Yes, it is possible to do a penetration test on an iOS application. Application security refers to the strategies used to protect mobile applications, web apps and APIs (Application Programming Interfaces) from attackers. iOS is the most popular operating system in the mobile device market, and because of that popularity a large number of apps have been developed for it, which makes them attractive targets for attackers.
There are two types of penetration testing we generally do on mobile applications:
- Static Analysis
- Dynamic Testing
iOS Application Security – Static Analysis
Jailbreaking your iOS device
In general, Apple doesn't let you run unrecognized software that it has not officially approved. Jailbreaking your iPhone removes those restrictions and lets you do what you want with the device. In practice, jailbreaking means installing an application that lets you run jailbreak apps, tweaks and so on. After jailbreaking you can install third-party apps from third-party app stores such as Cydia, and you can also customize the UI and functionality of the iPhone to suit your needs.
Safety Warning / Prerequisites
- Back up your data before starting the jailbreaking process.
- The process is normally safe, but it can brick your device, meaning the device could become completely unusable.
- Jailbreaking your device can void its warranty/guarantee.
Step 1: If you're using a Windows PC, make sure you have the most recent version of iTunes downloaded and installed.
Step 2: Connect your iPhone to your Mac or PC using a USB-to-Lightning cable.
Step 3: Download and install 3uTools from 3u.com.
Step 4: Open 3uTools by launching it from Finder or the Windows Start menu.
Step 5: Find the Jailbreak service in the 3uTools Toolbox.
Step 6: Select the jailbreak method available there for your device. Unc0ver works best with most devices.
Step 7: Enter your Apple ID and password when requested, then click Install.
Step 8: When the jailbreak process has completed, go to the profile section in your device settings and trust the profile.
Step 9: After that, open the Unc0ver app on your device, tap the "Jailbreak" button and wait for the process to complete.
Step 10: Reboot your device and, boom, your device is now jailbroken. Install Cydia and enjoy.
Extracting the IPA file from any iOS Device
You can use iMazing to extract the IPA file of any application installed on your iPhone, whether or not the device is jailbroken.
Install the application on your iOS device, then open iMazing, connect your device to your Mac/Windows machine and go to Manage Apps. There you will see a list of all the applications installed on your device, and next to each app name there is a download button, as shown in the image below. Click that button and the IPA of that application will be downloaded to your PC.
MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Plist
Plist stands for Property List. It is a flexible, easy-to-use format for storing application data, and it is what we would call an iOS app's manifest. Sometimes you can find sensitive data in these files, such as Google Maps API keys.
You can view plist files in MobSF as well, or you can use the Objection framework command:
Objection command: ios plist cat Info.plist
Keychain Dump
The Keychain is a secure storage container on an iOS device that is used to store sensitive information such as usernames, passwords, network passwords and auth tokens.
It allows you to save account names, passwords, and credit card data safely and securely.
Insecure Transport Layer (App Transport Security)
If App Transport Security is disabled, for the whole app or for a domain, i.e. {'NSAllowsArbitraryLoads': True} in the app's ATS dictionary, then even though ATS safeguards remain in effect everywhere else in your program, the exception can allow insecure connections to specific servers or unsecured loads for web views or media.
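The IPA extraction, Plist and ATS sections above can be tied together in one offline check. The following is an added example, not code from the page or from any of the tools it names: it builds a constructed IPA in memory (the bundle identifier, domain and key values are made up), pulls the main bundle's Info.plist out of Payload/<App>.app/, and flags the ATS relaxations and secret-looking keys a static review would look for. The same parser works on an IPA pulled with iMazing, since it has the same layout.

```python
import io
import plistlib
import re
import zipfile

# Key names that suggest a credential shipped in the manifest (e.g. a maps API key).
_SECRET_NAME = re.compile(r"api[_-]?key|secret|token|password", re.IGNORECASE)
# Real ATS keys as documented by Apple; setting any of them relaxes the default.
_GLOBAL_FLAGS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                 "NSAllowsArbitraryLoadsForMedia")

def build_sample_ipa(ats, extra=None):
    """Constructed minimal IPA, built in memory: a zip holding Payload/<App>.app/Info.plist."""
    info = {"CFBundleIdentifier": "com.example.demo", "NSAppTransportSecurity": ats}
    info.update(extra or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
    return buf.getvalue()

def load_info_plist(ipa_bytes):
    """Return the main bundle's Info.plist as a dict (XML and binary plists both parse)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Exactly Payload/<App>.app/Info.plist, not a nested framework's plist.
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return plistlib.loads(zf.read(name))
    raise ValueError("no Payload/<App>.app/Info.plist in archive")

def ats_findings(info):
    """Flag ATS relaxations: app-wide flags first, then per-domain exceptions."""
    ats = info.get("NSAppTransportSecurity", {})
    findings = [flag + "=true" for flag in _GLOBAL_FLAGS if ats.get(flag)]
    for domain, exc in sorted(ats.get("NSExceptionDomains", {}).items()):
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(domain + ": NSExceptionAllowsInsecureHTTPLoads=true")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(domain + ": NSExceptionMinimumTLSVersion=" + tls)
    return findings

def secret_looking_keys(info):
    """Top-level string entries whose key name looks like a credential."""
    return sorted(k for k, v in info.items()
                  if isinstance(v, str) and _SECRET_NAME.search(k))
```

An empty NSAppTransportSecurity dictionary produces no findings, which is the secure default; every finding the checker reports is a deliberate relaxation somebody added to the manifest.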
NSUserDefaults File
This is another simple plist file in your app package that can be used to set and get data very easily. Its structure resembles that of a dictionary, and the user defaults are sometimes referred to as a key-value store.
Hardcoded API Keys
Most apps need private/sensitive values, such as secrets, passwords and API keys, and these are often stored in the application's source code to set up third-party SDKs or backend APIs.
Some secrets may also be required during the build process or while using developer tools, for example when interacting with an Apple Developer account.
Binary Analysis using otool
You can use otool (object file displaying tool) for further binary analysis of the application. The otool command displays the sections of the object files or libraries you specify. With otool you can check whether the application uses weak hashing algorithms, banned/deprecated APIs, malloc functions or insecure random number generators.
The commands to check these are given below:
To check for weak hashing algorithms:
- Open a terminal and SSH into your iPhone.
- Command: ssh root@<IP>
- cd /var/containers/Bundle/Application/<APP_ID>/<app>
- otool -Iv <app> | grep -w _CC_MD5
- otool -Iv <app> | grep -w _CC_SHA1
To check for banned/deprecated APIs:
- Open a terminal and SSH into your iPhone.
- Command: ssh root@<IP>
- cd /var/containers/Bundle/Application/<APP_ID>/<app>
- otool -Iv <app> | grep -w _stat
- otool -Iv <app> | grep -w _sscanf
- otool -Iv <app> | grep -w _strncpy
- otool -Iv <app> | grep -w _strle
The same approach applies to malloc functions and insecure random number generators.
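Running one grep per symbol gets tedious across four categories, so here is an added example (not from the page or from otool itself) that makes a single pass over `otool -Iv` output and reports every watch-list hit by category. The sample output is constructed with made-up addresses and indexes; the symbol names are real libc and CommonCrypto symbols, and the grouping into categories is our own. Note that `_arc4random` is deliberately not on the list, since it is the accepted replacement for `rand()`.

```python
import re

# Symbol watch list grouped the way the page's otool checks are grouped. The names
# are real libc / CommonCrypto symbols; the grouping into categories is our own.
WATCH_LIST = {
    "weak_hashing": {"_CC_MD2", "_CC_MD4", "_CC_MD5", "_CC_SHA1"},
    "banned_apis": {"_strcpy", "_strcat", "_sprintf", "_vsprintf", "_gets",
                    "_sscanf", "_strncpy", "_stat"},
    "malloc_functions": {"_malloc", "_calloc", "_realloc", "_valloc"},
    "insecure_random": {"_rand", "_random", "_srand", "_srandom"},
}

# Constructed sample in the shape of `otool -Iv <app>` output (indirect symbol
# table); the addresses and indexes are made up.
SAMPLE_OTOOL_OUTPUT = """\
Demo:
Indirect symbols for (__TEXT,__stubs) 6 entries
address            index name
0x0000000100005a2c   12 _CC_MD5
0x0000000100005a38   13 _sscanf
0x0000000100005a44   14 _rand
0x0000000100005a50   15 _arc4random
0x0000000100005a5c   16 _malloc
0x0000000100005a68   17 _objc_msgSend
"""

_SYMBOL_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\d+\s+(\S+)\s*$")

def imported_symbols(otool_output):
    """Symbol names from otool -Iv output, skipping headers and the file name line."""
    names = set()
    for line in otool_output.splitlines():
        m = _SYMBOL_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names

def audit_symbols(otool_output):
    """Map each watch-list category to the sorted symbols the binary references.
    One pass over the output replaces one grep per symbol."""
    found = imported_symbols(otool_output)
    return {cat: sorted(found & syms) for cat, syms in WATCH_LIST.items()}

if __name__ == "__main__":
    for category, hits in audit_symbols(SAMPLE_OTOOL_OUTPUT).items():
        print("%-18s %s" % (category, ", ".join(hits) or "-"))
```

To use it on a device, capture the output of the page's `otool -Iv <app>` command to a file and pass its contents to `audit_symbols`.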
iOS Application Security – Dynamic Testing
Bypassing SSL Pinning on iOS Device
SSL certificate pinning is the technique of associating a host with its certificate/public key. Once you have the certificate or public key, you pin it to the host. In other words, you configure the app to reject any certificate or public key except one, or a few, predetermined ones.
Bypassing SSL Pinning using Frida:
Frida: Frida is a dynamic instrumentation toolkit for developers, reverse-engineers and security researchers that lets you inject JavaScript snippets or your own libraries into native Windows, macOS, iOS, Android and QNX programs.
Install Frida from GitHub: https://github.com/frida/frida
Also install Frida on your jailbroken iOS device through Cydia.
Step 1: Run the command frida-ps -Uia to list all the running apps on the device.
That gives you all the information you need for the next step.
Step 2: Now run the command frida --codeshare federicodotta/ios13-pinning-bypass -f <identifier> -U --no-pause
Here, <identifier> is the bundle ID of the application for which you want to bypass SSL pinning; to get it, run the command from step 1.
Step 3: Once that has completed successfully, configure your iOS device to proxy through Burp Suite and try to intercept the traffic of the app for which you bypassed SSL pinning.
Now you can intercept the application's traffic and start dynamic testing.