iOS Mobile Application (i.e. .IPA) Vulnerability Assessment and Penetration Testing Walkthrough.

15 min readMar 17, 2023

Hi Friends, in this blog. I included step-by-step procedures from basics to the execution of test cases for iOS Application Security Testing.

My name is Abhishek.CN, and I am a VAPT analyst and Cyber-Security enthusiast.

Before writing this blog, I studied many articles, and I found that most of them are older and written by considering the old iOS versions. So, in this blog, I tried to add the latest tools and utilities available. And mainly using iOS version 14 or above. (We are using iPhone 8 with iOS version 16.1.1)

As the famous quote of Abraham Lincoln

“If I had six hours to chop down a tree, I’d spend the first four hours sharpening the axe.”

Grate then!! as Abraham Lincoln says, let’s sharpen our iOS basics, before jumping to the practical execution of the test cases.

BASICS OF iOS

As my primary motive is to provide all the necessary resources in one single blog post, I listed the core topics to cover with a relevant reference link.

1) Understanding the Structure of an iOS Application

In this section, your takeout should be the following point

iOS components.

Structure of an IPA file.

Sandboxing

link: https://medium.com/@lucideus/understanding-the-structure-of-an-ios-application-a3144f1140d4

2) Let’s jailbreak your iPhone

As you all know! we are using iPhone8 with the latest iOS version (i.e. 16.1.1) but as a bonus point, I am also leaving the link for jailbreaking older versions of iOS devices.

# Requirement for jailbreaking the iOS 15.0 to iOS 16.2

1) Linux system as your base operating system or mac.

2) Palera1n jailbreak.

Let us begin our setup. Here I am using kali Linux as my base operating system. ** Windows is not supported. Also, using Linux or macOS on a Virtual Machine will not work!**

So, I dual-booted my windows system with kali Linux, please follow the reference link if don’t know how to dual-boot.

link: https://youtu.be/KPjLFG2TSZM

After dual-booting make sure that you installed Python3.

Next, understand what Palera1n is exactly.

Palera1n is a semi-tethered jailbreak that is based on the checkm8 boot-rom exploit.

It supports all devices which can run iOS 15 and iOS 16 with A11 or lower chip!

It includes:

iPhone 6s
iPhone 6s Plus
iPhone SE 1st Generation
iPhone 7
iPhone 7 Plus
iPhone 8
iPhone 8 Plus
iPhone X

And all iPads with A-11 or lower chips running iOS 15.0 to iOS 16.2.

Alert

On A-10 and A-11 devices, you cannot use a passcode, Face ID, and Fingerprint while in jailbroken mode. And an attempt to add a passcode while in jailbroken mode will result in a crash and restart! And if you are running iOS 16 and you ever used a passcode on your device, then just removing the passcode will not work for you. You will have to reset your device either from the settings or by using iTunes.

Now everything is set, let’s start!

Open the terminal on your Mac or Linux PC.

Steps 1 and step 2 mentioned below are only for LINUX. They are not needed on macOS.

Run #sudo systemctl stop usbmuxd

Run usbmuxd -f -p

Now let’s continue the process. The rest of the process is the same for Linux and MacOS!

Clone the repo from Github by pasting the command given below in TERMINAL.

git clone — recursive https://github.com/palera1n/palera1n && cd palera1n

Connect your iPhone to the system and once you are in the palera1n directory paste the command given below to start the process.

For macOS: ./palera1n.sh — tweaks <iOS version you’re on> — semi-tethered

For Linux: sudo ./palera1n.sh — tweaks <iOS version you’re on> — semi-tethered

After you enter the command on your MacBook or Linux PC, the process will start, and you will see the progress on the Terminal.

When the process starts your device will go the debug mode and it asks you to put your device in the “DFU” Mode.

To put your device in DFU mode follow the step shown in the terminal, if face any problems refer to this link to put your device in DFU mode manually https://youtu.be/kBaft0z8ycc

If you see any error, just paste the command, and run again After it finished Phase 1, your device will turn on in Normal mode. Keep it connected, Terminal will boot your device into Recovery Mode automatically.

After that, your device will turn on once the process is finished.

link for iOS 15.0 to 16.2 — -> https://youtu.be/Ck_K4-JFtus

link for an older version of iOS — → https://youtu.be/Ak7yo1P_4lY

What Next?

If you successfully jailbreak your device, you will see the Palera1n app installed on your device. to finish the installation, follow the below-mentioned steps.

Open Palera1n Loader.

Go to settings, and tap on “Do All”

Then return to the main screen and press Install.

After that, press the button to respring your iPhone.

Boom! Now you can use Sileo on your iPhone.

ß — — — — — — -HURREEEEEE WE JAILBROKED OUR DEVICE — — — — — — →

3) Let’s stock our arsenal (TOOL & UTILITIES).

First, let us begin with our iDevices. Remember, we installed an app called “Sileo”?

Sileo is a fast, beautiful, powerful, and efficient APT Package Manager designed for jailbroken devices. The repository on Sileo contains most of the tools required for iOS app security testing.

These are some major repositories from which you can install utilities and tools like “FRIDA”, “SSL KILL SWITCH2,” “LIBERTY LITE,” “FILZA”, and more.

ALERT

There’s no need to stress if you can’t add any of the repositories. I’m here to support you. Palera1n gives you another APT Package Manager, which is known as zebra.

It should work if you install zebra and add the repositories, as seen in the screenshot below.

Installing the repositories mentioned above can help you get around the jailbreak detection error and intercept HTTP requests in Burp-Suite from the app.

The final step in this process is to add the Burp certificate to your device so that it can trust the SSL/TLS certificates generated by Burp. This is essential for using Burp to perform attacks such as man-in-the-middle and proxy penetration, both of which require access to secure websites.

To add the Burp certificate to your iOS device, follow these steps:

Open Burp and go to the Proxy > Options > Proxy Listeners tab.

3. On your iOS device, go to Settings > Wi-Fi and click on the Wi-Fi network you are connected to.

4. Select Configure Proxy, choose Manual, and enter the IP address and port of your laptop (e.g., YOUR HOST MACHINE IP:8080). Save the changes.

Now that we’ve completed the setup of our iDevice, we need to get the following tools to begin our assessment.

MobSF à for static analysis of the application.

Installation Link: https://github.com/MobSF/Mobile-Security-Framework-MobSF

Frida and Objection tools On kali, Win, Mac.

Installation: pip3 install frida-tools, pip3 install objection.

We can use MOBEXLER — A Mobile Application Penetration Testing Platform.

Link: https://mobexler.com/

Mobexler comes with pre-installed tools required for both android and iOS application pentesting.

(Beginners use Mobexler)

!! Now we are ready to GO!!

3) Practical Assessment

In iOS Vulnerability Assessment and Penetration Testing, we perform.

Static Application Testing
Dynamic Application Testing

First, we begin with Static Application Testing

Run the MobSF web interface.

Drag and drop the IPA file (iOS app package file) into the interface and run static analysis

Once the static analysis is complete, review the results for any misconfiguration or vulnerabilities, such as:

Insecure URL schemes
Insecure permissions and ATS misconfiguration
Binary and File analysis
Malware Analysis

Presence of hard-coded sensitive information such as Firebase database or email addresses

Other interesting files may contain security issues or vulnerabilities.

MobSF further provides the scoreboard accompanying the type of vulnerability in addition to the severity for a given app subsequently examination.

For more information on static analysis, please refer to the link below.

Link: https://inesmartins.github.io/mobsf-ipa-binary-analysis-step-by-step/index.html

Dynamic Testing of iOS application

In this section, you will gain knowledge of dynamic analysis techniques for understanding the inner workings of iOS applications. From the process of repackaging your application to using an instrumentation framework (Frida & objection), you’ll be presented with various steps to analyze your application at runtime.

To interact with the target app, just follow these steps:

Connect your jailbroken iOS device to your laptop using a USB cable.

Use the command frida-ps -Uai to get a list of all apps currently installed on the device.

To use Objection just follow these commands:

Use the command ‘objection -g “Target APP” explore’ explore to connect to the application.

Use the env command to view the environment variables for the application, including its path.

As you can see, I’m using iPhone 16.1.1!!!

Well, DVIA is a vulnerable app by design for iOS VAPT and is not supported in 16.1.1 iOS devices yet. So, I’m using a 12.5.5 iOS device for demonstration.

Ø 1st Test case -> Local Data Storage

Insecure Data Storage is a vulnerability that occurs when sensitive data is stored locally on the device without proper protection.

Checking sensitive data in Plist.

Sensitive data in plist file using framework Objection, type env, then ‘data directory’, ‘Documents’ folder and finally navigate to iOS plist userInfo.plist command as shown below to open the plist file Find sensitive data in

# ios plist cat userInfo.plist

Checking sensitive data in User Defaults.

Sensitive Data in UserDefaults- Similarly type ls in Library then cd into Preferences then again ls and then use the command given below.

# ios plist cat com.highaltitudehacks.DVIAswiftv2.plist

Checking sensitive data in Keychain.

Sensitive Data in Keychain- Once the user is logged in, a developer can store his username and password to the keychain to access the application using the keychain.

By using the following command, you can get the keychain Dump.

# ios keychain dump

Checking sensitive data in Core Data.

Sensitive Data in Database- Developer can save sensitive data such as username and password in client side database. Locate the Sqlite database at client side and use the command sqlite connect DatabaseName.sqlitesthen use .tables to enumerate column names then select * from ‘ColumName’ to see the data in columns.

Actually, here I am not able to access the table using objection I am getting 0 rows inset.

But there is one more method to check the core data.

Open the à Filza app à var/mobile/container/Data/Application/DVIA-v2(target app)/Library/Application Support/Model.sqlite

You will get your Data.

Checking sensitive data in yap Database.

v Want to know more about yap database please go through this link : https://medium.com/@mark_koslow/introduction-to-yap-database-478d2f18880c

It like sqlite expect it is yap database, follow the step to execute testcase.

Go to /var/mobile/Containers/Data/Application/0C218B70-F117–44E6–8A40-E9D87109A7D7/Library/Application Supp directory.

Data is stored in Hex format you need to decode it to find the username and password.

I am using cyberchef.com for decoding.

Ø Side Channel Data Leakage

Background Screen Caching or App Screenshot

By design, an iOS app will always take a screenshot when it goes to the background. That screenshot could contain sensitive information about the victim. In iOS, the screenshot gets saved in the below directory.

follow the step to execute the test case.

Go to /var/mobile/Containers/Data/Application/0C218B70-F117–44E6–8A40-E9D87109A7D7/Library/Caches/Snapshots/downscaled directory.

When you access this above-mentioned directory, you will get all the App screenshots.

You open screenshots with a built-in image viewer.

Sensitive Information through Clipboard or Pasteboard.

iOS keeps a buffer of text that has been copied. This data can then be used in different areas of the application as well as other applications on the device. The implication is that clipboard data might be accessible by any application.

To execute the test case follow the steps:

Hook the device to objection, then follow these commands.

# ios pasteboard monitor.

After entering this command, see what happens when you copy and paste data into a user input field. Every time you click the copy-paste command, Objection will monitor the clipboard and capture it.

Sensitive Information through Cookies.

Sensitive Data in Cookies- Sometimes the data can get saved in cookies. We can access it using the command.

# ios cookies get — json

Sensitive Information through keystroke Logging.

iOS by default logs every input that you enter in a text field on the device unless the test field is not set as Secure.

This is done to assist the user in autocorrecting the value once the user enters any input in the text field. It is therefore essential for developers to disable autocorrect on test fields that may contain require sensitive data.

follow the step to execute the test case.

Go to /var/mobile/Library/keyboard/ en-dynamic.lm directory, then open the file dynamic-lexicon.dat to see logged keystroke.

Then use this command to open the dynamic-lexicon.dat file

# file cat dynamic-lexicon.dat

Sensitive Information through Device Logs.

Sometimes developers add logs while debugging the application but forget to remove them while publishing the application.

Follow the below step to execute the test case.

You need to install the idevice utility.

# idevice_id to get idevice ID

# idevicesyslog -u (your device ID) | grep “DVIA-v2”

Every time I clicked on the Sign-Up button with the DVIA-v2 application, it crashed, so we were not able to access the logs to view the data.

Broken Cryptography

Broken Cryptography is a vulnerability that occurs when the data stored in the application is not encrypted properly thereby allowing an attacker to gain access to the data by exploiting it by following the hooking command.

# ios monitor crypto

Jailbreak Detection Bypass

Using Tweaks- For this, we are going to use the HideJB tweak. Open the Settings app on your iOS device > Locate the HideJB preferences > Tap on “Select Apps” > Toggle on the button next to the app name that you want to hide the jailbreak status for, as shown in the screenshot. Make sure you close the running app after starting the HideJB to bypass the detection.

And you can also use the following commands using Frida and objection you can bypass jailbreak.

# ios jailbreak disable

# frida -l JBbypass.js -n “DVIA-v2” -U

Ø Network Layer Security

Jailbreak Detection Bypass

For this, we are going to use the SSL Kill Switch 2 tweak. Open the Settings app on your device. > Locate the SSL Kill Switch 2 preferences. > Toggle on the button next to ‘Disable Certificate Validation’ > Use the Burp Suite to capture the request. Make sure you close the running app after starting the SSL Kill Switch 2 to bypass the SSL Pinning.

We also simply use the Objection to do the same just by using the following command.

# ios sslpinning disable

Ø Sensitive Information in Memory

iOS applications may store sensitive information like passwords, session IDs, etc in the memory of the application without releasing them. In some cases, releasing these variables may not be an option. For e.g, it might be required for the application to send an authentication token with every request and hence there has to be a reference to it in the memory somewhere. Even though these variables might be encrypted when stored locally in the application, these variables will be in their unencrypted format while the application is running. Hence, analyzing the contents of the memory is an important thing while pen-testing an iOS application.

Now, run the fridump tool on the application to extract the information from memory

Tool: https://github.com/Nightbringer21/fridump

Command: python fridump.py –usb -s DVIA-v2

Open the Strings.txt file and search for sensitive information such as passwords and observe that the sensitive information was found in the application memory.

Ø WebView Issues

Client-side injections occur when the input Ito the application is not validated properly.

Because the code is injected on the client side, it is possible to call native functions in the device and perform malicious activities.

It is clear from the above image that it added the text to this UIWebview. If this input is not validated properly, we might be able to inject some JavaScript that will get executed in the UIWebview. Let’s enter the following as the input.

Well after injecting the script <script>alert(1)</script>, our injection is executed we got a Popup.

Ø Runtime Manipulation.

All native iOS applications are written in Objective-C which is a runtime-oriented language. This feature makes all native applications vulnerable to runtime analysis and manipulation.

To perform this test case, we must gather all the Classes and inspect them for a special class that we can manipulate.

To do so follow the below steps:

Hook the application using objection and run the following commands:

#objection -g DVIA-v2 explore.

Login bypass

#ios hooking search classes login.

Observe that a total of 27 Classes are returned and the class Login Validate looks interesting.

Now run the following command: #ios hooking watch class LoginValidate

Observe that the two highlighted methods were returned.

Now in the application, press the Login Method 1 button and the method isLoginValidated from the class LoginValidate is getting called.

Now run the following command to watch this method: #ios hooking watch method “+[LoginValidate isLoginValidated]” — dump-args — dump-return

Now. press the Login Method button again and observe the output as shown in the below image.

Now run the following command to bypass the restrictions: #ios hooking set return_value “+[LoginValidate isLoginValidated]” true

So, we bypassed the authentication check.

CONCLUSION

In this article, we discussed the basics and more in-depth aspects of iOS penetration testing.
We began by grasping the iOS app architecture, filing system, and sandboxing.
Continuing with jailbreaking iOS 16.11 and older versions, installing the tweaks on the idevice.
Introducing the tools needed for testing and installing.
And finally, run static and dynamic iOS test cases on the DIVA app.