GitBook: [master] 3 pages modified

This commit is contained in:
CPol 2021-05-21 17:12:21 +00:00 committed by gitbook-bot
parent 6c9a0f3975
commit 2f22c14f27
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 58 additions and 16 deletions

@ -507,20 +507,20 @@
* [Online Platforms with API](online-platforms-with-api.md)
* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)
* [iOS Pentesting](ios-pentesting/README.md)
* [iOS Custom URI Handlers / Deeplinks / Custom Schemes](ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md)
* [iOS Universal Links](ios-pentesting/ios-universal-links.md)
* [iOS UIPasteboard](ios-pentesting/ios-uipasteboard.md)
* [iOS Serialisation and Encoding](ios-pentesting/ios-serialisation-and-encoding.md)
* [iOS Protocol Handlers](ios-pentesting/ios-protocol-handlers.md)
* [iOS WebViews](ios-pentesting/ios-webviews.md)
* [Basic iOS Testing Operations](ios-pentesting/basic-ios-testing-operations.md)
* [Burp Suite Configuration for iOS](ios-pentesting/burp-configuration-for-ios.md)
* [Extracting Entitlements From Compiled Application](ios-pentesting/extracting-entitlements-from-compiled-application.md)
* [Frida Configuration in iOS](ios-pentesting/frida-configuration-in-ios.md)
* [iOS App Extensions](ios-pentesting/ios-app-extensions.md)
* [iOS Basics](ios-pentesting/ios-basics.md)
* [iOS Custom URI Handlers / Deeplinks / Custom Schemes](ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md)
* [iOS Hooking With Objection](ios-pentesting/ios-hooking-with-objection.md)
* [iOS Pentesting Checklist](ios-pentesting/ios-pentesting-checklist.md)
* [iOS Protocol Handlers](ios-pentesting/ios-protocol-handlers.md)
* [iOS Serialisation and Encoding](ios-pentesting/ios-serialisation-and-encoding.md)
* [iOS Testing Environment](ios-pentesting/ios-testing-environment.md)
* [iOS UIActivity Sharing](ios-pentesting/ios-uiactivity-sharing.md)
* [iOS Universal Links](ios-pentesting/ios-universal-links.md)
* [iOS UIPasteboard](ios-pentesting/ios-uipasteboard.md)
* [iOS WebViews](ios-pentesting/ios-webviews.md)
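Review bot: the re-sorted list breaks its own alphabetical order at the bottom of the hunk: `iOS Universal Links` sits between `iOS UIActivity Sharing` and `iOS UIPasteboard`, although every other entry is sorted; move `iOS UIPasteboard` above `iOS Universal Links`. The six entries that vanish from the top of the hunk (Custom URI Handlers, Universal Links, UIPasteboard, Serialisation and Encoding, Protocol Handlers, WebViews) all reappear in the sorted block, so nothing is lost. The six entries that are new (iOS App Extensions, iOS Basics, iOS Hooking With Objection, iOS Pentesting Checklist, iOS Testing Environment, iOS UIActivity Sharing) point at files this commit does not touch (the header lists only 3 changed files), so confirm those `.md` files already exist on master, otherwise GitBook renders dead links in the summary.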

@ -27,6 +27,10 @@ Read the [Basic iOS Testing Operations](basic-ios-testing-operations.md) page to
It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file.
### Basic Dynamic Analysis
Check out the dynamic analysis that [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) perform. You will need to navigate through the different views and interact with them but it will be hooking several classes on doing other things and will prepare a report once you are done.
### Listing Installed Apps
When targeting apps that are installed on the device, you'll first have to figure out the correct bundle identifier of the application you want to analyze. You can use `frida-ps -Uai` to get all apps \(`-a`\) currently installed \(`-i`\) on the connected USB device \(`-U`\):
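Review bot: the new `Basic Dynamic Analysis` paragraph is grammatically broken and vague about what the tool does: `MobSF perform` should be `performs`, and `it will be hooking several classes on doing other things` tells the reader neither which behaviour is instrumented nor what the device has to look like before this works. Suggest `Check out the dynamic analysis that MobSF performs. You will need to navigate through the different views of the app and interact with them; meanwhile MobSF hooks several classes and prepares a report once you are done.`, and state the device prerequisites up front, the same way the context line above points the reader at `Basic iOS Testing Operations` before the static-analysis step.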
@ -994,10 +998,6 @@ All data that's sent to third-party services should be anonymized to prevent exp
You can find the **libraries used by an application** by running **`otool`** against the app \(and **running** it **against** **each** shared **library** to find more shared libraries used\).
## **Automatic Tools**
\*\*\*\*
## **References**
* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing\#information-gathering](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering)
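Review bot: dropping the empty `## Automatic Tools` heading and its stray `\*\*\*\*` line is correct now that MobSF is referenced under the Initial Analysis sections instead; the `\*\*\*\*` is GitBook's escaping of an empty bold span and renders as literal asterisks, and the same debris appears throughout the checklist file in this commit, so it is worth stripping there as well rather than only here.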

@ -1,5 +1,11 @@
# iOS Pentesting Checklist
### Preparation
* [ ] Read [**iOS Basics**](ios-basics.md)\*\*\*\*
* [ ] Prepare your environment reading ****[**iOS Testing Environment**](ios-testing-environment.md)\*\*\*\*
* [ ] Read all the sections of ****[**iOS Initial Analysis**](./#initial-analysis) ****to learn common actions to pentest an iOS application
### Data Storage
* [ ] [**Plist files**](./#plist) can be used to store sensitive information.
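Review bot: the three new Preparation items carry GitBook's empty-bold debris (`\*\*\*\*` at the end of each line and a bare `****` before two of the links) that renders as literal asterisks; strip it. `Prepare your environment reading` should read `Prepare your environment by reading`, and the third item links to the fragment `./#initial-analysis` in the README rather than to a page, so make sure a heading with exactly that slug exists there (this commit only adds `### Basic Dynamic Analysis` beneath it).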
@ -23,12 +29,6 @@
* [ ] Check if [**sensitive information is being logged**](./#logs)\*\*\*\*
### **Clipboard**
* [ ] If using the keyboard the application should use [**private clipboards**](./#clipboard)
* [ ] Is the app using the info from the [**global clipboard**](./#clipboard) for anything?
* [ ] Does the app allow to copy [**sensitive information to the clipboard**](./#clipboard)?
### Backups
* [ ] \*\*\*\*[**Backups**](./#backups) can be used to **access the sensitive information** saved in the file system \(check the initial point of this checklist\)
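Review bot: deleting the `Clipboard` section drops one check that has no replacement anywhere else in the diff: `If using the keyboard the application should use private clipboards`. The other two items (does the app consume data from the general clipboard, can sensitive data be copied to it) reappear under `UIPasteboard` in the IPC section added further down, but the private-pasteboard-for-keyboard-input check does not; either keep it here or add it to the UIPasteboard list.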
@ -38,11 +38,53 @@
* [ ] Check for sensitive information inside the [**application's memory**](./#testing-memory-for-sensitive-data)\*\*\*\*
### **Broken Cryptography**
* [ ] Check if yo can find [**passwords used for cryptography**](./#broken-cryptography)\*\*\*\*
* [ ] Check for the use of [**deprecated/weak algorithms**](./#broken-cryptography) to send/store sensitive data
* [ ] \*\*\*\*[**Hook and monitor cryptography functions**](./#broken-cryptography)\*\*\*\*
### **Local Authentication**
* [ ] If a [**local authentication**](./#local-authentication) is used in the application, you should check how the authentication is working.
* [ ] If it's using the [**Local Authentication Framework**](./#local-authentication-framework) it could be easily bypassed
* [ ] If it's using a [**function that can dynamically bypassed**](./#local-authentication-using-keychain) you could create a custom frida script
### Sensitive Functionality Exposure Through IPC
* \*\*\*\*[**Custom URI Handlers / Deeplinks / Custom Schemes**](./#custom-uri-handlers-deeplinks-custom-schemes)\*\*\*\*
* [ ] Check if the application is **registering any protocol/scheme**
* [ ] Check if the application is **registering to use** any protocol/scheme
* [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* \*\*\*\*[**Universal Links**](./#universal-links)\*\*\*\*
* [ ] Check if the application is **registering any universal protocol/scheme**
* [ ] Check the **`apple-app-site-association`** file
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* \*\*\*\*[**UIActivity Sharing**](ios-uiactivity-sharing.md)\*\*\*\*
* [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
* \*\*\*\*[**UIPasteboard**](ios-uipasteboard.md)\*\*\*\*
* [ ] Check if the application if **copying anything to the general pasteboard**
* [ ] Check if the application if **using the data from the general pasteboard for anything**
* [ ] Monitor the pasteboard to see if any **sensitive data is copied**
* \*\*\*\*[**App Extensions**](ios-app-extensions.md)\*\*\*\*
* [ ] Is the application **using any extension**?
* [**WebViews**](ios-webviews.md)\*\*\*\*
* [ ] Check which kind of webviews are being used
* [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
* [ ] Check if the webview can **access local files** with the protocol **file://** **\(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`\)
* [ ] Check if Javascript can access **Native** **methods** \(`JSContext`, `postMessage`\)
### Network Communication
* [ ] Perform a [**MitM to the communication**](./#network-communication) and search for web vulnerabilities.
* [ ] Check if the [**hostname of the certificate**](./#hostname-check) is checked
* [ ] Check/Bypass [**Certificate Pinning**](./#certificate-pinning)\*\*\*\*
### **Misc**
* [ ] Check for [**automatic patching/updating**](./#hot-patching-enforced-updateing) mechanisms
* [ ] Check for [**malicious third party libraries**](./#third-parties)\*\*\*\*
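Review bot: the two `Universal Links` checks `isn't checking and sanitizing users input via the custom scheme` and `exposes any sensitive action that can be called from anywhere via the custom scheme` are copied verbatim from the Custom URI Handlers list and still say `custom scheme`; universal links arrive as `https://` URLs routed through `apple-app-site-association`, so reword them to `via the universal link`. Other points in this hunk: `Check if yo can find` (typo, `you`); `registering any protocol/scheme` and `registering to use any protocol/scheme` are the same check stated twice; `a function that can dynamically bypassed` needs `be`; `Check if the application if copying` / `if using` should be `is copying` / `is using`; the WebView property names mix spellings (`javaScriptEnabled` beside `JavaScriptCanOpenWindowsAutomatically`), so use the property casing consistently (`javaScriptEnabled`, `javaScriptCanOpenWindowsAutomatically`, `hasOnlySecureContent`); and the anchor `./#hot-patching-enforced-updateing` contains a spelling slip that only works if the README heading carries the same slip, so verify the heading slug before merging. The `\*\*\*\*` fragments around the IPC sub-headings are the same GitBook empty-bold debris seen earlier in the file and should be removed.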