iOS Pentesting Checklist

Apple Security Architecture

Official Apple Security Documentation

iOS Overview

  • All applications are signed by Apple

  • These devices have a hardware security component

  • Hardware/Firmware Layer, Software Layer

  • Two partitions

  • Filesystem is Linux based

  • Must have a developer profile on Xcode to test apps (this allows sideloading)

  • Must have an Apple ID for testing

Jailbreak Tools:

  • Checkra1n - Linux jailbreak software

  • Palera1n - newer iOS jailbreak

  • iRa1n - Windows version of Checkra1n

  • 3utools.com - iOS device management tool

Testing Tools:

  • OpenSSH

  • BurpPro mobile assistant

  • Emulator such as Corellium, Appetize.io

  • Install MobSF for Static Analysis:

    git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

Pulling IPA from App Store:

  • Install IPATool on Mac: brew tap majd/repo && brew install ipatool

  • Authenticate to the tool - ipatool auth -e <yourEmail@email.com>

  • Search for an app in the App Store - ipatool search <myKeyword>

  • Download an app based on the bundle ID from the search command - ipatool download --bundle-identifier <bundleIDFromSearchCommand>

Application Testing setup

  1. Install iproxy (npm install iproxy) and the Burp Suite application proxy on the host

  2. Start Burp suite and add a listener on port 8082 for all interfaces

  3. Go to iOS settings, set a manual proxy using the Burp Suite host's IP and port 8082

  4. Connect the host PC to the mobile device over SSH through iproxy:

    a. iproxy 2222 22 & ssh -R 8082:localhost:8082 root@localhost -p 2222

  5. On the iOS device, visit http://burpsuite to verify connectivity and download the Burp CA certificate

  6. Go to the Apple device settings, open the "Profile Downloaded" section and install the certificate

  7. Go to Settings > General > About > Certificate Trust Settings and activate the toggle switch

Methodology

Source: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing

  1. Download the app from the App Store OR install the IPA file from the local machine onto the iPhone

  2. Proxy the iPhone with iproxy; this establishes a connection over USB

  3. Proxy traffic through Burp

  4. Pull the IPA off the phone to a local directory using frida-ios-dump

  5. Make a copy of the file and rename it to Payload.zip

  6. Unzip the file from the command line

  7. From Finder go into the Payload folder and into the next Payload folder. This is where example.app is stored

  8. Right-click example.app and click Show Package Contents

  9. Look at all the files. Some can be opened in Xcode

  10. Look more specifically at the Info.plist file and open it with Xcode

  11. Open and look at JSON files if any are available.

  12. Run MobSF and drop the example.ipa file in

  13. Run Objection

  14. Do a manual click-through and generate some traffic with Burp

  15. Run a Burp scan

  16. Test the app like it's a web app (XSS, SQL injection, login bypass, etc.)

  17. Check iOS logs
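As an added example that is not part of the original checklist, the Python script below automates steps 5 through 11 of the methodology: it opens the IPA as a zip archive, locates Payload/<name>.app/Info.plist (skipping the Info.plist of embedded frameworks), parses it with plistlib and flags the entries a tester looks at first: App Transport Security exceptions, custom URL schemes and Finder/iTunes file sharing. The IPA it builds in memory is a constructed sample; the bundle identifier com.example.demo, the domain legacy.example.com and the function names are assumptions, not values from the page. Pass a real .ipa path as the first argument to run it against a downloaded app.

```python
"""Inspect an IPA's Info.plist for security-relevant settings.

Added example, not part of the original checklist. Covers methodology
steps 5-11: unpack the IPA, find Payload/<name>.app/Info.plist and
report the settings worth a manual look.
"""
import io
import plistlib
import sys
import zipfile


def load_info_plist(ipa_bytes: bytes) -> dict:
    """Return the parsed Info.plist of the top-level .app bundle in the IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Match exactly Payload/<something>.app/Info.plist; deeper paths
            # belong to embedded frameworks or plugins, not the app itself.
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return plistlib.loads(zf.read(name))
    raise ValueError("no Payload/*.app/Info.plist found in IPA")


def review_info_plist(plist: dict) -> list:
    """Return (key, finding) tuples for settings a tester should examine."""
    findings = []
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("NSAppTransportSecurity",
                         "ATS disabled globally: cleartext HTTP is allowed"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("NSExceptionDomains",
                             f"insecure HTTP allowed for {domain}"))
    # Every custom URL scheme is an entry point other apps can drive.
    for url_type in plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(("CFBundleURLSchemes",
                             f"custom URL scheme '{scheme}' is an input surface"))
    if plist.get("UIFileSharingEnabled"):
        findings.append(("UIFileSharingEnabled",
                         "Documents directory exposed via Finder/iTunes file sharing"))
    return findings


def build_sample_ipa() -> bytes:
    """Construct a minimal IPA in memory (constructed sample, not a real app)."""
    info = {
        "CFBundleIdentifier": "com.example.demo",  # assumed identifier
        "MinimumOSVersion": "12.0",
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSExceptionDomains": {
                "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True},
            },
        },
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp"]}],
        "UIFileSharingEnabled": True,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A framework plist comes first to show that the locator skips it.
        zf.writestr("Payload/example.app/Frameworks/Dep.framework/Info.plist",
                    plistlib.dumps({"CFBundleIdentifier": "com.example.dep"}))
        zf.writestr("Payload/example.app/Info.plist", plistlib.dumps(info))
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_ipa()
    plist = load_info_plist(data)
    print(f"bundle: {plist.get('CFBundleIdentifier')}  "
          f"min iOS: {plist.get('MinimumOSVersion')}")
    for key, msg in review_info_plist(plist):
        print(f"[{key}] {msg}")
```

The same plistlib call handles both XML and binary plists, so the script works on Info.plist files straight out of an App Store IPA without converting them first; the findings are a review list, not verdicts, so each still needs a manual check against how the app actually uses the setting.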
