Getting Started with iOS Penetration Testing (Part 1)

January 19, 2022

Penetration testing of the mobile application involves two major market player platforms, i.e. Android & iOS. Both of the operating systems are quite popular and have their own features.

In the article, we are going to look at the iOS platform and how to start performing pentest on an iOS application. We will start with the basics of the iOS application & some of the important know-how followed by required tools and lab setup & some basic attacks to start with.

While testing the API calls that are getting originated from the iOS application is similar to the general API pentesting practices, however, the major difference lies in the Static & Dynamic Functionality Analysis, Bypassing the implemented restrictions, Manipulating functions and some magically interesting stuff.

Basics of iOS Application

Before diving right into the iOS application penetration testing, it is important to understand the iOS platform, the default security features it has to offer and other important terminology. For this article, I will explain important terms in a simple and short way possible & provide further reading to explore them in depth.

Architecture of iOS

The below diagram explains and talks about the basic architecture of the iOS system where different layers are used between the Application and Hardware level to establish communication & perform different tasks.

Source: https://www.dotnettricks.com/learn/xamarin/understanding-xamarin-ios-build-native-ios-app

Let’s discuss some of these layers in brief:

Core OS: The Core OS layer provides various low-level features upon which different services are built. These include Accelerate Framework, Directory Services, System Configuration, OpenCL, etc.

Core Services: The core services layer provides an abstraction over the services that are provided in the Core OS layer. These services generally include Address Book, Social, Security, Webkit, etc.

Media: The media layer provides various media services that can be utilized in the device, i.e. it basically enables all the audio-visual technologies. It provides various functions such as Core Image, Core Audio, Core Text, etc.

Cocoa Touch (Application): The cocoa touch layer is also known as the Application Layer. It is the topmost layer in the architecture and exposes various APIs for programming the iPhone devices.

The iOS Applications uses .IPA as their file extension.

You can read more about IPA File here: https://en.wikipedia.org/wiki/.ipa

Info.plist: The info.plist file describes the application to the operating system using a list of various properties. This file is often checked while performing security assessments as it may contain interesting information or help us find some misconfigurations.

Keychain: A keychain is referred to as an encrypted container where an application can store sensitive information and only the authorized application can retrieve the data from it. Read More: https://developer.apple.com/documentation/security/keychain_services

Application Sandboxing

The application sandboxing in iOS allows applications to set up a local database on the device and separately segment from the other applications. To ensure there are no conflicts between the application, the iOS assigns each app its own sandbox.

You can read more about application sandboxing here: https://theapplady.net/getting-started/ios-application-sandbox/

Setting up the Environment

In this section, we are going to look at the various tools, scripts and applications required in order to start learning iOS applications. Please note that there are many tools & scripts, however, this article may not explain all of them but it is recommended to explore all the tools & scripts on your own.

Note that it is recommended to use a physical device for testing iOS applications. I am using multiple devices that are iPhone 7 and iPhone 12 mini. Also, make sure the auto-updates are turned off to avoid getting the latest version & waiting for a jailbreak.

There is an option to get a virtual device usinghttps://www.corellium.com/ but I haven’t tried it myself.

Vulnerable Application

Use the below vulnerable applications and install them using the given instruction in the specific repositories:

DVIA-v2: https://github.com/prateek147/DVIA-v2

iGOAT: https://github.com/OWASP/igoat

For this article demonstrates, we will be using the DVIA-v2 application.

Testing Methodology

There are multiple components involved while performing penetration testing on an iOS application. One component is to perform a static analysis using manual techniques and tools such as MobSF. Another component involves runtime exploitation and hooking different methods & objects to bypass certain scenarios and gain access to sensitive information. Lastly, testing the dynamic API calls that are getting generated from the application such as login API calls, etc.

In this article, we will first start with performing a static analysis on the iOS application for which we will first need to extract the IPA, performing static analysis using MobSF and later we will look at the different bypass techniques such as Jailbreak Detection Bypass, SSL Pinning Bypass, Local Authentication Bypass, etc.

Extracting the IPA

There are multiple methods to extract the IPA file, however, in this article, we will use SSH to extract the IPA file.

Steps to Extract:

  1. Connect to your iphone via SSH: ssh root@ip (Default Password is Alpine)
  2. Navigate to the following directory: /var/containers/Bundle/Application
  3. Now search for the application: find | grep “app_name”
  4. Navigate to the folder containing your app: cd <app_directory>
  5. Create a directory with the name Payload: mkdir Payload
  6. Copy the data into the Payload directory: cp -r <appname.app>/ Payload/
  7. Zip the Payload directory into IPA format: zip -r /var/root/<appname>.ipa Payload/

Running Static Analysis with MobSF

Once you have extracted the IPA file, the next step is to perform static analysis using MobSF. I will be using the MobSF docker option but you can use an install as well as any other installation option provided.

MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF
MobSF Documentation: https://mobsf.github.io/docs/#/

Steps to perform the static analysis:

  1. Run the MobSF Web Interface
  2. Drop the IPA file and run static analysis
  3. Once the static analysis is finished look for misconfigurations such as:
  • Insecure URL Schemes
  • Insecure Permissions & ATS Misconfiguration
  • Insecure Binary Options
  • Firebase Database, Emails & Hardcoded Information
  • Other Interesting Files

Setting Up Proxy

Setting up proxy in the Burp Suite is a pretty simple and straightforward process.

Steps to Perform:

  1. Enable manual proxy in the wireless setting and add proxy details.
  1. In the Burp Suite, go to “Proxy Settings” and set the listener to All Interfaces.
  1. Now, on the iPhone, open “http://burp” and download the CA certificate.
  2. Install the CA certificate.
  3. Now, Navigate to SettingsGeneralAboutCertificate Trust Settings and enable Portswigger CA Certificate.

Jailbreak

Before diving into performing a jailbreak, let’s under what a jailbreak is:

Different types of jailbreak

  1. Untethered Jailbreak: The untethered jailbreak is a permanent type of jailbreak where even after rebooting the device, it will be in jailbreak state only.
  2. Tethered Jailbreak: This is a temporary jailbreak type. Once the device is rebooted, the device no longer remains in the jailbreak state.
  3. Semi-tethered Jailbreak: A semi-tethered jailbreak is one where the device can start up on its own, but it will no longer have a patched kernel, and therefore will not be able to run modified code.
  4. Semi-untethered Jailbreak: A semi-untethered jailbreak is similar to an untethered jailbreak in that it allows the device to boot up on its own. The device startup sequence is unaltered on each boot, and it boots into its original, non-jailbroken state. However, rather than using a computer to jailbreak, as in a tethered or semi-tethered case, the user can re-jailbreak their device using an app that runs on their device.

Bypassing Jailbreak Detection

For this demonstration, we will be looking at multiple options such as:

Observe that the device status is returned as Jailbroken.

Using Frida

  1. Run the following command on your system: frida — codeshare rodnt/ios-jailbreak-bypass -f DVIA-v2
  2. Now navigate to the application and click on Jailbreak 1 and observe that the jailbreak detection is bypassed:

Using Objection

  1. Run the following commands on your system:
  • objection -g DVIA-v2 explore
  • ios jailbreak disable

2. Now navigate to the application and click on Jailbreak 1 and observe that the jailbreak detection is bypassed:

There are different tools that can be used to bypass jailbreak detection as listed below:

Bypassing SSL Pinning

Using Objection

  1. Run the following command on your system:
  • objection -g DVIA-v2 explore
  • ios sslpinning disable
  1. Now navigate to the application and click on Network Layer Security > Send Using Certificate Pinning.
  2. Observe that the data is interceptable by bypassing the SSL Pinning.

There are different tools that can be used to bypass jailbreak detection as listed below:

Bypassing Biometric (Local) Authentication

Using Objection

  1. Run the following command on your system:
  • objection -g DVIA-v2 explore
  • ios ui biometrics_bypass exit

Once the application prompts with Face Not Recognized, Click on Cancel and observe that the authentication is bypassed.

Checking for Sensitive Data Exposure in Local

There are multiple places where the sensitive data can be found stored in the local storage. Below are the various places to find the sensitive data and steps to perform the attack:

Launch the DVIA-v2 application and navigate to Local Data Storage. Save some information in all the given options.

Sensitive Data in Plist

Steps to Reproduce

  1. Run the following commands:
  • objection -g DVIA-v2 explore
  • env
  • cd /var/mobile/Containers/Data/Application/<app-id>/Documents
  • ios plist cat userInfo.plist

2. Observe that the sensitive information is found stored in plain text.

Sensitive Data in Keychain

Steps to Reproduce

  1. Run the following commands:
  • objection -g DVIA-v2 explore
  • ios keychain dump

2. Observe that the sensitive information (password) is found stored in the plain-text (Super Secure Password).

For the rest of the attacks, we will be using a tool called Grapefruit (https://github.com/ChiChou/grapefruit). Install the tool, launch it and connect to the iPhone.

Sensitive Data in Core Data

Steps to Reproduce

  1. Load the DVIA-v2 application with Grapefruit & navigate to the following: Data > Library > Application Support
  2. Open Model.sqlite
  3. Observe that the sensitive data is accessible.

Sensitive Data in Couchbase Lite

Steps to Reproduce

  1. Load the DVIA-v2 application with Grapefruit & navigate to the following: Data > Library > Application Support > CouchbaseLite > dvcouchbasedb.cblite2
  2. Download db.sqlite3, open it & you will be able to see the sensitive information.

Sensitive Data in YapDatabase

Steps to Reproduce

  1. Load the DVIA-v2 application with Grapefruit & navigate to the following: Data > Library > Application Support
  2. Download YapDatabase.sqlite and open with SQLite Viewer
  3. You will be able to sensitive data.

End Notes

In this article, we looked at the basics of iOS penetration testing and learned a few techniques around SSL Pinning Bypass, Jailbreak Detection Bypass, Biometrics Bypass and Sensitive Data Exposure in the Local Storage. In the next part of this article, we will explore more concepts of the iOS pen- and dig deep into more advanced concepts.