A detailed iOS pentesting checklist gives security researchers and professionals a methodical, in-depth way to evaluate the security of iOS applications. The particular items may change with the engagement's goals and scope, but the areas below should be covered in most assessments.
Data Storage
- Sensitive information may be stored in plist files.
- Sensitive data may be stored in Core Data (an SQLite database).
- Sensitive data may be stored in YapDatabase (an SQLite database).
- Misconfigured Firebase setup.
- Sensitive information may be stored in Realm databases.
- Sensitive data may be stored in Couchbase Lite databases.
- Binary cookies (Cookies.binarycookies) may include sensitive data.
- Sensitive data may be stored in caches.
- Snapshots taken automatically when the app is backgrounded can capture sensitive information shown on screen.
- Sensitive information stored in the keychain is not removed when the app is uninstalled, so it can be left behind when the phone is sold.
- In short, search the application's data container for any sensitive data it may have saved.
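Most of the storage items above come down to the same job: pull the app's data container off the device and look inside every plist and SQLite file (Core Data, YapDatabase and Couchbase Lite are all SQLite underneath). The script below is an added example, not part of the original checklist. It assumes the container directory has already been copied to the host; the container it scans is constructed inside the script so it runs offline. The key/value patterns are a deliberately noisy triage heuristic to be tuned per engagement.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key and column names that usually hold secrets. Heuristic and noisy by design:
# tune per engagement (e.g. "pin" also hits "shipping").
SENSITIVE_RE = re.compile(r"pass(word|wd)?|token|secret|api[_-]?key|auth|session|pin", re.I)
# Values that look like JWTs or long hex keys, whatever their key is called.
VALUE_RE = re.compile(r"^(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+|[0-9a-fA-F]{32,})$")


def _walk(node, path, hits):
    """Recurse through a decoded plist and collect (key path, value) pairs that look sensitive."""
    if isinstance(node, dict):
        for k, v in node.items():
            _walk(v, f"{path}/{k}", hits)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", hits)
    else:
        key = path.rsplit("/", 1)[-1]
        if SENSITIVE_RE.search(key) or (isinstance(node, str) and VALUE_RE.match(node)):
            hits.append((path, node))


def scan_plist(fpath):
    """plistlib handles both XML and binary (bplist00) plists."""
    hits = []
    with open(fpath, "rb") as f:
        try:
            data = plistlib.load(f)
        except Exception:  # not a parseable plist: skip it
            return hits
    _walk(data, "", hits)
    return hits


def scan_sqlite(fpath):
    """Core Data, YapDatabase and Couchbase Lite all sit on SQLite: look at every table's columns."""
    hits = []
    con = sqlite3.connect(f"file:{fpath}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            for c in cols:
                if SENSITIVE_RE.search(c):
                    for (val,) in con.execute(f'SELECT "{c}" FROM "{t}" LIMIT 50'):
                        hits.append((f"{t}.{c}", val))
    except sqlite3.DatabaseError:
        pass  # encrypted (SQLCipher) or corrupt file: note it and move on
    finally:
        con.close()
    return hits


def scan_container(root):
    """Walk a pulled app container and return (file, location, value) findings."""
    findings = []
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            with open(p, "rb") as f:
                head = f.read(16)
            if head.startswith(b"SQLite format 3"):
                findings += [(p, loc, v) for loc, v in scan_sqlite(p)]
            elif head.startswith(b"bplist") or name.endswith(".plist"):
                findings += [(p, loc, v) for loc, v in scan_plist(p)]
    return findings


def demo():
    """Constructed container: one binary plist and one Core-Data-style SQLite file (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="ios-container-")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        plistlib.dump(
            {"username": "alice", "authToken": "eyJhbGciOi.AAAA.BBBB", "theme": "dark"},
            f, fmt=plistlib.FMT_BINARY,
        )
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    con = sqlite3.connect(os.path.join(docs, "Model.sqlite"))
    con.execute("CREATE TABLE ZUSER (Z_PK INTEGER, ZNAME TEXT, ZPASSWORD TEXT)")
    con.execute("INSERT INTO ZUSER VALUES (1, 'alice', 'hunter2')")
    con.commit()
    con.close()
    return scan_container(root)


if __name__ == "__main__":
    for path, loc, val in demo():
        print(f"{path}: {loc} = {val!r}")
```

Running it against the constructed container reports the JWT-looking value under /authToken in the plist and the ZPASSWORD column of the Core Data table. Files that fail to open as SQLite are often SQLCipher databases; those go on the list for the Broken Cryptography section (where is the key?) rather than being skipped silently in a real engagement.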
Keyboards
- Does the application allow third-party (custom) keyboards? Sensitive fields should refuse them (shouldAllowExtensionPointIdentifier for UIApplicationKeyboardExtensionPointIdentifier) and use secureTextEntry.
- Check whether sensitive input ends up in the keyboard's autocorrect/predictive-text cache files.
Logs
- Check whether sensitive data is written to the device log (NSLog/os_log output, visible with idevicesyslog or the Console app).
Backups
- When a backup is restored to the phone, some (security-related) functionality can be bypassed while the restored configuration is loaded; editing a backup before restoring it is a way to modify the application's configuration.
- Backups can also be used to read sensitive data the app saved in its file system (see the Data Storage items above). Files the app marks with NSURLIsExcludedFromBackupKey are left out of the backup.
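Finding an app's files inside an unencrypted backup is the first step for both items above. The script below is an added example, not part of the original checklist. It assumes the iOS 10+ backup layout: Manifest.db has a Files table (fileID, domain, relativePath, flags, file), each file lives at <backup>/<fileID[:2]>/<fileID>, and fileID is SHA1("<domain>-<relativePath>"). The bundle ID is a placeholder and the backup it reads is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import sqlite3
import tempfile

BUNDLE_ID = "com.example.app"  # placeholder for the app under test


def backup_file_id(domain, relative_path):
    """On-disk name of a backed-up file: SHA1 of "<domain>-<relativePath>"."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def list_app_files(backup_dir, bundle_id):
    """Return the files of one app recorded in Manifest.db, with their on-disk location."""
    manifest = os.path.join(backup_dir, "Manifest.db")
    con = sqlite3.connect(f"file:{manifest}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT fileID, domain, relativePath, flags FROM Files "
            "WHERE domain = ? ORDER BY relativePath",
            (f"AppDomain-{bundle_id}",),
        ).fetchall()
    finally:
        con.close()
    out = []
    for file_id, domain, rel, flags in rows:
        if flags != 1:  # 1 = regular file, 2 = directory, 4 = symlink
            continue
        on_disk = os.path.join(backup_dir, file_id[:2], file_id)
        out.append({
            "relativePath": rel,
            "fileID": file_id,
            "path": on_disk,
            "exists": os.path.exists(on_disk),
            # A mismatch here means the manifest was edited or the layout is not the iOS 10+ one.
            "id_matches": file_id == backup_file_id(domain, rel),
        })
    return out


def demo():
    """Constructed unencrypted backup: a Manifest.db with two rows and one file on disk (sample data)."""
    backup = tempfile.mkdtemp(prefix="ios-backup-")
    domain = f"AppDomain-{BUNDLE_ID}"
    rel = "Library/Preferences/com.example.app.plist"
    fid = backup_file_id(domain, rel)
    con = sqlite3.connect(os.path.join(backup, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    con.execute("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
                (backup_file_id(domain, "Library"), domain, "Library", 2))
    con.execute("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)", (fid, domain, rel, 1))
    con.commit()
    con.close()
    os.makedirs(os.path.join(backup, fid[:2]))
    with open(os.path.join(backup, fid[:2], fid), "wb") as f:
        f.write(b"<plist><dict><key>authToken</key><string>constructed</string></dict></plist>")
    return list_app_files(backup, BUNDLE_ID)


if __name__ == "__main__":
    for entry in demo():
        print(entry["relativePath"], "->", entry["path"], "exists:", entry["exists"])
```

The same mapping works in reverse when modifying a backup: change the file under its hashed name, keep the Manifest.db row consistent, and restore. The app-group container (domain AppDomainGroup-...) and plugin containers are separate domains and need their own query.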
Applications Memory
- Dump and inspect the running application's memory for sensitive information (credentials, tokens, decrypted data that should not linger).
Broken Cryptography
- Check for the use of outdated or weak algorithms (for example, ECB mode, MD5/SHA-1 for integrity, hardcoded IVs) to transfer or store sensitive data.
- Hook and monitor cryptographic operations at runtime (CommonCrypto/CryptoKit calls) to see what is actually encrypted and with what.
- Check whether the keys or passwords used for cryptography can be recovered: hardcoded in the binary, stored in files, or derived from predictable values.
Local Authentication
- If the application uses local authentication (Touch ID / Face ID / passcode), check how the result is enforced.
- If it relies only on the boolean handed back by the LocalAuthentication framework (LAContext evaluatePolicy), it can be readily defeated: the decision is made in the app's own process. A robust design ties the secret to a keychain item protected with an access-control flag such as kSecAccessControlBiometryCurrentSet, so that without a successful biometric there is no key at all.
- If the function being used can be dynamically overridden, write a Frida script that hooks it and forces a successful result.
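The Frida script the last item refers to, as an added example that is not part of the original checklist. It uses frida-python on the host to hook -[LAContext evaluatePolicy:localizedReason:reply:] in the running app and rewrite the reply block so the app is told authentication succeeded. It assumes frida-python is installed, a jailbroken device or a frida-gadget-injected app is reachable over USB, and the process name passed on the command line is the app under test (a placeholder here). If the app gates a keychain item with an access-control flag instead, the hook changes nothing, which is exactly the distinction the checklist item is about.

```python
import sys

# JavaScript delivered to the target. For an ObjC method, args[0] is self, args[1] the
# selector, args[2] the LAPolicy, args[3] the NSString reason and args[4] the reply block.
HOOK_JS = r"""
if (!ObjC.available) { throw new Error('Objective-C runtime not available'); }
var LAContext = ObjC.classes.LAContext;
Interceptor.attach(LAContext['- evaluatePolicy:localizedReason:reply:'].implementation, {
  onEnter: function (args) {
    var policy = args[2].toInt32();
    var reason = new ObjC.Object(args[3]).toString();
    var reply = new ObjC.Block(args[4]);
    var original = reply.implementation;
    reply.implementation = function (success, error) {
      send({policy: policy, reason: reason, realResult: success});
      // Lie to the app: report the forced result and no error object.
      original(FORCE_RESULT, null);
    };
  }
});
"""


def build_script(force_result=True):
    """Return the hook script with the forced reply value (true/false) substituted in."""
    return HOOK_JS.replace("FORCE_RESULT", "true" if force_result else "false")


def on_message(message, data):
    """Print what the app really got back before we overwrote it."""
    if message.get("type") == "send":
        p = message["payload"]
        print(f"[*] evaluatePolicy policy={p['policy']} reason={p['reason']!r} "
              f"real={p['realResult']} -> forced")
    else:
        print("[!]", message)


def run(process_name, force_result=True):
    import frida  # imported here so build_script() stays usable without the device tooling
    device = frida.get_usb_device(timeout=5)
    session = device.attach(process_name)
    script = session.create_script(build_script(force_result))
    script.on("message", on_message)
    script.load()
    print("[*] hook installed; trigger the biometric prompt in the app, Ctrl-C to stop")
    sys.stdin.read()


if __name__ == "__main__":
    # Placeholder process name; pass the real one as the first argument.
    run(sys.argv[1] if len(sys.argv) > 1 else "ExampleApp")
```

Cancel the system prompt when it appears: if the protected screen still opens, the app trusts the boolean alone. If the app first calls canEvaluatePolicy:error: and falls back to another path when biometrics are unavailable, hook that method too and check the fallback with the same rigour.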
Sensitive Functionality Exposure Through IPC
- Custom URI Handlers / Deeplinks / Custom Schemes
- Examine whether the application registers any custom URL schemes (CFBundleURLTypes in Info.plist).
- Check whether the application is registered to use (query or open) any external scheme.
- Determine whether the application expects to receive sensitive data through its custom scheme: iOS does not arbitrate scheme ownership, so another app registering the same scheme can intercept it.
- Check whether the application validates and sanitises the input arriving through the custom scheme; missing validation is a common source of vulnerabilities.
- Determine whether the application exposes sensitive actions that another app can trigger through the custom scheme.
- Universal Links
- Check whether the application registers universal links (associated-domains entitlement with applinks: entries).
- Examine the apple-app-site-association file served by each associated domain, paying attention to wildcard path rules.
- Check whether the application validates and sanitises the URL it receives in its universal-link handler.
- Determine whether the application exposes sensitive actions reachable through a universal link from another app or a web page.
- UIActivity Sharing
- Determine whether the application accepts UIActivity items and whether a specially crafted activity can trigger vulnerabilities.
- UIPasteboard
- Examine the application to check whether it copies anything to the system's general pasteboard or uses the data found there.
- Monitor the pasteboard to check whether any sensitive information is copied to it.
- App Extensions
- Does the application ship any app extensions? Extensions share data with the containing app and widen its attack surface.
- WebViews
- Identify the type of webview used (UIWebView is deprecated and offers no control over JavaScript; WKWebView; SFSafariViewController).
- Check whether javaScriptEnabled, javaScriptCanOpenWindowsAutomatically and hasOnlySecureContent are set appropriately.
- Check whether the webview can load local files through the file:// scheme (allowUniversalAccessFromFileURLs, allowFileAccessFromFileURLs).
- Check whether JavaScript can reach native code (JSContext in UIWebView, WKScriptMessageHandler/postMessage in WKWebView).
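Enumerating the custom-scheme and universal-link entry points from the Custom URI Handlers and Universal Links items above is static work: read CFBundleURLTypes from Info.plist and the applinks rules from apple-app-site-association. The script below is an added example, not part of the original checklist. It parses a constructed Info.plist and a constructed AASA file (both legacy "paths" and the iOS 13+ "components" form), and flags the two things worth looking at first: a claimed scheme that collides with one the system reserves, and a wildcard universal-link rule that sends every path on the domain into the app. The associated-domains entitlement lives in the app's entitlements, not Info.plist, and is not parsed here.

```python
import json
import plistlib

# Schemes Apple handles itself; an app claiming one in CFBundleURLTypes is a finding.
RESERVED_SCHEMES = {"http", "https", "mailto", "tel", "sms", "facetime", "file"}


def url_schemes(info_plist):
    """List custom URL schemes declared in Info.plist (CFBundleURLTypes)."""
    info = plistlib.loads(info_plist)
    out = []
    for entry in info.get("CFBundleURLTypes", []):
        for scheme in entry.get("CFBundleURLSchemes", []):
            out.append({
                "scheme": scheme.lower(),
                "name": entry.get("CFBundleURLName", ""),
                "role": entry.get("CFBundleTypeRole", "Editor"),
            })
    return out


def aasa_rules(aasa):
    """Flatten applinks rules from an AASA file: legacy "paths" and iOS 13+ "components"."""
    doc = json.loads(aasa)
    rules = []
    for detail in doc.get("applinks", {}).get("details", []):
        app_ids = detail.get("appIDs") or ([detail["appID"]] if "appID" in detail else [])
        for p in detail.get("paths", []):  # legacy: "NOT /x/*" excludes a path
            excluded = p.startswith("NOT ")
            path = p[4:] if excluded else p
            rules.append({"appIDs": app_ids, "path": path, "excluded": excluded})
        for c in detail.get("components", []):  # newer: {"/": "/x/*", "?": {...}, "exclude": true}
            rules.append({"appIDs": app_ids, "path": c.get("/", "*"),
                          "excluded": bool(c.get("exclude", False))})
    for r in rules:
        r["wildcard"] = r["path"] in ("*", "/*") and not r["excluded"]
    return rules


def audit(info_plist, aasa):
    """Combine both sources into the list of entry points a tester should exercise."""
    schemes = url_schemes(info_plist)
    rules = aasa_rules(aasa)
    return {
        "schemes": schemes,
        "reserved_scheme_collisions": [s["scheme"] for s in schemes if s["scheme"] in RESERVED_SCHEMES],
        "link_rules": rules,
        "wildcard_links": [r["path"] for r in rules if r["wildcard"]],
    }


def demo():
    """Constructed Info.plist and AASA for a hypothetical com.example.app (sample data)."""
    info_plist = plistlib.dumps({
        "CFBundleIdentifier": "com.example.app",
        "CFBundleURLTypes": [{
            "CFBundleURLName": "com.example.app",
            "CFBundleTypeRole": "Editor",
            "CFBundleURLSchemes": ["exampleapp", "http"],
        }],
    })
    aasa = json.dumps({"applinks": {"apps": [], "details": [
        {"appID": "ABCDE12345.com.example.app", "paths": ["/buy/*", "NOT /help/*"]},
        {"appIDs": ["ABCDE12345.com.example.app"], "components": [
            {"/": "/pay/*", "?": {"token": "?*"}},  # query "token" must be present
            {"/": "*", "comment": "catch-all: every path on the domain opens the app"},
        ]},
    ]}}).encode()
    return audit(info_plist, aasa)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each scheme and each non-excluded path rule is then an input to fuzz from another app (openURL:) or from a web page, with the validation and "sensitive action" items above as the questions to answer for every one of them.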
Network Communication
- Run a MitM on the communication and test the backend for web vulnerabilities.
- Check for certificate pinning and whether it can be bypassed (for example, by hooking the pinning check).
- Check that the server certificate's hostname is validated, not just the certificate chain.
Misc
- Check any automatic patching or updating features: code fetched at runtime can be tampered with in transit and bypasses review.
- Check third-party libraries for known vulnerabilities.
Reference:
https://book.hacktricks.xyz/mobile-pentesting/ios-pentesting-checklist
https://hacktricks.boitatech.com.br/mobile-apps-pentesting/ios-pentesting-checklist
For further clarifications or support, please write to contact@paradigmitcyber.com