This document discusses static analysis techniques for testing iOS applications. It covers analyzing the app manifest file (plist) for sensitive information, checking for insecure data storage in databases and the keychain, verifying code signatures, and dumping runtime memory. The document provides examples of using tools like MobSF, otool, and objection to extract plaintext passwords and other data from test apps.

1. Pen-testing iOS
Applications: Static
Analysis
Deepika Kumari

2. Who Am I ?
 Senior Security Consultant @EY
 Security Researcher
 Bachelor’s Degree from Amity University (2015)
 Certified Red Team professional
Find me on :
https://www.linkedin.com/in/deepika-kumari-740763100/
Blog:
https://medium.com/@deepika-k/
2

3. Agenda
iOS Platform Overview
Web vs Mobile Testing
Pre-requisites
iOS application Static Analysis
3

4. iOS Security Architecture
The iOS security architecture consists of several core features:
 Hardware Security (Secure Enclave)
 Secure Boot
 Code Signing
 Security of runtime process
4

5. Mobile vs Web App
5
Data being stored
on the device
Interaction with the OS
through API’s
Reverse
Engineering
Local
Authentication
(e.g. Fingerprint)

6. Types of Mobile Apps
 Native App
 Web App
 Hybrid App
6

7. Web Vs Mobile
Q1. is XSS a vulnerability that is applicable to
mobile apps?
• a) yes but only reflected
• b) yes but only stored
• c) yes reflected and stored
• d) No
Q2: Do you think its possible to make an app
immune to reverse engg attacks?
• a) yes via obfucstion
• b) yes via encryption
• c) Yes by combining above 2
• d) No reverse engg will always win
7

8. Web vs Mobile
Pentesting
 Be aware of the impact of vulnerabilities in mobile apps
compared to web apps
 You can not blindly map everything you know about
web app testing to mobile apps
 Need to understand the differences and common
pitfalls when implementing mobile apps
8

9. Creating Pentest
Platform
 Jailbreak using Checkra1n or other jailbreak tools
 Launch Cydia
 Install Open SSH server
 Connect to Wi-Fi and SSH over IP
 Install .ipa file using iMazing or Installer IPA.
 Install tools like Otool(reverse enginnering), cycript
(decrypting ipa file), Frida/Objection (bypassing
SSL pinning and dumping keychain)
 MobSF Scanner
9 Tuesday, February 2, 20XX

10. iOS Application
Testing Methodology
Static Analysis : using manual techniques and tools such as
MobSF, otool, etc. to look for certain strings, hardcoded
sensitive information, misconfigures cryptography.
Dynamic Analysis : involves runtime exploitation and
hooking different methods objects to bypass certain
scenarios and gain access to sensitive information, testing
dynamic API calls, business logic flows, parameter tampering,
Injection attacks and so on.
10

11. Finding
Package
Name
11

12. iOS Application
Static Analysis
• Plist file analysis
• Sensitive Data in UserDefaults
• Looking into Insecure Local
Storage
• Verify Signature (Binary
Protection)
• Runtime Memory Dump
• Dumping Keychain
12

13. Plist File
Analysis
1. Run the following commands:
• objection -g <app package name> explore
• ios plist cat userInfo.plist
2. Observe that the sensitive information is stored in plain text.
3. Look for Misconfigured ATS
13

14. Sensitive Data in
NSUserDefaults
1. Run the following commands:
• objection -g <app package name>
explore
• ios nsuserdefaults get
2. Observe that the sensitive information is
stored in the plain-text in DemoValue
parameter.
14

15. Insecure Local
Data Storage
1. Navigate to the application package folder.
2. Search for database file with .db extension or .sqlite.
3. Open it using sqlite3 database command.
4. From the screenshot above we are able to read the database
table and content.
15

16. Verify
Signature of
IPA file
1. Use code signer tool to check the signature of the IPA file
• codesign -dv --verbose=4 /Applications/Utilities/Terminal.app
2. Use open source to check the IPA cert validation
• https://gist.github.com/ronsims2/1b7a8b9e15898f9406788988106b
2f78
• python ipa_cert_checker.py /Users/janedoe/Dcouments/Foobar.ipa
16

17. Run-Time Memory Dump
1. Use FRIDUMP tool to dump sensitive information from the
temporary memory
• Command : https://github.com/Nightbringer21/fridump
• fridump -U Safari - Dump the memory of an iOS device
associated with the Safari app
17

18. Dumping
Keychain
1. Run the following commands:
• objection -g DVIA-v2 explore
• ios keychain dump
2.Observe that the sensitive information (password) is found
stored in the plain-text (Super Secure Password).
18

19. References
• https://www.cobalt.io/blog/ios-pentesting-101
• https://payatu.com/blog/kapil.gurav/ios-penetration-testing
• https://book.hacktricks.xyz/mobile-pentesting/ios-
pentesting-checklist
• https://blog.yeswehack.com/yeswerhackers/getting-started-
ios-penetration-testing-part-1/
• https://mobile-security.gitbook.io/mobile-security-testing-
guide/ios-testing-guide/0x06b-basic-security-testing
19

20. Thank you
Deepika Kumari
deepikakumari778@gmail.com
/in/deepika-kumari-740763100/
20