# iOS Pentesting Checklist
### Preparation
* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
* [ ] Prepare your environment by reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn the common steps for pentesting an iOS application
### Data Storage
* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
* [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information.
* [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information.
* [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) misconfiguration.
* [ ] [**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information.
* [ ] [**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information.
* [ ] [**Binary cookies**](ios-pentesting/#cookies) can store sensitive information
* [ ] [**Cache data**](ios-pentesting/#cache) can store sensitive information
* [ ] [**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information
* [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can remain on the phone when it is resold.
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
### Keyboards
* [ ] Does the application allow the use of [**custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
* [ ] Check whether sensitive information is saved in the [**keyboard cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)
### **Logs**
* [ ] Check whether [**sensitive information is being logged**](ios-pentesting/#logs)
### Backups
* [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the filesystem (check the first item of this checklist)
* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to modify some of the application's configuration and then **restore** the backup on the phone; once the **modified configuration** is **loaded**, some (security) **functionality** may be **bypassed**
### **Application Memory**
* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)
### **Broken Cryptography**
* [ ] Check whether you can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)
* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
* [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)
### **Local Authentication**
* [ ] If [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication works.
* [ ] If it uses the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework), it could be easily bypassed
* [ ] If it uses a [**function that can be dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain), you could create a custom frida script
### Sensitive Functionality Exposure Through IPC
* [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)
  * [ ] Check whether the application is **registering any protocol/scheme**
  * [ ] Check whether the application is **registering to use** any protocol/scheme
  * [ ] Check whether the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by another application registering the same scheme
  * [ ] Check whether the application **isn't checking and sanitizing** user input via the custom scheme, so that some **vulnerability can be exploited**
  * [ ] Check whether the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**Universal Links**](ios-pentesting/#universal-links)
  * [ ] Check whether the application is **registering any universal protocol/scheme**
  * [ ] Check the `apple-app-site-association` file
  * [ ] Check whether the application **isn't checking and sanitizing** user input via the custom scheme, so that some **vulnerability can be exploited**
  * [ ] Check whether the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)
  * [ ] Check whether the application can receive UIActivities and whether any vulnerability can be exploited with a specially crafted activity
* [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)
  * [ ] Check whether the application is **copying anything to the general pasteboard**
  * [ ] Check whether the application is **using data from the general pasteboard for anything**
  * [ ] Monitor the pasteboard to see whether any **sensitive data is copied**
* [**App Extensions**](ios-pentesting/ios-app-extensions.md)
  * [ ] Is the application **using any extension**?
* [**WebViews**](ios-pentesting/ios-webviews.md)
  * [ ] Check which kind of webviews are being used
  * [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
  * [ ] Check whether the webview can **access local files** with the **file://** protocol **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
  * [ ] Check whether JavaScript can access **Native methods** (`JSContext`, `postMessage`)
### Network Communication
* [ ] Perform a [**MitM on the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
* [ ] Check whether the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)
### **Misc**
* [ ] Check for [**automatic patching/updating mechanisms**](ios-pentesting/#hot-patching-enforced-updateing)
* [ ] Check for [**malicious third-party libraries**](ios-pentesting/#third-parties)