PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • iOS Security Architecture
  • Static Analysis for iOS
  • AnyTrans
  • Other Emulating Tools
  • Manual Static Analysis
  • Automated Static Analysis using MobSF
  • Dynamic Analysis
  • Breaking SSL Pinning for iOS
  • Patching iPA using Objection
  • Jailbreaking
  • checkra1n
  • Cydia
  • SSL Kill Switch for bypassing SSL Pinning
  1. Mobile Pentesting

iOS

  • iOS devices are naturally limited compared to Android

  • Apple keeps a "walled garden" of apps you can install and utilize

    • Can be bypassed using Jailbreaking

  • xCode is the supported development for iOS

  • Many iOS devices have a hardware security components, and in certain cases even replacing physical part can cause the phone to error.

iOS Security Architecture

  • Hardware and Software layer

  • Apps run in Sandbox environment.

    • Similar to Android, it is based on Unix.

    • All apps are signed by Apple

    • We need developer profile and pay yearly fee to put apps on App Store.

    • (Free Developer account allows Sideloading)

  • Two patitions in the file system. Hardware and Software.

  • Each iOS Device has two keys created and put into the device during manufacturing.

Static Analysis for iOS

  • Apps are developed using Swift.

  • Apps are in a .iPA format

  • .ipa is signed bundle of folders and assets

    • /Payload/Application.app - the application itself.

    • /Payload/iTunesMetadata.plist - Info about the app developer.

    • /Payload/Application.app/Info.plist - Where important app info is stored (Similar to AndroidManifest.xml). This is a key-value type file.

    • Various .json files, assets or resources unique to the app

Use Xcode for development, and static analysis of iPA file.

Check system.log for any sensitive information.

AnyTrans

Tool to pull iPA files from AppStore.

Connect iPhone to AnyTrans and download App on device. Now, we can download the same iPA using AnyTrans.

Other Emulating Tools

Corellium and Appetize.io

Manual Static Analysis

Rename the iPA file to .zip

Unzip the file. We can now check .app file using the "Show package contents"

We can now see all the files such as Info.plist

Automated Static Analysis using MobSF

Dynamic Analysis

Setup Burp and import Certificate/Profile and install the certificate.

Goto About/Certificate Settings and enable Trust for Burp certificate.

Breaking SSL Pinning for iOS

  • We can use Objection to patch the iPA and disable SSL Pinning.

    • Requires physical device to receive a provisioning profile.

    • May not work in all cases.

  • The last kill resort will be to utilize a jailbroken iOS device and use tools like SSL KillChain to break SSL Pinning.

Patching iPA using Objection

Install objection.

pip3 install frida-tools
pip3 install objection

Patch with code signed signature from Xcode via Developer profile.

Goto any project in Xcode and export the profile to device. Trust the developer profile on device.

# Get code signed signature
security find-identity


objection patchipa --source app.ipa -c 67213423A423EDFADSFG23423423ASDFDF

Jailbreaking

checkra1n

  • Download checkra1n for macOS.

  • Allow untested iOS in checkra1n

  • Follow instructions on checkra1n

  • If we see Cydia installed, it means Jailbreak is successful.

Cydia

We can install apps using Cydia.

SSL Kill Switch for bypassing SSL Pinning

Install via Jailbreak and download on macbook and push on device to break SSL Pinning.

  • Open Cydia and install wget

  • SSH into jailbroken device and download the package in /tmp folder using wget.

  • dpkg -i com.nablac0d3.sslkillswitch_0.14.deb

  • If you get an error, run apt --fix-broken install

  • Open iOS settings app, locate SSL Kill Switch 2.

  • Open it and enable "Disable Certificate Validation".

PreviousToolsNextDevSecOps

Last updated 10 months ago