How to Start iOS Penetration Testing

How to Start iOS Penetration Testing

Mobile app databases receive a massive flow of network traffic and sensitive information daily, making them catchy targets for hackers. That’s why most companies apply for application security testing to avoid security breaches, data leakage, and other similar safety scenarios. And iOS Penetration Testing is one of its subdivisions.

So let’s go on and see what iOS penetration testing is and how it’s performed.

IOS Application Security Testing: Features and Techniques

The following are some crucial security features and techniques that Apple provides to protect data and keep mobile devices safe. 

Jailbreak 

For pentesting IOS applications, one of the fundamental things you need is a jailbroken device. Jailbreaking is a popular term used among Apple users. It generally means removing restrictions from an IOS device like an iPad or iPhone. Through jailbreaking, one can access features and services not allowed by Apple and its file system, such as downloading music from non-approved sources, installing third-party apps aside from the IOS App Store, bypassing security controls, or customizing the device according to user preferences. 

Several types of jailbreaking exist, so let’s review each in detail. 

  1. Tethered Jailbreak: It is also known as Temporary Jailbreak, as after rebooting, the device will return to its normal state. 
  2. Untethered Jailbreak: It refers to permanent jailbreak, as the device will no longer go back to its normal state, even after rebooting.
  3. Semi-Tethered Jailbreak: In the case of Semi-tethered jailbreak, the phone can start up on its own. However, it will no longer own a patched kernel and can’t run the modified source code. 
  4. Semi-Untethered Jailbreak: It’s similar to semi-tethered jailbreak in terms of rebooting: the device startup sequence remains the same and can go back to its original state. However, users can re-jailbreak their phone through an app running on the device.

The jailbreak process is typically not complicated and takes several minutes. Moreover, multiple jailbreak tools are designed especially for the IOS platform like Home Depot, Phoenix, uncOver, etc.

App Sandbox

Generally, IOS assigns the apps running on the Apple platform individual sandboxes. The primary function of an app sandboxing is to protect the user’s app from other apps attempting to gain unauthorized access to the data stored, including payment information, passwords, or personal data (photos, videos, etc.). As a result, your IOS apps and confidential data are safe and secure from any other intervention or modification. 

Data Protection API 

One of the ways IOS protects the sensitive data stored on the device is the Data Protection API. Users can build apps with encryption through this option, which helps safeguard information even if the app is not running. 

IOS Application Testing Methodologies

While testing iOS applications, there are several components and elements you will need to use. The complete penetration testing is performed through multiple stages that include the following:

  • Conducting a static analysis through manual tools and techniques like MobSF;
  • Bypassing specific scenarios and gaining access to sensitive information by Runtime exploitation;
  • Testing the API calls through dynamic analysis generated from the application;
  • Securing apps through address space layout randomization;

So, without further ado, let’s move on to the primary IOS penetration testing and development process.

Extracting the IPA

The first and most crucial step of the security testing is the IPA extraction, which can be done in several ways. Here we will use SSH.

Extraction steps to follow:

  1. Connect to your device via SSH:
  2. Go to the data directory using the following: /var/containers/Bundle/Application
  3. Search for the app;
  4. Move to the folder that contains your application: cd <app_directory>
  5. Make a Payload directory: mkdir Payload
  6. Copy the information into the directory of Payload: <yourappname.app>/Payload/
  7. Zip the directory format into IPA: zip -r /var/root/<yourappname>.ipa Payload/

Performing Static Analysis 

After extracting the IPA file, run the static analysis with the help of MobSF. 

Steps to run the Static Analysis:

  1. Open the Web Interface of MobSF;
  2. Run Static Analysis by dropping the IPA file;
  3. Look for misconfigurations after the analysis is complete: Insecure URL Schemes, Insecure Binary Options, and Insecure Permissions.

Setting Up the Proxy

Proxy set-up is relatively easy with Burp Suite: it uses an iOS simulator. Here is what you need to do:

  1. Choose the Manual Proxy option in the wireless setting and fill in the proxy details.
  2. Go to the “Proxy Settings” section in Burp Suite and enable the listener to access All interfaces.
  3. After that, open “HTTP. burp” on your device and install the CA certificate.
  4. Go to Certificate Trust Settings and choose Portswigger CA Certificate.

Bypass Jailbreak Detection

First of all, ensure that your device is successfully jailbroken.

For the next step, we will use Frida:

  1. Fill the command below:frida_codshare rodnt/ios-jailbreak-bypass-f DVIA-v2
  2. Navigate to native apps, click on the button Jailbreak 1 and ensure the jailbreak detection is bypassed.

SSL Pinning Bypass

For bypassing SSL pinning, we will use Objection:

  1. Fill in the command line with the following:
  • objection -g DVIA-V2 explore
  • ios sslpinning disabled
  1. Go to the app, click on Network Layer Security and enable Send Using Certificate Pinning.
  2. Ensure that data is interceptable.

Checking for the Possibilities of Sensitive Data Exposure 

Generally, there are various places where sensitive information from multiple devices can be stored in the local storage. To find the valuable data and perform an attack, you must install the DIVA-V2 app and go to Local Data Storage.

Sensitive Data in Plist

Steps for reproducing:

  1. Fill in the following command line into your system:
  • objection -g DVIA-V2 explore
  • env
  • cd
  • /var/mobile/Containers/Data/Application/<mobileapp-id>/Docs

         ios plist userinfo.plist

  1. The sensitive information will be stored in plain text format on the SQLite database.

Sensitive Data in Keychain

Steps for reproducing:

  1. Fill in the following command line into your system:
  2. objection -g DVIA-V2 explore
  3. ios keychain dump
  4. You will find the sensitive information stored on SQLite databases in plain text format.

What is IOS Penetration Testing?

IOS is one of the leading operating systems in the mobile computing industry. Due to this fact, the number of new iOS applications conquering the mobile market is constantly growing. As a result, you can see Apple devices being widely used in different ways to improve business solutions’ effectiveness and functionality. However, the popularity of these applications has also successfully caught the cybercriminals’ attention leading to numerous risks of security issues. And this is precisely where iOS penetration testing comes to help. 

In general, application security testing defines the methodology and techniques by which APIs, web apps, mobile apps, and other apps are protected from attackers’ virtual or physical access. Thus, IOS penetration testing covers discovering and exploiting the vulnerabilities in the IOS operating system. 

IOS pentesting method can include decompiling the mobile application to identify existing defects that may lead to bugs and errors. Penetration testing is built upon different tests designed to exploit IOS app and network security vulnerabilities. 

IOS Application Architecture

Before we dive into the primary penetration testing itself, let’s first understand the IOS system’s default security features and components. Below we will review the main layers:

  • Core OS: This layer offers multiple low-level features used for building various services, including Directory Services, OpenCL, Accelerate Framework, etc.
  • Core Services: The abstraction of the services offered by the Core OS is possible with the help of the Core Services layer. These include Security, Social, Website, Address Book, etc.
  • Cocoa Touch: The primary function of Cocoa Touch is to expose different APIs that are used for programming iOS devices. Additionally, the IPA file is the extension that the iOS apps use.
  • Media: This is another essential layer mainly responsible for providing different media services that can be utilized in the physical device, such as audio-visual technologies: the functions of the Media layer cover Core Audio, Core Image, and Core Text.
  • Keychain: A Keychain is an encrypted container where apps can store sensitive data such as the application’s source code, encryption keys, and database files which can be retrieved only by an authorized application. 
  • Info.plist: This file uses a list of different properties to describe the app to the operating system. The Info.plist file is constantly checked while conducting mobile security assessments as it may help the testers to find some misconfigurations.

FAQ Section

What is IOS security testing?

Most companies perform IOS pentesting to identify the security system’s vulnerabilities and protect confidential data from hackers. 

How long does the testing process take?

The duration of the pen-test mainly depends on the scope and number of applications being tested. Generally, it can vary from several hours to several weeks.

How much does IOS Application Testing cost?

It depends primarily on the complexity and size of the project: the average range is between $3000 – $80.000.