iOS Pentesting Checklist
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the telegram group, or follow me on Twitter @carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book and don't forget to give a star on github to motivate me to continue developing this book.
Preparation
Prepare your environment by reading iOS Testing Environment
Read all the sections of iOS Initial Analysis to learn the common actions used to pentest an iOS application
Data Storage
Plist files can be used to store sensitive information.
Core Data (SQLite database) can store sensitive information.
YapDatabases (SQLite database) can store sensitive information.
Firebase misconfiguration.
Realm databases can store sensitive information.
Couchbase Lite databases can store sensitive information.
Binary cookies can store sensitive information.
Cache data can store sensitive information.
Automatic snapshots can save visually sensitive information.
Keychain is usually used to store sensitive information that can be left behind when the phone is resold.
In summary, check for any sensitive information the application saves to the filesystem.
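The Keychain item above is the one storage location with a built-in control over where the data may travel. The following is an added example (not code from the original checklist or from any project it describes) showing a secret stored with the ThisDeviceOnly accessibility class, which keeps the item from being restored onto another device from a backup, next to a comment naming the weaker class a review should flag. The service name, account name and token value are assumed for illustration.

```swift
import Foundation
import Security

// Added example. Service identifier is assumed, not taken from any real application.
enum KeychainStore {
    static let service = "com.example.app.session"

    // Weak choice a review would flag:
    //   kSecAttrAccessible = kSecAttrAccessibleAfterFirstUnlock (no ThisDeviceOnly suffix)
    // Such items are included in encrypted backups and can be restored to another device.
    // Preferred: the ThisDeviceOnly variant binds the item to this device's key hierarchy.
    static func save(token: Data, account: String) -> OSStatus {
        // Remove any previous value first so SecItemAdd does not fail with errSecDuplicateItem.
        _ = delete(account: account)
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: token,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        ]
        return SecItemAdd(query as CFDictionary, nil)
    }

    static func load(account: String) -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
        return item as? Data
    }

    // Called on logout or account deletion so the secret does not linger on the device.
    static func delete(account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        return SecItemDelete(query as CFDictionary)
    }
}

// Usage (constructed sample token):
// let status = KeychainStore.save(token: Data("sample-session-token".utf8), account: "user@example.com")
// let restored = KeychainStore.load(account: "user@example.com")
```

When auditing an app, the `kSecAttrAccessible` value of each Keychain item is the thing to record: any item without the `ThisDeviceOnly` suffix is a candidate for turning up in a backup, and any item that is never deleted on logout is a candidate for surviving a change of owner.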
Keyboards
Check if sensitive information is saved in the keyboard cache files
Logs
Backups
Backups can be used to access the sensitive information saved in the file system (check the first point of this checklist).
Backups can also be used to modify some configuration of the application: restore the modified backup on the phone, and when the modified configuration is loaded some (security) functionality may be bypassed.
Applications Memory
Check for sensitive information inside the application's memory
Broken Cryptography
Check for the use of deprecated/weak algorithms to send/store sensitive data
Local Authentication
If local authentication is used in the application, you should check how the authentication works.
If it's using the Local Authentication Framework it could be easily bypassed.
If it's using a function that can be dynamically bypassed you could create a custom frida script.
Sensitive Functionality Exposure Through IPC
Custom URI Handlers / Deeplinks / Custom Schemes
Check if the application is registering any protocol/scheme
Check if the application is registering to use any protocol/scheme
Check if the application expects to receive any kind of sensitive information from the custom scheme that can be intercepted by another application registering the same scheme
Check if the application isn't checking and sanitizing user input received via the custom scheme, so that some vulnerability can be exploited
Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme
Universal Links
Check if the application is registering any universal protocol/scheme
Check the apple-app-site-association file
Check if the application isn't checking and sanitizing user input received via the universal link, so that some vulnerability can be exploited
Check if the application exposes any sensitive action that can be called from anywhere via the universal link
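Both the custom-scheme items and the universal-link items above come down to the same two questions: does the app validate what arrives in the URL, and does the URL alone trigger a sensitive action. The following is an added example (not code from the original checklist or from any project it describes) of a router that handles both entry points, accepts only an allow-listed set of paths, validates the one parameter it extracts, and returns a route for the UI to act on rather than performing any action itself. The scheme `exampleapp`, the host `links.example.com` and the `/item/<id>` path are assumed for illustration.

```swift
import Foundation

// Added example. Scheme, associated domain and path layout are assumed, not real values.
final class LinkRouter {
    static let customScheme = "exampleapp"
    static let universalHost = "links.example.com"

    // The router only describes what the link asks for. Whether to honour it
    // (and whether the user is authenticated) is decided by the caller, so a
    // link on its own never triggers a sensitive action.
    enum Route: Equatable {
        case openItem(id: String)
        case unsupported
    }

    // Entry points that feed this function:
    //   application(_:open:options:)                -> custom scheme URL
    //   application(_:continue:restorationHandler:) -> userActivity.webpageURL (universal link)
    static func route(for url: URL) -> Route {
        guard let comps = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
            return .unsupported
        }
        let fromScheme = comps.scheme == customScheme
        let fromUniversal = comps.scheme == "https" && comps.host == universalHost
        guard fromScheme || fromUniversal else { return .unsupported }

        // Accepted shapes:
        //   https://links.example.com/item/<id>
        //   exampleapp://item?id=<id>
        let pathParts = comps.path.split(separator: "/").map(String.init)
        var id: String?
        if fromUniversal, pathParts.count == 2, pathParts[0] == "item" {
            id = pathParts[1]
        } else if fromScheme, comps.host == "item" {
            id = comps.queryItems?.first(where: { $0.name == "id" })?.value
        }

        // Validate strictly before the value reaches storage, networking or a WebView.
        guard let itemID = id, isValidItemID(itemID) else { return .unsupported }
        return .openItem(id: itemID)
    }

    // Identifiers are short ASCII alphanumerics; anything else is rejected.
    static func isValidItemID(_ s: String) -> Bool {
        !s.isEmpty && s.count <= 32 && s.allSatisfy { $0.isASCII && ($0.isLetter || $0.isNumber) }
    }
}

// Constructed sample inputs:
// LinkRouter.route(for: URL(string: "https://links.example.com/item/abc123")!)   // .openItem(id: "abc123")
// LinkRouter.route(for: URL(string: "exampleapp://item?id=abc123")!)             // .openItem(id: "abc123")
// LinkRouter.route(for: URL(string: "exampleapp://transfer?to=attacker")!)        // .unsupported
// LinkRouter.route(for: URL(string: "https://evil.example.net/item/abc123")!)     // .unsupported
```

Two design points map directly to the checklist: nothing sensitive (tokens, session data) is ever expected inside the URL, because another app can register the same custom scheme; and the universal-link branch checks the host, because a universal link that is not matched by the app falls back to Safari, so the app must not assume a URL reached it through its own associated domain.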
UIActivity Sharing
Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with a specially crafted activity
UIPasteboard
Check if the application is copying anything to the general pasteboard
Check if the application is using the data from the general pasteboard for anything
Monitor the pasteboard to see if any sensitive data is copied
App Extensions
Is the application using any extension?
WebViews
Check which kind of webviews are being used
Check the status of javaScriptEnabled, JavaScriptCanOpenWindowsAutomatically, hasOnlySecureContent
Check if the webview can access local files with the protocol file:// (allowFileAccessFromFileURLs, allowUniversalAccessFromFileURLs)
Check if Javascript can access Native methods (JSContext, postMessage)
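The WebView items above name the exact settings a reviewer looks for. The following is an added example (not code from the original checklist or from any project it describes) showing a WKWebView configuration with the weak settings called out in comments next to the hardened values, a single named `postMessage` bridge whose native handler treats every message as untrusted input, and a load function that only accepts https content from one host. The handler name `nativeBridge`, the host `app.example.com` and the two allow-listed actions are assumed for illustration.

```swift
import WebKit

// Added example. Bridge name, host and action names are assumed, not real values.
final class HardenedWebView: NSObject, WKScriptMessageHandler {

    static func makeWebView(bridge: HardenedWebView) -> WKWebView {
        let config = WKWebViewConfiguration()

        // Weak settings a review would flag (shown for contrast, not applied here):
        //   config.preferences.setValue(true, forKey: "allowFileAccessFromFileURLs")   // undocumented KVC key
        //   config.setValue(true, forKey: "allowUniversalAccessFromFileURLs")           // undocumented KVC key
        //   config.preferences.javaScriptCanOpenWindowsAutomatically = true
        //   config.preferences.javaScriptEnabled = true   // pre-iOS 14 global switch
        // Leaving the two file-URL keys unset keeps file:// content from reading other
        // local files or issuing cross-origin requests.

        // Hardened: JavaScript off by default (re-enabled per navigation only where the
        // page needs it), and no script-opened windows.
        config.defaultWebpagePreferences.allowsContentJavaScript = false
        config.preferences.javaScriptCanOpenWindowsAutomatically = false

        // Exactly one named bridge reachable as
        // window.webkit.messageHandlers.nativeBridge.postMessage({...}) from page script.
        config.userContentController.add(bridge, name: "nativeBridge")

        return WKWebView(frame: .zero, configuration: config)
    }

    // Native side of the bridge: the message body is attacker-controllable if the page is.
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        guard message.name == "nativeBridge",
              message.frameInfo.isMainFrame,                      // ignore calls from iframes
              message.frameInfo.securityOrigin.host == "app.example.com",
              let body = message.body as? [String: Any],
              let action = body["action"] as? String,
              ["openHelp", "closeView"].contains(action)          // allow-list of actions
        else { return }
        dispatch(action: action)
    }

    private func dispatch(action: String) {
        // Hand the validated action to the app; no file paths, URLs or SQL built from the body.
    }

    // Only https content from the expected host is loaded, so hasOnlySecureContent
    // stays true for the whole session.
    static func load(_ webView: WKWebView, url: URL) {
        guard url.scheme == "https", url.host == "app.example.com" else { return }
        webView.load(URLRequest(url: url))
    }
}
```

When reviewing a real app, the fields to record are the `WKPreferences` values, whether either file-URL key has been set through KVC, the full list of names passed to `userContentController.add(_:name:)`, and what each handler does with `message.body` before acting on it.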
Network Communication
Perform a MitM to the communication and search for web vulnerabilities.
Misc