Static Testing of iOS Applications

Greetings fellow hackers, my name is Sandy, Security Analyst and Bug bounty hunter.

As I’m presently engaged in iOS penetration testing, I’d like to relay my experiences with you, as they may prove beneficial in addressing some of the inquiries. I had difficulty getting started on resolving answers without any more introductions.

This guide is an extensive guide that will take you through the entire process, as well as providing an outline of what Mobile Security Framework or MobSF is and how it may be used to automatically analyses an IPA file and the process of how we might hand evaluate a sample IPA file on a jailbroken iPhone. Sticking with examination, it also embraces some routine checks: The trial balances of the Info and its subsidiaries as of 31 December are as follows: Accountants checks from the Info. plist file according to various applications needs and security measures.

Based on the above points, one is left with no option than to agree that there is need for better understanding of the IPA file structure.

IPA is as of now the common form used in supplying iOS applications referring to iOS App Store Package. It is azagzipped set of files that holds all the information needed by an application to run on an iPhone. Here’s a detailed breakdown of the components found within an IPA file:Below are the features you are likely to stumble upon as you work with an IPA file:

It includes the following parts:

1. .app Directory:

This is the main directory inclusive of the executable and all materials required to run the app.

To get a glimpse of the contents, modify the ‘. ’The files with ipa file extension should now be saved with . zip and decompress it.

2. Info. plist:

This file has important property constraints which include the app’s bundle ID, version number, and capabilities of the device as well as the permissions of the app.

3. _CodeSignature/:

A list that contains the code signature of the app, to guaranteeing the identity of the program.

4. Assets. car:

A compressed file with all the graphical components included in the app (for example, icons, images).

5. Frameworks/:

Includes dynamic libraries (dylib) and frameworks (framework) that the app uses.

6. PlugIns/:

This directory may contain app extensions, packaged as . appex files. It is not necessarily in all IPA files.

7. Core Data:

For storing other data and the data that synchronizes itself across the devices using iCloud.

8. PkgInfo:

Offices another method to define the type and creator codes for the app.

9. Localization Files (e.g., en.lproj, fr.lproj, Base.lproj):

These files contain the language modules and a default set of modules in the event a certain language is not recognized.

Procedure of Performing Static Analysis on Mobile Applications using Mobile Security Framework (MobSF)

MobSF is yet another tool that helps the user in performing static analysis on mobile applications. undefined

Using MobSF

Run the MobSF Web Interface:

1. Setting up MobSF starts the server and allows you to proceed to the next steps. Connect to the web interface by going online with the help of the browser.

2. Upload the IPA File:

3. Upload the IPA file into the MobSF and after loading, proceed with the static analysis.

4. Review the Analysis Results:

Look for misconfigurations and vulnerabilities, such as:

Insecure URL schemesImproper permissions and App Transport Security (ATS) misconfigurationsUnsafe binary optionsHardcoded sensitive information (e.g., Firebase keys, email addresses)Other potential security issues

Some of the advantages of manual static analysis include increased accuracy, a detailed view of the application, and the ability to analyze a jailbroken iOS device.

That is why manual analysis of a static type helps to gain more detailed information regarding the app’s security. This process is possible only on an iOS device unlocked from its manufacturer restrictions.

Obtaining the App Path

1. SSH into the iOS Device:SSH into the iOS Device:

I would like to add the connection to the jailbroken device by SSH as the first step.

2. Locate the App:

Use the find command to locate the app’s plist files:Use the find command to locate the app’s plist files:

3. Identify App Locations:

System applications are located in /Applications

User-installed apps are located in /private/var/containers/

Bundled apps directory: /var/containers/Bundle/Application/

Data directory: /var/mobile/Containers/Data/Application/

Checking the Binary with otool

1. Check for Position Independent Executable (PIE):

Ensures the app loads into a random memory address, enhancing security.

2. Verify Stack Canaries:

Protects against stack overflow attacks by validating stack integrity.

3. Check for Automatic Reference Counting (ARC):

Prevents memory corruption by automatically managing memory

4. Ensure the Binary is Encrypted:

Confirms the binary is encrypted, protecting the app from tampering.

5. Identify Sensitive/Insecure Functions:

Weak Hashing Algorithms:Insecure Random Functions:Insecure Memory Functions:Vulnerable Functions:

Some of the usual checks employed in the Info can be discussed and highlighted in the following manner: plist File

The Info. plist file is a fundamental part of the application and the configuration of an iOS app, hence, configuring the plist settings properly and securely are crucial concerns for an app. Here are the common checks to perform:Here are the common checks to perform:

1. Bundle Identifier

Purpose:

The Bundle Identifier is a string that helps to define the specific App within the iOS operating system. It is employed with the operating system and the App Store to separate your app from competitors.

Why It Matters:

Uniqueness: Awards or IDs are given to a bundle to ensure that other applications will not conflict and this is important for app delivery and installation.

App Store Identification: It is used by the Apple App store to identify app versions and updates for the applications that are installed on the devices.

Entitlements and Permissions: Some of the entitlements and permissions for your app are provided based on the bundle identifier.

How to Check:

Make sure the bundle identifier adheres to reverse DNS naming convention (such as com.yourcompany.appname) and then makes sure it will not be the same as other apps.

2. Bundle Version

Purpose:

The scientific name for this is ‘CFBundleVersion’ and it refers to the build version of the app. It’s employed by the App Store and the system for following updates as well as organizing the installation of applications.

Why It Matters:

Update Management: It is very relevant because proper versioning ensures the App Store and the users to easily determine which updates are to be installed.

Bug Tracking: Knowing the versions can be pivotal for cost of failures, bugs, and other errors that may occur in between.

How to Check:

Make sure that the bundle version specified at each build includes the version number in numeric notation and is higher than in the previous version.

3. Supported Device Types

Purpose:

This key (UIDeviceFamily) specifies the types of devices on which the app can be installed and run, such as iPhone, iPad, or both.

Why It Matters:

Compatibility: Ensures that the app runs only on devices it is designed and tested for.

User Experience: Prevents users from installing the app on unsupported devices, which could lead to poor user experiences or crashes.

How to Check:

Ensure the supported device types are correctly specified.

4. Required Permissions

Purpose:

This includes various keys that specify the permissions your app requires to access device features like the camera, microphone, location, etc.

Why It Matters:

User Privacy: Ensures the app requests only the permissions it needs, respecting user privacy.

App Store Compliance: Over-requesting permissions can lead to app rejection during the App Store review process.

How to Check:

Review and list only the necessary permissions in the Info.plist.

5. URL Schemes

Purpose:

URL Schemes are found under CFBundleURLTypes — these enable other applications or specific web browsers to open your application with the use of certain URLs.

Why It Matters:

Deep Linking: Helps with implementing link deep into your app, the user-experience factor.

Security: Using URL schemes not properly configured then another person may hijack a URL or get unauthorized access.

How to Check:

Specifically check that URL schemes are unique and use secure identifiers.

6. NSAppTransportSecurity

Purpose:

The NSAppTransportSecurity key defines the network security requirements for your app, such as enforcing HTTPS connections.

Why It Matters:

Data Security: Ensures that data transmitted over the network is encrypted, protecting against eavesdropping and man-in-the-middle attacks.

App Store Compliance: The App Store requires apps to use secure connections, and improper configurations can lead to rejection.

How to Check:

Ensure that your app’s transport security settings are correctly configured.

Conclusion

Making sure an iOS app is secure and error-free through static analysis is a multi-step process that involves using tools like MobSF, checking things manually on jailbroken devices, and thoroughly validating configuration files like Info.plist. By following these guidelines and doing these checks, developers can reduce security risks, meet App Store requirements, and provide users with a safer and more reliable experience. It’s important to regularly review and update these practices to keep up with changing security standards and threats.