Jailbreaking
The act of removing Apple's software restrictions from an iOS device's operating system is known as "jailbreaking." Users take full control of the device by gaining root access, which lets them install unauthorised software, change system preferences, and access the file system. Although jailbreaking offers device users some flexibility and personalisation advantages, it also increases security risks. Most pentesters prefer to work on a jailbroken device because the extra administrative access to the operating system and file system lets them explore the device environment more thoroughly and find vulnerabilities or weaknesses that could be exploited.
Examples of tools used by the jailbreaking community include Checkra1n, Unc0ver, Chimera, FlyJB, and LibertyLite. To get root access, these tools exploit flaws in the iOS firmware. In particular, Checkra1n makes use of a hardware flaw that Apple finds difficult to address through software updates, which makes it a popular option among those who jailbreak.
Disassembler-based Static Code Analysis
An iOS pentester may use a disassembler like Hopper to inspect an executable and the machine-level code that makes up the binary. Hopper turns the app's compiled code into a more human-readable form, so the tester can understand what the code does and infer how the app behaves without actually running it, and can search for significant information that might be stored in strings or preferences.
Using a disassembler like Hopper or IDA Pro, attackers can hunt for crucial information concealed in strings, preferences, or other parts of the software. To understand how the code operates and predict the behaviour of the app, they can also examine the application's classes, objects, functions, and methods. This knowledge helps the tester locate potential security flaws or key areas where the security of the app may be compromised.
Hardcoded app values or data that is stored insecurely
All mobile apps use and store sensitive data, and there are several places within the app where data is held. To give users a useful app that they like, access to such data is commonly shared with other programs or app-related components. All of this, put simply, is necessary for the app experience, but the data must be kept secure. The problem is that most attackers and pentesters know where to find this information, and they have a variety of tools to disassemble the app and discover where crucial data is kept.
A penetration tester will typically focus on searching for and extracting sensitive data from the locations below:
- Property Lists – To store configuration options and metadata, property lists are frequently used in iOS apps. Particularly significant data, like the app’s bundle identifier, permissions, and any integrated third-party libraries or SDKs, may be found in the info.plist file.
- Strings – CFString is used to store user information that is frequently accessed by a variety of internal components or external systems. Penetration testers look for sensitive data stored in strings, such as API keys, login credentials, or other private information that might be visible in the app's binary.
- User defaults – NSUserDefaults is a handy way to save user preferences and app-specific settings. However, developers occasionally save private information such as access tokens or authentication state in user defaults, which are written to a plain property list, so testers can easily extract those details.
- SQLite – SQLite is a widely used embedded database in iOS apps. If not properly secured, sensitive data stored in an SQLite database can be vulnerable to unauthorized access.
- Keychain – The Keychain is a secure storage mechanism provided by iOS to store sensitive data, such as user passwords, authentication tokens, or API keys. Penetration testers pay attention to the Keychain, as it is intended to be a secure location for sensitive information.
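The user-defaults and Keychain items above are the two ends of the same decision: where a session token lands once the app has logged in. The following Swift is an added example written for this page, not code from the original article; the type name SessionStore, the service identifier and the token values are assumptions. It shows the weak pattern (a token in UserDefaults, which is a readable plist in the app container) beside the hardened pattern (a Keychain generic-password item bound to this device and readable only while unlocked).

```swift
import Foundation
import Security

// Added example, not the article's code. Contrasts insecure and secure storage
// of a session token. SessionStore and the service string are assumptions.

// WEAK: UserDefaults writes a plain plist under Library/Preferences. On a
// jailbroken device, or from an unencrypted backup, that file is readable.
func storeTokenInsecurely(_ token: String) {
    UserDefaults.standard.set(token, forKey: "sessionToken")
}

// HARDENED: a Keychain generic-password item. The item is encrypted by the
// system Keychain, only readable while the device is unlocked, and not migrated
// to another device by a backup (the "ThisDeviceOnly" accessibility class).
enum SessionStore {
    static let service = "com.example.app.session"   // assumed service identifier

    private static func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    // Returns the OSStatus from SecItemAdd; errSecSuccess (0) on success.
    static func save(token: String, account: String) -> OSStatus {
        var query = baseQuery(account: account)
        // Remove any previous item first so a repeated login does not fail
        // with errSecDuplicateItem.
        SecItemDelete(query as CFDictionary)
        query[kSecValueData as String] = Data(token.utf8)
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(query as CFDictionary, nil)
    }

    static func load(account: String) -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    static func delete(account: String) {
        SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}

// Usage (assumed values):
// let status = SessionStore.save(token: "eyJhbGciOi...", account: "user@example.com")
// precondition(status == errSecSuccess)
// let token = SessionStore.load(account: "user@example.com")
```

The accessibility attribute is the part reviewers most often miss: without it the item defaults to kSecAttrAccessibleWhenUnlocked, which is still encrypted but is included in device-to-device backup migration. Pick the most restrictive class the feature can tolerate.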
Privilege Escalation
After successfully jailbreaking the iOS device, the pentester may try to abuse these elevated privileges, elevate them even further, increase their level of visibility and control, or enable more powerful tools in the jailbroken environment. A pentester might, for instance, install Cydia, a package repository for jailbroken devices, which gives them access to thousands of third-party extensions and jailbreak tools they can use against your app. From Cydia they can get Mobile Substrate, which facilitates installing and running tweaks on a jailbroken phone. They might also install a file system manager, such as Filza or PlankFilza, to have complete control over the iOS file system.
Additionally, they will likely use OpenSSH to obtain shell access, move data to and from jailbroken devices, execute commands and scripts, and perform other tasks. With shell access, it is easier to disable, alter, or get past other security features. Since jailbreaking iOS lets an attacker undermine the platform security model, it is always important to include in-app jailbreak detection in your app's security defences.
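The in-app jailbreak detection the paragraph above calls for is usually built from several weak signals rather than one check. The Swift below is an added example written for this page, not the article's code; the enum name JailbreakCheck and the probe file name are assumptions. It combines three probes that follow directly from the tools named above: files left behind by Cydia, MobileSubstrate and OpenSSH; a write outside the app sandbox, which the sandbox should forbid; and the cydia:// URL scheme.

```swift
import Foundation
import UIKit

// Added example, not the article's code. A layered in-app jailbreak check.
// Each probe is only a signal: a device instrumented with a hooking framework
// can fake any of them, so use the result as one input to a risk decision and
// do not rely on it as a hard gate.
enum JailbreakCheck {
    // Artefacts of the tools the article names (Cydia, MobileSubstrate, OpenSSH)
    // and of the apt-based package manager they rely on.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/usr/sbin/sshd",
        "/bin/bash",
        "/etc/apt",
        "/private/var/lib/apt",
    ]

    static func suspiciousFilesPresent() -> Bool {
        return suspiciousPaths.contains { FileManager.default.fileExists(atPath: $0) }
    }

    // The app sandbox forbids writes outside the app container. If this write
    // succeeds the sandbox has been relaxed, which only happens on a jailbroken
    // device. The probe path is a constructed, random name.
    static func canWriteOutsideSandbox() -> Bool {
        let path = "/private/jb_probe_\(UUID().uuidString)"
        do {
            try "probe".write(toFile: path, atomically: true, encoding: .utf8)
            try FileManager.default.removeItem(atPath: path)
            return true
        } catch {
            return false
        }
    }

    // canOpenURL only reports true for schemes listed under
    // LSApplicationQueriesSchemes in Info.plist, so "cydia" must be declared
    // there for this probe to be meaningful. Must be called on the main thread.
    static func cydiaSchemeRegistered() -> Bool {
        guard let url = URL(string: "cydia://package/com.example.probe") else { return false }
        return UIApplication.shared.canOpenURL(url)
    }

    static func isLikelyJailbroken() -> Bool {
        #if targetEnvironment(simulator)
        // The simulator has no sandbox in the iOS sense and would trip the
        // write probe on every run.
        return false
        #else
        return suspiciousFilesPresent() || canWriteOutsideSandbox() || cydiaSchemeRegistered()
        #endif
    }
}

// Usage: if JailbreakCheck.isLikelyJailbroken() { /* degrade or log, per your risk policy */ }
```

The path list is deliberately short; what matters for detection is combining independent signals (file presence, sandbox behaviour, URL scheme) so that hiding one artefact is not enough to clear the check.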
SSL Pinning Bypass / MitM Attack
Another typical element of a pentester’s test plan is to see whether they can compromise the networking connections or chain of trust that the app uses when it talks with the backend servers. Two common methods for doing this involve a MitM attack and replacing the app’s digital certificate with the one from their favourite proxy tool (common proxy tools include Charles Proxy, Burp Suite, Wireshark, etc.). In an effort to further compromise, modify, or analyse the app, the tester will then be able to divert the app’s traffic to their own proxy. For this reason, security procedures like certificate pinning and other techniques are commonly used to protect data while it is in transit.
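Certificate pinning, mentioned at the end of the paragraph above, is what stops the proxy-substitution step: even after the tester installs the proxy's root certificate on the device, a pinned app refuses a leaf certificate it does not recognise. The Swift below is an added example written for this page, not the article's code; PinningDelegate, the pinned hash placeholder and the endpoint are assumptions. It performs normal chain validation first and only then compares the SHA-256 of the leaf certificate's DER encoding against the pin set. SecTrustCopyCertificateChain requires iOS 15 or later.

```swift
import Foundation
import CryptoKit
import Security

// Added example, not the article's code. Pins the server's leaf certificate in
// a URLSession delegate so a proxy-issued certificate is rejected even when
// its root has been installed as trusted on the device.
final class PinningDelegate: NSObject, URLSessionDelegate {
    // SHA-256 (hex) of the DER-encoded leaf certificate(s) the app expects.
    // PLACEHOLDER: compute the real values from your deployed certificate, and
    // include the next certificate you plan to roll to so rotation does not
    // lock clients out.
    private let pinnedLeafHashes: Set<String> = [
        "<sha256-hex-of-expected-leaf-der-PLACEHOLDER>",
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 1. Standard validation: hostname, expiry, path to a trusted root.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin check. A MitM proxy's certificate passes step 1 once its CA is
        //    trusted on the device, but its leaf hash will not be in the set.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let hash = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if pinnedLeafHashes.contains(hash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (assumed endpoint):
// let session = URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)
// session.dataTask(with: URL(string: "https://api.example.com/")!) { _, _, _ in }.resume()
```

Pinning the leaf is the simplest form and the one most affected by certificate rotation; pinning the public key (SPKI) of the leaf or an intermediate survives re-issuance with the same key pair at the cost of a small amount of DER handling. Whichever is pinned, keep a backup pin and a remote kill switch, since a bad pin set is an outage the app cannot recover from on its own.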
Method Hooking, Code Injection with Frida
Frida is an extremely powerful dynamic instrumentation toolkit. With it, an attacker can locate, attach to, and interact with the processes of running iOS apps and modify the app's functionality dynamically while it is in use. The tester can first trace a running iOS process with frida-trace, then attach to it and hook its functions. They can then interact dynamically with the target application and alter its behaviour by injecting custom code into it. Through scripting, Frida lets the injected code be tailored closely to the target app.
Frida is widely used in iOS pentests alongside other tools to uncover sensitive code and bypass an application's security precautions. If you expect the pentester to use Frida as part of the penetration test, consider adding anti-instrumentation (Frida detection) capabilities to your security architecture.