Downloaded 16 times
![[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...](https://cdn.slidesharecdn.com/ss_thumbnails/slawomirkosowski-introductiontoiospenetrationtesting-160603095607-thumbnail.jpg?width=640&height=640&fit=bounds)
Mobile App Penetration Testing Bsides312
- 1. Beginners Guide To MobileApplication Penetration Testing Presenter: Whitney Phillips
- 2. Who Am I? 12Years in IT and Information Security • Help Desk • System Administrator • Security Operations • Application Security Analyst (Purple Team) • Mobile Application Penetration Tester
- 4. Why are wehere ?
- 5.
- 6.
- 7.
- 8. Genymotion cont. Screen Shot2023-03-23 at 7.57.25 PM
- 9.
- 10. Unc0ver https://unc0ver.dev/ Screen Shot 2023-03-23at 7.57.25 PM iOS 11.0 – 14.8
- 11. checkra1n https://checkra.in/ Screen Shot 2023-03-23at 7.57.25 PM iOS 12.0 and up
- 12.
- 13. Obtaining the Application ScreenShot 2023-03-23 at 7.57.25 PM Google Play Store Apple App Store
- 14. APK Pure https://apkpure.com Screen Shot2023-03-23 at 7.57.25 PM
- 15.
- 16. iOS IPA https://www.iphonecake.com Screen Shot2023-03-23 at 7.57.25 PM
- 17. iOS IPA https://armconverter.com/decrypted appstore/us Screen Shot2023-03-23 at 7.57.25 PM
- 18. Sideloading the Application •Android – adb install • iOS Filza, Sideloadly, Xcode
- 19.
- 20.
- 21.
- 22. MobSF Screen Shot 2023-03-23at 7.57.25 PM
- 23. MobSF Screen Shot 2023-03-23at 7.57.25 PM
- 24. Burp Suite -https://portswigger.net Screen Shot 2023-03-23 at 7.57.25 PM
- 25. Root Bypass Screen Shot2023-03-23 at 7.57.25 PM Magisk Hide https://magiskmanager.com/ #What_is_Magisk_Hide
- 26. Jailbreak Bypass Screen Shot2023-03-23 at 7.57.25 PM iHide https://github.com/Kc57/iHde
- 27. Jailbreak Bypass Screen Shot2023-03-23 at 7.57.25 PM Liberty Lite https://www.ios-repo-updates.com/repository/ryley-s- repo/package/com.ryleyangus.libertylite.beta/
- 28. iOS Certificate Pinning ScreenShot 2023-03-23 at 7.57.25 PM SSL-Kill-Switch2 https://github.com/nabla- c0d3/ssl-kill-switch2
- 29.
- 30. adb shell -Connect to device adb push - PC to device adb pull - Device to PC adb install - sideload apks adb (Android Debug Bridge)
- 31. The priority isone of the following character values V: Verbose (lowest priority) D: Debug I: Info W: Warning E: Error F: Fatal S: Silent (highest priority, on which nothing is ever printed) Adb logcat
- 32.
- 33. Fridump https://github.com/Nightbringer21/fridu mp Fridump is anopen-source memory dumping tool. It uses the Frida framework to dump accessible memory addresses from any platform supported.
- 34. Fridump - Whatare we looking for? Credentials / Usernames / Passwords / Email addresses Private keys/ IP addresses URLs that the app normally can't talk to
- 35. Frida-ios-dump https://github.com/AloneMonkey/frida- ios-dump Pull a decryptedIPA from a jailbroken device
- 36. •Supports both iOSand Android. •Inspect and interact with container file systems. •Bypass SSL pinning. •Dump keychains. •Perform memory related tasks •Explore and manipulate objects on the heap Objection https://github.com/sensepost/objection
- 37. objection -g "ProcessName" explore Objection Commands
- 38. •android sslpinning disable •androidroot disable •android keystore list •android hooking search classes Objection Commands Android
- 39. •ios nsuserdefaults get •ioshooking list classes •ios hooking search classes <search_term> •ios nsurlcredentialstorage dump •ios keychain dump •ios cookie get Objection Commands iOS
- 40.
- 41. • Pull DecryptedIPA file • Add .zip to file, unzip • Right click the application • Show Package Contents Reverse Engineering iOS
- 42. BundlePath /private/var/containers/Bundle/Application/3CB79 49C-4561-41D9-94F2-5414BF162787/appname.app CachesDirectory /var/mobile/Containers/Data/Application/9655F CD2-1447-4DD6-9423-CFC4FAE82897/Library/Caches DocumentDirectory/var/mobile/Containers/Data/Application/965 5FCD2-1447-4DD6-9423-CFC4FAE82897/Documents LibraryDirectory /var/mobile/Containers/Data/Application/9655F CD2-1447-4DD6-9423-CFC4FAE82897/Library Local Storage iOS
- 43. Original APK -/data/app/<pkg>*/base.apk Application Storage -data/data/package name • Databases/ • lib/: libraries and helpers for the app files • shared_prefs/ • settings cache/ Local Storage Android
- 44. External storage canbe accessed in: • /storage/emulated/0 • /sdcard • /mnt/sdcard External Storage Android
- 45. DB Browser forSQLite https://sqlitebrowser.org/
- 46. Applications can createsqlite databases May store sensitive data on them and often our unencrypted. • find . -type f -exec file '{}' ; | grep 'SQLite 3.x database’ • find ./ -name "*.sqlite" -or -name "*.db" SQLite Databases
- 47. • plist filesare structured XML files that contains key-value pairs. • Way to store persistent data • You may find sensitive information in these files.. Plist iOS
- 48. To find allthe plist of used by the application you can access to /private/var/mobile/Containers/Data/Appl ication/{APPID} and run: Command - find ./ -name "*.plist" Plist iOS
- 49. To find allthe plist of used by the application you can access to /private/var/mobile/Containers/Data/Appl ication/{APPID} and run: Command - find ./ -name "*.plist" Plist iOS
- 50. To convert theplist into a readable format Command - $ plutil -convert xml1 Info.plist Plist iOS
- 51.
- 52. TrustedSec Blog https://www.trustedsec.com/blog/ OWASP MobileSecurity Testing Guide https://mobile-security.gitbook.io/mobile-security- testing-guide/appendix/0x08-testing-tools
- 53.
- 54.
- 55.
- 56.