
Mobile Hacking iOS Cheatsheet v1.0

This document provides a cheat sheet for assessing mobile applications. It outlines the main steps which include reviewing the codebase, running the app, and using dynamic instrumentation. It also lists relevant OWASP mobile security projects and common tools used like Frida, Objection, and BurpSuite.


Mobile Hacking CHEAT SHEET

ASSESSING MOBILE APPLICATIONS V1.0


MAIN STEPS
• Review the codebase
• Run the app
• Dynamic instrumentation
• Analyze network communications

OWASP MOBILE SECURITY PROJECTS
Mobile Security Testing Guide
• https://github.com/OWASP/owasp-mstg
Mobile Application Security Verification Standard
• https://github.com/OWASP/owasp-masvs
Mobile Security Checklist
• https://github.com/OWASP/owasp-mstg/tree/master/Checklists

TOOLS
• Frida
• Objection
• Impactor
• BurpSuite
• Wireshark

Filesystem

/User/Library/FrontBoard/applicationState.db
• App list database
/private/var/containers/Bundle/Application/UUID/App.app
• Binary directory: includes all the static resources of the app
/private/var/containers/Bundle/Application/UUID/App.app/App
• Path of the binary (executable)
/private/var/containers/Bundle/Application/UUID/App.app/Info.plist
• App metadata: configuration of the app (icon to display, supported document types, etc.)
/private/var/mobile/Containers/Data/Application/Data-UUID
• Data directory
UUID (Universally Unique Identifier): random 36-character alphanumeric string unique to the app
Data-UUID: random 36-character alphanumeric string unique to the app

Bundle ID
The bundle ID represents the app's unique identifier (e.g. for YouTube)
com.google.ios.youtube

How to find the data and binary directories
Grep is the not-so-quick 'n dirty way to find where the data and binary directories of your app are
iPhone:~ root# grep -r <App_name> /private/var/*

How to find the data and binary directories and the Bundle ID
By launching Frida with the ios-app-info script
# frida -U <App_name> -c dki/ios-app-info
And then
[iPhone::App]-> appInfo()
Or manually by opening the app list database
iPhone:~ root# sqlite3 /User/Library/FrontBoard/applicationState.db
And displaying the key_tab table to get the binary directories
sqlite> select * from key_tab;
Or displaying the application_identifier_tab table to get the bundle IDs
sqlite> select * from application_identifier_tab;

App decryption

1. Add https://level3tjg.xyz/repo/ as a source in Cydia and install the bfdecrypt tool
2. Go to the bfdecrypt pref pane in Settings and set the app to decrypt
3. Launch the app to decrypt: the decrypted IPA is stored in the Documents folder of the app

Dynamic analysis with Frida

List all processes
# frida-ps -U
Analyse the calls to a method by launching Frida with the objc-method-observer script
# frida -U <App_name> -c mrmacete/objc-method-observer
And then using the command 'observeSomething'
[iPhone::App]-> observeSomething('*[* *<Method_name>*]');
Hook the calls to the method <Method_name>
# frida-trace -U <App_name> -m "-[* <Method_name>*]"
Then open the JavaScript handler file to edit the onEnter or onLeave functions to manipulate the behavior of the app

Dynamic analysis with Objection

Inject objection
objection -g "<App_name>" explore
List the classes (output will contain thousands of lines)
ios hooking list classes
List the methods of a class
ios hooking list class_methods <Class_name>
Search for class or method names containing <String>
ios hooking search classes|methods <String>
Analyse the calls to the method <Method_name>
ios hooking watch method "-[<Class_name> <Method_name>]"
Hook <Method_name> and return true to each call
ios hooking set return_value "-[<Class_name> <Method_name>]" true

Get the NSLog (syslog)

Impactor (http://www.cydiaimpactor.com) lets you display the NSLog (syslog) on the command line
# ./Impactor idevicesyslog -u <UDID>

CC BY-SA 4.0 • [email protected] • https://www.randorisec.fr The OWASP brand is the property of the OWASP Foundation. OWASP does not endorse any product, services or tools.
Version 1.0 • Updated: 2021-08 Template: https://rstudio.com/resources/cheatsheets/how-to-contribute-a-cheatsheet/ Background psd created by rawpixel.com – https://www.freepik.com

SSL Interception with BurpSuite

1. Launch Burp and modify the proxy settings in order to listen on "All interfaces"
2. Browse to the IP/port of your Burp proxy using Safari
3. Tap on "CA Certificate" at the top right of the screen
4. Tap on "Allow" on the pop-up asking to download a configuration profile
5. Go to "Settings->Profile Downloaded" and select the "PortSwigger CA" profile
6. Tap on "Install", then "Install" again, and then "Install" one last time
7. Edit the wireless network settings on your device to set a proxy ("Settings->Wi-Fi", then tap on the blue "i", slide to the bottom of the screen and tap on "Configure Proxy")
8. Tap on "Manual", set the IP/port of your Burp proxy, tap on "Save"
9. Go to "Settings->General->About->Certificate Trust Settings" and toggle on the PortSwigger CA

Sideloading an app

Sideloading an app including an instrumentation library like Frida lets you interact with the app even if it's installed on a non-jailbroken device.
Here's the process to do it with IPAPatch:
1. Clone the IPAPatch project
# git clone https://github.com/Naituw/IPAPatch
2. Move the IPA of the app you want to sideload to the Assets directory
# mv <IPAfile> IPAPatch/Assets/
3. Download the FridaGadget library (into Assets/Dylibs/FridaGadget.dylib)
# curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
4. Select the identity to sign the app
# security find-identity -p codesigning -v
5. Sign the FridaGadget library
# codesign -f -s <IDENTITY> FridaGadget.dylib
6. Then open the IPAPatch Xcode project, Build and Run.
Here's the process to do it with Objection (detailed steps on https://github.com/sensepost/objection/wiki/Patching-iOS-Applications):
# security find-identity -p codesigning -v
# objection patchipa --source <IPAfile> --codesign-signature <IDENTITY>
# unzip <patchedIPAfile>
# ios-deploy --bundle Payload/my-app.app -W -d
# objection explore

Bypass SSL Pinning using SSL Kill Switch 2

Download and install the SSL Kill Switch 2 tweak
# wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
# dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb
# killall -HUP SpringBoard
Go to "Settings->SSL Kill Switch 2" and enable "Disable Certificate Validation"
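The two SSL sections above work because the app relies on the system trust store alone: once the Burp CA profile is trusted, a proxy-issued certificate passes chain validation, and SSL Kill Switch 2 exists precisely because some apps add a second check. The following is an added example of that second check in Swift; it is not part of the cheat sheet and not code from any of the tools listed. It pins the SHA-256 of the server's leaf certificate after normal validation. The class name `PinnedSessionDelegate`, the helper `makePinnedSession` and the hash value are assumptions and placeholders; a real deployment ships the digests of its own API host.

```swift
import Foundation
import CryptoKit

// Added example (not from the cheat sheet): a URLSession delegate that pins the
// leaf certificate by SHA-256 after the platform's own chain validation, so a
// certificate minted by an interception proxy is refused even when its CA has
// been trusted in Settings. Names and hash values below are assumptions.

final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Lowercase hex SHA-256 digests of the DER-encoded leaf certificates we accept.
    /// Ship at least two (current + next) so a certificate rotation cannot lock users out.
    private let pinnedLeafHashes: Set<String>

    init(pinnedLeafHashes: Set<String>) {
        self.pinnedLeafHashes = pinnedLeafHashes
        super.init()
    }

    /// SHA-256 of a certificate's DER bytes, rendered as lowercase hex.
    static func sha256Hex(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are pinned; anything else keeps the default behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: the platform checks (expiry, hostname, trusted root) still have to pass.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the pin. SecTrustCopyCertificateChain needs iOS 15+; index 0 is the leaf.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedLeafHashes.contains(Self.sha256Hex(of: leaf)) else {
            // A proxy-issued certificate can pass step 1 once its CA is trusted,
            // but it can never match one of the pinned digests.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Builds a session whose every request goes through the pinning delegate.
func makePinnedSession(pins: Set<String>) -> URLSession {
    return URLSession(configuration: .ephemeral,
                      delegate: PinnedSessionDelegate(pinnedLeafHashes: pins),
                      delegateQueue: nil)
}

// Usage: the digest below is a constructed placeholder, not a real server's.
let pinnedSession = makePinnedSession(pins: [
    "0000000000000000000000000000000000000000000000000000000000000000"
])
```

Pinning the leaf certificate is the simplest variant; pinning the SubjectPublicKeyInfo hash instead survives a reissue of the same key, at the cost of a little more parsing. Either way the check runs after `SecTrustEvaluateWithError`, never instead of it, so hostname and expiry validation are not weakened.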
UDID (Unique Device Identifier)

UDID is a string that is used to identify a device. Needed for some operations like signature, app installation, network monitoring
Get UDID with MacOS
# ioreg -p IOUSB -l | grep "USB Serial"
Get UDID with Linux
# lsusb -s :`lsusb | grep iPhone | cut -d ' ' -f 4 | sed 's/://'` -v | grep iSerial | awk '{print $3}'

Network capture (works also on non-jailbroken devices)

MacOS (install Xcode and additional tools and connect the device with USB)
# rvictl -s <UDID>
# tcpdump or tshark or wireshark -i rvi0
Linux (get https://github.com/gh2o/rvi_capture and connect the device with USB)
# ./rvi_capture.py --udid <UDID> iPhone.pcap

Data Protection Class

Four levels are provided by iOS to encrypt files on the device automatically:
1. NSProtectionComplete: file is only accessible when the device is unlocked (files are encrypted with a key derived from the user PIN code & an AES key generated by the device)
2. NSProtectionCompleteUntilFirstUserAuthentication (default class): same as before, but the decryption key is not deleted when the device is locked
3. ProtectedUnlessOpen: file remains accessible once opened
4. NoProtection: file is accessible even if the device is locked

Get Data Protection Class
By launching Frida with the ios-dataprotection script
# frida -U <App_name> -c ay-kay/ios-dataprotection
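The ios-dataprotection script above reports the class from outside the app. The added Swift example below is the developer-side counterpart; it is not part of the cheat sheet or of that script. It writes a sensitive file with NSFileProtectionComplete, reads the class back through `FileManager`, and audits a directory for files that a library or a careless `write` left at the default NSProtectionCompleteUntilFirstUserAuthentication level. The function names, the file name `session-token.bin` and the sample token are assumptions; the attribute key is iOS-only, so the code has to run inside the app.

```swift
import Foundation

// Added example (not from the cheat sheet): set, read back and audit the
// Data Protection class of files in the app's own container. Names and the
// sample file below are assumptions; FileAttributeKey.protectionKey is iOS-only.

enum ProtectionAuditError: Error {
    case attributeUnavailable(String)
}

/// Ordering of the four classes, weakest first, in the cheat sheet's order:
/// NoProtection < ...UntilFirstUserAuthentication < ...UnlessOpen < Complete.
private func rank(_ level: FileProtectionType) -> Int {
    switch level {
    case FileProtectionType.none: return 0
    case .completeUntilFirstUserAuthentication: return 1
    case .completeUnlessOpen: return 2
    case .complete: return 3
    default: return 0   // unknown value: treat as weakest so the audit flags it
    }
}

/// Writes `data` with the strongest class (NSFileProtectionComplete):
/// readable only while the device is unlocked.
func writeCompleteProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Reads back the class iOS actually applied to the file.
func protectionClass(of url: URL) throws -> FileProtectionType {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    if let level = attrs[.protectionKey] as? FileProtectionType { return level }
    if let raw = attrs[.protectionKey] as? String { return FileProtectionType(rawValue: raw) }
    throw ProtectionAuditError.attributeUnavailable(url.path)
}

/// Upgrades an existing file in place (e.g. one a third-party library created at the default class).
func upgradeProtection(of url: URL, to level: FileProtectionType) throws {
    try FileManager.default.setAttributes([.protectionKey: level], ofItemAtPath: url.path)
}

/// Returns every regular file under `directory` whose class is weaker than `required`.
func filesWeakerThan(_ required: FileProtectionType, in directory: URL) throws -> [URL] {
    var weak: [URL] = []
    let keys: [URLResourceKey] = [.isRegularFileKey]
    guard let enumerator = FileManager.default.enumerator(at: directory, includingPropertiesForKeys: keys) else {
        return weak
    }
    for case let url as URL in enumerator {
        let values = try url.resourceValues(forKeys: Set(keys))
        guard values.isRegularFile == true else { continue }
        let level = try protectionClass(of: url)
        if rank(level) < rank(required) {
            weak.append(url)
        }
    }
    return weak
}

/// Usage: store a constructed sample token with complete protection, then audit
/// the Documents directory and upgrade anything weaker than "unless open".
func auditDocumentsDirectory() throws {
    let documents = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let tokenFile = documents.appendingPathComponent("session-token.bin")   // assumed name
    try writeCompleteProtected(Data("constructed-sample-token".utf8), to: tokenFile)

    for url in try filesWeakerThan(.completeUnlessOpen, in: documents) {
        let current = try protectionClass(of: url)
        print("weak protection class on \(url.lastPathComponent): \(current.rawValue)")
        try upgradeProtection(of: url, to: .complete)
    }
}
```

Call `auditDocumentsDirectory()` from app code (for example a debug menu or a unit test on a device); the audit runs against the same Data-UUID container that the Frida script inspects from outside, so the two views should agree.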
