GitBook: [master] one page modified

2021-05-12 15:13:00 +00:00 · 2021-05-12 15:13:00 +00:00 · 2732bac7c0
commit 2732bac7c0
parent f8fa20fd32
1 changed files with 11 additions and 0 deletions
--- a/ios-pentesting/README.md
+++ b/ios-pentesting/README.md
@ -412,5 +412,16 @@ For the pentester this file is very interesting as it **discloses paths**. It ca
  * **`iTunesMetadata.plist`**: Info of the app used in the App Store
  * **`/Library/*`**: Contains the preferences and cache. In **`/Library/Cache/Snapshots/*`** you can find the snapshot performed to the application before sending it to the background.

+### Third Party SDKs

+One problem of 3rd party SDKs is that there is **no granular control over the features offered by the SDK**. You could sue the SDK and have all features \(including diagnostic leaks and insecure HTTP connections\), or not use it. Also, usually it's no possible for the applications developers to **patch a vulnerability** on the SDK.  
+Moreover some SDKs start **containing malware once they are very trusted** by the community.
+
+You can find the **libraries used by an application** by running **`otool`** against the app \(and **running** it **against** **each** shared **library** to find more shared libraries used\).
+
+### Hot Patching
+
+The developers can remotely **patch all installations of their app instantly** without having to resubmit the application to the App store and wait until it's approved.  
+For this purpose it's usually use [**JSPatch**](https://github.com/bang590/JSPatch)**.  
+This is a dangerous mechanism that could be abused by malicious third party SDKs.**