9.6 KiB
iOS Pentesting Checklist
{% hint style="danger" %}
Through Security Skills as a Service, we help organizations to defend against the Dark Hacking Arts. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering high-quality penetration testing results. Security Hubs bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a complete assessment of any risks.
{% embed url="https://securityhubs.io/" %} {% endhint %}
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
Preparation
- Read iOS Basics
- Prepare your environment reading iOS Testing Environment
- Read all the sections of iOS Initial Analysis to learn common actions to pentest an iOS application
Data Storage
- Plist files can be used to store sensitive information.
- Core Data (SQLite database) can store sensitive information.
- YapDatabases (SQLite database) can store sensitive information.
- Firebase miss-configuration.
- Realm databases can store sensitive information.
- Couchbase Lite databases can store sensitive information.
- Binary cookies can store sensitive information
- Cache data can store sensitive information
- Automatic snapshots can save visual sensitive information
- Keychain is usually used to store sensitive information that can be left when reselling the phone.
- In summary, just check for sensitive information saved by the application in the filesystem
Keyboards
- Does the application allow to use custom keyboards?
- Check if sensitive information is saved in the keyboards cache files
Logs
Backups
- Backups can be used to access the sensitive information saved in the file system (check the initial point of this checklist)
- Also, backups can be used to modify some configurations of the application, then restore the backup on the phone, and the as the modified configuration is loaded some (security) functionality may be bypassed
Applications Memory
- Check for sensitive information inside the application's memory
Broken Cryptography
- Check if yo can find passwords used for cryptography
- Check for the use of deprecated/weak algorithms to send/store sensitive data
- Hook and monitor cryptography functions
Local Authentication
- If a local authentication is used in the application, you should check how the authentication is working.
- If it's using the Local Authentication Framework it could be easily bypassed
- If it's using a function that can dynamically bypassed you could create a custom frida script
Sensitive Functionality Exposure Through IPC
- Custom URI Handlers / Deeplinks / Custom Schemes
- Check if the application is registering any protocol/scheme
- Check if the application is registering to use any protocol/scheme
- Check if the application expects to receive any kind of sensitive information from the custom scheme that can be intercepted by the another application registering the same scheme
- Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited
- Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme
- Universal Links
- Check if the application is registering any universal protocol/scheme
- Check the
apple-app-site-association
file - Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited
- Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme
- UIActivity Sharing
- Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
- UIPasteboard
- Check if the application if copying anything to the general pasteboard
- Check if the application if using the data from the general pasteboard for anything
- Monitor the pasteboard to see if any sensitive data is copied
- App Extensions
- Is the application using any extension?
- WebViews
- Check which kind of webviews are being used
- Check the status of
javaScriptEnabled
,JavaScriptCanOpenWindowsAutomatically
,hasOnlySecureContent
- Check if the webview can access local files with the protocol file:// (
allowFileAccessFromFileURLs
,allowUniversalAccessFromFileURLs
) - Check if Javascript can access Native methods (
JSContext
,postMessage
)
Network Communication
- Perform a MitM to the communication and search for web vulnerabilities.
- Check if the hostname of the certificate is checked
- Check/Bypass Certificate Pinning
Misc
- Check for automatic patching/updating mechanisms
- Check for malicious third party libraries
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
{% hint style="danger" %}
Through Security Skills as a Service, we help organizations to defend against the Dark Hacking Arts. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering high-quality penetration testing results. Security Hubs bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a complete assessment of any risks.
{% embed url="https://securityhubs.io/" %} {% endhint %}