
iOS Pentesting Series Part 2- Into The Battlefield…

iOS Pentesting Series Part 2 explores advanced testing techniques, diving into real-world scenarios and vulnerabilities in iOS app security

Moving on to the Second part of iOS Pentesting series…


IPA file Anatomy

An IPA is just a ZIP archive: rename it to .zip and extract it. The app bundle lives under Payload/<App name>.app. Let's analyze some of the important components.


Frameworks:

This is one of the important directories to look at. It may contain external frameworks bundled with the application (for example, frameworks for jailbreak detection, SSL pinning, analytics, etc.); their names alone tell you which protections to expect and which ones you will need to bypass later.

DVIA-2 — the application's main executable (a Mach-O binary)
example.der — a CA certificate, possibly used for the SSL pinning process or other purposes
Info.plist — the Info.plist file contains critical configuration of the iOS app (bundle identifier, executable name, registered URL schemes, ATS settings)


Test Cases:

1: Check for App Transport Security (ATS) misconfiguration.

i) Read the Info.plist file using 3uTools or any other plist reader (Info.plist inside an IPA is usually a binary plist, so a plain text editor will not do).

If the Boolean value of the "NSAllowsArbitraryLoads" key under "NSAppTransportSecurity" is set to TRUE, ATS is disabled globally: the app is allowed to talk to any host over insecure, cleartext HTTP.

Note: If exception domains are defined under "NSExceptionDomains", the per-domain settings override the global one for those domains. With "NSExceptionAllowsInsecureHTTPLoads" set to TRUE for a domain (and the global flag absent or FALSE), insecure HTTP loads are permitted only for that domain, plus its subdomains when "NSIncludesSubdomains" is TRUE.

In this example, the app is allowed to communicate with "example.com" using insecure HTTP connections, despite the general ATS requirements.
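To put the ATS check into code, here is an added example (my own, not from the original post or from DVIA-2) that opens an IPA as a ZIP, reads Payload/*.app/Info.plist with plistlib (which handles the binary plist format Xcode emits) and reports the ATS weaknesses: the global NSAllowsArbitraryLoads flag, the narrower NSAllowsArbitraryLoadsInWebContent / NSAllowsArbitraryLoadsForMedia / NSAllowsLocalNetworking relaxations, and per-domain exceptions. It also lists the executable and bundled frameworks from the anatomy section above. The sample IPA it builds, including the com.example.dvia2 bundle identifier and Pinning.framework, is constructed for the demo.

```python
import io
import plistlib
import zipfile
from pathlib import PurePosixPath

# Keys under NSAppTransportSecurity that relax ATS for a whole class of traffic.
GLOBAL_RELAXATIONS = (
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)


def find_info_plist(zf):
    """Locate Payload/<App>.app/Info.plist inside an IPA and return (app dir name, raw plist bytes)."""
    for name in zf.namelist():
        parts = PurePosixPath(name).parts
        if len(parts) == 3 and parts[0] == "Payload" and parts[1].endswith(".app") and parts[2] == "Info.plist":
            return parts[1], zf.read(name)
    raise ValueError("no Payload/*.app/Info.plist found; is this an IPA?")


def ats_findings(info):
    """Return human-readable findings for the NSAppTransportSecurity dictionary of an Info.plist."""
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled globally, cleartext HTTP allowed to any host")
    for key in GLOBAL_RELAXATIONS:
        if ats.get(key) is True:
            findings.append(f"{key}=true: ATS relaxed for that class of traffic")
    # Per-domain entries override the global setting for that domain, in either direction.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = "and subdomains" if rules.get("NSIncludesSubdomains") else "exact host only"
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain} ({scope}): cleartext HTTP permitted by exception domain")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain} ({scope}): forward-secret cipher suites not required")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain} ({scope}): minimum TLS version lowered to {tls}")
    return findings


def inspect_ipa(ipa_bytes):
    """Summarise the parts of the bundle discussed above: executable, bundled frameworks and ATS posture."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        app, raw = find_info_plist(zf)
        info = plistlib.loads(raw)  # accepts XML and binary plists alike
        prefix = f"Payload/{app}/Frameworks/"
        frameworks = sorted({
            PurePosixPath(n).parts[3] for n in zf.namelist()
            if n.startswith(prefix) and len(PurePosixPath(n).parts) > 3
        })
    return {
        "app": app,
        "executable": info.get("CFBundleExecutable"),
        "bundle_id": info.get("CFBundleIdentifier"),
        "frameworks": frameworks,
        "ats": ats_findings(info),
    }


def build_sample_ipa():
    """Constructed IPA with the layout described above; plist values and file contents are made up."""
    info = {
        "CFBundleExecutable": "DVIA-2",
        "CFBundleIdentifier": "com.example.dvia2",  # assumed identifier, not the real app's
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSExceptionDomains": {
                "example.com": {"NSIncludesSubdomains": True, "NSExceptionAllowsInsecureHTTPLoads": True},
            },
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/DVIA-2.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/DVIA-2.app/DVIA-2", b"\xcf\xfa\xed\xfe")  # Mach-O magic only, not a real binary
        zf.writestr("Payload/DVIA-2.app/Frameworks/Pinning.framework/Pinning", b"\xcf\xfa\xed\xfe")
        zf.writestr("Payload/DVIA-2.app/example.der", b"\x30\x82")  # DER SEQUENCE header only
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    for key, value in inspect_ipa(data).items():
        print(f"{key}: {value}")
```

Run it with the path to a real IPA as the first argument; without one it inspects the constructed sample. The per-domain loop matters even when the global flag is set, because an exception entry for a domain replaces the global behaviour for that domain.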

2: Check for hardcoded secrets/URLs in the IPA contents using grep or ack.

i) Change the file extension from .ipa to .zip
ii) Extract the zip
iii) Get inside the app package (Payload/<App name>.app)

Find the hardcoded secrets (search recursively for strings such as http, https, key, secret, password and token; the main executable and the frameworks are binaries, so run strings on them first or use grep -a).

Obtain the secret from that particular file:
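Rather than a bare grep, the following added example (my code, not the article's) walks the extracted bundle, reduces binaries such as the Mach-O executable to printable runs the way strings does, and applies a handful of regexes for URLs, AWS and Google key formats, JWTs, private-key headers and key=value assignments. The directory it builds and the values planted in it are constructed; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key ID.

```python
import re
import tempfile
from pathlib import Path

# Printable-ASCII runs of 6+ bytes, the same idea strings(1) uses, for Mach-O binaries and nibs.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Things worth pulling out of an extracted bundle. Tune to the target; these are starting points.
PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./%\-?=&#]*)?"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|[\w-]*secret|passw(?:or)?d|[\w-]*token)\b[\"']?\s*[:=]\s*[\"']?([^\s\"'<>]{8,})"
    ),
}

SKIP_SUFFIXES = {".png", ".jpg", ".jpeg", ".car", ".ttf", ".otf"}  # image/font noise, not worth grepping


def file_text(data):
    """Text files are scanned as-is; binaries (NUL bytes or not UTF-8) are reduced to printable runs."""
    if b"\x00" not in data:
        try:
            return data.decode("utf-8")
        except UnicodeDecodeError:
            pass
    return "\n".join(m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data))


def scan_tree(root):
    """Walk an extracted IPA (or any directory) and return every pattern hit with its file."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in SKIP_SUFFIXES:
            continue
        text = file_text(path.read_bytes())
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append({"file": path.relative_to(root).as_posix(), "kind": kind, "match": m.group()})
    return hits


def build_sample_tree():
    """Constructed extracted-IPA layout with planted values (not from a real app)."""
    root = Path(tempfile.mkdtemp(prefix="ipa_"))
    app = root / "Payload" / "DVIA-2.app"
    (app / "Frameworks").mkdir(parents=True)
    (app / "Info.plist").write_text(
        '<?xml version="1.0"?><plist version="1.0"><dict>'
        "<key>CFBundleExecutable</key><string>DVIA-2</string></dict></plist>"
    )
    (app / "config.json").write_text(
        '{"api_base": "https://api.example.com/v1", "apiKey": "sk_test_ABC123def456ghi789"}'
    )
    (app / "DVIA-2").write_bytes(
        b"\xcf\xfa\xed\xfe\x00\x00"  # Mach-O magic, then strings as they would sit in __cstring
        b"http://staging.example.com/login\x00"
        b"AKIAIOSFODNN7EXAMPLE\x00\x01\x02"  # AWS's documented placeholder access key ID
    )
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in scan_tree(target):
        print(f"{hit['file']}: [{hit['kind']}] {hit['match']}")
```

Point it at the extracted Payload directory; the URL hits double as the list of backend hosts to put into your proxy scope later.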


Installing the iOS Application

Install the IPA on the iPhone using 3uTools or manually. For an IPA that is not signed for your device, the Cydia tweak AppSync Unified must be installed on the (jailbroken) device to bypass the signature checks.

Note: If the iOS application under test is shared through TestFlight, we can install it directly from there.


Insecure Storage

Checking for sensitive data in local storage

1: Preferences (NSUserDefaults) plist

i) Connect to the target application using objection and obtain its working directory (the app's sandbox path) using the below command.

ii) Navigate to the application's Library folder

iii) Get into the Preferences folder, where NSUserDefaults writes <bundle id>.plist

iv) Read the preference file using the below command (the file is a plist, so use a plist-aware viewer rather than a plain cat).

(Sorry, no sensitive data was found in my current target application)

2: Local DB files

i) Connect to the target application with objection
ii) Find the path where the application stores its cache files (Library/Caches/<bundle id>/) using the below command and navigate to that path

iii) Copy the "Cache.db" to your local machine with the scp command (or objection's file download). Cache.db is NSURLCache's SQLite store of HTTP responses, so API responses carrying tokens or PII end up here unless the app disables caching for those requests; large bodies are stored as separate files in the fsCachedData folder next to it, so copy that folder too.

iv) Explore the .db file using any DB browser and look for sensitive data
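Once Cache.db (and, for the Preferences step above, the NSUserDefaults plist) is on your machine, this added example (not part of the original post) does the DB-browser step programmatically: it joins NSURLCache's three tables, decodes the request/response binary plists and inline bodies, flags entries whose body lives on disk under fsCachedData rather than inline, and runs credential and JWT patterns over everything; the same patterns are applied to a Preferences plist. The table layout is the one commonly observed for Cache.db and is assumed here; the sample database, its URLs, the token and the com.example.app.plist are constructed.

```python
import plistlib
import re
import sqlite3
import tempfile
from pathlib import Path

# Key/value pairs that should never sit in a cache or in NSUserDefaults, plus bare JWTs.
PATTERNS = {
    "credential": re.compile(
        r"(?i)[\"']?\b(?:access_?token|refresh_?token|authorization|password|otp|pin|session_?id|card_?number)\b"
        r"[\"']?\s*[:=]\s*[\"']?[^\s\"',}]{4,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\b"),
}


def blob_to_text(blob):
    """request_object/response_object are binary plists; receiver_data is a raw body (or a file name)."""
    if blob is None:
        return ""
    try:
        return repr(plistlib.loads(blob))
    except Exception:  # not a plist: try as text, then fall back to printable runs
        try:
            return blob.decode("utf-8")
        except UnicodeDecodeError:
            return "\n".join(m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{6,}", blob))


def load_entries(db_path):
    """Join NSURLCache's three tables (layout assumed from commonly observed Cache.db files)."""
    con = sqlite3.connect(str(db_path))
    try:
        rows = con.execute(
            "SELECT r.entry_ID, r.request_key, r.time_stamp, d.isDataOnFS, d.receiver_data,"
            "       b.request_object, b.response_object"
            "  FROM cfurl_cache_response r"
            "  LEFT JOIN cfurl_cache_receiver_data d ON d.entry_ID = r.entry_ID"
            "  LEFT JOIN cfurl_cache_blob_data b ON b.entry_ID = r.entry_ID"
            "  ORDER BY r.entry_ID").fetchall()
    finally:
        con.close()
    entries = []
    for entry_id, url, ts, on_fs, body, req, resp in rows:
        # isDataOnFS=1 means receiver_data holds a file name under fsCachedData/ next to Cache.db
        location = "fsCachedData/" + blob_to_text(body) if on_fs else "inline"
        entries.append({"entry": entry_id, "url": url, "time": ts, "location": location,
                        "texts": {"body": "" if on_fs else blob_to_text(body),
                                  "request": blob_to_text(req), "response": blob_to_text(resp)}})
    return entries


def scan_texts(texts):
    return [{"where": where, "kind": kind, "match": m.group()}
            for where, text in texts.items()
            for kind, pat in PATTERNS.items()
            for m in pat.finditer(text)]


def scan_cache_db(db_path):
    return [{"entry": e["entry"], "url": e["url"], **f}
            for e in load_entries(db_path) for f in scan_texts(e["texts"])]


def scan_prefs_plist(path):
    """Same patterns over Library/Preferences/<bundle id>.plist (NSUserDefaults) pulled from the device."""
    return scan_texts({"prefs": repr(plistlib.loads(Path(path).read_bytes()))})


def build_samples():
    """Constructed Cache.db and prefs plist in a temp dir; every value here is made up for the demo."""
    d = Path(tempfile.mkdtemp(prefix="ios_"))
    con = sqlite3.connect(str(d / "Cache.db"))
    con.executescript("""
        CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY, version INTEGER, hash_value INTEGER,
            storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT);
        CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB,
            proto_props BLOB, user_info BLOB);
        CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, isDataOnFS INTEGER, receiver_data BLOB);
    """)
    token = "eyJhbGciOiJIUzI1NiJ9.e30.c2ln"
    req = plistlib.dumps({"Headers": {"Authorization": "Bearer " + token}}, fmt=plistlib.FMT_BINARY)
    con.execute("INSERT INTO cfurl_cache_response VALUES (1, 0, 1, 0, 'https://api.example.com/login', '2024-01-01 00:00:00', NULL)")
    con.execute("INSERT INTO cfurl_cache_blob_data VALUES (1, NULL, ?, NULL, NULL)", (req,))
    con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (1, 0, ?)",
                (('{"user":"alice","access_token":"%s","expires_in":3600}' % token).encode(),))
    con.execute("INSERT INTO cfurl_cache_response VALUES (2, 0, 2, 0, 'https://cdn.example.com/logo.png', '2024-01-01 00:00:00', NULL)")
    con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (2, 1, ?)", (b"3F2C1A9E-0000-4B1D-9C2E-1234567890AB",))
    con.commit()
    con.close()
    (d / "com.example.app.plist").write_bytes(
        plistlib.dumps({"rememberMe": True, "password": "hunter22"}, fmt=plistlib.FMT_BINARY))
    return d
```

Entries reported with an fsCachedData location need the matching file from that folder scanned as well; the database row only tells you the body exists, not what it contains.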

3: Background screen caching

(Lol, I guess I don't want to spit out a deep explanation for this. When the app is sent to the background, iOS takes a snapshot of the current screen for the app switcher and stores it on disk; if the app screen with sensitive data is still visible in that snapshot, it is vulnerable.)

4: Checking for sensitive data in heap memory

Sensitive data such as login credentials, OTPs, security PIN codes, session tokens and PII may remain in the process memory long after it was used.

Tool: fridump, a universal memory dumper built on Frida
GitHub: Nightbringer21/fridump

i) Make sure the Frida tweak (frida-server) is installed from Cydia/Sileo and running on the device.

ii) Execute the fridump command as follows (-U selects the USB device, -s runs a strings pass over the dumped memory):

python3 fridump.py -U -s "App name"

iii) This creates a folder named dump in the current directory and, with -s, a file named strings.txt containing the printable strings found in the dumped memory. Open strings.txt and search for the values entered during the test (password, OTP, token); if they are still present, the app does not clear or overwrite sensitive data in memory after use.
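fridump's strings.txt only contains runs of printable ASCII, so a value that sits in memory as UTF-16 is invisible there. The added example below (my code, not fridump's) searches the raw dump files for each value you typed during the test in both UTF-8 and UTF-16LE form and counts the surviving copies per encoding. The dump directory it builds, its contents, and the 0x…_dump.data file naming are constructed assumptions for the demo.

```python
import tempfile
from pathlib import Path


def byte_forms(value):
    """Byte encodings a test value may have in process memory. An ASCII-only strings pass
    sees the first; Foundation keeps text it cannot store as 8-bit characters in the second."""
    return {"utf-8": value.encode("utf-8"), "utf-16le": value.encode("utf-16-le")}


def find_in_dumps(dump_dir, values):
    """Search the raw dump files (skipping strings.txt) for every byte form of every value."""
    hits = []
    for path in sorted(Path(dump_dir).iterdir()):
        if not path.is_file() or path.name == "strings.txt":
            continue
        data = path.read_bytes()
        for value in values:
            for encoding, needle in byte_forms(value).items():
                start = 0
                while (idx := data.find(needle, start)) != -1:
                    hits.append({"file": path.name, "offset": idx, "value": value, "encoding": encoding})
                    start = idx + 1
    return hits


def summarize(hits, values):
    """Per value: how many copies survive and in which encodings; zero means it was scrubbed (or never held)."""
    return {
        v: {"copies": sum(h["value"] == v for h in hits),
            "encodings": sorted({h["encoding"] for h in hits if h["value"] == v})}
        for v in values
    }


def build_sample_dump():
    """Constructed dump directory mimicking fridump's output layout (file naming assumed); contents made up."""
    d = Path(tempfile.mkdtemp(prefix="dump_"))
    (d / "0x104a00000_dump.data").write_bytes(
        b"\x00" * 16 + b'{"username":"alice","password":"S3cret!pass"}' + b"\x00" * 16
    )
    (d / "0x10b200000_dump.data").write_bytes(
        b"\xff" * 8 + "S3cret!pass".encode("utf-16-le") + b"\x00" * 8 + b"482913" + b"\x00" * 8
    )
    # What an ASCII-only strings pass would have produced: the UTF-16 copy never shows up here.
    (d / "strings.txt").write_text('{"username":"alice","password":"S3cret!pass"}\n482913\n')
    return d


if __name__ == "__main__":
    import sys
    dump_dir = sys.argv[1] if len(sys.argv) > 1 else build_sample_dump()
    values = sys.argv[2:] or ["S3cret!pass", "482913"]
    for value, info in summarize(find_in_dumps(dump_dir, values), values).items():
        print(f"{value!r}: {info['copies']} copies {info['encodings']}")
```

Call it as `python3 scan_dump.py dump 'S3cret!pass' 482913` after fridump has run; a value that shows one copy in strings.txt but two here is the UTF-16 case the strings pass missed.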

5: Sensitive Data in the Keychain

Keychain Services provides APIs that let developers store, retrieve and manage sensitive data in a store that is isolated from the rest of the app's data and encrypted at rest. On a jailbroken device, however, every item the app has stored can be dumped, so an app that relies on the Keychain alone, or stores items under a weak accessibility class such as kSecAttrAccessibleAlways, effectively keeps that data in plaintext for anyone who can run code on the device.

After the login process, attach to the target application with objection and execute the following command:

6: Insecure logging of sensitive data

Some developers log everything, including user data, during development and forget to remove the log statements before release. In those cases, we get to grab those snacks.

i) Identify the sensitive input fields in the target application.
ii) Submit data via the input fields.
iii) Collect the app logs and obtain the data (you can use the "Real Time Logger" utility provided by 3uTools, or idevicesyslog from libimobiledevice).


Side Channel Leakage

1: Clipboard buffer cache

i) Find the sensitive input fields in the target application
ii) Try to copy the sensitive data

iii) Now attach to the target application with objection and execute the command "ios pasteboard monitor"

We can see that objection retrieves the copied card data from the clipboard. Anything placed on the general pasteboard is readable by other apps on the device, so sensitive fields should disable copy or use a local, expiring pasteboard.

And that’s a wrap for today, folks! But hey, don’t fret, there’s still a bunch of exciting stuff in our toolkit waiting to be unleashed — you know, the whole shebang like setting up proxies, bypassing Jailbreak detection and SSL pinning, Bypassing biometrics and more. Buckle up, because in my next installment, I’ll dive into all of these juicy topics.

Oh, the exhaustion is real! I’m starting to think the next part might just have to come with its very own YouTube video… I mean, who needs all that typing, am I right?

Bella Ciao.
