iOS App Security Testing :: Session 1
Set up iOS pen-testing platform
Understanding the iOS filesystem
- System Apps Path: /Applications
- Store Apps Path: /var/mobile/Containers/Bundle/Application/
iOS Assessment - Overview
Insecure Data Storage
- Core Data (SQLite)
- WebKit Caching
- Couchbase Lite
Basics of Cycript
Why is it required for Security Testing?
- To identify methods used in the app
- To modify the values of variables during runtime
- Method Swizzling
How does it work?
- Install Cycript from Cydia
- SSH into the device and find the app's process using this command: ps -u <<user>> | grep "<<app_name>>"
- Hook into the process using this command: cycript -p <<PID>>
Client Side Injection
Data injection attacks are as real in mobile apps as they are in web apps, although the attack scenarios tend to differ (e.g., exploiting URL schemes to send premium text messages or toll phone calls).
- URL Schemes Injection: Refer to http://wiki.akosma.com/IPhone_URL_Schemes#TikiSurf
- SQL Injection
SQL Injection Example
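An added example (not from the original slides) of the client-side SQL injection listed above: a search term arriving through a custom URL scheme is concatenated into a local SQLite query, shown beside the bound-parameter fix. Python's sqlite3 module stands in for the app's SQLite layer; the notesapp:// scheme, the notes table and its rows are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    # Constructed sample data: a local notes table such as an app might keep in SQLite.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", [
        ("alice", "grocery list"),
        ("alice", "gym schedule"),
        ("bob", "bank PIN reminder"),
    ])
    return db

def query_param(url, name):
    """Pull one query parameter out of an incoming custom-scheme URL."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]

def search_vulnerable(db, owner, url):
    # BAD: untrusted text becomes part of the SQL statement itself.
    term = query_param(url, "q")
    sql = ("SELECT body FROM notes WHERE owner = '" + owner +
           "' AND body LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, owner, url):
    # GOOD: the statement text is fixed; untrusted text is passed as bound values.
    term = query_param(url, "q")
    sql = "SELECT body FROM notes WHERE owner = ? AND body LIKE ?"
    return [row[0] for row in db.execute(sql, (owner, "%" + term + "%"))]

# Constructed inputs: a normal link and one whose parameter carries SQL syntax.
BENIGN_URL = "notesapp://search?q=gym"
CRAFTED_URL = "notesapp://search?q='%20OR%201%3D1%20--"

if __name__ == "__main__":
    db = make_db()
    for url in (BENIGN_URL, CRAFTED_URL):
        print(url)
        print("  concatenated:", search_vulnerable(db, "alice", url))
        print("  bound params:", search_safe(db, "alice", url))
```

With the concatenated query the crafted link returns every owner's rows; with bound parameters the same text is matched as a literal search term and returns nothing.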
Tools & Commands Info
|Class-dump-z Installation||1. Go to https://code.google.com/p/networkpx/wiki/class_dump_z and copy the download link
2. SSH into the device and run this command: wget <<class-dump-z download link>>
3. Once this is done, go inside the folder iphone_armv6 and copy the class-dump-z executable into the /usr/bin directory|
|Keychain||1. SSH into your device and run this command: wget https://github.com/ptoomey3/Keychain-Dumper/archive --no-check-certificate
2. Navigate into the Keychain_Dumper directory and run the executable using the command ./keychain_dumper|
|Cycript||1. Go to http://www.cycript.org/debs/ and download the latest deb file
2. Copy the package to your device and install it using dpkg with this command: dpkg -i <<deb_package_name>>
3. Once the package is installed, run cycript in the terminal|
|Copy over Shell||scp <<source_path>> root@<<device_ip_address>>:<<destination_path>>|
|Convert plist to xml||plutil -convert xml1 <<plist_file>>|
|Find application PID||a. ps aux | grep "app_name"
b. ps -u mobile | grep "app_name"|
|Extract .tar files||tar -xvzf <<tar_file>>|
iOS Application Security - Part 1
By Yogesh Sharma