproxy; this establishes a USB connection

  3. Proxy traffic through Burp

  4. Pull the IPA off the phone into a local directory using frida-ios-dump

  5. Make a copy of the file and rename it to Payload.zip

  6. Unzip the file from the command line

  7. From Finder, go into the Payload folder and then into the next Payload folder. This is where example.app is stored

  8. Right-click example.app and click "Show Package Contents"

  9. Look at all the files. Some can be opened in Xcode

  10. Look more specifically at the Info.plist file and open it with Xcode

  11. Open and look at any JSON files that are available

  12. Run MobSF and drop the example.ipa file in

  13. Run Objection

  14. Do a manual click-through and generate some traffic with Burp

  15. Run a Burp scan

  16. Test the app like it's a web app (XSS, SQL injection, login bypass, etc.)

  17. Check the iOS logs
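Steps 5 through 11 above (unzip the IPA, find the .app bundle, read Info.plist and any JSON files) can be scripted so the same review is repeatable across builds. The Python below is an added example and is not part of the notebook or of any of the tools it lists: it treats the IPA as the zip archive it is, locates the single .app bundle under Payload/ without extracting to disk, parses Info.plist with the standard-library plistlib (XML or binary), lists bundled JSON files, and reports the settings a reviewer checks first: App Transport Security switched off or relaxed per domain, custom URL schemes, and USB file sharing. The IPA it inspects is constructed inline; the bundle name, bundle identifier, domain, scheme and every value in it are made up for the example.

```python
import io
import plistlib
import zipfile


def build_sample_ipa() -> bytes:
    """Build a constructed IPA in memory (not a real app) so the example runs offline."""
    info = {
        "CFBundleIdentifier": "com.example.demo",          # made-up bundle ID
        "CFBundleShortVersionString": "1.0",
        "MinimumOSVersion": "12.0",
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,                 # ATS switched off globally
            "NSExceptionDomains": {
                "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True}
            },
        },
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["exampleapp"]}],
        "UIFileSharingEnabled": True,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Example.app/Info.plist", plistlib.dumps(info))
        # Placeholder for the main executable: only the 64-bit Mach-O magic bytes.
        z.writestr("Payload/Example.app/Example", b"\xcf\xfa\xed\xfe")
        z.writestr("Payload/Example.app/config.json", b'{"api": "https://api.example.com"}')
    return buf.getvalue()


def find_app_dir(z: zipfile.ZipFile) -> str:
    """Return 'Payload/<Name>.app/' for the single app bundle inside the IPA."""
    apps = {
        n.split("/")[1]
        for n in z.namelist()
        if n.startswith("Payload/") and n.count("/") >= 2 and n.split("/")[1].endswith(".app")
    }
    if len(apps) != 1:
        raise ValueError(f"expected exactly one .app bundle under Payload/, found {sorted(apps)}")
    return f"Payload/{apps.pop()}/"


def load_info_plist(ipa_bytes: bytes):
    """Parse Info.plist (XML or binary) and list bundled JSON files without extracting to disk."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        app_dir = find_app_dir(z)
        info = plistlib.loads(z.read(app_dir + "Info.plist"))
        json_files = sorted(n for n in z.namelist() if n.startswith(app_dir) and n.endswith(".json"))
    return info, json_files


def review_info_plist(info: dict) -> list:
    """Return human-readable findings for the Info.plist settings worth a closer look."""
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is disabled, cleartext HTTP is permitted app-wide")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS exception allows insecure HTTP for {domain}")
    schemes = [s for t in info.get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])]
    if schemes:
        findings.append(f"custom URL schemes registered, review their handlers for input validation: {schemes}")
    if info.get("UIFileSharingEnabled"):
        findings.append("UIFileSharingEnabled is true: the app's Documents/ folder is exposed over USB file sharing")
    return findings


if __name__ == "__main__":
    sample = build_sample_ipa()
    info, json_files = load_info_plist(sample)
    print(f"{info['CFBundleIdentifier']} v{info['CFBundleShortVersionString']}, min iOS {info['MinimumOSVersion']}")
    print("JSON files in bundle:", json_files)
    for finding in review_info_plist(info):
        print(" -", finding)
```

To run it against a real app, pass the bytes of the IPA pulled in step 4 to load_info_plist instead of the constructed sample; since an IPA is a zip, the Payload.zip copy made in step 5 works unchanged. The findings are starting points for the manual checks in steps 14 to 16, not verdicts: an ATS exception may be justified, but each one should be traced to the code path that uses it.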

Sources:

Official Apple Security Documentation
Palera1n (newer iOS Jailbreak)
Corellium
Appetize.io
MobSF
https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing