Pentesting iOS Apps
Herman Duarte <hd@integrity.pt>
About me
Security Consultant @ INTEGRITY S.A. - www.integrity.pt
Penetration testing:
Web Apps
Mobile Apps
Infrastructure / Wireless
BSc in Information Systems and Computer Engineering
OSCP, CISSP Associate, ISO27001LA, CCNA
Roadmap
Environment setup
Client component
Static Analysis
Dynamic Analysis
Network component
Backend component
Environment Setup
Install OpenSSH
Change the default password for the users:
root
mobile
Environment Setup
Advanced Packaging Tool:
apt-get install
apt-get update
apt-get upgrade
apt-cache search
Environment Setup
Tools of the trade (just to name a few):
*nix tools: tcpdump, ps, file, vim, wget, tar, …
otool, plutil, sqlite3, gdb, installipa, class-dump-z, cycript, ldid, keychain_dumper, dumpdecrypted, …
iRET, Snoop-It, Introspy, iNalyzer, …
Environment Setup
Tips and Tricks #1:
Use TCP over USB with usbmux
One such client is libusbmuxd from libimobiledevice,
which also has a Python-based implementation (tcprelay.py)
python tcprelay.py -t 22:2222 8080:8080
ssh root@localhost -p 2222
It's a more stable connection
No need to have a Wi-Fi connection at all
Components
Client / Network / Backend
Client component
Static analysis
Runtime/Dynamic analysis
Static Analysis
Binary protections
Inspecting the binary
Local data storage
Caches
Binary protections
The bundle of an iOS app is a zip file with the "ipa" extension
Checks:
Is the binary compiled with the PIE flag (Position Independent Executable, aka ASLR)?
Is the binary compiled with stack smashing protection?
What about ARC (Automatic Reference Counting)?
Is the binary encrypted?
otool can be used to obtain the answers for the above questions.
iRET is a tool that uses otool and presents the info in a web page.
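The four checks above can be answered without otool by reading the Mach-O headers directly: the PIE flag lives in the header flags, LC_ENCRYPTION_INFO carries the cryptid that says whether the App Store encryption is still applied, and the stack-canary and ARC questions reduce to whether the binary references ___stack_chk_fail / ___stack_chk_guard and _objc_release (the same symbols one would grep for in otool output). The following is an added example, not code from the slides or from iRET; it handles only thin little-endian images (a fat binary would need its FAT header split first), reads symbol names from the LC_SYMTAB string table as a simplification of a full symbol-table walk, and builds a constructed, non-executable Mach-O image purely to exercise the checks.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 2
MH_PIE = 0x200000
CPU_TYPE_ARM64 = 0x0100000C
LC_SYMTAB = 0x2
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C

# Symbols whose presence answers the stack-canary and ARC questions.
CANARY_SYMBOLS = {"___stack_chk_fail", "___stack_chk_guard"}
ARC_SYMBOLS = {"_objc_release", "_objc_retain", "_objc_retainAutorelease"}


def inspect_macho(data: bytes) -> dict:
    """Return the binary-protection checks (PIE, stack canary, ARC, encryption)
    read straight from a thin little-endian Mach-O image."""
    magic, _cputype, _cpusub, _filetype, ncmds, _sizeofcmds, flags = struct.unpack_from("<7I", data, 0)
    if magic == MH_MAGIC_64:
        offset = 32          # mach_header_64 has an extra 'reserved' field
    elif magic == MH_MAGIC:
        offset = 28
    else:
        raise ValueError("not a thin little-endian Mach-O image")

    encrypted = False
    symbols = set()
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptoff, cryptsize, cryptid: a non-zero cryptid means still encrypted
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            encrypted = cryptid != 0
        elif cmd == LC_SYMTAB:
            # symoff, nsyms, stroff, strsize: simplification - scan the string table only
            _symoff, _nsyms, stroff, strsize = struct.unpack_from("<IIII", data, offset + 8)
            strtab = data[stroff:stroff + strsize]
            symbols = {s.decode("ascii", "replace") for s in strtab.split(b"\x00") if s}
        offset += cmdsize

    return {
        "pie": bool(flags & MH_PIE),
        "stack_canary": bool(symbols & CANARY_SYMBOLS),
        "arc": bool(symbols & ARC_SYMBOLS),
        "encrypted": encrypted,
    }


def build_sample(pie: bool, encrypted: bool, symbols) -> bytes:
    """Constructed minimal Mach-O 64 image (header + two load commands + string table).
    It is a test fixture only, not an app binary, and cannot be executed."""
    strtab = b"\x00" + b"".join(s.encode() + b"\x00" for s in symbols)
    header_size, cmd_size = 32, 24
    sizeofcmds = 2 * cmd_size
    stroff = header_size + sizeofcmds
    # LC_ENCRYPTION_INFO_64: cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, cmd_size, 0x4000, 0x1000, 1 if encrypted else 0, 0)
    # LC_SYMTAB: cmd, cmdsize, symoff, nsyms, stroff, strsize (no nlist entries needed here)
    sym = struct.pack("<IIIIII", LC_SYMTAB, cmd_size, stroff, 0, stroff, len(strtab))
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 2, sizeofcmds,
                         MH_PIE if pie else 0, 0)
    return header + enc + sym + strtab


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample(True, True, ["___stack_chk_fail", "_objc_release"])
    for check, ok in inspect_macho(data).items():
        print(f"{check:13s}: {'yes' if ok else 'NO'}")
```

Run it against a binary extracted from an .ipa (`python macho_checks.py Payload/App.app/App`); an "encrypted: yes" result is the cue that the dump-after-decryption step of the next slides is needed before class-dump-z or a disassembler will see anything useful.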
Binary protections
Demo Video
http://youtu.be/efPrQ8_v6Qc
Inspecting the binary
When the binary is encrypted, it is decrypted in memory upon execution.
How can I do that?
By using gdb to dump the memory after decryption
Dumpdecrypted
Clutch
(put your decryption tool/script here)
Inspecting the binary
What can I do after decryption?
Use class-dump-z to extract the __OBJC segment, which provides information about the internal classes, methods, method arguments and variables used in the app
Use your favourite disassembler, run strings and have fun :)
Inspecting the binary
Demo Video
http://youtu.be/XUgebKj6vA0
Local Data Storage
NSUserDefaults
Plist (xml/binary)
Core Data Services
SQLite
Keychain
NSUserDefaults
Where?
<app dir>/Library/Preferences/
How?
Data is normally stored as a plist file, but it can be stored as a sqlite file as well.
NSUserDefaults
Demo Video
http://youtu.be/Wv_uyDz81hU
NSUserDefaults
Recommendation:
Don’t use NSUserDefaults to store sensitive data;
use the keychain instead.
Core Data Services
Where?
<app dir>/Documents/
How?
Data is currently stored as a sqlite file.
Tables are normally prefixed with a “Z”:
Z_METADATA
Z_PRIMARYKEY
Z_…
Core Data Services
Demo Video
http://youtu.be/p-nbb6PeD-c
Core Data Services
Recommendation:
Stop saving sensitive data using the Core Data Services framework;
use the keychain instead.
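Both recommendations (NSUserDefaults above and Core Data here) come down to the same test: anything in <app dir>/Library/Preferences/ or the Documents/ sqlite store is readable in clear text once the device is jailbroken or the backup is opened, so the tester's job is to enumerate it and flag sensitive fields. The following added example, not code from the slides, does exactly that with the Python standard library: plistlib reads the preferences plist (XML or binary alike) and sqlite3 walks the Z-prefixed tables of a Core Data store, skipping the Z_METADATA / Z_PRIMARYKEY bookkeeping tables. The sample plist and the in-memory store are constructed fixtures with made-up values; the sensitive-name regex is an assumption a tester would tune per app.

```python
import plistlib
import re
import sqlite3

# Field names that should never be stored in clear text by NSUserDefaults or Core Data
# (assumed heuristic; extend it with the app's own vocabulary).
SENSITIVE = re.compile(r"(pass(word|wd)?|pin|token|secret|session|api[_-]?key|card)", re.I)


def audit_plist(raw: bytes) -> list:
    """Parse an NSUserDefaults plist (plistlib detects XML vs binary) and return the
    (key, value) pairs whose key names look sensitive."""
    prefs = plistlib.loads(raw)
    return [(k, v) for k, v in prefs.items() if SENSITIVE.search(k)]


def audit_core_data(conn: sqlite3.Connection) -> list:
    """Enumerate the Z-prefixed entity tables of a Core Data SQLite store and return
    (table, column, populated_rows) for every sensitive-looking column."""
    findings = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE 'Z%'")]
    for table in tables:
        if table.startswith("Z_"):          # Z_METADATA, Z_PRIMARYKEY: framework bookkeeping
            continue
        columns = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            if SENSITIVE.search(col):
                populated = cur.execute(
                    f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" IS NOT NULL').fetchone()[0]
                findings.append((table, col, populated))
    return findings


def sample_prefs() -> bytes:
    """Constructed NSUserDefaults content serialised as a binary plist, like the file
    found under <app dir>/Library/Preferences/ (values are invented)."""
    return plistlib.dumps(
        {"username": "alice", "password": "hunter2", "remember_me": True, "session_token": "abc123"},
        fmt=plistlib.FMT_BINARY)


def sample_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Core Data store with the Z-prefixed layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB);
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                               ZEMAIL VARCHAR, ZPASSWORD VARCHAR);
        INSERT INTO ZACCOUNT VALUES (1, 1, 1, 'alice@example.com', 'hunter2');
        INSERT INTO ZACCOUNT VALUES (2, 1, 1, 'bob@example.com', NULL);
    """)
    return conn


if __name__ == "__main__":
    # Real usage: audit_plist(open(".../Library/Preferences/com.example.app.plist", "rb").read())
    #             audit_core_data(sqlite3.connect(".../Documents/Model.sqlite"))
    for key, value in audit_plist(sample_prefs()):
        print(f"NSUserDefaults: {key} = {value!r}")
    for table, col, n in audit_core_data(sample_store()):
        print(f"Core Data: {table}.{col} holds {n} clear-text value(s)")
```

Every hit is a finding in its own right: the data is on disk unencrypted, and the fix is the one the slides give, move it to the keychain with a suitable kSecAttrAccessible constant.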
Keychain
Keychain Services provides secure storage for passwords, keys, certificates, notes, etc.
kSecAttrAccessible constants:
kSecAttrAccessibleAlways
kSecAttrAccessibleWhenUnlocked
kSecAttrAccessibleAfterFirstUnlock
kSecAttrAccessibleAlwaysThisDeviceOnly
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Caches
Cached Data:
Background screenshot
UIPasteboard
Keyboard cache
Background screenshot
What?
Every time an app is put in the background a screenshot is taken. This screenshot is used by iOS when the app returns to the foreground.
Where?
<app dir>/Library/Caches/Snapshots/<app id>/Main/
Background screenshot
Demo Video
http://youtu.be/JvERKQ7Jv74
Background screenshot
Recommendation:
Change the screen content to a generic image as soon as the app is about to lose focus.
Dynamic Analysis
API calls
Filesystem
Keychain
Methods, variables …
API calls
Data Storage
Crypto
Network
IPC
XML
Introspy
Tracer:
Used to hook and log security-sensitive iOS APIs called by applications running on the device.
The calls can also be sent to the Console for real-time analysis.
Analyzer:
A tool to turn a database generated by Introspy into an HTML report.
Introspy
Demo Video
http://youtu.be/B7043AcmKtY
Filesystem
While executing, an application interacts with the filesystem, and files are created, deleted, read, moved, etc.
Introspy, Snoop-It and fileMon are some of the applications that allow for real-time file system monitoring.
Keychain
While executing, an application interacts with the keychain, and items are created, deleted, read, updated, etc.
Introspy and Snoop-It are some of the applications that allow for real-time keychain monitoring.
Methods, variables …
Using Cycript one can interact with the Objective-C runtime environment and call methods, change method implementations, change variable values, etc.
Snoop-It implements part of Cycript's functionality, and it’s simpler to use.
Snoop-It
Demo Video
http://youtu.be/O-PAz7XN47o
Network
There are 2 types of apps, from the network perspective:
Those that respect the HTTP proxy configuration for network interactions;
Tools: a proxy like Burp Suite or ZAP.
And those that don’t!
Tools: a proxy like Mallory.
Diagram: Proxy / MiTM placed between Client and Backend
Network
Tips and Tricks #2:
Instead of exposing your proxy on the network, use SSH remote port forwarding:
ssh root@localhost -p 2222 -R 8080:localhost:8080
Configure the HTTP proxy on the device to point to localhost:8080
Diagram: Proxy vs. Proxy (Remote Port Fwd)
Network
What to look for:
Does the app use SSL?
Does the app accept any certificate? (Remove any root CA installed on the phone)
What about certificate pinning? (Install the Burp root CA before testing)
SSL
Demo Video
http://youtu.be/VmBbb47aOOk
What if the app uses Pinning?
Pinning
If an application uses pinning, what can you do?
You can use a tool that patches low-level SSL functions to bypass any certificate validation based on iOS APIs.
Pinning
Demo Video
http://youtu.be/rn2ud3s7Z3I
Backend
Infrastructure and web app backend tests apply to this component:
Data validation flaws
Business logic flaws
Authentication flaws
Authorisation flaws
…
Thank You!
Q&A
@hdontwit
https://www.linkedin.com/in/hcoduarte