mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 06:30:37 +00:00
98 lines
7.5 KiB
Markdown
98 lines
7.5 KiB
Markdown
# iOS Pentesting Checklist
|
|
|
|
{% hint style="danger" %}
|
|
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?
|
|
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
|
|
{% endhint %}
|
|
|
|
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
|
|
|
|
### Preparation
|
|
|
|
* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)\*\*\*\*
|
|
* [ ] Prepare your environment reading ****[**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)\*\*\*\*
|
|
* [ ] Read all the sections of ****[**iOS Initial Analysis**](ios-pentesting/#initial-analysis) ****to learn common actions to pentest an iOS application
|
|
|
|
### Data Storage
|
|
|
|
* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
|
|
* [ ] \*\*\*\*[**Core Data**](ios-pentesting/#core-data) \(SQLite database\) can store sensitive information.
|
|
* [ ] \*\*\*\*[**YapDatabases**](ios-pentesting/#yapdatabase) \(SQLite database\) can store sensitive information.
|
|
* [ ] \*\*\*\*[**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration.
|
|
* [ ] \*\*\*\*[**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information.
|
|
* [ ] \*\*\*\*[**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information.
|
|
* [ ] \*\*\*\*[**Binary cookies**](ios-pentesting/#cookies) can store sensitive information
|
|
* [ ] \*\*\*\*[**Cache data**](ios-pentesting/#cache) can store sensitive information
|
|
* [ ] \*\*\*\*[**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information
|
|
* [ ] \*\*\*\*[**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.
|
|
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
|
|
|
|
### Keyboards
|
|
|
|
* [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
|
|
* [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)\*\*\*\*
|
|
|
|
### **Logs**
|
|
|
|
* [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs)\*\*\*\*
|
|
|
|
### Backups
|
|
|
|
* [ ] \*\*\*\*[**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system \(check the initial point of this checklist\)
|
|
* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some \(security\) **functionality** may be **bypassed**
|
|
|
|
### **Applications Memory**
|
|
|
|
* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)\*\*\*\*
|
|
|
|
### **Broken Cryptography**
|
|
|
|
* [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)\*\*\*\*
|
|
* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
|
|
* [ ] \*\*\*\*[**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)\*\*\*\*
|
|
|
|
### **Local Authentication**
|
|
|
|
* [ ] If a [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working.
|
|
* [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) it could be easily bypassed
|
|
* [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script
|
|
|
|
### Sensitive Functionality Exposure Through IPC
|
|
|
|
* \*\*\*\*[**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)\*\*\*\*
|
|
* [ ] Check if the application is **registering any protocol/scheme**
|
|
* [ ] Check if the application is **registering to use** any protocol/scheme
|
|
* [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
|
|
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
|
|
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
|
|
* \*\*\*\*[**Universal Links**](ios-pentesting/#universal-links)\*\*\*\*
|
|
* [ ] Check if the application is **registering any universal protocol/scheme**
|
|
* [ ] Check the **`apple-app-site-association`** file
|
|
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
|
|
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
|
|
* \*\*\*\*[**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)\*\*\*\*
|
|
* [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
|
|
* \*\*\*\*[**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)\*\*\*\*
|
|
* [ ] Check if the application if **copying anything to the general pasteboard**
|
|
* [ ] Check if the application if **using the data from the general pasteboard for anything**
|
|
* [ ] Monitor the pasteboard to see if any **sensitive data is copied**
|
|
* \*\*\*\*[**App Extensions**](ios-pentesting/ios-app-extensions.md)\*\*\*\*
|
|
* [ ] Is the application **using any extension**?
|
|
* [**WebViews**](ios-pentesting/ios-webviews.md)\*\*\*\*
|
|
* [ ] Check which kind of webviews are being used
|
|
* [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
|
|
* [ ] Check if the webview can **access local files** with the protocol **file://** **\(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`\)
|
|
* [ ] Check if Javascript can access **Native** **methods** \(`JSContext`, `postMessage`\)
|
|
|
|
### Network Communication
|
|
|
|
* [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
|
|
* [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
|
|
* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)\*\*\*\*
|
|
|
|
### **Misc**
|
|
|
|
* [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms
|
|
* [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties)\*\*\*\*
|
|
|