IOS Penetration Testing: Guide to Static Analysis

During an iOS application penetration test, a penetration tester utilizes a range of techniques, tools, and methodologies to evaluate the application’s security posture. One such method is static analysis. Static analysis tools assist in identifying security vulnerabilities in the application’s source code or binary without executing it. This process aids in detecting issues like insecure coding practices, improper utilization of cryptographic functions, the presence of backdoors, hardcoded sensitive information, and more.

I will demonstrate the test cases of static analysis using an intentionally vulnerable iOS application (DVIA). For this demonstration, I’ll utilize a jailbroken iPhone running iOS 15.7.1, jailbroke using the Palera1n tool, following the instructions outlined in this article https://ios.cfw.guide/installing-palera1n/#running-palera1n. Depending on the version of your iPhone, alternative tools such as Checkra1n and Unc0ver can be used for jailbreaking.

Jailbreak Detection Bypass

Jailbreak detection refers to the process where an application checks whether it’s running on a jailbroken device or not. To access the application, we must bypass this detection. This can be achieved using various packages available in Sileo or Cydia. In this case, I utilized Hestia.

Install hestia -> Settings -> Select Hestia -> Enabled Applications -> Then select your application

SSL Pinning Bypass

SSL pinning is a technique that enhances security by embedding the public key of an SSL/TLS certificate directly into the app or device. This way, when the app or device communicates with the server, it cross-checks the server’s SSL/TLS certificate’s public key with the one hardcoded in the app or device to prevent Man in the middle. For dynamic analysis we must intercept HTTP traffic. This can be achieved by bypassing SSL pinning, you can use tools like SSL Kill Switch 2 which is nothing but package can be downloaded then select disable certificate validation or you can use Frida and follow steps mention in this blog https://github.com/curtishoughton/Penetration-Testing-Cheat-Sheet/blob/master/iOS/iOS-bypass-ssl-pinning.md.

Hardcoded Credentials

The plist file holds vital configuration details for an iOS mobile app, including supported iOS versions and device compatibility. This information is crucial for the operating system to effectively interact with the app. These .plist files could also contain hardcoded credentials.

With below command, you can find the app identifier

Now we will use objection to find and read .plist files as follows:

To locate all the plist files within an application, you can access a jailbroken iOS device using SSH with the default credentials (root:alpine). Once you have terminal access, run the following command: find . -type f -name "*.plist" This command will list all plist files in the current directory.

Insecure storage in keychain

The iOS keychain is used to securely store sensitive information such as passwords, certificates, keys, and other data. It provides a way for apps to store this information in an encrypted format, ensuring that it is protected from unauthorized access. Apps can access the keychain to retrieve this information when needed, providing a secure storage solution for sensitive data. However, this data can be dumped using various applications. In this case, we will use Objection.

Sensitive data in local databases

Applications often use locally stored databases to store information used by the application. These databases might contain sensitive data. We can search for these databases in the local storage of an iOS device using the find command.

Use SCP to transfer any potentially interesting database file to your local system with scp <username>@<IP>:<PathToFileonRemote <LocalFileLocation>. After transferring the file, you can use SQLite Browser to check if sensitive information is present.

Binary Cookies

Applications sometimes store sensitive cookies in cookies.binarycookies, which we can view using Objection with ios cookies get --json

Cache Data

Application might store sensitive information in a cache like plaintext credentials.

Insecure storage in NSUserDefaults

NSUserDefaults is commonly used to store user preferences and small amounts of data. However, if developers use NSUserDefaults to store sensitive information such as passwords, API keys, or other confidential data without encrypting it, this information can be easily accessed by attackers if they gain access to the device.

Binary Analysis

You can use otool to check if a binary is using any insecure functions are in use.

NSURLCredential Dump

The NSURLCredential class is well-suited for securely storing sensitive information directly in the keychain, eliminating the need for NSUserDefaults or similar wrappers. To retrieve these stored credentials, the command ios nsurlcredentialstorage dumpin Objection is used.

Weak Cryptography

Check for if any weak cryptography algorithms are in use. You can check it with both Otool and the objection

Check Logs

Check if sensitive information is being logged with 3utools

Automate Static Analysis

Automate static analysis using frameworks like MobSF and online tools such as https://www.ostorlab.co/, but don’t rely solely on them. Always complement automated tests with manual testing for thorough security checks.