Application security refers to the strategies used to protect mobile applications, online apps, and APIs (Application Programming Interfaces) from hackers. In the mobile device market, iOS is the most popular operating system. Because of their popularity, a variety of apps have been developed, making them excellent targets for attackers.
Today, we’ll look at how to perform static security pentesting on iOS apps, starting with bypassing SSL pinning and a few potential security flaws.
Bypassing SSL Pinning on iOS Device
The technique of linking a host with its certificate/public key is known as SSL Certificate Pinning. You pin a certificate or public key to a host after you have it. In other words, you set the app to refuse any certificates or public keys save one or a few predetermined ones.
Bypassing SSL Pinning using Frida :-
Frida:- Frida is a Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers that allows you to inject JavaScript snippets or your own libraries into native Windows, macOS, iOS, Android, and QNX programmes.
Install Frida from Github :- https://github.com/frida/frida
Install Frida on your Jailbroken iOS Device also through Cydia.
Step 1:- Run command frida-ps -Uia to list all the running app’s on the device.
Great. That is all the info you require.
Step 2:- Now Run the command frida –codeshare federicodotta/ios13-pinning-bypass -f <identifier> -U –no-pause.
Here, Identifier is the bundle id of the application for which you want to bypass SSL Pinning. So to get the identifier run the command in step 1 .
Step 3:- After the process is completed successfully. Configure your iOS device with burp suite and try to intercept the traffic of the app for which you bypassed SSL Pinning.
Below is the example of amazon application:-
Extracting the ipa file from any iOS Device
You can use Imazing to extract the ipa file of any application installed on your iphone , whether your device is jailbroken or not.
Install the application in your iOS device now go to Imazing , connect your device to your mac/windows and go to manage apps . There you will see a list of all the applications installed on your device and in the front of all app names you will see a download button as shown in the image below. Now Click on that button and the ipa of that application will be downloaded on your Pc.
MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Plist
Plist stands for Property List. It is a flexible and easy format for storing application data. It’s what we’d refer to as an iOS app’s manifest. Sometimes you can find sensitive data in these files like Gmap api keys etc.
You can see Plist files in MobSf also or you can use the Objection Framework command.
Objection Command → ios plist cat Info.plist
Keychain Dump
Keychain is a secure storage container on an iOS device that is used to store sensitive information such as usernames, passwords, network passwords, and auth tokens.
It allows you to save account names, passwords, and credit card data safely and securely.
Insecure Transport Layer ( App Transport Security )
If App Transport Security is disabled on the domain i.e :- {‘NSAllowsArbitraryLoads’: True}’,While ATS safeguards are maintained everywhere in your programme, disabling ATS might allow unsafe contact with specific servers or unsecured loads for web views or media.
NsUserdefault File
It is also a simple plist file in your app package which can be used to set and get data very easily. Its structure resembles that of a dictionary, and the user defaults are sometimes referred to as a key-value store.
Hardcoded Api Keys
Most of the apps need private/sensitive values, such as secrets , passwords & Api Keys which are stored in the application’s source code to setup third party SDKs or backend api’s.
During the build process or while using developer tools, such as interacting with an Apple Developer account, some secrets may be required.
Binary Analysis using otool
You can use otool (object file displaying tool) for further binary analysis of the application. The otool command displays sections of object files or libraries that you specify. You can check using otool that if the application is using weak hashing algorithms ,Banned/deprecated api’s, malloc function or insecure random number generators.
Commands to check these are given below:-
To Check for weak hashing algorithms:-
- Open the terminal and take the ssh of your Iphone.
- Command:- ssh root@<IP>
- cd /var/containers/Bundle/Application/<APP_ID>/<app>
- otool -Iv <app> | grep -w _CC_MD5
- otool -Iv <app> | grep -w _CC_SHA1
To Check for Banned/Deprecated Api’s :-
- Open the terminal and take the ssh of your Iphone.
- Command:- ssh root@<IP>
- cd /var/containers/Bundle/Application/<APP_ID>/<app>
- otool -Iv <app> | grep -w _stat
- otool -Iv <app> | grep -w _sscanf
- otool -Iv <app> | grep -w _strncpy
- otool -Iv <app> | grep -w _strle
Similarly is for malloc function and Insecure random number generator.
Blog Source:- https://detoxtechnologies.com/pentesting-of-ios-mobile-application/
Bypassing SSL Pinning on iOS Device | iOS Application Security | iOS Pentesting Tools | iOS Pentesting Without Jailbreak | Pentesting of iOS Mobile Application | iOS Pentesting Checklist | iOS Pentesting | iOS App Pentesting | iOS Penetration Testing | iOS Application Penetration Testing | iphone Pentesting