RANDORISEC Mobile Hacking iOS Assessing Apps Cheatsheet v1.1

This document provides an overview of assessing iOS mobile applications. It outlines main steps such as reviewing code, running the app, dynamic instrumentation, and analyzing network communications. It also lists OWASP mobile security projects and common tools used for iOS assessment like Frida, Objection, Impactor, and BurpSuite.

MOBILE HACKING iOS CHEATSHEET

ASSESSING MOBILE APPLICATIONS V1.1

MAIN STEPS
§ Review the codebase
§ Run the app
§ Dynamic instrumentation
§ Analyze network communications

OWASP MOBILE SECURITY PROJECTS
§ Mobile Security Testing Guide: https://github.com/OWASP/owasp-mstg
§ Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
§ Mobile Security Checklist: https://github.com/OWASP/owasp-mstg/tree/master/Checklists

TOOLS
§ Frida
§ Objection
§ Impactor
§ BurpSuite
§ Wireshark
§ Fsmon

Filesystem

/User/Library/FrontBoard/applicationState.db
• App list database
/private/var/containers/Bundle/Application/UUID/App.app
• Binary directory: includes all the static resources of the app
/private/var/containers/Bundle/Application/UUID/App.app/App
• Path of the binary (executable)
/private/var/containers/Bundle/Application/UUID/App.app/Info.plist
• App metadata: configuration of the app (icon to display, supported document types, etc.)
/private/var/mobile/Containers/Data/Application/Data-UUID
• Data directory

UUID (Universally Unique Identifier): a random 36-character alphanumeric string, unique to the app
Data-UUID: a random 36-character alphanumeric string, unique to the app

Bundle ID

The bundle ID is the app's unique identifier (e.g. for YouTube: com.google.ios.youtube)

How to find the data and binary directories

Grep is the quick 'n dirty way to find the data and binary directories of your app
iPhone:~ root# grep -r <App_name> /private/var/*

How to find the data and binary directories and the Bundle ID

By launching Frida with the ios-app-info script
# frida -U <App_name> -c dki/ios-app-info
And then
[iPhone::App]-> appInfo()
Or manually by opening the app list database
iPhone:~ root# sqlite3 /User/Library/FrontBoard/applicationState.db
And displaying the key_tab table to get the binary directories
sqlite> select * from key_tab;
Or displaying the application_identifier_tab table to get the bundle IDs
sqlite> select * from application_identifier_tab;

App decryption

1. Add the https://level3tjg.me/repo source to Cydia and install the bfdecrypt tool
2. Go to the bfdecrypt pref pane in Settings and set the app to decrypt
3. Launch the app to decrypt: the decrypted IPA is stored in the Documents folder of the app

Dynamic analysis with Frida

List all processes
# frida-ps -U
Analyse the calls to a method by launching Frida with the objc-method-observer script
# frida -U <App_name> -c mrmacete/objc-method-observer
And then using the command 'observeSomething'
[iPhone::App]-> observeSomething('*[* *<Method_name>*]');
Hook the calls to the method <Method_name>
# frida-trace -U <App_name> -m "-[* <Method_name>*]"
Then open the JavaScript handler file to edit the onEnter or onLeave functions to manipulate the behavior of the app

Dynamic analysis with Objection

Inject objection
objection -g "<App_name>" explore
List the classes (output will contain thousands of lines)
ios hooking list classes
List the methods of a class
ios hooking list class_methods <Class_name>
Search for classes|methods names containing <String>
ios hooking search classes|methods <String>
Analyse the calls to the method <Method_name>
ios hooking watch method "-[<Class_name> <Method_name>]"
Hook the <Method_name> and return true to each call
ios hooking set return_value "-[<Class_name> <Method_name>]" true

Get the NSLog (syslog)

Impactor (http://www.cydiaimpactor.com) lets you display the NSLog (syslog) on the command line
# ./Impactor idevicesyslog -u <UDID>

Monitor filesystem access

Fsmon (https://github.com/nowsecure/fsmon) lets you monitor which files are accessed
iPhone:~ root# fsmon-ios -P <App_name>
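Reviewing Info.plist offline, as an added example that is not part of the RANDORISEC cheatsheet: the script below reads the metadata file the Filesystem section points at (App.app/Info.plist), pulls the bundle ID and executable name, derives the binary path in the layout listed above, and flags App Transport Security exceptions that permit cleartext HTTP. It uses the real Info.plist keys CFBundleIdentifier, CFBundleExecutable and NSAppTransportSecurity; the sample bundle it writes into a temporary directory is constructed for this example.

```python
"""Added example (not the cheatsheet's own code): offline triage of an extracted
.app bundle's Info.plist during the "review the codebase" step."""
import os
import plistlib
import tempfile

# Constructed Info.plist for the sample bundle: a made-up bundle ID plus an ATS
# exception block of the kind worth flagging during review.
SAMPLE_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.sampleapp",
    "CFBundleExecutable": "SampleApp",
    "CFBundleShortVersionString": "1.0",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True},
            "api.example.com": {"NSExceptionMinimumTLSVersion": "TLSv1.2"},
        },
    },
}


def build_sample_bundle(root=None):
    """Write SAMPLE_INFO_PLIST into <root>/SampleApp.app and return the .app path."""
    root = root or tempfile.mkdtemp(prefix="ios-triage-")
    app_dir = os.path.join(root, "SampleApp.app")
    os.makedirs(app_dir, exist_ok=True)
    with open(os.path.join(app_dir, "Info.plist"), "wb") as fh:
        plistlib.dump(SAMPLE_INFO_PLIST, fh)
    return app_dir


def ats_findings(info):
    """Return findings for ATS settings that weaken transport security."""
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled app-wide, cleartext HTTP allowed")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads allows cleartext HTTP")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS version lowered to {rules['NSExceptionMinimumTLSVersion']}")
    return findings


def triage_app_bundle(app_dir):
    """Parse Info.plist from an extracted .app directory and summarise what a reviewer needs first."""
    with open(os.path.join(app_dir, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    executable = info["CFBundleExecutable"]
    return {
        "bundle_id": info["CFBundleIdentifier"],
        "executable": executable,
        # Path of the binary inside the bundle, as laid out on the device.
        "binary_path": os.path.join(app_dir, executable),
        "ats_findings": ats_findings(info),
    }


if __name__ == "__main__":
    for key, value in triage_app_bundle(build_sample_bundle()).items():
        print(f"{key}: {value}")
```

Point triage_app_bundle() at the .app directory copied from the binary directory above, or at Payload/<App>.app from an unzipped IPA. NSAllowsArbitraryLoads and per-domain insecure-load exceptions are worth cross-checking later against the network capture, since they are the usual reason an app's traffic appears in Burp over plain HTTP.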

CC BY-SA 4.0 • [email protected] • https://www.randorisec.fr Version 1.1 • Updated: 2023-03 The OWASP brand is the property of the OWASP Foundation. OWASP does not endorse any product, services or tools.

OWASP MOBILE APPLICATION SECURITY
§ Mobile Application Security Testing Guide: https://mas.owasp.org/MASTG/
§ Mobile Application Security Verification Standard: https://mas.owasp.org/MASVS/
§ Mobile Application Security Checklist: https://mas.owasp.org/MAS_checklist/

SSL Interception with BurpSuite

1. Launch Burp and modify the proxy settings in order to listen on "All interfaces"
2. Browse to the IP/port of your Burp proxy using Safari
3. Tap on the "CA Certificate" at the top right of the screen
4. Tap on "Allow" on the pop-up asking to download a configuration profile
5. Go to "Settings->Profile Downloaded" and select the "PortSwigger CA" profile
6. Tap on "Install", then "Install" again, and then "Install" one last time
7. Edit the wireless network settings on your device to set a proxy ("Settings->Wi-Fi", then tap on the blue "i", slide to the bottom of the screen and tap on "Configure Proxy")
8. Tap on "Manual", set the IP/port of your Burp proxy, tap on "Save"
9. Go to "Settings->General->About->Certificate Trust Settings" & toggle on the PortSwigger CA

Bypass SSL Pinning using SSL Kill Switch 2

Download and install the SSL Kill Switch 2 tweak
# wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
# dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb
# killall -HUP SpringBoard
Go to "Settings->SSL Kill Switch 2" to "Disable Certificate Validation"

UDID (Unique Device Identifier)

UDID is a string that is used to identify a device. It is needed for some operations like signature, app installation and network monitoring

Sideloading an app with IPAPatch

Sideloading an app including an instrumentation library like Frida lets you interact with the app even if it's installed on a non-jailbroken device.
1. Clone the IPAPatch project
# git clone https://github.com/Naituw/IPAPatch
2. Move the IPA of the app you want to sideload to the Assets directory
# mv <IPAfile> IPAPatch/Assets/
3. Download the FridaGadget library (in Assets/Dylibs/FridaGadget.dylib)
# curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
4. Select the identity to sign the app
# security find-identity -p codesigning -v
5. Sign the FridaGadget library
# codesign -f -s <IDENTITY> FridaGadget.dylib
6. Then open the IPAPatch Xcode project, Build and Run.

Sideloading an app with Objection

(detailed steps on https://github.com/sensepost/objection/wiki/Patching-iOS-Applications)
# security find-identity -p codesigning -v
# objection patchipa --source <IPAfile> --codesign-signature <IDENTITY>
# unzip <patchedIPAfile>
# ios-deploy --bundle Payload/my-app.app -W -d
# objection explore
Get UDID with MacOS
# idevice_id -l
Get UDID with Linux
# usbfluxctl list

Network capture (works also on non-jailbroken devices)

MacOS (install Xcode and additional tools and connect the device with USB)
# rvictl -s <UDID>
# tcpdump or tshark or wireshark -i rvi0
Linux (get https://github.com/gh2o/rvi_capture and connect the device with USB)
# ./rvi_capture.py --udid <UDID> iPhone.pcap

Data Protection Class

Four levels are provided by iOS to automatically encrypt files on the device:
1. NSProtectionComplete: the file is only accessible when the device is unlocked (files are encrypted with a key derived from the user PIN code & an AES key generated by the device)
2. NSProtectionCompleteUntilFirstUserAuthentication (default class): same as before, but the decryption key is not deleted when the device is locked
3. ProtectedUnlessOpen: the file is accessible until open
4. NoProtection: the file is accessible even if the device is locked

Get Data Protection Class

By launching Frida with the ios-dataprotection script
# frida -U <App_name> -c ay-kay/ios-dataprotection
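Sorting a capture from rvictl/tcpdump or rvi_capture.py into cleartext and TLS destinations, as an added example rather than code from the cheatsheet: the parser below walks a classic pcap file with no third-party libraries, handles Ethernet (link type 1) and raw IPv4 (link type 101) records, and stops with the link type reported on anything else rather than misreading it (captures taken directly on rvi0 may carry Apple's PKTAP link type, which it does not decode). The sample capture is constructed inline with documentation addresses (192.0.2.1 as the device, 203.0.113.0/24 as servers).

```python
"""Added example, not the cheatsheet's own code: an offline pass over a pcap from
the "analyze network communications" step, separating cleartext HTTP requests
from TLS handshakes per destination."""
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
TLS_HANDSHAKE_PREFIXES = (b"\x16\x03\x01", b"\x16\x03\x03")  # record type 22, version 1.0 / 1.2


def parse_ipv4_tcp(ip_packet):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip_packet[12:16])
    dst = ".".join(str(b) for b in ip_packet[16:20])
    tcp = ip_packet[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def iter_ip_packets(pcap_bytes):
    """Yield the IP packet of every record, honouring the file's byte order and link type."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype not in (LINKTYPE_ETHERNET, LINKTYPE_RAW):
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if linktype == LINKTYPE_ETHERNET:
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 ethertypes
                continue
            frame = frame[14:]
        yield frame


def classify_traffic(pcap_bytes):
    """Summarise cleartext HTTP requests and TLS handshakes by destination host:port."""
    summary = {"cleartext_http": [], "tls": set()}
    for ip_packet in iter_ip_packets(pcap_bytes):
        parsed = parse_ipv4_tcp(ip_packet)
        if parsed is None:
            continue
        _, dst, _, dport, payload = parsed
        if payload.startswith(HTTP_METHODS):
            request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            summary["cleartext_http"].append((f"{dst}:{dport}", request_line))
        elif payload.startswith(TLS_HANDSHAKE_PREFIXES):
            summary["tls"].add(f"{dst}:{dport}")
    return summary


def build_ipv4_tcp_packet(src, dst, sport, dport, payload):
    """Minimal IPv4+TCP packet for the constructed capture (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp


def build_sample_pcap():
    """Constructed little-endian pcap (raw IPv4 link type): one HTTP request, one TLS handshake start."""
    packets = [
        build_ipv4_tcp_packet("192.0.2.1", "203.0.113.10", 50000, 80,
                              b"GET /config HTTP/1.1\r\nHost: legacy.example.com\r\n\r\n"),
        build_ipv4_tcp_packet("192.0.2.1", "203.0.113.20", 50001, 443,
                              b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for pkt in packets:
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    print(classify_traffic(build_sample_pcap()))
```

Run classify_traffic() over the bytes of iPhone.pcap: every entry under cleartext_http is a request the app sent without TLS, which is the finding to pair with any NSAllowsArbitraryLoads exception found in Info.plist, while the tls set lists the endpoints that will need the Burp CA (or SSL Kill Switch 2 if the app pins) before their content can be inspected.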
