Penetration testing, or “pentesting,” is an essential process to ensure the security of iOS devices and applications. In this iOS Penetration Testing Cheatsheet, we’ll cover the critical aspects of iOS penetration testing split into four phases: device security, data security, network security, and application security. Additionally, we will discuss essential tools for iOS penetration testing and provide examples for each.
1. Device Security
Device security is the foundation of iOS penetration testing. The first step is to gain access to the device’s filesystem. To achieve this, use tools like FileZilla, Cyberduck, itunnel, iProxy, and iFunbox.
FileZilla
Use FileZilla to access the device’s filesystem via SFTP:
filezilla sftp://username:password@IP_ADDRESS:PORT
Cyberduck
Use Cyberduck to access the device’s filesystem via SFTP:
open -a Cyberduck sftp://username:password@IP_ADDRESS:PORT
itunnel
Use itunnel to forward a local port to the device's SSH port (here local port 2222 is mapped to port 22 on the device):
itunnel_mux --iport 22 --lport 2222
iProxy
Use iProxy to create a TCP connection from a local port to a remote port on a connected iOS device:
iproxy 2222 22
iFunbox
Use iFunbox to access the device’s filesystem. Simply connect your device, open iFunbox, and navigate the file system.
2. Data Security
Data security focuses on protecting the information stored on iOS devices. To examine and manipulate application data, use reverse engineering and static analysis tools like otool, Clutch, Dumpdecrypted, class-dump, Weak Classdump, IDA Pro, HopperApp, hopperscripts, and Radare2.
otool
Use otool to analyze the object files and executables:
otool -L /path/to/executable
Clutch
Use Clutch to decrypt and dump the application binary:
Clutch -d /path/to/application
Dumpdecrypted
Use Dumpdecrypted to decrypt an encrypted iOS app binary:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /path/to/encrypted_binary
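As an added example (not from this cheatsheet or from otool, Clutch or Dumpdecrypted themselves), the following Python script parses otool output to answer the two questions this step raises: is the binary still FairPlay-encrypted (cryptid 1 in the LC_ENCRYPTION_INFO load command, which is why Clutch or Dumpdecrypted must run before class-dump or a disassembler will show anything useful), and which non-system libraries does it link. The otool excerpts embedded in the script are constructed sample text, not captured from a real app, and the function names are the script's own.

```python
"""Audit otool output: is the Mach-O still FairPlay-encrypted, and what does it link?

Added example for this cheatsheet; the otool excerpts below are constructed,
not captured from a real application.
"""
import re
from typing import Dict, List, Optional

# Constructed excerpt of `otool -l /path/to/binary` showing the encryption load command.
SAMPLE_OTOOL_L = """\
/path/to/binary:
Load command 11
      cmd LC_LOAD_DYLIB
  cmdsize 56
     name /usr/lib/libSystem.B.dylib (offset 24)
Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 2392064
      cryptid 1
          pad 0
"""

# Constructed excerpt of `otool -L /path/to/binary` listing the linked libraries.
SAMPLE_OTOOL_CAP_L = """\
/path/to/binary:
\t/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3698.4.8)
\t@rpath/Analytics.framework/Analytics (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
"""


def parse_load_commands(otool_l: str) -> List[Dict[str, str]]:
    """Split `otool -l` output into one {field: value} dict per load command."""
    commands = []
    for block in re.split(r"^Load command \d+$", otool_l, flags=re.M):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                fields[parts[0]] = parts[1].strip()
        if "cmd" in fields:  # the leading block is only the binary's path line
            commands.append(fields)
    return commands


def encryption_info(otool_l: str) -> Optional[Dict[str, int]]:
    """Return cryptid/cryptoff/cryptsize from LC_ENCRYPTION_INFO(_64), or None if absent."""
    for cmd in parse_load_commands(otool_l):
        if cmd["cmd"].startswith("LC_ENCRYPTION_INFO"):
            return {key: int(cmd[key]) for key in ("cryptid", "cryptoff", "cryptsize")}
    return None


def is_fairplay_encrypted(otool_l: str) -> bool:
    """cryptid 1 means the __TEXT segment is still FairPlay-encrypted; 0 means it was decrypted."""
    info = encryption_info(otool_l)
    return info is not None and info["cryptid"] == 1


LIB_LINE = re.compile(r"^\s+(\S+) \(compatibility version")
SYSTEM_PREFIXES = ("/System/", "/usr/lib/")


def linked_libraries(otool_cap_l: str) -> List[str]:
    """Install names of every library listed by `otool -L`."""
    libs = []
    for line in otool_cap_l.splitlines():
        match = LIB_LINE.match(line)
        if match:
            libs.append(match.group(1))
    return libs


def third_party_libraries(otool_cap_l: str) -> List[str]:
    """Libraries that are not Apple system frameworks: bundled SDKs, @rpath frameworks, injected dylibs."""
    return [lib for lib in linked_libraries(otool_cap_l) if not lib.startswith(SYSTEM_PREFIXES)]


if __name__ == "__main__":
    print("encrypted:", is_fairplay_encrypted(SAMPLE_OTOOL_L), encryption_info(SAMPLE_OTOOL_L))
    print("third-party libraries:", third_party_libraries(SAMPLE_OTOOL_CAP_L))
```

Run the script against real output by piping `otool -l` and `otool -L` into the two functions; a cryptid of 1 on a binary you expected to be decrypted means the dump step failed, and any unexpected non-system entry in the `otool -L` list (for example a dylib living outside the app bundle) is worth explaining before trusting the rest of the analysis.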
class-dump
Use class-dump to generate header files from an iOS binary (-H writes one header per class into the directory given with -o):
class-dump -H /path/to/binary -o /output/directory
Weak Classdump
Use Weak Classdump to dump class information for an iOS app:
weak_classdump.py /path/to/binary -o /output/directory
IDA Pro
Use IDA Pro to disassemble and analyze an iOS binary. Simply open IDA Pro, load the binary, and start the analysis.
HopperApp
Use HopperApp to disassemble and reverse engineer an iOS binary. Simply open HopperApp, load the binary, and start the analysis.
hopperscripts
Use hopperscripts to automate tasks in HopperApp. Note that hopperscripts are Python scripts that run within the HopperApp GUI. To use a hopperscript, open HopperApp, load the binary, go to the Scripts menu, and choose the desired script.
Radare2
Use Radare2 to perform static analysis and reverse engineering of an iOS binary:
radare2 -A /path/to/binary
3. Network Security
Network security entails securing the communication channels between iOS devices and external servers. To monitor and manipulate network traffic, use network analysis and server-side testing tools like Canape, Mallory, Burp Suite, OWASP ZAP, and Charles Proxy.
Canape
Use Canape to intercept and manipulate network traffic. Simply open Canape, configure the proxy settings, and start intercepting traffic.
Mallory
Use Mallory to intercept and manipulate network traffic between an iOS device and a remote server:
# Start Mallory with default settings
./mallory.py start
Burp Suite
Use Burp Suite to intercept and manipulate network traffic. Simply open Burp Suite, configure the proxy settings, and start intercepting traffic.
OWASP ZAP
Use OWASP ZAP to intercept and manipulate network traffic. Simply open OWASP ZAP, configure the proxy settings, and start intercepting traffic.
Charles Proxy
Use Charles Proxy to intercept and manipulate network traffic. Simply open Charles Proxy, configure the proxy settings, and start intercepting traffic.
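The proxies above only see what the app's transport policy lets through, and App Transport Security (ATS) in the app's Info.plist is where that policy lives: an app that sets NSAllowsArbitraryLoads or per-domain exceptions will happily talk cleartext HTTP or weak TLS to an interception proxy, while an app with ATS left on refuses until a trusted proxy CA is installed. As an added example (not code from any of the proxy tools or from this cheatsheet), the following Python script audits the ATS section of an Info.plist and shows a weakened configuration next to the corrected one. Both plists are constructed samples, and the function names are the script's own.

```python
"""Audit an iOS app's App Transport Security (ATS) settings before proxying its traffic.

Added example for this cheatsheet. Both Info.plist documents are constructed samples.
"""
import plistlib
from typing import List

# Constructed Info.plist that weakens ATS: cleartext allowed everywhere plus a per-domain exception.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed Info.plist with the corrected setting: ATS stays on, the domain requires TLS 1.2 or newer.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def ats_findings(info_plist: bytes) -> List[str]:
    """Return one finding per ATS setting that weakens transport security (empty list = ATS intact)."""
    info = plistlib.loads(info_plist)
    # No NSAppTransportSecurity key at all means the platform default applies: ATS enforced.
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for every connection")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web view content")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: cleartext HTTP allowed (NSExceptionAllowsInsecureHTTPLoads=true)")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in WEAK_TLS_VERSIONS:
            findings.append(f"{domain}: minimum TLS version lowered to {min_tls}")
    return findings


def ats_is_hardened(info_plist: bytes) -> bool:
    """True when the plist leaves ATS fully enforced."""
    return not ats_findings(info_plist)


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        print(label, "->", ats_findings(plist) or "no ATS weaknesses")
```

Point it at the Info.plist pulled from the app bundle (see the filesystem tools in section 1); every finding it prints is a connection the proxy will be able to observe or downgrade without any pinning bypass, and the fix is the hardened plist shape shown above. Note that the check is deliberately conservative: a per-domain exception that only raises the minimum TLS version is not reported.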
4. Application Security
Application security involves assessing the security of iOS applications by analyzing their runtime behavior and detecting potential vulnerabilities. Dynamic and runtime analysis tools like cycript, Frida-cycript, Fridpa, iNalyzer, Passionfruit, idb, snoop-it, Introspy-iOS, gdb, keychaindumper, and SSL Kill Switch 2 are essential for this process. Additionally, you can use tools like iOS TrustMe, Xcon, and tsProtector to bypass jailbreak detection and SSL pinning.
cycript
Use cycript to inject JavaScript into running iOS applications and analyze their runtime behavior:
cycript -p <process_name_or_pid>
Frida-cycript
Use Frida-cycript to inject JavaScript into running iOS applications using Frida’s instrumentation capabilities:
frida-cycript -U -f <process_name_or_pid>
Fridpa
Use Fridpa to automate the process of bypassing SSL pinning and jailbreak detection using Frida:
./fridpa.py -a <app_identifier>
iNalyzer
Use iNalyzer to perform dynamic analysis of iOS applications. Simply open iNalyzer, load the target application, and start the analysis.
Passionfruit
Use Passionfruit to perform dynamic analysis and interact with the runtime environment of iOS applications:
# Start Passionfruit server
passionfruit
idb
Use idb to analyze and manipulate the runtime environment of iOS applications:
# Start idb server
idb
snoop-it
Use snoop-it to perform dynamic analysis of iOS applications. Simply open snoop-it, load the target application, and start the analysis.
Introspy-iOS
Use Introspy-iOS to perform dynamic analysis of iOS applications. Simply open Introspy-iOS, load the target application, and start the analysis.
gdb
Use gdb to debug iOS applications at runtime:
gdb -p <process_id>
keychaindumper
Use keychaindumper to dump the contents of the iOS keychain:
./keychaindumper
SSL Kill Switch 2
Use SSL Kill Switch 2 to bypass SSL pinning in iOS applications. Note that SSL Kill Switch 2 is a tweak installed through Cydia, so there is no command-line instruction. Simply install SSL Kill Switch 2 on a jailbroken device, enable it in Settings, and restart the target application.
iOS TrustMe
Use iOS TrustMe to bypass SSL pinning in iOS applications. Note that iOS TrustMe is a tweak installed through Cydia, so there is no command-line instruction. Simply install iOS TrustMe on a jailbroken device, enable it in Settings, and restart the target application.
Xcon
Use Xcon to bypass jailbreak detection in iOS applications. Note that Xcon is a tweak installed through Cydia, so there is no command-line instruction. Simply install Xcon on a jailbroken device and restart the target application.
tsProtector
Use tsProtector to bypass jailbreak detection and protect system files from being accessed by iOS applications. Note that tsProtector is a tweak installed through Cydia, so there is no command-line instruction. Simply install tsProtector on a jailbroken device, configure the settings, and restart the target application.
Conclusion
This iOS penetration testing cheatsheet provides a guide to help you secure iOS devices and applications. With the right tools and techniques, you can detect vulnerabilities, protect sensitive data, and safeguard network communication. By following this guide, you will ensure your iOS devices and applications are robust and secure against potential threats.