hacktricks/ios-pentesting/README.md
2021-04-27 09:44:49 +00:00

5.2 KiB

iOS Pentesting

Privilege Separation and Sandbox

Applications the user can access run as the mobile user while critical system processes run as root.
However, the sandbox allows better control over actions that processes and applications can perform.

For example, even if two processes run as the same user mobile, they are not allowed to access or modify each other's data.

Each application is installed under private/var/mobile/Applications/{random ID}
Once installed, applications have limited read access to some system areas and functions SMS, phone call.... If an application wants to access a protected area, a pop-up requesting permission appears.

Jailbreaking

Apple strictly requires that the code running on the iPhone must be signed by a certificate issued by Apple. Jailbreaking is the process of actively circumventing such restrictions and other security controls put in places by the OS. Therefore, once the device is jailbroken, the integrity check which is responsible for checking apps being installed is patched so it is bypassed.

{% hint style="info" %} Unlike Android, you cannot switch to "Developer Mode" in iOS to run unsigned/untrusted code on the device. {% endhint %}

The most important side effect of Jailbreaking is that it removes any sandboxing put in place by the OS. Therefore, any app on the device can read any file on the filesystem, including other apps files, cookies and keychain.

A jailbroken device allows users to install unapproved apps and leverage more APIs, which otherwise aren't accessible.

There are 2 types of jailbreaks:

  • Tethered: Temporary jailbreak that requires the device to be connected to a computer every-time the device needs a restart. The jailbreak is reversed otherwise.
  • Untethered: Rebooting the device does not reset the jailbreak.

For regular users it's not recommended to jailbreak the mobile.
Note also that updating the OS removes the effect of jailbreaking.

Simulator

All the tools required to build and support an iOS app are only officially supported on Mac OS.
Apple's de facto tool for creating/debugging/instrumenting iOS applications is Xcode. It can be used to download other components such as simulators and different SDK versions required to build and test your app.
It's highly recommended to download Xcode from the official app store. Other versions may be carrying malware.

The simulator files can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices

To open the simulator, run Xcode, then press in the Xcode tab --> Open Developer tools --> Simulator
In the following image clicking in "iPod touch [...]" you can select other device to test in:

Apple Developer Program

A provisioning identity is a collection of public and private keys that are associated an Apple developer account. In order to sign apps you need to pay 99$/year to register in the Apple Developer Program to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a jailbroken device.

Starting in Xcode 7.2 Apple has provided an option to create a free iOS development provisioning profile that allows to write and test your application on a real iPhone. Go to Xcode --> Preferences --> Accounts --> + Add new Appli ID you your credentials --> Click on the Apple ID created --> Manage Certificates --> + Apple Development --> Done
Then, in order to run your application in your iPhone you need first to indicate the iPhone to trust the computer. Then, you can try to run the application in the mobile from Xcode, but and error will appear. So go to Settings --> General --> Profiles and Device Management --> Select the untrusted profile and click "Trust".

Note that applications signed by the same signing certificate can share resources on a secure manner, like keychain items.

Obfuscation

Unlike an Android Application, the binary of an iOS app can only be disassembled and not decompiled.
When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, Apple encrypts the binary. So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks.

However, note that there are other third party software that can be used to obfuscate the resulting binaries.

Testing

Storage Access

You can use iFunBox to access the all the storage inside an application sandbox/folder

{% hint style="info" %} Starting in iOS version 8.4, Apple has restricted the third-party managers to access to the application sandbox, so tools like iFunbox and iExplorer no longer display/retrieve files from apps installed on the device if the device isn't jailbroken. {% endhint %}

Burp Proxy Configuration

{% page-ref page="burp-configuration-for-ios.md" %}