# iOS Pentesting ![](../.gitbook/assets/image%20\(9\)%20\(1\)%20\(2\).png) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## iOS Pentesting
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
## iOS Basics {% content-ref url="ios-basics.md" %} [ios-basics.md](ios-basics.md) {% endcontent-ref %} ## Testing Environment In this page you can find information about the **iOS simulator**, **emulators** and **jailbreaking:** {% content-ref url="ios-testing-environment.md" %} [ios-testing-environment.md](ios-testing-environment.md) {% endcontent-ref %} ## Initial Analysis ### Basic iOS Testing Operations During the testing **several operations are going to be suggested** (connect to the device, read/write/upload/download files, use some tools...). Therefore, if you don't know how to perform any of these actions please, **start reading the page**: {% content-ref url="basic-ios-testing-operations.md" %} [basic-ios-testing-operations.md](basic-ios-testing-operations.md) {% endcontent-ref %} {% hint style="info" %} For the following steps **the app should be installed** in the device and should have already obtained the **IPA file** of the application.\ Read the [Basic iOS Testing Operations](basic-ios-testing-operations.md) page to learn how to do this. {% endhint %} ### Basic Static Analysis It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file. Identification of **protections are present in the binary**: * **PIE (Position Independent Executable)**: When enabled, the application loads into a random memory address every-time it launches, making it harder to predict its initial memory address. ``` otool -hv | grep PIE # It should include the PIE flag ``` * **Stack Canaries**: To validate the integrity of the stack, a ‘canary’ value is placed on the stack before calling a function and is validated again once the function ends. ``` otool -I -v | grep stack_chk # It should include the symbols: stack_chk_guard and stack_chk_fail ``` * **ARC (Automatic Reference Counting)**: To prevent common memory corruption flaws ``` otool -I -v | grep objc_release # It should include the _objc_release symbol ``` * **Encrypted Binary**: The binary should be encrypted ``` otool -arch all -Vl | grep -A5 LC_ENCRYPT # The cryptid should be 1 ``` **Identification of Sensitive/Insecure Funcions** * **Weak Hashing Algorithms** ``` # On the iOS device otool -Iv | grep -w "_CC_MD5" otool -Iv | grep -w "_CC_SHA1" # On linux grep -iER "_CC_MD5" grep -iER "_CC_SHA1" ``` * **Insecure Random Functions** ``` # On the iOS device otool -Iv | grep -w "_random" otool -Iv | grep -w "_srand" otool -Iv | grep -w "_rand" # On linux grep -iER "_random" grep -iER "_srand" grep -iER "_rand" ``` * **Insecure ‘Malloc’ Function** ``` # On the iOS device otool -Iv | grep -w "_malloc" # On linux grep -iER "_malloc" ``` * **Insecure and Vulnerable Functions** ``` # On the iOS device otool -Iv | grep -w "_gets" otool -Iv | grep -w "_memcpy" otool -Iv | grep -w "_strncpy" otool -Iv | grep -w "_strlen" otool -Iv | grep -w "_vsnprintf" otool -Iv | grep -w "_sscanf" otool -Iv | grep -w "_strtok" otool -Iv | grep -w "_alloca" otool -Iv | grep -w "_sprintf" otool -Iv | grep -w "_printf" otool -Iv | grep -w "_vsprintf" # On linux grep -R "_gets" grep -iER "_memcpy" grep -iER "_strncpy" grep -iER "_strlen" grep -iER "_vsnprintf" grep -iER "_sscanf" grep -iER "_strtok" grep -iER "_alloca" grep -iER "_sprintf" grep -iER "_printf" grep -iER "_vsprintf" ``` ### Basic Dynamic Analysis Check out the dynamic analysis that [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) perform. You will need to navigate through the different views and interact with them but it will be hooking several classes on doing other things and will prepare a report once you are done. ### Listing Installed Apps When targeting apps that are installed on the device, you'll first have to figure out the correct bundle identifier of the application you want to analyze. You can use `frida-ps -Uai` to get all apps (`-a`) currently installed (`-i`) on the connected USB device (`-U`): ```bash $ frida-ps -Uai PID Name Identifier ---- ------------------- ----------------------------------------- 6847 Calendar com.apple.mobilecal 6815 Mail com.apple.mobilemail - App Store com.apple.AppStore - Apple Store com.apple.store.Jolly - Calculator com.apple.calculator - Camera com.apple.camera - iGoat-Swift OWASP.iGoat-Swift ``` ### Basic Enumeration & Hooking Learn how to **enumerate the components of the application** and how to easily **hook methods and classes** with objection: {% content-ref url="ios-hooking-with-objection.md" %} [ios-hooking-with-objection.md](ios-hooking-with-objection.md) {% endcontent-ref %} ### IPA Structure `.ipa` files are **zipped** **packages**, so you can change the extension to `.zip` and **decompress** them. A **complete** **packaged** app ready to be installed is commonly referred to as a **Bundle**.\ After decompressing them you should see `.app` , a zipped archive that contains the rest of the resources. * `Info.plist`: A file that contains some of the application specific configurations. * `_CodeSignature/` contains a plist file with a signature over all files in the bundle. * `Assets.car`: Another zipped archive that contains assets (icons). * `Frameworks/` contains the app native libraries as .dylib or .framework files. * `PlugIns/` may contain app extensions as .appex files (not present in the example). * [`Core Data`](https://developer.apple.com/documentation/coredata): It is used to save your application’s permanent data for offline use, to cache temporary data, and to add undo functionality to your app on a single device. To sync data across multiple devices in a single iCloud account, Core Data automatically mirrors your schema to a CloudKit container. * [`PkgInfo`](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/ConfigApplications.html): The `PkgInfo` file is an alternate way to specify the type and creator codes of your application or bundle. * **en.lproj, fr.proj, Base.lproj**: Are the language packs that contains resources for those specific languages, and a default resource in case a language isn' t supported. There are multiple ways to define the UI in an iOS application: _storyboard_, _nib_ or _xib_ files. **Info.plist** The information property list or `Info.plist` is the main source of information for an iOS app. It consists of a structured file containing **key-value** pairs describing essential configuration information about the app. Actually, all bundled executables (app extensions, frameworks and apps) are **expected to have** an `Info.plist` file. You can find all possible keys in the [**Apple Developer Documentation**](https://developer.apple.com/documentation/bundleresources/information\_property\_list?language=objc). The file might be formatted in **XML or binary (bplist)**. You can **convert it to XML** format with one simple command: * On macOS with `plutil`, which is a tool that comes natively with macOS 10.2 and above versions (no official online documentation is currently available): ```bash $ plutil -convert xml1 Info.plist ``` * On Linux: ```bash $ apt install libplist-utils $ plistutil -i Info.plist -o Info_xml.plist ``` Here's a non-exhaustive list of some info and the corresponding keywords that you can easily search for in the `Info.plist` file by just inspecting the file or by using `grep -i Info.plist`: * App permissions Purpose Strings: `UsageDescription` * Custom URL schemes: `CFBundleURLTypes` * Exported/imported _custom document types_: `UTExportedTypeDeclarations` / `UTImportedTypeDeclarations` * App Transport Security (ATS) configuration: `NSAppTransportSecurity` Please refer to the mentioned chapters to learn more about how to test each of these points. **Data Paths** On iOS, **system applications can be found in the `/Applications`** directory while **user-installed** apps are available under **`/private/var/containers/`**. However, finding the right folder just by navigating the file system is not a trivial task as **every app gets a random 128-bit UUID** (Universal Unique Identifier) assigned for its directory names. In order to easily obtain the installation directory information for user-installed apps you can use **objection's command `env`** will also show you all the directory information of the app: ```bash OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # env Name Path ----------------- ------------------------------------------------------------------------------------------- BundlePath /var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app CachesDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library/Caches DocumentDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents LibraryDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library ``` As you can see, apps have two main locations: * The **Bundle** **directory** (`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/`). * The **Data directory** (`/var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/`). These folders contain information that must be examined closely during application security assessments (for example when analyzing the stored data for sensitive data). **Bundle directory:** * **AppName.app** * This is the Application Bundle as seen before in the IPA, it contains essential application data, static content as well as the application's compiled binary. * This directory is visible to users, but **users can't write to it**. * Content in this directory is **not backed up**. * The contents of this folder are used to **validate the code signature**. **Data directory:** * **Documents/** * Contains all the user-generated data. The application end user initiates the creation of this data. * Visible to users and **users can write to it**. * Content in this directory is **backed up**. * The app can disable paths by setting `NSURLIsExcludedFromBackupKey`. * **Library/** * Contains all **files that aren't user-specific**, such as **caches**, **preferences**, **cookies**, and property list (plist) configuration files. * iOS apps usually use the `Application Support` and `Caches` subdirectories, but the app can create custom subdirectories. * **Library/Caches/** * Contains **semi-persistent cached files.** * Invisible to users and **users can't write to it**. * Content in this directory is **not backed up**. * The OS may delete this directory's files automatically when the app is not running and storage space is running low. * **Library/Application Support/** * Contains **persistent** **files** necessary for running the app. * **Invisible** **to** **users** and users can't write to it. * Content in this directory is **backed** **up**. * The app can disable paths by setting `NSURLIsExcludedFromBackupKey`. * **Library/Preferences/** * Used for storing properties that can **persist even after an application is restarted**. * Information is saved, unencrypted, inside the application sandbox in a plist file called \[BUNDLE\_ID].plist. * All the key/value pairs stored using `NSUserDefaults` can be found in this file. * **tmp/** * Use this directory to write **temporary files** that do not need to persist between app launches. * Contains non-persistent cached files. * **Invisible** to users. * Content in this directory is not backed up. * The OS may delete this directory's files automatically when the app is not running and storage space is running low. Let's take a closer look at iGoat-Swift's Application Bundle (.app) directory inside the Bundle directory (`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app`): ```bash OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # ls NSFileType Perms NSFileProtection ... Name ------------ ------- ------------------ ... -------------------------------------- Regular 420 None ... rutger.html Regular 420 None ... mansi.html Regular 420 None ... splash.html Regular 420 None ... about.html Regular 420 None ... LICENSE.txt Regular 420 None ... Sentinel.txt Regular 420 None ... README.txt ``` ### Binary Reversing Inside the `.app` folder you will find a binary file called ``. This is the file that will be **executed**. You can perform a basic inspection of the binary with the tool **`otool`**: ```bash otool -Vh DVIA-v2 #Check some compilation attributes magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 65 7112 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE otool -L DVIA-v2 #Get third party libraries DVIA-v2: /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1) /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0) /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11) @rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0) [...] ``` **Check if the app is encrypted** See if there is any output for: ```bash otool -l | grep -A 4 LC_ENCRYPTION_INFO ``` **Disassembling the binary** Disassemble the text section: ```bash otool -tV DVIA-v2 DVIA-v2: (__TEXT,__text) section +[DDLog initialize]: 0000000100004ab8 sub sp, sp, #0x60 0000000100004abc stp x29, x30, [sp, #0x50] ; Latency: 6 0000000100004ac0 add x29, sp, #0x50 0000000100004ac4 sub x8, x29, #0x10 0000000100004ac8 mov x9, #0x0 0000000100004acc adrp x10, 1098 ; 0x10044e000 0000000100004ad0 add x10, x10, #0x268 ``` To print the **Objective-C segment** of the sample application one can use: ```bash otool -oV DVIA-v2 DVIA-v2: Contents of (__DATA,__objc_classlist) section 00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog isa 0x1004423a8 _OBJC_METACLASS_$_DDLog superclass 0x0 _OBJC_CLASS_$_NSObject cache 0x0 __objc_empty_cache vtable 0x0 data 0x1003de748 flags 0x80 instanceStart 8 ``` In order to obtain a more compact Objective-C code you can use [**class-dump**](http://stevenygard.com/projects/class-dump/): ```bash class-dump some-app // // Generated by class-dump 3.5 (64 bit). // // class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard. // #pragma mark Named Structures struct CGPoint { double _field1; double _field2; }; struct CGRect { struct CGPoint _field1; struct CGSize _field2; }; struct CGSize { double _field1; double _field2; }; ``` However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/). ![](../.gitbook/assets/image%20\(9\)%20\(1\)%20\(2\).png) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## Data Storage To learn about how iOS stores data in the device read this page: {% content-ref url="ios-basics.md" %} [ios-basics.md](ios-basics.md) {% endcontent-ref %} {% hint style="warning" %} The following places to store information should be checked **right after installing the application**, **after checking all the functionalities** of the application and even after **login out from one user and login into a different one**.\ The goal is to find **unprotected sensitive information** of the application (passwords, tokens), of the current user and of previously logged users. {% endhint %} ### Plist **plist** files are structured XML files that **contains key-value pairs**. It's a way to store persistent data, so sometimes you may find **sensitive information in these files**. It's recommended to check these files after installing the app and after using intensively it to see if new data is written. The most common way to persist data in plist files is through the usage of **NSUserDefaults**. This plist file is saved inside the app sandbox in **`Library/Preferences/.plist`** The [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults) class provides a programmatic interface for interacting with the default system. The default system allows an application to customize its behaviour according to **user preferences**. Data saved by `NSUserDefaults` can be viewed in the application bundle. This class stores **data** in a **plist** **file**, but it's meant to be used with small amounts of data. This data cannot be longer accessed directly via a trusted computer, but can be accessed performing a **backup**. You can **dump** the information saved using **`NSUserDefaults`** using objection's `ios nsuserdefaults get` To find all the plist of used by the application you can access to `/private/var/mobile/Containers/Data/Application/{APPID}` and run: ```bash find ./ -name "*.plist" ``` The file might be formatted in **XML or binary (bplist)**. You can **convert it to XML** format with one simple command: * On macOS with `plutil`, which is a tool that comes natively with macOS 10.2 and above versions (no official online documentation is currently available): ```bash $ plutil -convert xml1 Info.plist ``` * On Linux: ```bash $ apt install libplist-utils $ plistutil -i Info.plist -o Info_xml.plist ``` * On an objection's session: ```bash ios plist cat /private/var/mobile/Containers/Data/Application/AF1F534B-1B8F-0825-ACB21-C0301AB7E56D/Library/Preferences/com.some.package.app.plist ``` ### Core Data [`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple\_ref/doc/uid/TP40001075-CH8-SW1) is a framework for managing the model layer of objects in your application. [Core Data can use SQLite as its persistent store](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), but the framework itself is not a database.\ CoreData does not encrypt it's data by default. However, an additional encryption layer can be added to CoreData. See the [GitHub Repo](https://github.com/project-imas/encrypted-core-data) for more details. You can find the SQLite Core Data information of an application in the path `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support` **If you can open the SQLite and access sensitive information, then you found a miss-configuration.** {% code title="Code from iGoat" %} ```objectivec -(void)storeDetails { AppDelegate * appDelegate = (AppDelegate *)(UIApplication.sharedApplication.delegate); NSManagedObjectContext *context =[appDelegate managedObjectContext]; User *user = [self fetchUser]; if (user) { return; } user = [NSEntityDescription insertNewObjectForEntityForName:@"User" inManagedObjectContext:context]; user.email = CoreDataEmail; user.password = CoreDataPassword; NSError *error; if (![context save:&error]) { NSLog(@"Error in saving data: %@", [error localizedDescription]); }else{ NSLog(@"data stored in core data"); } } ``` {% endcode %} ### YapDatabase [YapDatabase](https://github.com/yapstudios/YapDatabase) is a key/value store built on top of SQLite.\ As the Yap databases are sqlite databases you can find them using the purposed commend in the previous section. ### Other SQLite Databases It's common for applications to create their own sqlite database. They may be **storing** **sensitive** **data** on them and leaving it unencrypted. Therefore, it's always interesting to check every database inside the applications directory. Therefore go to the application directory where the data is saved (`/private/var/mobile/Containers/Data/Application/{APPID}`) ```bash find ./ -name "*.sqlite" -or -name "*.db" ``` ### Firebase Real-Time Databases It can be leveraged by application developers to s**tore and sync data with a NoSQL cloud-hosted database**. The data is stored as JSON and is synchronized in real-time to every connected client and also remains available even when the application goes offline. You can find how to check for misconfigured Firebase databases here: {% content-ref url="../../network-services-pentesting/pentesting-web/buckets/firebase-database.md" %} [firebase-database.md](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md) {% endcontent-ref %} ### Realm databases [Realm Objective-C](https://realm.io/docs/objc/latest/) and [Realm Swift](https://realm.io/docs/swift/latest/) aren't supplied by Apple, but they are still worth noting. They **store everything unencrypted, unless the configuration has encryption enabled**. You can find this databases in `/private/var/mobile/Containers/Data/Application/{APPID}` ```bash iPhone:/private/var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents root# ls default.realm default.realm.lock default.realm.management/ default.realm.note| $ find ./ -name "*.realm*" ``` You can use the tool [**Realm Studio**](https://github.com/realm/realm-studio) to open this database files. The following example demonstrates how to use encryption with a Realm database: ```swift // Open the encrypted Realm file where getKey() is a method to obtain a key from the Keychain or a server let config = Realm.Configuration(encryptionKey: getKey()) do { let realm = try Realm(configuration: config) // Use the Realm as normal } catch let error as NSError { // If the encryption key is wrong, `error` will say that it's an invalid database fatalError("Error opening realm: \(error)") } ``` ### Couchbase Lite Databases [Couchbase Lite](https://github.com/couchbase/couchbase-lite-ios) is a lightweight, embedded, document-oriented (NoSQL) database engine that can be synced. It compiles natively for iOS and macOS. Check for possible couchbase databases in `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support/` ### Cookies iOS store the cookies of the apps in the **`Library/Cookies/cookies.binarycookies`** inside each apps folder. However, developers sometimes decide to save them in the **keychain** as the mentioned **cookie file can be accessed in backups**. To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) or use\*\* objection's **`ios cookies get`.**\ **You can also use objection to** convert these files to a JSON\*\* format and inspect the data. ```bash ...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json [ { "domain": "highaltitudehacks.com", "expiresDate": "2051-09-15 07:46:43 +0000", "isHTTPOnly": "false", "isSecure": "false", "name": "username", "path": "/", "value": "admin123", "version": "0" } ] ``` ### Cache By default NSURLSession stores data, such as **HTTP requests and responses in the Cache.db** database. This database can contain **sensitive data**, if tokens, usernames or any other sensitive information has been cached. To find the cached information open the data directory of the app (`/var/mobile/Containers/Data/Application/`) and go to `/Library/Caches/`. The **WebKit cache is also being stored in the Cache.db** file. **Objection** can open and interact with the database with the command `sqlite connect Cache.db`, as it is a n**ormal SQLite database**. It is **recommended to disable Caching this data**, as it may contain sensitive information in the request or response. The following list below shows different ways of achieving this: 1. It is recommended to remove Cached responses after logout. This can be done with the provided method by Apple called [`removeAllCachedResponses`](https://developer.apple.com/documentation/foundation/urlcache/1417802-removeallcachedresponses) You can call this method as follows: `URLCache.shared.removeAllCachedResponses()` This method will remove all cached requests and responses from Cache.db file. 2. If you don't need to use the advantage of cookies it would be recommended to just use the [.ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) configuration property of URLSession, which will disable saving cookies and Caches. [Apple documentation](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral): `An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn’t store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.` 3. Cache can be also disabled by setting the Cache Policy to [.notAllowed](https://developer.apple.com/documentation/foundation/urlcache/storagepolicy/notallowed). It will disable storing Cache in any fashion, either in memory or on disk. ### Snapshots Whenever you press the home button, iOS **takes a snapshot of the current screen** to be able to do the transition to the application on a much smoother way. However, if **sensitive** **data** is present in the current screen, it will be **saved** in the **image** (which **persists** **across** **reboots**). These are the snapshots that you can also access double tapping the home screen to switch between apps. Unless the iPhone is jailbroken, the **attacker** needs to have **access** to the **device** **unblocked** to see these screenshots. By default the last snapshot is stored in the application's sandbox in `Library/Caches/Snapshots/` or `Library/SplashBoard/Snapshots` folder (the trusted computers can' t access the filesystem from iOX 7.0). Once way to prevent this bad behaviour is to put a blank screen or remove the sensitive data before taking the snapshot using the `ApplicationDidEnterBackground()` function. The following is a sample remediation method that will set a default screenshot. Swift: ```swift private var backgroundImage: UIImageView? func applicationDidEnterBackground(_ application: UIApplication) { let myBanner = UIImageView(image: #imageLiteral(resourceName: "overlayImage")) myBanner.frame = UIScreen.main.bounds backgroundImage = myBanner window?.addSubview(myBanner) } func applicationWillEnterForeground(_ application: UIApplication) { backgroundImage?.removeFromSuperview() } ``` Objective-C: ``` @property (UIImageView *)backgroundImage; - (void)applicationDidEnterBackground:(UIApplication *)application { UIImageView *myBanner = [[UIImageView alloc] initWithImage:@"overlayImage.png"]; self.backgroundImage = myBanner; self.backgroundImage.bounds = UIScreen.mainScreen.bounds; [self.window addSubview:myBanner]; } - (void)applicationWillEnterForeground:(UIApplication *)application { [self.backgroundImage removeFromSuperview]; } ``` This sets the background image to `overlayImage.png` whenever the application is backgrounded. It prevents sensitive data leaks because `overlayImage.png` will always override the current view. ### Keychain Tools like [**Keychain-Dumper**](https://github.com/ptoomey3/Keychain-Dumper) can be used to dump the keychain (the dive must be jailbroken).\ You can also use `ios keychain dump` from [**Objection**](https://github.com/sensepost/objection)**.** **NSURLCredential** **NSURLCredential** is the perfect class to **store username and password in the keychain**. No need to bother with NSUserDefaults nor any keychain wrapper.\ Once the user is logged in, you can\*\* store\*\* his username and password to the keychain: ```swift NSURLCredential *credential; credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent]; [[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential forProtectionSpace:self.loginProtectionSpace]; ``` You can use **Objection's** `ios nsurlcredentialstorage dump` to dump these secrets. ## Custom Keyboards/Keyboard Cache From iOS 8.0 Apple allows to install custom extensions for iOS like custom keyboards.\ The installed keyboards can be managed via **Settings** > **General** > **Keyboard** > **Keyboards**\ Custom keyboards can be used to **sniff** the **keystrokes** and send them to the attacker server. However, note that **custom keyboards requiring networking connectivity will be notified to the user.**\ Also, the **user can switch to a different** (more trusted) **keyboard** for introducing the credentials. Moreover, **applications can prevent its users from using custom keyboards** within the app (or at least for sensitive parts of the app). {% hint style="warning" %} It's recommended to not allow third party keyboards if you consider the users won't need them {% endhint %} Note that because of auto-correct and auto-suggestions, the default iOS keyboard will capture and store each non-standard word word in a cache file if the attribute **securetTextEntry** is not set to **true** or if **autoCorrectionType** is not set to **UITextAutoCorrectionTypeNo.** By default the keyboards **store this cache** inside the applications sandbox in `Library/Keyboard/{locale}-dynamic-text.dat` file or in `/private/var/mobile/Library/Keyboard/dynamic-text.dat`. However, it might be saving the dateaelsewhere.\ It's possible to reset the cache in _**Settings**_ > _**General**_ > _**Reset**_ > _**Reset Keyboard Dictionary**_ {% hint style="info" %} Therefore, **check always these files** and search for possible **sensitive** **information**.\ **Intercepting the network traffic** is another way to check if the custom keyboard is sending keystroked to a remote server. {% endhint %} The [UITextInputTraits protocol](https://developer.apple.com/reference/uikit/uitextinputtraits) is used for keyboard caching. The UITextField, UITextView, and UISearchBar classes automatically support this protocol and it offers the following properties: * `var autocorrectionType: UITextAutocorrectionType` determines whether autocorrection is enabled during typing. When autocorrection is enabled, the text object tracks unknown words and suggests suitable replacements, replacing the typed text automatically unless the user overrides the replacement. The default value of this property is `UITextAutocorrectionTypeDefault`, which for most input methods enables autocorrection. * `var secureTextEntry: BOOL` determines whether text copying and text caching are disabled and hides the text being entered for `UITextField`. The default value of this property is `NO`. **To identify this behaviour in the code:** * Search through the source code for similar implementations, such as ```objectivec textObject.autocorrectionType = UITextAutocorrectionTypeNo; textObject.secureTextEntry = YES; ``` * Open xib and storyboard files in the `Interface Builder` of Xcode and verify the states of `Secure Text Entry` and `Correction` in the `Attributes Inspector` for the appropriate object. The application must prevent the caching of sensitive information entered into text fields. You can prevent caching by disabling it programmatically, using the `textObject.autocorrectionType = UITextAutocorrectionTypeNo` directive in the desired UITextFields, UITextViews, and UISearchBars. For data that should be masked, such as PINs and passwords, set `textObject.secureTextEntry` to `YES`. ```objectivec UITextField *textField = [ [ UITextField alloc ] initWithFrame: frame ]; textField.autocorrectionType = UITextAutocorrectionTypeNo; ``` ## **Logs** The most common ways to debug code is using logging, and the application **may print sensitive information inside the logs**.\ In iOS version 6 and below, logs were world readable (a malicious app could read logs from other apps and extract sensitive information from there). **Nowadays, apps can only access their own logs**. However, an **attacker** with **physical** **access** to an **unlocked** device can connect it to a computer and **read the logs** (note that the logs written to disk by an app aren't removed if the app ins uninstalled). It's recommended to **navigate through all the screens** of the app and **interact** with **every** UI element and **functionality** of and provide input text in all text fields and **review the logs** looking for **sensitive** **information** exposed. Use the following keywords to check the app's source code for predefined and custom logging statements: * For predefined and built-in functions: * NSLog * NSAssert * NSCAssert * fprintf * For custom functions: * Logging * Logfile **Monitoring System Logs** Many apps log informative (and potentially sensitive) messages to the console log. The log also contains crash reports and other useful information. You can use these tools: ```bash idevice_id --list # To find the device ID idevicesyslog -u (| grep ) # To get the device logs ``` You can collect console logs through the Xcode **Devices** window as follows: 1. Launch Xcode. 2. Connect your device to your host computer. 3. Choose **Window** -> **Devices and Simulators**. 4. Click on your connected iOS device in the left section of the Devices window. 5. Reproduce the problem. 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window. ![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (15).png>) You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command: ```bash iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock ======================== ASL is here to serve you > watch OK Jun 7 13:42:14 iPhone chmod[9705] : MS:Notice: Injecting: (null) [chmod] (1556.00) Jun 7 13:42:14 iPhone readlink[9706] : MS:Notice: Injecting: (null) [readlink] (1556.00) Jun 7 13:42:14 iPhone rm[9707] : MS:Notice: Injecting: (null) [rm] (1556.00) Jun 7 13:42:14 iPhone touch[9708] : MS:Notice: Injecting: (null) [touch] (1556.00) ... ``` ![](../.gitbook/assets/image%20\(9\)%20\(1\)%20\(2\).png) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## Backups iOS includes auto-backup features that create copies of the data stored on the device. You can **make iOS backups** from your host computer by using iTunes (till macOS Catalina) or Finder (from macOS Catalina onwards), or via the iCloud backup feature. In both cases, the backup includes nearly all data stored on the iOS device except highly sensitive data such as Apple Pay information and Touch ID settings. Since iOS backs up installed apps and their data, an obvious concern is whether **sensitive user data** stored by the app might **unintentionally leak through the backup**. Another concern, though less obvious, is whether **sensitive configuration settings used to protect data or restrict app functionality could be tampered to change app behaviour after restoring a modified backup**. Both concerns are valid and these vulnerabilities have proven to exist in a vast number of apps today. A backup of a device on which a mobile application has been installed will include all subdirectories (except for `Library/Caches/`) and files in the [app's private directory](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple\_ref/doc/uid/TP40010672-CH2-SW12).\ Therefore, **avoid storing sensitive data in plaintext within any of the files or folders that are in the app's private directory or subdirectories**. Although all the files in `Documents/` and `Library/Application Support/` are always backed up by default, you can [exclude files from the backup](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple\_ref/doc/uid/TP40010672-CH2-SW28) by calling `NSURL setResourceValue:forKey:error:` with the `NSURLIsExcludedFromBackupKey` key.\ You can use the [NSURLIsExcludedFromBackupKey](https://developer.apple.com/reference/foundation/nsurl#//apple\_ref/c/data/NSURLIsExcludedFromBackupKey) and [CFURLIsExcludedFromBackupKey](https://developer.apple.com/reference/corefoundation/cfurl-rd7#//apple\_ref/c/data/kCFURLIsExcludedFromBackupKey) file system properties to exclude files and directories from backups. {% hint style="warning" %} Therefore when checking the backup of an application you should check if **any sensitive information** is accessible and if you can **modify any sensitive behaviour** of the application by **modifying some setting of the backup** and restoring the backup {% endhint %} **How to test** Start by **creating a backup of the device** (you can do it using Finder) and finding where is the backup stored. The official Apple documentation will help you to [locate backups of your iPhone, iPad, and iPod touch](https://support.apple.com/en-us/HT204215). Once you have found the backup of the device (`/Users/carlos.martin/Library/Application Support/MobileSync/Backup/{deviceID}`) you can start looking for sensitive information using grep for example, or using tools like [iMazing](https://imazing.com)). To identify if a backup is encrypted, you can check the key named "IsEncrypted" from the file "Manifest.plist", located at the root of the backup directory. The following example shows a configuration indicating that the backup is encrypted: ```markup ... Date 2021-03-12T17:43:33Z IsEncrypted ... ``` In case you need to work with an encrypted backup, there are some Python scripts in [DinoSec's GitHub repo](https://github.com/dinosec/iphone-dataprotection/tree/master/python\_scripts), such as **backup\_tool.py** and **backup\_passwd.py**, that will serve as a good starting point. However, note that they might not work with the latest iTunes/Finder versions and might need to be tweaked. You can also use the tool [**iOSbackup**](https://pypi.org/project/iOSbackup/) to easily read and extract files from a password-encrypted iOS backup. **How to modify the behaviour** In the open source bitcoin wallet app, [Bither](https://github.com/bither/bither-ios), you'll see that it's possible to configure a PIN to lock the UI.\ This is PIN is stored in the file `net.bither.plist` inside the **pin\_code** **key**.\ If you clear this key from that plist in the backup and restores the backup, you will be able to access the wallet. ## Testing Memory for Sensitive Data At some point sensitive information is going to be stored in memory. The objective is to make sure that this info is exposed as briefly as possible. To investigate an application's memory, first create a **memory dump**. Alternatively, you can **analyze the memory in real time** with, for example, a debugger. Regardless of the method you use, this is a very error-prone process because dumps provide the data left by executed functions and you might miss executing critical steps. In addition, overlooking data during analysis is quite easy to do unless you know the footprint of the data you're looking for (either its exact value or its format). For example, if the app encrypts according to a randomly generated symmetric key, you're very unlikely to spot the key in memory unless you find its value by other means. **Retrieving and Analyzing a Memory Dump** Wether you are using a jailbroken or a non-jailbroken device, you can dump the app's process memory with [objection](https://github.com/sensepost/objection) and [Fridump](https://github.com/Nightbringer21/fridump). After the memory has been dumped (e.g. to a file called "memory"), depending on the nature of the data you're looking for, you'll need a set of different tools to process and analyze that memory dump. For instance, if you're focusing on strings, it might be sufficient for you to execute the command `strings` or `rabin2 -zz` to extract those strings. ```bash # using strings $ strings memory > strings.txt # using rabin2 $ rabin2 -ZZ memory > strings.txt ``` Open `strings.txt` in your favorite editor and dig through it to identify sensitive information. However if you'd like to inspect other kind of data, you'd rather want to use radare2 and its search capabilities. See radare2's help on the search command (`/?`) for more information and a list of options. The following shows only a subset of them: ```bash $ r2 [0x00000000]> /? Usage: /[!bf] [arg] Search stuff (see 'e??search' for options) |Use io.va for searching in non virtual addressing spaces | / foo\x00 search for string 'foo\0' | /c[ar] search for crypto materials | /e /E.F/i match regular expression | /i foo search for string 'foo' ignoring case | /m[?][ebm] magicfile search for magic, filesystems or binary headers | /v[1248] value look for an `cfg.bigendian` 32bit value | /w foo search for wide string 'f\0o\0o\0' | /x ff0033 search for hex string | /z min max search for strings of given size ... ``` **Runtime Memory Analysis** By using [**r2frida**](https://github.com/nowsecure/r2frida) you can analyze and inspect the app's memory while running and without needing to dump it. For example, you may run the previous search commands from r2frida and search the memory for a string, hexadecimal values, etc. When doing so, remember to prepend the search command (and any other r2frida specific commands) with a backslash `\` after starting the session with `r2 frida://usb//`. ## Broken Cryptography ### Poor Key Management Processes Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information. ### Use of Insecure and/or Deprecated Algorithms Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt. ### Check The main checks to perform if to find if you can find **hardcoded** passwords/secrets in the code, or if those are **predictable**, and if the code is using some king of **weak** **cryptography** algorithms. It's interesting to know that you can **monitor** some **crypto** **libraries** automatically using **objection** with: ```swift ios monitor crypt ``` For **more information** about iOS cryptographic APIs and libraries access [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography) ## Local Authentication The tester should be aware that **local authentication should always be enforced at a remote endpoint** or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process. The [**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) \_\*\*\_provides a set of APIs for developers to extend an authentication dialog to a user. In the context of connecting to a remote service, it is possible (and recommended) to leverage the [keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) for implementing local authentication. The **fingerprint ID** sensor is operated by the [SecureEnclave security coprocessor](https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf) and does not expose fingerprint data to any other parts of the system. Next to Touch ID, Apple introduced _Face ID_: which allows authentication based on facial recognition. Developers have two options for incorporating Touch ID/Face ID authentication: * `LocalAuthentication.framework` is a high-level API that can be used to **authenticate the user via Touch ID**. The app can't access any data associated with the enrolled fingerprint and is notified only whether authentication was successful. * `Security.framework` is a lower level API to access [keychain services](https://developer.apple.com/documentation/security/keychain\_services). This is a secure option if your app needs to **protect some secret data with biometric authentication**, since the access control is managed on a system-level and can not easily be bypassed. `Security.framework` has a C API, but there are several [open source wrappers available](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id), making access to the keychain as simple as to NSUserDefaults. {% hint style="danger" %} Please be aware that using either the `LocalAuthentication.framework` or the `Security.framework`, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with. See [Don't touch me that way, by David Lindner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM) for more details. {% endhint %} ### Local Authentication Framework Developers can display an **authentication prompt** by utilizing the function **`evaluatePolicy`** of the **`LAContext`** class. Two available policies define acceptable forms of authentication: * `deviceOwnerAuthentication`(Swift) or `LAPolicyDeviceOwnerAuthentication`(Objective-C): When available, the user is prompted to perform Touch ID authentication. If Touch ID is not activated, the device passcode is requested instead. If the device passcode is not enabled, policy evaluation fails. * `deviceOwnerAuthenticationWithBiometrics` (Swift) or `LAPolicyDeviceOwnerAuthenticationWithBiometrics`(Objective-C): Authentication is restricted to biometrics where the user is prompted for Touch ID. The **`evaluatePolicy` function returns a boolean** value indicating whether the user has authenticated successfully. Which means that it can be easily bypassed (see below) ### Local Authentication using Keychain The **iOS keychain APIs can (and should) be used to implement local authentication**. During this process, the app stores either a secret authentication token or another piece of secret data identifying the user in the keychain. In order to authenticate to a remote service, the user must unlock the keychain using their passphrase or fingerprint to obtain the secret data. The keychain allows saving items with the special `SecAccessControl` attribute, which will allow access to the item from the keychain only after the user has passed Touch ID authentication (or passcode, if such a fallback is allowed by attribute parameters). In the following example we will save the string "test\_strong\_password" to the keychain. The string can be accessed only on the current device while the passcode is set (`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` parameter) and after Touch ID authentication for the currently enrolled fingers only (`SecAccessControlCreateFlags.biometryCurrentSet` parameter): {% tabs %} {% tab title="Swift" %} ```swift // 1. create AccessControl object that will represent authentication settings var error: Unmanaged? guard let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, SecAccessControlCreateFlags.biometryCurrentSet, &error) else { // failed to create AccessControl object return } // 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute var query: [String: Any] = [:] query[kSecClass as String] = kSecClassGenericPassword query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString query[kSecAttrAccount as String] = "OWASP Account" as CFString query[kSecValueData as String] = "test_strong_password".data(using: .utf8)! as CFData query[kSecAttrAccessControl as String] = accessControl // 3. save item let status = SecItemAdd(query as CFDictionary, nil) if status == noErr { // successfully saved } else { // error while saving } ``` {% endtab %} {% tab title="Objective-C" %} ```objectivec // 1. create AccessControl object that will represent authentication settings CFErrorRef *err = nil; SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlUserPresence, err); // 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute NSDictionary* query = @{ (_ _bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrLabel: @"com.me.myapp.password", (__bridge id)kSecAttrAccount: @"OWASP Account", (__bridge id)kSecValueData: [@"test_strong_password" dataUsingEncoding:NSUTF8StringEncoding], (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacRef }; // 3. save item OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, nil); if (status == noErr) { // successfully saved } else { // error while saving } ``` {% endtab %} {% endtabs %} Now we can request the saved item from the keychain. Keychain services will present the authentication dialog to the user and return data or nil depending on whether a suitable fingerprint was provided or not. {% tabs %} {% tab title="Swift" %} ```swift // 1. define query var query = [String: Any]() query[kSecClass as String] = kSecClassGenericPassword query[kSecReturnData as String] = kCFBooleanTrue query[kSecAttrAccount as String] = "My Name" as CFString query[kSecAttrLabel as String] = "com.me.myapp.password" as CFString query[kSecUseOperationPrompt as String] = "Please, pass authorisation to enter this area" as CFString // 2. get item var queryResult: AnyObject? let status = withUnsafeMutablePointer(to: &queryResult) { SecItemCopyMatching(query as CFDictionary, UnsafeMutablePointer($0)) } if status == noErr { let password = String(data: queryResult as! Data, encoding: .utf8)! // successfully received password } else { // authorization not passed } ``` {% endtab %} {% tab title="Objective-C" %} ```objectivec // 1. define query NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecReturnData: @YES, (__bridge id)kSecAttrAccount: @"My Name1", (__bridge id)kSecAttrLabel: @"com.me.myapp.password", (__bridge id)kSecUseOperationPrompt: @"Please, pass authorisation to enter this area" }; // 2. get item CFTypeRef queryResult = NULL; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &queryResult); if (status == noErr){ NSData* resultData = ( __bridge_transfer NSData* )queryResult; NSString* password = [[NSString alloc] initWithData:resultData encoding:NSUTF8StringEncoding]; NSLog(@"%@", password); } else { NSLog(@"Something went wrong"); } ``` {% endtab %} {% endtabs %} ### Detection Usage of frameworks in an app can also be detected by analyzing the app binary's list of shared dynamic libraries. This can be done by using `otool`: ```bash $ otool -L .app/ ``` If `LocalAuthentication.framework` is used in an app, the output will contain both of the following lines (remember that `LocalAuthentication.framework` uses `Security.framework` under the hood): ```bash /System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication /System/Library/Frameworks/Security.framework/Security ``` If `Security.framework` is used, only the second one will be shown. ### Local Authentication Framework Bypass #### Objection \*\*\*\*[**Objection Biometrics Bypass**](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass) \*\*\*\* can be used to bypass LocalAuthentication. Objection **uses Frida to instrument the `evaluatePolicy` function so that it returns `True`** even if authentication was not successfully performed. Use the `ios ui biometrics_bypass` command to bypass the insecure biometric authentication. Objection will register a job, which will replace the `evaluatePolicy` result. It will work in both, Swift and Objective-C implementations. ```bash ...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass (agent) Registering job 3mhtws9x47q. Type: ios-biometrics-disable ...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # (agent) [3mhtws9x47q] Localized Reason for auth requirement: Please authenticate yourself (agent) [3mhtws9x47q] OS authentication response: false (agent) [3mhtws9x47q] Marking OS response as True instead (agent) [3mhtws9x47q] Biometrics bypass hook complete ``` If vulnerable, the module will automatically bypass the login form. #### Frida An example of a use of **`evaluatePolicy`** from [DVIA-v2 application](https://github.com/prateek147/DVIA-v2): ```swift +(void)authenticateWithTouchID { LAContext *myContext = [[LAContext alloc] init]; NSError *authError = nil; NSString *myLocalizedReasonString = @"Please authenticate yourself"; if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) { [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:myLocalizedReasonString reply:^(BOOL success, NSError *error) { if (success) { dispatch_async(dispatch_get_main_queue(), ^{ [TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"]; }); } else { dispatch_async(dispatch_get_main_queue(), ^{ [TouchIDAuthentication showAlert:@"Authentication Failed !" withTitle:@"Error"]; }); } }]; } else { dispatch_async(dispatch_get_main_queue(), ^{ [TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"]; }); } } ``` To bypass the Local Authentication, we have to write a Frida script that **bypasses** the aforementioned _**evaluatePolicy** \_ check. As you can see in the above-pasted code snippet, the **evaluatePolicy** uses a **callback** that determines the **result**. So, the easiest way to achieve the hack is to intercept that callback and make sure it \*\*always returns the \*\*_**success=1**\_. ```swift // from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/ if(ObjC.available) { console.log("Injecting..."); var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"]; Interceptor.attach(hook.implementation, { onEnter: function(args) { var block = new ObjC.Block(args[4]); const callback = block.implementation; block.implementation = function (error, value) { console.log("Changing the result value to true") const result = callback(1, null); return result; }; }, }); } else { console.log("Objective-C Runtime is not available!"); } ``` ``` frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-ios.js ``` ## Sensitive Functionality Exposure Through IPC ### Custom URI Handlers / Deeplinks / Custom Schemes {% content-ref url="ios-custom-uri-handlers-deeplinks-custom-schemes.md" %} [ios-custom-uri-handlers-deeplinks-custom-schemes.md](ios-custom-uri-handlers-deeplinks-custom-schemes.md) {% endcontent-ref %} ### Universal Links {% content-ref url="ios-universal-links.md" %} [ios-universal-links.md](ios-universal-links.md) {% endcontent-ref %} ### UIActivity Sharing {% content-ref url="ios-uiactivity-sharing.md" %} [ios-uiactivity-sharing.md](ios-uiactivity-sharing.md) {% endcontent-ref %} ### UIPasteboard {% content-ref url="ios-uipasteboard.md" %} [ios-uipasteboard.md](ios-uipasteboard.md) {% endcontent-ref %} ### App Extensions {% content-ref url="ios-app-extensions.md" %} [ios-app-extensions.md](ios-app-extensions.md) {% endcontent-ref %} ### WebViews {% content-ref url="ios-webviews.md" %} [ios-webviews.md](ios-webviews.md) {% endcontent-ref %} ### Serialisation and Encoding {% content-ref url="ios-serialisation-and-encoding.md" %} [ios-serialisation-and-encoding.md](ios-serialisation-and-encoding.md) {% endcontent-ref %} ## Network Communication It's important to check that no communication is occurring **without encryption** and also that the application is correctly **validating the TLS certificate** of the server.\ To check these kind of issues you can use a proxy like **Burp**: {% content-ref url="burp-configuration-for-ios.md" %} [burp-configuration-for-ios.md](burp-configuration-for-ios.md) {% endcontent-ref %} ### Hostname check One common issue validating the TLS certificate is to check that the certificate was signed by a **trusted** **CA**, but **not check** if **the hostname** of the certificate is the hostname being accessed.\ In order to check this issue using Burp, after trusting Burp CA in the iPhone, you can **create a new certificate with Burp for a different hostname** and use it. If the application still works, then, something it's vulnerable. ### Certificate Pinning If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**\ In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) or install \[**Burp Mobile Assistant\_\*]\(\_**[**https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\\**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)/)\* You can also use **objection's** `ios sslpinning disable` ## Misc * In **`/System/Library`** you can find the frameworks installed in the phone used by system applications * The applications installed by the user from the App Store are located inside **`/User/Applications`** * And the **`/User/Library`** contains data saved by the user level applications * You can access **`/User/Library/Notes/notes.sqlite`** to read the notes saved inside the application. * Inside the folder of an installed application (**`/User/Applications//`**) you can find some interesting files: * **`iTunesArtwork`**: The icon used by the app * **`iTunesMetadata.plist`**: Info of the app used in the App Store * **`/Library/*`**: Contains the preferences and cache. In **`/Library/Cache/Snapshots/*`** you can find the snapshot performed to the application before sending it to the background. ### Hot Patching/Enforced Updateing The developers can remotely **patch all installations of their app instantly** without having to resubmit the application to the App store and wait until it's approved.\ For this purpose it's usually use [**JSPatch**](https://github.com/bang590/JSPatch)**.** But there are other options also such as [Siren](https://github.com/ArtSabintsev/Siren) and [react-native-appstore-version-checker](https://www.npmjs.com/package/react-native-appstore-version-checker).\ **This is a dangerous mechanism that could be abused by malicious third party SDKs therefore it's recommended to check which method is used to automatic updating (if any) and test it.** You could try to download a previous version of the app for this purpose. ### Third Parties One problem of 3rd party SDKs is that there is **no granular control over the features offered by the SDK**. You could sue the SDK and have all features (including diagnostic leaks and insecure HTTP connections), or not use it. Also, usually it's no possible for the applications developers to **patch a vulnerability** on the SDK.\ Moreover some SDKs start **containing malware once they are very trusted** by the community. Besides, the features these services provide can involve t**racking services to monitor the user's behaviour** while using the app, selling banner advertisements, or improving the user experience. The downside to third-party services is that developers don't know the details of the code executed via third-party libraries. Consequently, no more information than is necessary should be sent to a service, and no sensitive information should be disclosed. The downside is that a **developer doesn’t know in detail what code is executed via 3rd party libraries** and therefore giving up visibility. Consequently it should be ensured that not more than the information needed is sent to the service and that no sensitive information is disclosed. Most third-party services are implemented in two ways: * with a standalone library * with a full SDK All data that's sent to third-party services should be anonymized to prevent exposure of PII (Personal Identifiable Information) that would allow the third party to identify the user account. You can find the **libraries used by an application** by running **`otool`** against the app (and **running** it **against** **each** shared **library** to find more shared libraries used). ## **References** * [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering) * [iOS & Mobile App Pentesting - INE](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting) ## More Information * [https://github.com/ivRodriguezCA/RE-iOS-Apps/](https://github.com/ivRodriguezCA/RE-iOS-Apps/) IOS free course([https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/](https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/)) * [https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577](https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577) * [https://www.slideshare.net/RyanISI/ios-appsecurityminicourse](https://www.slideshare.net/RyanISI/ios-appsecurityminicourse) * [https://github.com/prateek147/DVIA](https://github.com/prateek147/DVIA) * [https://github.com/prateek147/DVIA-v2](https://github.com/prateek147/DVIA-v2) * [https://github.com/OWASP/MSTG-Hacking-Playground%20](https://github.com/OWASP/MSTG-Hacking-Playground) * OWASP iGoat [_https://github.com/OWASP/igoat_](https://github.com/OWASP/igoat) <<< Objective-C version [_https://github.com/OWASP/iGoat-Swift_](https://github.com/OWASP/iGoat-Swift) <<< Swift version * [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) * [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2) ![](../.gitbook/assets/image%20\(9\)%20\(1\)%20\(2\).png) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).