# Orodha ya Uchunguzi wa iOS Pentesting

<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia mifumo ya kazi** kwa urahisi ikiwa na zana za **jamii ya juu zaidi** duniani.\
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

**Kikundi cha Usalama cha Kujaribu Kwa Bidii**

<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

***

### Maandalizi

* [ ] Soma [**Misingi ya iOS**](ios-pentesting/ios-basics.md)
* [ ] Andaa mazingira yako kwa kusoma [**Mazingira ya Majaribio ya iOS**](ios-pentesting/ios-testing-environment.md)
* [ ] Soma sehemu zote za [**Uchambuzi wa Awali wa iOS**](ios-pentesting/#initial-analysis) kujifunza hatua za kawaida za kudukua programu ya iOS

### Uhifadhi wa Data

* [ ] [**Faili za Plist**](ios-pentesting/#plist) zinaweza kutumika kuhifadhi habari nyeti.
* [ ] [**Core Data**](ios-pentesting/#core-data) (database ya SQLite) inaweza kuhifadhi habari nyeti.
* [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (database ya SQLite) inaweza kuhifadhi habari nyeti.
* [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) usio sahihi.
* [ ] [**Databases za Realm**](ios-pentesting/#realm-databases) zinaweza kuhifadhi habari nyeti.
* [ ] [**Databases za Couchbase Lite**](ios-pentesting/#couchbase-lite-databases) zinaweza kuhifadhi habari nyeti.
* [ ] [**Vidakuzi vya Binary**](ios-pentesting/#cookies) vinaweza kuhifadhi habari nyeti
* [ ] [**Data ya Cache**](ios-pentesting/#cache) inaweza kuhifadhi habari nyeti
* [ ] [**Vipande vya moja kwa moja**](ios-pentesting/#snapshots) vinaweza kuokoa habari nyeti ya kuona
* [ ] [**Keychain**](ios-pentesting/#keychain) kawaida hutumika kuhifadhi habari nyeti ambayo inaweza kuachwa wakati wa kuuza simu.
* [ ] Kwa muhtasari, tu **angalia habari nyeti iliyohifadhiwa na programu kwenye mfumo wa faili**

### Vibodi

* [ ] Je! Programu inaruhusu kutumia [**vibodi vya desturi**](ios-pentesting/#custom-keyboards-keyboard-cache)?
* [ ] Angalia ikiwa habari nyeti imesave katika [**faili za vibodi**](ios-pentesting/#custom-keyboards-keyboard-cache)

### **Kumbukumbu**

* [ ] Angalia ikiwa [**habari nyeti inalogwa**](ios-pentesting/#logs)

### Nakala za Akiba

* [ ] [**Nakala za Akiba**](ios-pentesting/#backups) zinaweza kutumika kwa **kupata habari nyeti** iliyohifadhiwa kwenye mfumo wa faili (angalia hatua ya awali ya orodha hii)
* [ ] Pia, [**nakala za akiba**](ios-pentesting/#backups) zinaweza kutumika kubadilisha baadhi ya mipangilio ya programu, kisha **kurejesha** nakala ya akiba kwenye simu, na kwa hivyo **mipangilio iliyobadilishwa** inapobebwa, baadhi ya (usalama) **kazi** inaweza **kipuuzwa**

### **Kumbukumbu za Programu**

* [ ] Angalia habari nyeti ndani ya [**kumbukumbu za programu**](ios-pentesting/#testing-memory-for-sensitive-data)

### **Kudukua Kriptografia**

* [ ] Angalia ikiwa unaweza kupata [**nywila zilizotumiwa kwa kriptografia**](ios-pentesting/#broken-cryptography)
* [ ] Angalia matumizi ya [**algorithms zilizopitwa/zwafu**](ios-pentesting/#broken-cryptography) kutuma/kuhifadhi data nyeti
* [ ] [**Kufunga na kufuatilia kazi za kriptografia**](ios-pentesting/#broken-cryptography)

### **Uthibitishaji wa Kienyeji**

* [ ] Ikiwa [**uthibitishaji wa kienyeji**](ios-pentesting/#local-authentication) unatumika kwenye programu, unapaswa kuangalia jinsi uthibitishaji unavyofanya kazi.
* [ ] Ikiwa inatumia [**Itifaki ya Uthibitishaji wa Kienyeji**](ios-pentesting/#local-authentication-framework) inaweza kudukuliwa kwa urahisi
* [ ] Ikiwa inatumia [**kazi inayoweza kudukuliwa kwa kienyeji**](ios-pentesting/#local-authentication-using-keychain) unaweza kuunda skripti ya frida ya desturi

### Kufichua Kazi Nyeti Kupitia IPC

* [**Wakala wa URI wa Desturi / Viungo vya Kina / Mipango ya Desturi**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)
* [ ] Angalia ikiwa programu ina **kujiandikisha itifaki/itifaki**
* [ ] Angalia ikiwa programu ina **kujiandikisha kutumia** itifaki/itifaki yoyote
* [ ] Angalia ikiwa programu ina **tarajia kupokea aina yoyote ya habari nyeti** kutoka kwa mpango wa desturi ambao unaweza **kutekwa** na programu nyingine inayojiandikisha itifaki sawa
* [ ] Angalia ikiwa programu **haichunguzi na kusafisha** matokeo ya mtumiaji kupitia mpango wa desturi na baadhi ya **udhaifu unaweza kutumiwa**
* [ ] Angalia ikiwa programu **inafichua hatua yoyote nyeti** inayoweza kuitwa kutoka mahali popote kupitia mpango wa desturi
* [**Viungo vya Kila mahali**](ios-pentesting/#universal-links)
* [ ] Angalia ikiwa programu ina **kujiandikisha itifaki/itifaki ya kila mahali**
* [ ] Angalia faili ya `apple-app-site-association`
* [ ] Angalia ikiwa programu **haichunguzi na kusafisha** matokeo ya mtumiaji kupitia mpango wa desturi na baadhi ya **udhaifu unaweza kutumiwa**
* [ ] Angalia ikiwa programu **inafichua hatua yoyote nyeti** inayoweza kuitwa kutoka mahali popote kupitia mpango wa desturi
* [**Kushiriki Kupitia UIActivity**](ios-pentesting/ios-uiactivity-sharing.md)
* [ ] Angalia ikiwa programu inaweza kupokea UIActivities na ikiwa ni rahisi kutumia udhaifu wowote na shughuli iliyoundwa kwa umakini
* [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)
* [ ] Angalia ikiwa programu ina **kuchapisha kitu chochote kwenye ubao wa kawaida**
* [ ] Angalia ikiwa programu ina **tumia data kutoka kwa ubao wa kawaida kwa kitu chochote**
* [ ] Fuatilia ubao wa kubandika kuona ikiwa kuna **data nyeti inayochapishwa**
* [**Vipanuzi vya Programu**](ios-pentesting/ios-app-extensions.md)
* [ ] Je! Programu inatumia **kipanuzi chochote**?
* [**WebViews**](ios-pentesting/ios-webviews.md)
* [ ] Angalia aina gani ya webviews inatumika
* [ ] Angalia hali ya **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
* [ ] Angalia ikiwa webview inaweza **kufikia faili za ndani** kwa itifaki **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
* [ ] Angalia ikiwa Javascript inaweza kufikia **njia za Asili** (`JSContext`, `postMessage`)
### Mawasiliano ya Mtandao

* [ ] Fanya [**MitM kwa mawasiliano**](ios-pentesting/#network-communication) na utafute mapungufu ya wavuti.
* [ ] Angalia kama [**jina la mwenyeji wa cheti**](ios-pentesting/#hostname-check) limehakikiwa
* [ ] Angalia/Pitisha [**Certificate Pinning**](ios-pentesting/#certificate-pinning)

### **Mbalimbali**

* [ ] Angalia [**njia za kiotomatiki za kusasisha**](ios-pentesting/#hot-patching-enforced-updateing)
* [ ] Angalia [**maktaba za tatu zenye nia mbaya**](ios-pentesting/#third-parties)

**Kikundi cha Usalama cha Try Hard**

<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia kiotomatiki** zana za jamii za **juu zaidi** duniani.\
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}