54 lines
3.1 KiB
Markdown
54 lines
3.1 KiB
Markdown
# iOS Pentesting
|
|
|
|
## Privilege Separation and Sandbox
|
|
|
|
Applications the user can access run as the **mobile** user while critical system processes run as **root**.
|
|
However, the sandbox allows better control over actions that processes and applications can perform.
|
|
|
|
For example, even if two processes run as the same user \(mobile\), they are **not allowed to access or modify each other's data**.
|
|
|
|
Each application is installed under **`private/var/mobile/Applications/{random ID}`**
|
|
Once installed, applications have limited read access to some system areas and functions \(SMS, phone call...\). If an application wants to access a **protected area,** a **pop-up requesting permission** appears.
|
|
|
|
## Jailbreaking
|
|
|
|
Apple strictly requires that the code running on the iPhone must be **signed by a certificate issued by Apple**. **Jailbreaking** is the process of actively **circumventing such restrictions** and other security controls put in places by the OS. Therefore, once the device is jailbroken, the **integrity check** which is responsible for checking apps being installed is patched so it is **bypassed**.
|
|
|
|
{% hint style="info" %}
|
|
Unlike Android, **you cannot switch to "Developer Mode"** in iOS to run unsigned/untrusted code on the device.
|
|
{% endhint %}
|
|
|
|
The most important side effect of Jailbreaking is that it **removes any sandboxing put in place by the OS**. Therefore, any **app on the device can read any file** on the filesystem, including other apps files, cookies and keychain.
|
|
|
|
A jailbroken device allows users to **install unapproved apps** and leverage **more APIs**, which otherwise aren't accessible.
|
|
|
|
There are 2 types of jailbreaks:
|
|
|
|
* **Tethered**: Temporary jailbreak that requires the device to be connected to a computer every-time the device needs a restart. The jailbreak is reversed otherwise.
|
|
* **Untethered**: Rebooting the device does not reset the jailbreak.
|
|
|
|
**For regular users it's not recommended to jailbreak the mobile.
|
|
Note also that updating the OS removes the effect of jailbreaking.**
|
|
|
|
## **Simulator**
|
|
|
|
All the tools required to build and support an iOS app are **only officially supported on Mac OS**.
|
|
Apple's de facto tool for creating/debugging/instrumenting iOS applications is **Xcode**. It can be used to download other components such as **simulators** and different **SDK** **versions** required to build and **test** your app.
|
|
It's highly recommended to **download** Xcode from the **official app store**. Other versions may be carrying malware.
|
|
|
|
The simulator files can be found in `/Users/<username>/Library/Developer/CoreSimulator/Devices`
|
|
|
|
To open the simulator, run Xcode, then press in the _Xcode tab_ --> _Open Developer tools_ --> _Simulator_
|
|
In the following image clicking in "iPod touch \[...\]" you can select other device to test in:
|
|
|
|
|
|
|
|
|
|
|
|
## Testing
|
|
|
|
{% hint style="info" %}
|
|
Starting in iOS version 8.4, Apple has **restricted the third-party managers to access to the application sandbox**, so tools like iFunbox and iExplorer no longer display/retrieve files from apps installed on the device.
|
|
{% endhint %}
|
|
|