hacktricks/mobile-apps-pentesting/ios-pentesting-checklist.md
2021-05-21 17:13:19 +00:00

7 KiB

iOS Pentesting Checklist

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, ****join the 💬 ****PEASS & HackTricks telegram group here, or follow me on Twitter 🐦@carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to ****https://github.com/carlospolop/hacktricks ****that will be reflected in this book.
Don't forget to give on the github to motivate me to continue developing this book.

Preparation

Data Storage

  • Plist files can be used to store sensitive information.
  • ****Core Data SQLite database can store sensitive information.
  • ****YapDatabases SQLite database can store sensitive information.
  • ****Firebase miss-configuration.
  • ****Realm databases can store sensitive information.
  • ****Couchbase Lite databases can store sensitive information.
  • ****Binary cookies can store sensitive information
  • ****Cache data can store sensitive information
  • ****Automatic snapshots can save visual sensitive information
  • ****Keychain is usually used to store sensitive information that can be left when reselling the phone.
  • In summary, just check for sensitive information saved by the application in the filesystem

Keyboards

Logs

Backups

  • ****Backups can be used to access the sensitive information saved in the file system check the initial point of this checklist
  • Also, backups can be used to modify some configurations of the application, then restore the backup on the phone, and the as the modified configuration is loaded some security functionality may be bypassed

Applications Memory

Broken Cryptography

Local Authentication

Sensitive Functionality Exposure Through IPC

  • ****Custom URI Handlers / Deeplinks / Custom Schemes****
    • Check if the application is registering any protocol/scheme
    • Check if the application is registering to use any protocol/scheme
    • Check if the application expects to receive any kind of sensitive information from the custom scheme that can be intercepted by the another application registering the same scheme
    • Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited
    • Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme
  • ****Universal Links****
    • Check if the application is registering any universal protocol/scheme
    • Check the apple-app-site-association file
    • Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited
    • Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme
  • ****UIActivity Sharing****
    • Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
  • ****UIPasteboard****
    • Check if the application if copying anything to the general pasteboard
    • Check if the application if using the data from the general pasteboard for anything
    • Monitor the pasteboard to see if any sensitive data is copied
  • ****App Extensions****
    • Is the application using any extension?
  • WebViews****
    • Check which kind of webviews are being used
    • Check the status of javaScriptEnabled, JavaScriptCanOpenWindowsAutomatically, hasOnlySecureContent
    • Check if the webview can access local files with the protocol file:// ****`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`
    • Check if Javascript can access Native methods `JSContext`, `postMessage`

Network Communication

Misc