Our blog

We are here because we love talking about cybersecurity and you are because you love reading about it.
So let’s dive in!

Pentesting Of IOS Mobile Application
Posted in Penetration TestingTagged , , , ,

How to Perform Static Pentesting of iOS Mobile Application

Application security refers to the strategies used to protect mobile applications, online apps, and APIs (Application Programming Interfaces) from hackers. In the mobile device market, iOS is the most popular operating system. Because of their popularity, a variety of apps have been developed, making them excellent targets for attackers.

Today, we’ll look at how to perform static security pentesting on iOS apps, starting with bypassing SSL pinning and a few potential security flaws.

Bypassing SSL Pinning on iOS Device

The technique of linking a host with its certificate/public key is known as SSL Certificate Pinning. You pin a certificate or public key to a host after you have it. In other words, you set the app to refuse any certificates or public keys save one or a few predetermined ones.

Bypassing SSL Pinning using Frida :-

Frida:- Frida is a Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers that allows you to inject JavaScript snippets or your own libraries into native Windows, macOS, iOS, Android, and QNX programmes.

Install Frida from Github :- https://github.com/frida/frida

Install Frida on your Jailbroken iOS Device also through Cydia.

Step 1:- Run command frida-ps -Uia to list all the running app’s on the device.

Great. That is all the info you require.

Step 2:- Now Run the command frida –codeshare federicodotta/ios13-pinning-bypass -f <identifier> -U –no-pause.

Here, Identifier is the bundle id of the application for which you want to bypass SSL Pinning. So to get the identifier run the command in step 1 .

Step 3:- After the process is completed successfully. Configure your iOS device with burp suite and try to intercept the traffic of the app for which you bypassed SSL Pinning.

Below is the example of amazon application:-

Extracting the ipa file from any iOS Device

You can use Imazing to extract the ipa file of any application installed on your iphone , whether your device is jailbroken or not.

Also Read  How to Perform Security Testing of Mobile Apps in 2022

Install the application in your iOS device now go to Imazing , connect your device to your mac/windows and go to manage apps . There you will see a list of all the applications installed on your device and in the front of all app names you will see a download button as shown in the image below. Now Click on that button and the ipa of that application will be downloaded on your Pc.

MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Plist

Plist stands for Property List. It is a flexible and easy format for storing application data. It’s what we’d refer to as an iOS app’s manifest. Sometimes you can find sensitive data in these files like Gmap api keys etc.

You can see Plist files in MobSf also or you can use the Objection Framework command.

Objection Command → ios plist cat Info.plist

Keychain Dump

Keychain is a secure storage container on an iOS device that is used to store sensitive information such as usernames, passwords, network passwords, and auth tokens.

It allows you to save account names, passwords, and credit card data safely and securely.

Insecure Transport Layer ( App Transport Security )

If App Transport Security is disabled on the domain i.e :- {‘NSAllowsArbitraryLoads’: True}’,While ATS safeguards are maintained everywhere in your programme, disabling ATS might allow unsafe contact with specific servers or unsecured loads for web views or media.

NsUserdefault File

It is also a simple plist file in your app package which can be used to set and get data very easily. Its structure resembles that of a dictionary, and the user defaults are sometimes referred to as a key-value store.

Hardcoded Api Keys

Most of the apps need private/sensitive values, such as secrets , passwords & Api Keys which are stored in the application’s source code to setup third party SDKs or backend api’s.

Also Read  What are the 3 Phases of Penetration Testing in 2022

During the build process or while using developer tools, such as interacting with an Apple Developer account, some secrets may be required.

Binary Analysis using otool

You can use otool (object file displaying tool) for further binary analysis of the application. The otool command displays sections of object files or libraries that you specify. You can check using otool that if the application is using weak hashing algorithms ,Banned/deprecated api’s, malloc function or insecure random number generators.

Commands to check these are given below:-

To Check for weak hashing algorithms:-

  • Open the terminal and take the ssh of your Iphone.
  • Command:- ssh root@<IP>
  • cd /var/containers/Bundle/Application/<APP_ID>/<app>
  • otool -Iv <app> | grep -w _CC_MD5
  • otool -Iv <app> | grep -w _CC_SHA1

To Check for Banned/Deprecated Api’s :-

  • Open the terminal and take the ssh of your Iphone.
  • Command:- ssh root@<IP>
  • cd /var/containers/Bundle/Application/<APP_ID>/<app>
  • otool -Iv <app> | grep -w _stat
  • otool -Iv <app> | grep -w _sscanf
  • otool -Iv <app> | grep -w _strncpy
  • otool -Iv <app> | grep -w _strle

Similarly is for malloc function and Insecure random number generator.

Read More Articles About Cyber Security

How Detox Can Assist?

Detox Technologies has experienced security specialists to swiftly and easily identify assets that are affected by the Spring4Shell vulnerability, remediate them, and track the issue.

 

Aashirvad Kumar

Leave a Reply

Your email address will not be published.

Related Posts

© Copyright 2021 Detox Technologies