# iOS Pentesting ## Privilege Separation and Sandbox Applications the user can access run as the **mobile** user while critical system processes run as **root**. However, the sandbox allows better control over actions that processes and applications can perform. For example, even if two processes run as the same user \(mobile\), they are **not allowed to access or modify each other's data**. Each application is installed under **`private/var/mobile/Applications/{random ID}`** Once installed, applications have limited read access to some system areas and functions \(SMS, phone call...\). If an application wants to access a **protected area,** a **pop-up requesting permission** appears. ## Jailbreaking Apple strictly requires that the code running on the iPhone must be **signed by a certificate issued by Apple**. **Jailbreaking** is the process of actively **circumventing such restrictions** and other security controls put in places by the OS. Therefore, once the device is jailbroken, the **integrity check** which is responsible for checking apps being installed is patched so it is **bypassed**. {% hint style="info" %} Unlike Android, **you cannot switch to "Developer Mode"** in iOS to run unsigned/untrusted code on the device. {% endhint %} The most important side effect of Jailbreaking is that it **removes any sandboxing put in place by the OS**. Therefore, any **app on the device can read any file** on the filesystem, including other apps files, cookies and keychain. A jailbroken device allows users to **install unapproved apps** and leverage **more APIs**, which otherwise aren't accessible. There are 2 types of jailbreaks: * **Tethered**: Temporary jailbreak that requires the device to be connected to a computer every-time the device needs a restart. The jailbreak is reversed otherwise. * **Untethered**: Rebooting the device does not reset the jailbreak. **For regular users it's not recommended to jailbreak the mobile. Note also that updating the OS removes the effect of jailbreaking.** ## **Simulator** All the tools required to build and support an iOS app are **only officially supported on Mac OS**. Apple's de facto tool for creating/debugging/instrumenting iOS applications is **Xcode**. It can be used to download other components such as **simulators** and different **SDK** **versions** required to build and **test** your app. It's highly recommended to **download** Xcode from the **official app store**. Other versions may be carrying malware. The simulator files can be found in `/Users//Library/Developer/CoreSimulator/Devices` To open the simulator, run Xcode, then press in the _Xcode tab_ --> _Open Developer tools_ --> _Simulator_ In the following image clicking in "iPod touch \[...\]" you can select other device to test in: ![](../.gitbook/assets/image%20%28459%29.png) ![](../.gitbook/assets/image%20%28460%29.png) ## Apple Developer Program A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**. Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ \(Add new Appli ID you your credentials\) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ \(Apple Development\) --> _Done_ Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**". Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**. ## Obfuscation Unlike an Android Application, the binary of an iOS app **can only be disassembled** and not decompiled. When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary**. So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks. However, note that there are other **third party software that can be used to obfuscate** the resulting binaries. ## Testing ### Storage Access You can use [**iFunBox**](https://www.i-funbox.com/en/page-download.html) to access the all the storage inside an application sandbox/folder {% hint style="info" %} Starting in iOS version 8.4, Apple has **restricted the third-party managers to access to the application sandbox**, so tools like iFunbox and iExplorer no longer display/retrieve files from apps installed on the device if the device isn't jailbroken. {% endhint %} ### Burp Proxy Configuration {% page-ref page="burp-configuration-for-ios.md" %}