hacktricks/mobile-apps-pentesting/ios-pentesting-checklist.md

# iOS Pentesting Checklist

{% hint style="warning" %}
**Support HackTricks and get benefits!**

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/)    [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass)  or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}

### Preparation

* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application

### Data Storage

* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
* [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information.
* [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information.
* [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration.
* [ ] [**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information.
* [ ] [**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information.
* [ ] [**Binary cookies**](ios-pentesting/#cookies) can store sensitive information
* [ ] [**Cache data**](ios-pentesting/#cache) can store sensitive information
* [ ] [**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information
* [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**

### Keyboards

* [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
* [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)

### **Logs**

* [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs)

### Backups

* [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**

### **Applications Memory**

* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)

### **Broken Cryptography**

* [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)
* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
* [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)

### **Local Authentication**

* [ ] If a [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working.
  * [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) it could be easily bypassed
  * [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script

### Sensitive Functionality Exposure Through IPC

* [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)
  * [ ] Check if the application is **registering any protocol/scheme**
  * [ ] Check if the application is **registering to use** any protocol/scheme
  * [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
  * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
  * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**Universal Links**](ios-pentesting/#universal-links)
  * [ ] Check if the application is **registering any universal protocol/scheme**
  * [ ] Check the  `apple-app-site-association` file
  * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
  * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)
  * [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
* [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)
  * [ ] Check if the application if **copying anything to the general pasteboard**
  * [ ] Check if the application if **using the data from the general pasteboard for anything**
  * [ ] Monitor the pasteboard to see if any **sensitive data is copied**
* [**App Extensions**](ios-pentesting/ios-app-extensions.md)
  * [ ] Is the application **using any extension**?
* [**WebViews**](ios-pentesting/ios-webviews.md)
  * [ ] Check which kind of webviews are being used
  * [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
  * [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
  * [ ] Check if Javascript can access **Native** **methods** (`JSContext`, `postMessage`)

### Network Communication

* [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
* [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)

### **Misc**

* [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms
* [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties)
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`# iOS Pentesting Checklist`

GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`{% hint style="warning" %}`
			`Support HackTricks and get benefits!`

advertised 2022-04-06 09:31:08 +00:00			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF?`
sponsoring 2022-04-05 22:37:49 +00:00			`Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00
fix bad chars 2022-04-05 22:24:52 +00:00			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
GitBook: [master] 21 pages modified 2021-05-31 09:39:02 +00:00
fix bad chars 2022-04-05 22:24:52 +00:00			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00
fix bad chars 2022-04-05 22:24:52 +00:00			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00
			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
			`{% endhint %}`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Preparation`

GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] Read [iOS Basics](ios-pentesting/ios-basics.md)`
			`* [ ] Prepare your environment reading [iOS Testing Environment](ios-pentesting/ios-testing-environment.md)`
remove **** 2022-01-31 14:51:03 +00:00			`* [ ] Read all the sections of [iOS Initial Analysis](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Data Storage`

			`* [ ] [Plist files](ios-pentesting/#plist) can be used to store sensitive information.`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] [Core Data](ios-pentesting/#core-data) (SQLite database) can store sensitive information.`
			`* [ ] [YapDatabases](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information.`
			`* [ ] [Firebase](ios-pentesting/#firebase-real-time-databases) miss-configuration.`
			`* [ ] [Realm databases](ios-pentesting/#realm-databases) can store sensitive information.`
			`* [ ] [Couchbase Lite databases](ios-pentesting/#couchbase-lite-databases) can store sensitive information.`
			`* [ ] [Binary cookies](ios-pentesting/#cookies) can store sensitive information`
			`* [ ] [Cache data](ios-pentesting/#cache) can store sensitive information`
			`* [ ] [Automatic snapshots](ios-pentesting/#snapshots) can save visual sensitive information`
			`* [ ] [Keychain](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] In summary, just check for sensitive information saved by the application in the filesystem`

			`### Keyboards`

			`* [ ] Does the application [allow to use custom keyboards](ios-pentesting/#custom-keyboards-keyboard-cache)?`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] Check if sensitive information is saved in the [keyboards cache files](ios-pentesting/#custom-keyboards-keyboard-cache)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Logs`

GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] Check if [sensitive information is being logged](ios-pentesting/#logs)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Backups`

GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] [Backups](ios-pentesting/#backups) can be used to access the sensitive information saved in the file system (check the initial point of this checklist)`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`* [ ] Also, [backups](ios-pentesting/#backups) can be used to modify some configurations of the application, then restore the backup on the phone, and the as the modified configuration is loaded some (security) functionality may be bypassed`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Applications Memory`

GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] Check for sensitive information inside the [application's memory](ios-pentesting/#testing-memory-for-sensitive-data)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Broken Cryptography`

GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] Check if yo can find [passwords used for cryptography](ios-pentesting/#broken-cryptography)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check for the use of [deprecated/weak algorithms](ios-pentesting/#broken-cryptography) to send/store sensitive data`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] [Hook and monitor cryptography functions](ios-pentesting/#broken-cryptography)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Local Authentication`

			`* [ ] If a [local authentication](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working.`
			`* [ ] If it's using the [Local Authentication Framework](ios-pentesting/#local-authentication-framework) it could be easily bypassed`
			`* [ ] If it's using a [function that can dynamically bypassed](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script`

			`### Sensitive Functionality Exposure Through IPC`

GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [Custom URI Handlers / Deeplinks / Custom Schemes](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check if the application is registering any protocol/scheme`
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`* [ ] Check if the application is registering to use any protocol/scheme`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check if the application expects to receive any kind of sensitive information from the custom scheme that can be intercepted by the another application registering the same scheme`
			`* [ ] Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited`
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`* [ ] Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [Universal Links](ios-pentesting/#universal-links)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check if the application is registering any universal protocol/scheme`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			* [ ] Check the `apple-app-site-association` file
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited`
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`* [ ] Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [UIActivity Sharing](ios-pentesting/ios-uiactivity-sharing.md)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [UIPasteboard](ios-pentesting/ios-uipasteboard.md)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check if the application if copying anything to the general pasteboard`
			`* [ ] Check if the application if using the data from the general pasteboard for anything`
			`* [ ] Monitor the pasteboard to see if any sensitive data is copied`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [App Extensions](ios-pentesting/ios-app-extensions.md)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Is the application using any extension?`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [WebViews](ios-pentesting/ios-webviews.md)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00			`* [ ] Check which kind of webviews are being used`
			* [ ] Check the status of `javaScriptEnabled`, `JavaScriptCanOpenWindowsAutomatically`, `hasOnlySecureContent`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			* [ ] Check if the webview can access local files with the protocol file:// (`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
			* [ ] Check if Javascript can access Native methods (`JSContext`, `postMessage`)
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Network Communication`

			`* [ ] Perform a [MitM to the communication](ios-pentesting/#network-communication) and search for web vulnerabilities.`
			`* [ ] Check if the [hostname of the certificate](ios-pentesting/#hostname-check) is checked`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] Check/Bypass [Certificate Pinning](ios-pentesting/#certificate-pinning)`
GitBook: [master] 36 pages modified 2021-05-21 17:13:19 +00:00
			`### Misc`

			`* [ ] Check for [automatic patching/updating](ios-pentesting/#hot-patching-enforced-updateing) mechanisms`
GitBook: [#3077] No subject 2022-03-27 21:47:46 +00:00			`* [ ] Check for [malicious third party libraries](ios-pentesting/#third-parties)`