hacktricks/mobile-pentesting/ios-pentesting-checklist.md

138 lines
9.7 KiB
Markdown
Raw Normal View History

2022-05-01 13:25:53 +00:00
# iOS Pentesting Checklist
2022-04-28 16:01:33 +00:00
2022-08-31 22:35:39 +00:00
{% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
{% embed url="https://securityhubs.io/" %}
{% endhint %}
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 13:25:53 +00:00
### Preparation
2021-05-21 17:13:19 +00:00
2022-03-27 21:47:46 +00:00
* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
2022-01-31 14:51:03 +00:00
* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### Data Storage
2021-05-21 17:13:19 +00:00
* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
2022-03-27 21:47:46 +00:00
* [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information.
* [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information.
* [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration.
* [ ] [**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information.
* [ ] [**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information.
* [ ] [**Binary cookies**](ios-pentesting/#cookies) can store sensitive information
* [ ] [**Cache data**](ios-pentesting/#cache) can store sensitive information
* [ ] [**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information
* [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.
2021-05-21 17:13:19 +00:00
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
2022-05-01 13:25:53 +00:00
### Keyboards
2021-05-21 17:13:19 +00:00
* [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
2022-03-27 21:47:46 +00:00
* [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### **Logs**
2021-05-21 17:13:19 +00:00
2022-03-27 21:47:46 +00:00
* [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs)
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### Backups
2021-05-21 17:13:19 +00:00
2022-03-27 21:47:46 +00:00
* [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### **Applications Memory**
2021-05-21 17:13:19 +00:00
2022-03-27 21:47:46 +00:00
* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### **Broken Cryptography**
2021-05-21 17:13:19 +00:00
2022-03-27 21:47:46 +00:00
* [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)
2021-05-21 17:13:19 +00:00
* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
2022-03-27 21:47:46 +00:00
* [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### **Local Authentication**
2021-05-21 17:13:19 +00:00
* [ ] If a [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working.
* [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) it could be easily bypassed
* [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script
2022-05-01 13:25:53 +00:00
### Sensitive Functionality Exposure Through IPC
2021-05-21 17:13:19 +00:00
2022-03-27 21:47:46 +00:00
* [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)
2021-05-21 17:13:19 +00:00
* [ ] Check if the application is **registering any protocol/scheme**
2021-11-30 16:46:07 +00:00
* [ ] Check if the application is **registering to use** any protocol/scheme
2021-05-21 17:13:19 +00:00
* [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
2021-11-30 16:46:07 +00:00
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
2022-03-27 21:47:46 +00:00
* [**Universal Links**](ios-pentesting/#universal-links)
2021-05-21 17:13:19 +00:00
* [ ] Check if the application is **registering any universal protocol/scheme**
2022-05-01 13:25:53 +00:00
* [ ] Check the `apple-app-site-association` file
2021-05-21 17:13:19 +00:00
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
2021-11-30 16:46:07 +00:00
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
2022-03-27 21:47:46 +00:00
* [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)
2021-05-21 17:13:19 +00:00
* [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
2022-03-27 21:47:46 +00:00
* [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)
2021-05-21 17:13:19 +00:00
* [ ] Check if the application if **copying anything to the general pasteboard**
* [ ] Check if the application if **using the data from the general pasteboard for anything**
* [ ] Monitor the pasteboard to see if any **sensitive data is copied**
2022-03-27 21:47:46 +00:00
* [**App Extensions**](ios-pentesting/ios-app-extensions.md)
2021-05-21 17:13:19 +00:00
* [ ] Is the application **using any extension**?
2022-03-27 21:47:46 +00:00
* [**WebViews**](ios-pentesting/ios-webviews.md)
2021-05-21 17:13:19 +00:00
* [ ] Check which kind of webviews are being used
* [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
* [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
* [ ] Check if Javascript can access **Native** **methods** (`JSContext`, `postMessage`)
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### Network Communication
2021-05-21 17:13:19 +00:00
* [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
* [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
2022-03-27 21:47:46 +00:00
* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)
2021-05-21 17:13:19 +00:00
2022-05-01 13:25:53 +00:00
### **Misc**
2021-05-21 17:13:19 +00:00
* [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms
2022-03-27 21:47:46 +00:00
* [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties)
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>
2022-08-31 22:35:39 +00:00
{% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
{% embed url="https://securityhubs.io/" %}
{% endhint %}