Unlocking iOS: A Hacker's Guide to Application Testing
By Abida Shariff, Lead Security Engineer
Table of contents
Who Am I?
Types of Jailbreaks
Jailbroken Devices and iOS Versions
Setting Up the iOS Pentesting Environment & Tools
IPA File Structure
iOS Application Sandbox Architecture
Install IPA Files on Jailbroken Devices
Task 1: Install DVIA IPA on Jailbroken device
Extract IPA File
Task 2: Practically Extract an IPA File
Jailbreak Detection and SSL Pinning Bypass
Static and Dynamic Analysis
Insecure Data Storage and Data Leaks
Task 3: Conduct local storage analysis on iOS
References
Who Am I?
I’m Abida Shariff
Lead Security Engineer at Redsentry
Web Application, iOS & Android Researcher
OSCP, eJPT, CEH Certified
Just a curious geek
Types of Jailbreaks
Type of jailbreak, description, whether it persists after a restart, and examples:
● Untethered Jailbreak: Permanent jailbreak that remains active even after a device restart. Persists after restart: Yes. Examples: Evasi0n, Pangu.
● Tethered Jailbreak: Requires a computer to reapply the jailbreak every time the device is restarted. Persists after restart: No. Example: Redsn0w.
● Semi-Tethered Jailbreak: Device can reboot, but jailbreak features are disabled until re-applied. Persists after restart: No. Examples: Checkra1n, Palera1n.
● Semi-Untethered Jailbreak: Re-jailbreaking after a restart can be done using an app on the device itself. Persists after restart: No. Examples: Unc0ver, Chimera.
● Rootless Jailbreak: Does not modify the root file system, offering a safer but more limited jailbreak. Persists after restart: No. Examples: Dopamine, XinaA15.
Jailbroken Devices and iOS Versions
Jailbreaking software, supported iOS versions, supported devices, and notes:
● Checkra1n: Up to iOS 14.8.1. iPhone 5s to iPhone X (A11 chip and older). Uses the checkm8 exploit.
● Palera1n: iOS 15.0 to iOS 17.4. A11 chips and older. Based on the checkm8 exploit.
● Dopamine: iOS 15.0 to iOS 16.6.1. A12 to A16 and M1 to M2 chips. Focuses on newer devices; does not support versions beyond iOS 16.6.1.
Emulators: Tools like Corellium offer cloud-based iOS environments for security testing without needing physical devices.
Setting Up the iOS Pentesting Environment & Tools
● Jailbroken device or Corellium
● Cydia/Sileo: App stores for jailbroken devices to install pentesting tools and tweaks.
● Frida: A dynamic instrumentation toolkit for analyzing and modifying the runtime behavior of iOS apps.
● Objection: Built on Frida, it simplifies the pentesting of iOS applications.
● Otool: Examines the structure, contents, dependencies, and linked frameworks of executable files and libraries.
IPA File Structure
iOS applications are distributed as IPA (iOS App Store Package) files, which are essentially ZIP archives with a specific structure. The main components include the app binary, resources, and metadata.
● Payload directory: Contains the app bundle (.app) with the executable binary and resources.
● Info.plist: Defines app configuration, permissions, and capabilities.
● iTunesArtwork: A 512×512 pixel PNG image used as the application's icon.
● iTunesMetadata.plist: Contains various bits of information, including the developer's name and ID, the bundle identifier, copyright information, genre, the name of the app, release date, purchase date, etc.
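The layout above can be checked mechanically during static analysis. The script below is an added example, not part of the deck: it builds a small constructed IPA in memory (a ZIP with Payload/DemoApp.app, a fake Mach-O header, an embedded.mobileprovision placeholder and an iTunesMetadata.plist), then locates the bundle, decodes Info.plist and flags two Info.plist settings a reviewer looks for, a global NSAllowsArbitraryLoads exception (App Transport Security disabled) and UIFileSharingEnabled (Documents exposed over USB file sharing). All bundle names and values are constructed.

```python
import io
import plistlib
import zipfile

# Magic numbers of Mach-O images as they appear on disk: 64-bit, 32-bit and FAT/universal.
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def build_sample_ipa() -> bytes:
    """Constructed IPA for the demo: a ZIP holding Payload/<App>.app plus iTunesMetadata.plist."""
    info = {
        "CFBundleIdentifier": "com.example.demoapp",   # constructed bundle id
        "CFBundleExecutable": "DemoApp",
        "CFBundleShortVersionString": "1.0",
        "MinimumOSVersion": "15.0",
        "UIFileSharingEnabled": True,                   # weak: Documents visible via USB file sharing
        "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},  # weak: ATS disabled globally
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/DemoApp.app/Info.plist", plistlib.dumps(info))
        # Fake executable: a 64-bit Mach-O magic followed by padding, enough for the header check.
        z.writestr("Payload/DemoApp.app/DemoApp", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        z.writestr("Payload/DemoApp.app/embedded.mobileprovision", b"constructed placeholder")
        z.writestr("iTunesMetadata.plist",
                   plistlib.dumps({"artistName": "Example Dev",
                                   "softwareVersionBundleId": "com.example.demoapp"}))
    return buf.getvalue()


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Locate the .app under Payload/, decode Info.plist and flag weak settings."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        bundles = sorted({n.split("/")[1] for n in names
                          if n.startswith("Payload/") and n.count("/") >= 2
                          and n.split("/")[1].endswith(".app")})
        if len(bundles) != 1:
            raise ValueError(f"expected exactly one .app under Payload/, found {bundles}")
        app = bundles[0]
        info = plistlib.loads(z.read(f"Payload/{app}/Info.plist"))
        exe = info.get("CFBundleExecutable", "")
        exe_path = f"Payload/{app}/{exe}"
        exe_head = z.read(exe_path)[:4] if exe_path in names else b""
        metadata = (plistlib.loads(z.read("iTunesMetadata.plist"))
                    if "iTunesMetadata.plist" in names else {})

    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled, cleartext HTTP allowed to any host")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS exception permits insecure HTTP to {domain}")
    if info.get("UIFileSharingEnabled"):
        findings.append("UIFileSharingEnabled is true: Documents directory exposed via USB file sharing")
    if exe_head not in MACHO_MAGICS:
        findings.append("CFBundleExecutable is missing from the bundle or is not a Mach-O image")

    return {
        "bundle": app,
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": exe,
        "min_os": info.get("MinimumOSVersion"),
        "has_provisioning_profile": f"Payload/{app}/embedded.mobileprovision" in names,
        "executable_is_macho": exe_head in MACHO_MAGICS,
        "store_metadata": metadata,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_ipa(build_sample_ipa())
    print(report["bundle_id"], report["min_os"])
    for finding in report["findings"]:
        print(" -", finding)
```

On a real IPA pulled from a device, pass the file's bytes to inspect_ipa; the bundle discovery and plist decoding are the same, and the findings list is the starting point for the static-analysis step later in the deck.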
iOS Application Sandbox Architecture
● iOS apps operate in isolated sandboxes to ensure privacy, security, and system stability.
● Sandboxes include MyApp.app (files), Documents (data), Library (support files), and tmp (temporary files).
● Apps are restricted from accessing data outside their sandbox.
Install IPA Files on Jailbroken Devices
To install IPA files on iOS devices, several tools can be used:
● TrollStore: Install apps permanently on your device without re-signing or certificate revocation.
● 3uTools: Manage iOS devices and install apps using a versatile tool for Windows and Mac.
● Sideloadly: Sideload apps not on the App Store using your Apple ID on Windows or Mac.
● AltStore: Install the application on an iOS device from Windows by signing the IPA file with an Apple ID.
● Install On Air: Enables over-the-air app installation via shareable links.
Always verify the source of your IPA files and ensure compatibility with your iOS versions.
Task 1: Install DVIA IPA on Jailbroken device
DVIA (Damn Vulnerable iOS App) is an intentionally vulnerable iOS application designed for security testing and learning iOS penetration testing concepts.
1. Download the DVIA IPA file from the official GitHub repository (https://github.com/prateek147/DVIA-v2).
2. Transfer the IPA file to your jailbroken iOS device.
Extract IPA File
IPA (iOS App Store Package) files contain all the resources needed to run an iOS application, making them essential for security testing. Here's how to extract them:
● iMazing: Extract IPA files seamlessly from iOS devices for analysis and backups.
● AppIndex: Index and retrieve installed apps for security inspection and reverse engineering.
● IPAtool: Simplify IPA extraction with a dedicated tool for quick and efficient app analysis.
● Filza on jailbroken devices: Access /var/containers/Bundle/Application/ to extract IPA files directly.
Once extracted, the IPA file can be unzipped to access the app's binary, resources, and configuration files for further analysis.
Task 2: Practically Extract an IPA File
Jailbreak Detection and SSL Pinning Bypass
When testing iOS applications, you'll encounter two security barriers: jailbreak detection, which guards against modified devices, and SSL certificate pinning, which protects network traffic.
Bypassing Jailbreak Detection
● Hook into the app's code to bypass jailbreak checks.
● Disable or alter the mechanisms that detect unauthorized tools or file paths.
● Tweaks: Shadow (Sileo), Choicy, vnodebypass, Hestia (Cydia)
Bypassing SSL Pinning
● Intercept and manipulate encrypted traffic using MITM techniques.
● Hook into the app's SSL routines with tools like Frida, Objection or SSL Kill Switch.
Static and Dynamic Analysis
1. Static Analysis: Examining the application's code, resources, and configurations without executing it to identify potential vulnerabilities.
2. Dynamic Analysis: Observing the application's behavior and interactions during runtime to uncover security flaws and data leaks.
Insecure Data Storage and Data Leaks
NSUserDefaults
Identifying risks when applications store sensitive data like tokens or personal information in NSUserDefaults. Learn how attackers can easily access this unencrypted storage to extract credentials and configuration data from the app's preferences.
Core Data and SQLite
Examining vulnerabilities in database implementations, including unencrypted Core Data stores and SQLite databases. Discover common pitfalls like storing passwords in plaintext, missing file protection flags, and database injection risks.
Keychain
Evaluating proper and improper implementations of iOS Keychain Services. While designed for secure credential storage, misconfigurations like incorrect access groups or protection classes can expose sensitive keys and authentication data.
Task 3: Conduct local storage analysis on iOS.
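A local storage review of a copied-out app container can be partly automated. The script below is an added example, not part of the deck: it builds a constructed data container with the two weak patterns described above (a session token in the NSUserDefaults plist under Library/Preferences and a plaintext password column in a SQLite store under Documents), then walks the container, identifying SQLite files by their header rather than their extension, and reports secret-looking plist keys and secret-looking database columns whose values are not digests. The bundle id, token and account rows are constructed. File protection classes are not checked: they live in on-device extended attributes and are not preserved in a copied-out container.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key and column names that commonly hold credentials or session material.
SECRET_NAME_RE = re.compile(r"(pass(word|wd)?|token|secret|api[_-]?key|session|auth|credential)", re.I)
# Values that look like password digests rather than plaintext (bcrypt, argon2, md5/sha1/sha256 hex).
HASHED_VALUE_RE = re.compile(r"^(\$2[aby]\$|\$argon2|[0-9a-f]{32}$|[0-9a-f]{40}$|[0-9a-f]{64}$)", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file


def build_sample_container() -> str:
    """Constructed app data container reproducing the weak storage patterns on the slide."""
    root = tempfile.mkdtemp(prefix="container_")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    # NSUserDefaults is persisted unencrypted as Library/Preferences/<bundle-id>.plist.
    with open(os.path.join(prefs, "com.example.demoapp.plist"), "wb") as fh:
        plistlib.dump({"theme": "dark",
                       "account": {"auth_token": "constructed-session-token-123"}}, fh)
    # A SQLite store (Core Data uses the same format) with a plaintext password column.
    db = sqlite3.connect(os.path.join(docs, "users.sqlite"))
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.execute("INSERT INTO users (email, password) VALUES (?, ?)", ("alice@example.com", "hunter2"))
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    db.commit()
    db.close()
    return root


def _flatten(obj, prefix=""):
    """Yield (dotted key, value) pairs for nested plist dictionaries and arrays."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def _scan_plist(path: str, rel: str) -> list:
    with open(path, "rb") as fh:
        try:
            data = plistlib.load(fh)
        except Exception:       # unreadable or not really a plist: skip, do not crash the sweep
            return []
    return [{"kind": "plist_secret", "file": rel, "key": key}
            for key, value in _flatten(data)
            if SECRET_NAME_RE.search(key) and isinstance(value, (str, bytes)) and value]


def _scan_sqlite(path: str, rel: str) -> list:
    findings = []
    db = sqlite3.connect(f"file:{path}?mode=ro", uri=True)    # read-only: never modify evidence
    tables = [row[0] for row in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        quoted_table = '"' + table.replace('"', '""') + '"'
        columns = [row[1] for row in db.execute(f"PRAGMA table_info({quoted_table})")]
        for column in columns:
            if not SECRET_NAME_RE.search(column):
                continue
            quoted_col = '"' + column.replace('"', '""') + '"'
            values = [row[0] for row in db.execute(
                f"SELECT {quoted_col} FROM {quoted_table} WHERE {quoted_col} IS NOT NULL LIMIT 50")]
            plaintext = [v for v in values if isinstance(v, str) and not HASHED_VALUE_RE.match(v)]
            findings.append({"kind": "sqlite_secret_column", "file": rel, "table": table,
                             "column": column, "plaintext_rows": len(plaintext)})
    db.close()
    return findings


def scan_container(root: str) -> list:
    """Walk the container and collect findings from plists and SQLite stores."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                head = fh.read(16)
            if head == SQLITE_MAGIC:                 # detect by header, not extension
                findings.extend(_scan_sqlite(path, rel))
            elif name.endswith(".plist"):
                findings.extend(_scan_plist(path, rel))
    return findings


if __name__ == "__main__":
    for finding in scan_container(build_sample_container()):
        print(finding)
```

Point scan_container at a container copied from the device (or pulled with objection's file-system commands) to get the same findings for a real app; each finding names the file, key or table/column to inspect by hand, and a "plaintext_rows" count of zero means the column held only digest-shaped values.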
References
https://book.hacktricks.xyz/mobile-pentesting/ios-pentesting/frida-configuration-in-ios
https://mas.owasp.org/MASTG/tools/ios/MASTG-TOOL-0074/
https://idevicecentral.com/ios-jailbreak-tool-finder/
https://redfoxsec.com/blog/sensitive-data-exposure-in-local-storage-ios/
THANK YOU
Twitter: https://twitter.com/BawseOne
LinkedIn: https://www.linkedin.com/in/abidashariff/