Hacking iOS Applications – A detailed testing guide by Dinesh Shetty – Security Innovation

Table of Contents

  1. Setting Up iOS Pentest Lab ……………………………………………………………………………………. 5
    1.1 Get an iOS Device ……………………………………………………………………………………………………………….. 5
    1.2 Jailbreaking an iOS Device……………………………………………………………………………………………………. 7
    1.3 Installing Required Software and Utilities ……………………………………………………………………………. 10
  2. Acquiring iOS Binaries ………………………………………………………………………………………… 13
  3. Generating iOS Binary (.IPA file) from Xcode Source Code: ……………………………………….. 15
    3.1 Method I – With A Valid Paid Developer Account. ………………………………………………………………… 15
    3.2 Method II – Without a Valid Paid Developer Account …………………………………………………………….. 18
  4. Installing iOS Binaries on Physical Devices ……………………………………………………………… 23
    4.1 Method I – Using iTunes …………………………………………………………………………………………………….. 23
    4.2 Method II – Using Cydia Impactor ……………………………………………………………………………………….. 27
    4.3 Method III – Using iOS App Signer ……………………………………………………………………………………….. 27
    4.4 Method IV – Installing .app file ……………………………………………………………………………………………. 27
    4.5 Method V – Installing Modified Binary …………………………………………………………………………………. 28
    4.6 Method VI – Using Installipa Utility ……………………………………………………………………………………… 29
    4.7 Method VII – Using iPhone Configuration Utility …………………………………………………………………… 29
    4.8 Method VIII – Using iFunBox ………………………………………………………………………………………………. 29
  5. iOS Binary Package Primer ………………………………………………………………………………….. 30
    5.1 Understanding the iOS Binary Package Structure ………………………………………………………………….. 30
    5.2 Understanding the Supported Architectures for the Provided Application ………………………………. 31
    5.3 Understanding the Architecture Available on the Test Devices ………………………………………………. 32
    5.4 Converting Application Binaries from FAT Binary to Specific Architecture Binary ……………………… 34
    5.5 Converting Pre-iOS 9 Executables to an iOS 9 Executable ………………………………………………………. 34
    5.6 Converting 32 Bit Applications into 64 Bit Applications in Xcode …………………………………………….. 35
  6. Compiling Customer-Provided Source Code for Pentesting on Latest iOS Using Xcode …… 36
    6.1 Download the Source Code ……………………………………………………………………………………………….. 36
    6.2 Launch the Workspace ………………………………………………………………………………………………………. 36
    6.3 Application Configuration ………………………………………………………………………………………………….. 37
  7. iOS Security Model Primer ………………………………………………………………………………….. 41
    7.1 Security Features ……………………………………………………………………………………………………………… 41
  8. Exploring iOS File System ……………………………………………………………………………………. 42
    8.1 Reading Data Using iExplorer ……………………………………………………………………………………………… 42
    8.2 Reading Data Using iFunBox ………………………………………………………………………………………………. 42
    8.3 Reading iOS > 8.3 Application SandBox Data Using Backup Method ……………………………………….. 44
    8.3.1 Backing Up the iDevice ………………………………………………………………………………………………… 44
    8.3.2 Using iBackupBot ……………………………………………………………………………………………………….. 45
    8.3.3 Using iExplorer …………………………………………………………………………………………………………… 45
    8.4 Reading Application Data Using OpenSSH ……………………………………………………………………………. 47
    8.5 Reading Application Data Using SSH Over USB ……………………………………………………………………… 48
    8.6 Reading Application Data on the iOS Device ………………………………………………………………………… 49
    8.6.1 FileExplorer/iFile …………………………………………………………………………………………………………. 49
    8.6.2 Using Mobile Terminals ………………………………………………………………………………………………. 50
  9. Application Data Encryption ……………………………………………………………………………….. 50
    9.1 Understanding Apple Data Protection API……………………………………………………………………………. 50
    9.2 Validate the Data Protection Classes Being Used ………………………………………………………………….. 51
    9.3 Insecure Local Data Storage ……………………………………………………………………………………………….. 52
    9.3.1 PropertyList files …………………………………………………………………………………………………………. 52
    9.3.2 NSUserDefaults Class ………………………………………………………………………………………………….. 53
    9.3.3 Keychain ……………………………………………………………………………………………………………………. 54
    9.3.4 CoreData and SQLite Databases …………………………………………………………………………………… 57
    9.4 Broken Cryptography ………………………………………………………………………………………………………… 58
  10. Binary Analysis ……………………………………………………………………………………………….. 61
    10.1 Binary Analysis – Check for Exploit Mitigations – Position Independent Executable (PIE & ASLR) 61
    10.2 Binary Analysis – Check for Exploit Mitigations – Automatic Reference Counting (ARC) ………….. 62
    10.3 Binary Analysis – Check for Exploit Mitigations – Stack Protectors ………………………………………… 64
    10.4 Binary Analysis – List All Libraries Used in the iOS Binary …………………………………………………….. 65
    10.5 Simple Reverse Engineering iOS Binaries Using class-dump-z ……………………………………………….. 68
  11. Decrypting iOS Applications (AppStore Binaries) …………………………………………………… 72
    11.1 Manual Method ……………………………………………………………………………………………………………… 72
    11.1.1 Using GDB ……………………………………………………………………………………………………………….. 72
    11.1.2 Using LLDB ………………………………………………………………………………………………………………. 75
    11.2 Automated Method ………………………………………………………………………………………………………… 79
    11.2.1 Using dumpdecrypted ………………………………………………………………………………………. 79
    11.2.2 Using Clutch …………………………………………………………………………………………………………….. 81
  12. iOS Application Debugging – Runtime Manipulation ………………………………………………. 85
    12.1 Cycript on Jailbroken Device …………………………………………………………………………………………….. 85
    12.1.1 Using Cycript to Invoke Internal Methods …………………………………………………………………….. 85
    12.1.2 Using Cycript to Override Internal Methods …………………………………………………………………. 90
    12.2 Debugging iOS Applications Using LLDB …………………………………………………………………………….. 94
  13. Reverse Engineering Using Hopper ……………………………………………………………………. 100
  14. Reverse Engineering Using IDA PRO ………………………………………………………………….. 112
  15. MITM on iOS …………………………………………………………………………………………………. 113
    15.1 MITM HTTP Traffic ………………………………………………………………………………………………………… 114
    15.2 MITM SSL/TLS Traffic …………………………………………………………………………………………………….. 116
    15.3 MITM non HTTP/SSL/TLS Traffic ……………………………………………………………………………………… 118
    15.4 MITM using VPN …………………………………………………………………………………………………………… 118
    15.5 MITM When iOS Application Accessible Only Via VPN ……………………………………………………….. 119
    15.6 MITM Bypassing Certificate Pinning ………………………………………………………………………………… 120
    15.7 MITM by DNS Hijacking ………………………………………………………………………………………………….. 123
    15.8 MITM Using Network Gateway ……………………………………………………………………………………….. 123
    15.9 Monitoring iOS FileSystem Activities ……………………………………………………………………………….. 124
  16. Side Channel Leakage……………………………………………………………………………………… 127
    16.1 iOS Default Screen Shot Caching Mechanism ……………………………………………………………………. 127
    16.2 iOS UIPasteboard Caching ………………………………………………………………………………………………. 130
    16.3 iOS Cookie Storage ………………………………………………………………………………………………………… 132
    16.4 iOS Keyboard Cache Storage …………………………………………………………………………………………… 134
    16.5 iOS Device Logging ………………………………………………………………………………………………………… 137