Introduction to iOS Mobile Application Penetration Testing
Seminar material presented at 1 Dekade ECHO.OR.ID (1dekade.echo.or.id)
@y3dips
Mobile / Smartphone
www.astanos.ch/img/apple-android-windows-mobile-blackberry-logo.png
http://www.wired.com/gadgetlab/2012/02/meet-the-asus-padfone-the-phone-thats-a-tablet-thats-a-notebook/
Mobile Infrastructure
http://mobile.infostretch.com/images/application-architecture.jpg
http://conwet.fi.upm.es/morfeo-project/mymobileweb_blog/wp-content/uploads/2009/04/mymw_architecture_overview.png
http://www.ipfaces.org/sites/default/files/images/schema.gif
Mobile Infrastructure

Mobile Client / Application
Communication Channel
Server Side Infrastructure
Attack Factor

Attack Vector

Information Disclosure
Insecure File Permission
Authentication & Authorization
Session Management
Client Side Injection
Logic (Business) Testing
Data Protection
Decompiling
Etc.
Methodology

Information Gathering
Analysis
Exploitation
Report & QA
http://www.ibroadcastnetwork.org/images/uploads/ios-logo.png
http://cdn3.sbnation.com/entry_photo_images/8958675/iosguide_1020_new_large_verge_super_wide.jpg
Inventory

Jailbroken Device
Decompiler
Analysis Tools
Hacker's Mind
Security Tools
Proxy
Cheat Sheet

Application_Home            /var/mobile/Applications/[folder]/app_name
Config files                Application_Home/Library/Preferences/app_name.plist
Database                    .db, .sqlite, .sqlite3, *
Cache                       Application_Home/Library/Caches
Cookies                     cookies.binarycookies | copy, then read with binarycookies.py
Logs                        view logs via the iPhone Configuration Utility
List running apps           ps -axf
Decompiler/Disassembler     otool, class-dump-o, class-dump-z, gdb
Analysis tools/framework    snoop-it, cycript
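The cheat sheet above is a lookup table. As an added example, not from the slides, the POSIX shell script below walks one Application_Home directory and pulls out the same artifacts (preference plists, databases, caches, binary cookies), then greps the XML plists for credential-looking keys, which is where NSUserDefaults leaks usually surface. Run it over SSH on the jailbroken device or against a copy pulled down with scp. The sample tree built by make_sample_home (bundle id com.example.bank, accounts.sqlite, the password key) is constructed here so the script runs offline; it is not data from any real app.

```shell
#!/bin/sh
# Added example, not from the slides: triage an iOS Application_Home for the
# artifacts listed on the cheat sheet. Paths follow the slide's layout:
# Library/Preferences/*.plist, Library/Caches, *.db/*.sqlite/*.sqlite3,
# *.binarycookies. make_sample_home builds a constructed (fake) tree so the
# script can be exercised offline.

# Print the artifacts of one category, sorted.
# usage: list_artifacts <Application_Home> prefs|databases|caches|cookies
list_artifacts() {
    home="$1"
    case "$2" in
        prefs)     find "$home/Library/Preferences" -type f -name '*.plist' 2>/dev/null | sort ;;
        databases) find "$home" -type f \( -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' \) 2>/dev/null | sort ;;
        caches)    find "$home/Library/Caches" -type f 2>/dev/null | sort ;;
        cookies)   find "$home" -type f -name '*.binarycookies' 2>/dev/null | sort ;;
        *)         echo "unknown category: $2" >&2; return 1 ;;
    esac
}

# Number of artifacts in a category (prints 0 when none; always exits 0).
count_artifacts() {
    list_artifacts "$1" "$2" | grep -c . || true
}

# Print XML plists under Library/Preferences whose keys look like credentials.
# Preferences are stored in the clear, so a hit here is normally a finding.
# Binary plists must be converted to XML first (plutil -convert xml1); not done here.
flag_plist_secrets() {
    list_artifacts "$1" prefs | while IFS= read -r f; do
        if grep -qiE '<key>[^<]*(password|passwd|token|secret|api[_-]?key)[^<]*</key>' "$f"; then
            echo "$f"
        fi
    done
}

# Full report for one Application_Home.
triage() {
    home="$1"
    for c in prefs databases caches cookies; do
        echo "== $c =="
        list_artifacts "$home" "$c"
    done
    echo "== plists with credential-looking keys =="
    flag_plist_secrets "$home"
}

# Constructed sample Application_Home (fake data) for offline runs.
make_sample_home() {
    home="$1"
    mkdir -p "$home/Library/Preferences" "$home/Library/Caches/com.example.bank" \
             "$home/Library/Cookies" "$home/Documents"
    cat > "$home/Library/Preferences/com.example.bank.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>username</key><string>alice</string>
  <key>password</key><string>hunter2</string>
</dict></plist>
EOF
    : > "$home/Documents/accounts.sqlite"
    : > "$home/Library/Caches/com.example.bank/Cache.db"
    : > "$home/Library/Cookies/Cookies.binarycookies"
}

# usage: sh ios_triage.sh /var/mobile/Applications/<folder>   (or a local copy)
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

Cache.db under Library/Caches is reported both as a cache and as a database, which is deliberate: the URL cache is a SQLite file and often holds server responses worth reading.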
Cycript

Objective-C / JavaScript hybrid, www.cycript.org
Hook into a running process of the application
Snoop-it

Dynamic analysis tool
Runtime tracing capabilities
Invoke arbitrary methods at runtime
Bypass basic jailbreak detection
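The Cycript and Snoop-it slides both come down to one technique: attach to the running app and replace or invoke a method at runtime, for instance to make a basic jailbreak check report "not jailbroken". As an added example, not from the slides, this shell script generates a Cycript hook and pushes it into the process with cycript -p from the device shell. The class JailbreakDetector, the selector isJailbroken and the path /tmp/hook.cy are placeholders; take the real class and selector names from the class-dump output listed on the cheat sheet.

```shell
#!/bin/sh
# Added example, not from the slides: hook one method of a running iOS app
# with Cycript. Class/selector names used here are placeholders, not from the
# page; get the real ones from class-dump. Assumes cycript is installed on
# the jailbroken device (Cydia) and you are in an SSH shell on it.

# Write a Cycript script that swaps the implementation of -[CLASS SELECTOR]
# for a JavaScript function returning VALUE. Cycript exposes each Objective-C
# class's method table as Class.messages['-selector']; assigning to an entry
# replaces that method inside the attached process. The original is saved so
# it can be restored. SELECTOR is expected to take no arguments.
write_hook_script() {
    cls="$1"; sel="$2"; val="$3"; out="$4"
    cat > "$out" <<EOF
// generated by write_hook_script: make -[$cls $sel] return $val
var cls = ObjectiveC.classes['$cls'];
if (cls === undefined) {
    throw new Error("class $cls is not loaded in this process");
}
var original = cls.messages['-$sel'];
cls.messages['-$sel'] = function() {
    return $val;
};
// live instances, to call methods by hand from the cycript console: choose(cls)
// undo: cls.messages['-$sel'] = original;
EOF
}

# Attach to a running process and execute the script in it.
# cycript -p accepts a PID or a process name; ps -axf (cheat sheet) shows both.
attach_and_run() {
    cycript -p "$1" "$2"
}

# usage: sh cycript_hook.sh <process> <Class> <selector> <value>
# e.g.   sh cycript_hook.sh TargetApp JailbreakDetector isJailbroken false
if [ -n "${4:-}" ]; then
    write_hook_script "$2" "$3" "$4" /tmp/hook.cy
    attach_and_run "$1" /tmp/hook.cy
fi
```

Hooking the check rather than patching the binary keeps the app signature intact, and the replacement lives only as long as the process, so a relaunch gives you a clean baseline again.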
Proof of Concept

Snoop-it
References

iOS Application Security Testing Cheat Sheet - http://owasp.org
Series of articles "Penetration testing of iPhone applications" - http://securitylearn.net
Snoop-it official page - https://code.google.com/p/snoop-it
Cycript Tricks - http://iphonedevwiki.net/index.php/Cycript_Tricks
http://sciencetoybox.com/images/Procedures/Raising_hands.jpg