OWASP Mobile TOP 10
Dynamic Analysis
Advanced Application Runtime Analysis
Exploiting iOS Applications, etc.
iOS_Architecture
Device_Jailbreaking
Setting_up_the_Test_Environment
References
When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM.
The Boot ROM contains the firmware that Apple permanently installs on every iOS device; it cannot be altered once manufactured.
It also contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load.
Each step ensures that the next step is signed by Apple.
Low-level boot loader:
iBoot:
For more info visit:
If one step of this boot process is unable to load or verify the next process, startup is stopped and the device displays the “Connect to iTunes” screen.
This is called recovery mode. If the Boot ROM is not able to load or verify LLB, it enters DFU (Device Firmware Upgrade) mode.
In both cases, the device must be connected to iTunes via USB and restored to factory default settings.
For more information on manually entering recovery mode, see https://support.apple.com/kb/HT1808.
Every Apple device with an A7 or later processor contains a dedicated coprocessor known as the Secure Enclave.
Every device has a unique, non-repeatable ID that is fused into the Secure Enclave at manufacturing time.
The Secure Enclave implements device passcode verification, file encryption, Touch ID fingerprint processing and matching, and Apple Pay, and it enforces security restrictions such as the escalating delays applied after excessive incorrect passcode attempts.
Touch ID is the fingerprint sensor that was first introduced by Apple on the iPhone 5S. It is a seamless way to use your fingerprint as your passcode.
Touch ID is also responsible for encrypting keys generated in the device's Secure Enclave. Such keys are then, in turn, used to encrypt the device's lock-screen passcode or iOS App Store account credentials, amongst other things.
After 5 consecutive failed unlock attempts using a fingerprint, the keys are deleted from the Secure Enclave.
This protects the encrypted passcode/credentials from being decrypted (since the key required to decrypt the passcode has now been deleted) and forces the attacker to provide the actual passcode/credentials in order to unlock the device or get access to the iTunes account.
In general, all iOS apps must be signed by a signing certificate issued by Apple (this process is known as code signing) and must be distributed via the Apple App Store.
Create an iOS development Signing Identity and hit Done.
goo.gl/pE9gMG
This allows the user to:
On a high level, there are two types of jailbreaks:
Jailbreaking removes the sandboxing put in place by the operating system.
With the sandbox protection removed, any app on the device has the potential to read any file on the filesystem, including other applications' private files and the tokens/cookies stored in plist files or the keychain.
A jailbreak patches the integrity check that verifies apps being installed, and thus skips the code signing check (verifying that the app was signed by a certificate issued by Apple).
There is no need to pay the $99 yearly fee for maintaining a developer certificate, as anyone can publish apps on Cydia for free.
A few applications check for signs of a jailbreak during installation or during normal usage.
When a jailbreak is detected, such apps may choose to cease operating, in order to prevent other apps from sniffing out sensitive data from the application.
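The kind of in-app jailbreak check described above, as an added example (not code from the original slides); the checked paths are the commonly used jailbreak artefacts, and the probe file name and package URL are assumptions:

```swift
import Foundation
import UIKit

/// Heuristic jailbreak detection an app can run at launch.
struct JailbreakDetector {

    /// Files that normally exist only after a jailbreak (Cydia, OpenSSH, apt, MobileSubstrate).
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/usr/sbin/sshd",
        "/bin/bash",
        "/etc/apt",
        "/Library/MobileSubstrate/MobileSubstrate.dylib"
    ]

    /// Check 1: known jailbreak artefacts are present on the filesystem.
    static func hasSuspiciousFiles() -> Bool {
        return suspiciousPaths.contains { FileManager.default.fileExists(atPath: $0) }
    }

    /// Check 2: the sandbox must forbid writes outside the app container;
    /// a successful write means the sandbox restrictions have been removed.
    static func canWriteOutsideSandbox() -> Bool {
        let probe = "/private/jb_probe_\(UUID().uuidString).txt"   // assumed probe path
        do {
            try "probe".write(toFile: probe, atomically: true, encoding: .utf8)
            try? FileManager.default.removeItem(atPath: probe)       // clean up on success
            return true
        } catch {
            return false
        }
    }

    /// Check 3: the cydia:// URL scheme is registered only when Cydia is installed.
    /// Requires "cydia" to be listed under LSApplicationQueriesSchemes in Info.plist.
    static func canOpenCydia() -> Bool {
        guard let url = URL(string: "cydia://package/com.example.package") else { return false }
        return UIApplication.shared.canOpenURL(url)
    }

    static func isJailbroken() -> Bool {
        #if targetEnvironment(simulator)
        return false   // the simulator has no sandbox of this kind; skip the checks there
        #else
        return hasSuspiciousFiles() || canWriteOutsideSandbox() || canOpenCydia()
        #endif
    }
}

// Usage at launch: if JailbreakDetector.isJailbroken() { /* stop handling sensitive data */ }
```

These checks are heuristics: runtime tools such as those listed in the test-environment section can hook them, so they raise the bar rather than guarantee detection.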
Hardware Requirements :
Software Requirements :
Other useful tools: Otool, Cycript, Class-dump-z, Snoop-it, RET, Clutch, Filezilla (SFTP)/WinSCP, SQLite browser, Installipa, Veency, etc.
For more visit: goo.gl/mgJZ6Q
Note: Starting with iOS 8.4, Apple restricts third-party file managers' access to the application sandbox.
This tool allows you to retrieve sandbox files off the device for further inspection.
This tool is available as an app within the Cydia app store.
Once installed on the device, it allows a user to SSH into the device, inspect the app sandbox, push/pull files on the filesystem, etc.
Connect the iPhone/iPad to Wi-Fi and check the IP address of the device.
Now, from our PC, connect to this IP address over SSH using any SSH client.
Default Username : root
Password : alpine
Note: Change the default password, as anyone on the same Wi-Fi network can connect to our device using the default credentials.
Burp Suite is an HTTP proxy tool which comes in handy for inspecting an application's HTTP traffic flowing through the device.
Cheat Sheet:
Books:
Testing Guide:
https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Main