
A guide to iOS Pentesting (Part 1)

Devansh Bordia

5 min read


Mobile applications have become a primary target for cyberattacks in the current digital era. Such attacks let an attacker harvest user credentials or install malware, resulting in the loss of user funds. It is critical for businesses to closely monitor and evaluate the security of their mobile environment in order to prevent these kinds of thefts.

According to the Hacker-Powered Security Report published by HackerOne in 2023, only 17% of security researchers are familiar with iOS security, which leaves iOS applications more susceptible to cyberattacks for lack of skill, expertise and learning resources. As a result, we will publish a series of blog posts covering the most recent resources and testing procedures for iOS.

Setup Guide for iOS Pentest

Before getting started with our tests, we must make sure the right toolkits are installed in order to conduct our assessment. Mobile application security testing is typically split into two parts:

  • Static Assessment: scanning the mobile application's source code or binary to find vulnerabilities, using tools like MobSF.
  • Dynamic Assessment: running and instrumenting the mobile binary to uncover vulnerabilities in the application at runtime, with tools like Objection, Frida and Burp Suite.

Jailbreak

Jailbreaking is the process of obtaining root access on an iOS device, which unlocks device functionality that the manufacturer restricts. The most common software used to jailbreak iOS devices is palera1n. palera1n is available for download on Linux and macOS, as described in its documentation.

Note: only devices with an A11 chipset (e.g. iPhone X) or lower, running iOS 15.0 or above, can be jailbroken with palera1n.

Prerequisite: a jailbroken iOS device

[Screenshot: jailbroken device]

To confirm that the device has been jailbroken, check whether the palera1n app is installed on the iOS device. If it is, the device is jailbroken, and we can use Sileo to install and manage the tweaks we will need during lab setup.

[Screenshot: palera1n installation]

Static Assessment Toolkit:

Static security assessment involves reviewing the app's source code or decompiled binary. It lets the tester map the attack surface and uncover sensitive information such as hard-coded secrets, API endpoints, tokens, API keys, exported components, permission models and the list of binary protections applied to the iOS app. In this blog we cover the most common static assessment tool, MobSF, which lets a researcher upload a target iOS app and produces a comprehensive report listing potential vulnerabilities.

Mobile Security Framework (MobSF)

Mobile Security Framework (MobSF) is a security research platform for the Android, iOS and Windows Mobile platforms. MobSF addresses numerous use cases, including malware analysis, penetration testing, mobile application security and privacy analysis. Its Static Analyzer can analyse common mobile app binaries (APK, IPA, APPX) as well as source code, while its Dynamic Analyzer provides runtime data, network traffic analysis and interactive instrumented testing. MobSF also integrates with a DevSecOps or CI/CD pipeline through its REST API and CLI tools.

MobSF Docker Setup:

[Screenshot: MobSF Docker installation]

[Screenshot: MobSF web console]
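The REST API mentioned above is how MobSF is wired into a pipeline. As an added example (not code from this post or from the MobSF project), the script below uploads an IPA to a locally running MobSF container, triggers the static scan, fetches the JSON report and tallies findings by severity so a CI job can fail on high-severity results. It assumes MobSF listens at `MOBSF_URL` (port 8000 as exposed by the Docker setup), that `MOBSF_API_KEY` holds the key shown under "API Docs" in the MobSF console, and that findings in the report carry a `severity` field; the gate threshold is the example's own choice.

```python
"""Drive a MobSF instance through its REST API and summarise an iOS static scan.

Added example for this guide, not MobSF's own client. Assumptions: MobSF runs at
MOBSF_URL (the Docker container exposes port 8000), MOBSF_API_KEY holds the key shown
under "API Docs" in the MobSF console, and report findings carry a "severity" field.
"""
import json
import os
import sys
import uuid
from collections import Counter
from urllib import request
from urllib.parse import urlencode

MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
MOBSF_API_KEY = os.environ.get("MOBSF_API_KEY", "")  # assumption: supplied via environment


def multipart_body(field: str, filename: str, data: bytes):
    """Encode one file as a multipart/form-data body; returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def api_post(path: str, body: bytes, content_type: str) -> dict:
    """POST to /api/v1/<path>; MobSF authenticates with the Authorization header."""
    req = request.Request(
        f"{MOBSF_URL}/api/v1/{path}", data=body, method="POST",
        headers={"Authorization": MOBSF_API_KEY, "Content-Type": content_type},
    )
    with request.urlopen(req, timeout=900) as resp:  # static scans can take minutes
        return json.load(resp)


def api_form(path: str, **fields) -> dict:
    """POST ordinary form fields (hash, scan_type, file_name) to the API."""
    return api_post(path, urlencode(fields).encode(), "application/x-www-form-urlencoded")


def upload_ipa(ipa_path: str) -> dict:
    """Upload the IPA; MobSF answers with hash, scan_type and file_name."""
    with open(ipa_path, "rb") as fh:
        body, ctype = multipart_body("file", os.path.basename(ipa_path), fh.read())
    return api_post("upload", body, ctype)


def severity_counts(node, counts=None) -> Counter:
    """Walk the JSON report and tally every finding that carries a 'severity' field."""
    if counts is None:
        counts = Counter()
    if isinstance(node, dict):
        sev = node.get("severity")
        if isinstance(sev, str):
            counts[sev.lower()] += 1
        for value in node.values():
            severity_counts(value, counts)
    elif isinstance(node, list):
        for value in node:
            severity_counts(value, counts)
    return counts


def passes_gate(counts: Counter, max_high: int = 0) -> bool:
    """CI gate: fail the build when the report has more than max_high 'high' findings."""
    return counts.get("high", 0) <= max_high


def main(ipa_path: str) -> int:
    meta = upload_ipa(ipa_path)
    print(f"uploaded {meta['file_name']} as {meta['hash']} ({meta['scan_type']})")
    api_form("scan", hash=meta["hash"], scan_type=meta["scan_type"], file_name=meta["file_name"])
    report = api_form("report_json", hash=meta["hash"])
    counts = severity_counts(report)
    for sev, n in sorted(counts.items()):
        print(f"{sev:>8}: {n}")
    ok = passes_gate(counts)
    print("PASS" if ok else "FAIL: high-severity findings present")
    return 0 if ok else 1


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mobsf_scan.py <app.ipa>")
    sys.exit(main(sys.argv[1]))
```

Run it as `MOBSF_API_KEY=... python mobsf_scan.py target.ipa` against the container started in the Docker setup. The severity walk is deliberately structure-agnostic so it keeps working when MobSF reorganises its report sections between versions; tighten it to specific sections (for example `binary_analysis`) once you know the report layout of the version you run.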

Dynamic Assessment Toolkit

The dynamic assessment involves running the app and hooking its logic, either to alter the application's behaviour or to execute operations it does not normally permit. The most common tools used for dynamic testing are as follows:

  1. Frida
  2. Objection
  3. Burpsuite
  4. AppStore++
  5. TrollStore

Frida

Frida is a dynamic instrumentation toolkit designed for security researchers, reverse engineers, and developers. Dynamic instrumentation is the process of altering the instructions of a binary program during its execution.

Your own scripts can be injected into application processes to hook any function, intercept confidential application code and spy on crypto (cryptographic) APIs. You can edit the injected script and see the results immediately. With Frida's help we can bypass certificate pinning and jailbreak (root) detection, dump memory and defeat other security measures.

Frida Client Installation (Local Device):

[Screenshot: Frida client installation]

Frida Setup on iOS Device

Steps to install Frida on a Jailbroken device:

1. Open the Sileo app.
2. Navigate to Manage -> Sources -> Edit -> Add.
3. Enter "https://build.frida.re" as the URL.

[Screenshot: Frida source]

4. Go to the newly added Frida source.
5. Install the Frida package.

[Screenshot: Frida package installation]
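To show what the hooking described above looks like once the client is installed on the host and the Frida package on the device, here is an added example (not code from this post or from the Frida project). It uses Frida's Python bindings to attach to a running app on the USB-connected jailbroken device and hooks `-[NSUserDefaults setObject:forKey:]`, so the tester can see which preference keys the app writes, a common check for credentials persisted outside the Keychain. The target app name, the key-name heuristic and the message format are this example's own assumptions.

```python
"""Frida harness: watch what an iOS app writes to NSUserDefaults.

Added example for this guide, not code from the post or the Frida project.
Assumptions: frida-tools installed on the host, the Frida package installed on the
jailbroken device, the target app already running, and the key-name heuristic below.
"""
import re
import sys

# JavaScript that Frida injects into the app process. It hooks the Objective-C method
# -[NSUserDefaults setObject:forKey:] and reports the key plus the value's class and
# length (not the value itself) back to the Python side via send().
HOOK_SCRIPT = r"""
if (ObjC.available) {
  var setObjectForKey = ObjC.classes.NSUserDefaults['- setObject:forKey:'];
  Interceptor.attach(setObjectForKey.implementation, {
    onEnter: function (args) {
      // args[0] = self, args[1] = selector, args[2] = object, args[3] = key
      var key = new ObjC.Object(args[3]).toString();
      var valueClass = 'nil', length = 0;
      if (!args[2].isNull()) {
        var value = new ObjC.Object(args[2]);
        valueClass = value.$className;
        length = value.toString().length;
      }
      send({ key: key, valueClass: valueClass, length: length });
    }
  });
} else {
  send({ error: 'Objective-C runtime not available in this process' });
}
"""

# Heuristic (an assumption of this example): key names that suggest credentials or
# session material, which belong in the Keychain rather than in plaintext preferences.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|session|auth|api_?key|\bpin\b|ssn|card", re.I)


def is_sensitive_key(key: str) -> bool:
    """Return True if a preference key name looks like it holds sensitive data."""
    return bool(SENSITIVE_KEY.search(key))


def record(payload: dict, findings: list) -> dict:
    """Convert one hook message into a finding and append it to the running list."""
    finding = {
        "key": payload["key"],
        "value_class": payload["valueClass"],
        "length": payload["length"],
        "sensitive": is_sensitive_key(payload["key"]),
    }
    findings.append(finding)
    return finding


def main(app_name: str) -> None:
    import frida  # imported here so the helpers above work without a device attached

    findings = []

    def on_message(message, _data):
        if message["type"] == "send" and "key" in message["payload"]:
            f = record(message["payload"], findings)
            tag = "SENSITIVE" if f["sensitive"] else "ok"
            print(f"[{tag}] NSUserDefaults[{f['key']!r}] <- {f['value_class']} ({f['length']} chars)")
        else:
            print(message)  # script errors or the 'runtime not available' notice

    device = frida.get_usb_device(timeout=5)  # the jailbroken device over USB
    session = device.attach(app_name)          # attach by the name shown in `frida-ps -Ua`
    script = session.create_script(HOOK_SCRIPT)
    script.on("message", on_message)
    script.load()
    print("Hook installed; exercise the app, then press Ctrl-C to stop.")
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    finally:
        session.detach()
        flagged = [f for f in findings if f["sensitive"]]
        print(f"{len(findings)} writes observed, {len(flagged)} with sensitive-looking keys")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: watch_defaults.py <app name as listed by frida-ps -Ua>")
    main(sys.argv[1])
```

Run `frida-ps -Ua` first to confirm the host sees the device and to get the exact app name, then `python watch_defaults.py "<App Name>"` and use the app's login and settings screens. Every write the hook reports ends up in a plist under the app's sandbox, so a key flagged as sensitive is a data-storage finding worth confirming with a file-manager tweak such as Filza.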

Burpsuite

Burp Suite is an integrated platform and graphical tool for evaluating the security of web applications. Its many tools work together to support every step of the testing process, from initial mapping and analysis of an application's attack surface to the identification and exploitation of security flaws. In Kali Linux, Burp Suite is installed by default.

The software was created by PortSwigger Web Security and is written in Java. Three editions are available: the Community Edition, which is a free download, and the Professional and Enterprise Editions, which must be purchased after a trial period. The Community Edition has significantly reduced functionality.

Burp Suite Installation:

1. Visit the given URL.
2. Click Download and select the Windows x64 installer.
3. Finally, launch Burp Suite and create a new project.

[Screenshot: Burp Suite installation]

Tweaks

These are third-party applications made for devices that have been jailbroken. They can add new features, tweak current functionality, or circumvent Apple's constraints.

Tweaks can be used in the context of iOS pentesting for a number of reasons, including:

- Bypassing jailbreak detection: certain applications limit their functionality or refuse to launch on jailbroken devices. Testers can use tweaks to get around these checks so the app can be tested.
- Examining app files: iOS normally prevents users from accessing an application's internal files. With a file-manager tweak that exposes these files, testers can check how the app stores data and operates.
- Monitoring network traffic: by allowing data to be intercepted between an application and the internet, tweaks help find flaws in the app's communication.
- Changing app behaviour: some tweaks make it possible to change an application's behaviour while it is being tested.

List of Common Tweaks:

  1. Filza
  2. OpenSSH
  3. Frida
  4. SSLBypass & SSL Kill Switch
  5. AppStore++

Conclusion

Fantastic! You have just created your own playground for iOS pentesting. With this personalised environment you can analyse apps, find security holes and ultimately improve mobile security. Keep in mind, though, that iOS security is a dynamic field: tools get updated, new jailbreaks appear and testing techniques keep improving, so staying current is crucial.

Here are some next steps to consider:

  • Familiarise yourself with popular iOS pen testing tools like Frida, Objection, and Burp Suite.
  • Explore resources for practice applications with known vulnerabilities like DVIA or iGoat.
  • Stay updated on the latest iOS exploits and jailbreaks by following reputable security blogs and communities.
