# iOS Pentesting Checklist
\ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ### Preparation * [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md) * [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md) * [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application ### Data Storage * [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information. * [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information. * [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information. * [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration. * [ ] [**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information. * [ ] [**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information. * [ ] [**Binary cookies**](ios-pentesting/#cookies) can store sensitive information * [ ] [**Cache data**](ios-pentesting/#cache) can store sensitive information * [ ] [**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information * [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone. * [ ] In summary, just **check for sensitive information saved by the application in the filesystem** ### Keyboards * [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)? * [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache) ### **Logs** * [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs) ### Backups * [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist) * [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed** ### **Applications Memory** * [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data) ### **Broken Cryptography** * [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography) * [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data * [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography) ### **Local Authentication** * [ ] If a [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working. * [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) it could be easily bypassed * [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script ### Sensitive Functionality Exposure Through IPC * [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes) * [ ] Check if the application is **registering any protocol/scheme** * [ ] Check if the application is **registering to use** any protocol/scheme * [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited** * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme * [**Universal Links**](ios-pentesting/#universal-links) * [ ] Check if the application is **registering any universal protocol/scheme** * [ ] Check the `apple-app-site-association` file * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited** * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme * [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md) * [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity * [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md) * [ ] Check if the application if **copying anything to the general pasteboard** * [ ] Check if the application if **using the data from the general pasteboard for anything** * [ ] Monitor the pasteboard to see if any **sensitive data is copied** * [**App Extensions**](ios-pentesting/ios-app-extensions.md) * [ ] Is the application **using any extension**? * [**WebViews**](ios-pentesting/ios-webviews.md) * [ ] Check which kind of webviews are being used * [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`** * [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`) * [ ] Check if Javascript can access **Native** **methods** (`JSContext`, `postMessage`) ### Network Communication * [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities. * [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked * [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning) ### **Misc** * [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms * [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties) {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
\ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}