hacktricks/ios-pentesting/README.md
2021-04-26 13:45:04 +00:00

3.4 KiB

iOS Pentesting

Privilege Separation and Sandbox

Applications the user can access run as the mobile user while critical system processes run as root.
However, the sandbox allows better control over actions that processes and applications can perform.

For example, even if two processes run as the same user mobile, they are not allowed to access or modify each other's data.

Each application is installed under private/var/mobile/Applications/{random ID}
Once installed, applications have limited read access to some system areas and functions SMS, phone call.... If an application wants to access a protected area, a pop-up requesting permission appears.

Jailbreaking

Apple strictly requires that the code running on the iPhone must be signed by a certificate issued by Apple. Jailbreaking is the process of actively circumventing such restrictions and other security controls put in places by the OS. Therefore, once the device is jailbroken, the integrity check which is responsible for checking apps being installed is patched so it is bypassed.

{% hint style="info" %} Unlike Android, you cannot switch to "Developer Mode" in iOS to run unsigned/untrusted code on the device. {% endhint %}

The most important side effect of Jailbreaking is that it removes any sandboxing put in place by the OS. Therefore, any app on the device can read any file on the filesystem, including other apps files, cookies and keychain.

A jailbroken device allows users to install unapproved apps and leverage more APIs, which otherwise aren't accessible.

There are 2 types of jailbreaks:

  • Tethered: Temporary jailbreak that requires the device to be connected to a computer every-time the device needs a restart. The jailbreak is reversed otherwise.
  • Untethered: Rebooting the device does not reset the jailbreak.

For regular users it's not recommended to jailbreak the mobile.
Note also that updating the OS removes the effect of jailbreaking.

Simulator

All the tools required to build and support an iOS app are only officially supported on Mac OS.
Apple's de facto tool for creating/debugging/instrumenting iOS applications is Xcode. It can be used to download other components such as simulators and different SDK versions required to build and test your app.
It's highly recommended to download Xcode from the official app store. Other versions may be carrying malware.

The simulator files can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices

To open the simulator, run Xcode, then press in the Xcode tab --> Open Developer tools --> Simulator
In the following image clicking in "iPod touch [...]" you can select other device to test in:

Testing

Storage Access

You can use iFunBox to access the all the storage inside an application sandbox/folder

{% hint style="info" %} Starting in iOS version 8.4, Apple has restricted the third-party managers to access to the application sandbox, so tools like iFunbox and iExplorer no longer display/retrieve files from apps installed on the device if the device isn't jailbroken. {% endhint %}

Burp Proxy Configuration

{% page-ref page="burp-configuration-for-ios.md" %}