
iOS Pentest Cheatsheet



iOS jailbreaking:

According to Wikipedia,
Jailbreaking refers to privilege escalation on an Apple device to remove software restrictions imposed by Apple on iOS, iPadOS, tvOS, watchOS, and bridgeOS operating systems.

In simple words, jailbreaking is the process by which Apple's operating systems are modified to remove restrictions and give the user greater control over the device. The increased privileges permit customizations and unrestricted app installation that Apple normally prevents and that are not available to ordinary users.

1. Checkra1n (quick and easy method for iOS 13+)

# Visit "https://checkra.in/releases/#all-downloads" and download the build that matches your Linux system.
chmod +x filename_checkra1n
# Attach the iOS device to the Linux system via USB.
./filename_checkra1n
# Click/press Enter on Start and follow the on-screen instructions.
# Done!


2. Unc0ver

# Visit "https://unc0ver.dev/", navigate to the Installation Guide section and download the ipa file.
# Install AltServer and iCloud on the host OS.
# From the taskbar, click the AltServer icon and install AltStore on the iOS device.
# Navigate to "https://www.diawi.com/", upload the ipa file and install the application from the link Diawi provides.
# Open unc0ver and jailbreak!



Access iOS via SSH:

# Install SSH (OpenSSH) on the iOS device, then connect from the host:
ssh root@<device-ip>
# Default SSH password: alpine (applies to the root and mobile accounts; change it after first login)
# Get the frida-server build matching your frida version and the device architecture from https://github.com/frida/frida/releases
scp /root/Downloads/frida_server_ios root@<device-ip>:/frida_server_ios
# On the device, make it executable and start it listening on the port used below: chmod +x /frida_server_ios && /frida_server_ios -l 0.0.0.0:6969
frida-ps -ai -H 192.168.0.109:6969




Automated tools for static and dynamic testing:

Sometimes we need to speed up static and dynamic testing of iOS applications. There are plenty of tools that cover most of the security test cases we need. Here I show the two most popular; of these I especially recommend Grapefruit, which supports frida 14.0+, while PassionFruit does not work with the latest frida versions.

1. Grapefruit
Link : https://github.com/ChiChou/Grapefruit

git clone --recurse-submodules https://github.com/ChiChou/Grapefruit
cd Grapefruit
npm install
npm start

2. PassionFruit
Link : https://github.com/chaitin/passionfruit

npm install -g passionfruit
passionfruit
# listening on http://localhost:31337

3. Mobile Security Framework (MobSF)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
./run.sh




Manual static analysis:

iOS applications frequently store sensitive data on the client side. The steps below pull that data off the device so it can be inspected.

The Bundle directory:
Connect to the device with FileZilla (SFTP over the SSH access above) and browse to /var/containers/Bundle/Application.
Each installed app sits in a directory named by a UUID; match the UUID to the real app name via the .app bundle inside it, e.g. myAppName -> B0A7E81E-6434-4FBD-9089-5C8D1CBF7717.

# from the SSH session on the iOS device
cd /var/containers/Bundle/Application/B0A7E81E-6434-4FBD-9089-5C8D1CBF7717   # the target app's bundle UUID
zip -r Bundle.zip .

The Data directory:
Repeat the same process for the app's data container, which has its own UUID.
Browse in FileZilla to /var/mobile/Containers/Data/Application/

cd /var/mobile/Containers/Data/Application/7953069B-01FB-4D1D-A44B-B5757891FCE3   # the target app's data UUID
zip -r Data.zip .

To download the archives, open http://192.168.0.115:11111/ (the address used in this walkthrough) from the host machine.
Download the zip files and analyse them for sensitive information stored on the client side.
Below are the common locations where app data is found.


BundlePath       : /var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app
CachesDirectory  : /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library/Caches
DocumentDirectory: /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents
LibraryDirectory : /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library

You might also want to look into the SQLite files. You can retrieve their data with the terminal commands below.

sqlite3 name.db               # open one SQLite database (pass a single file; any extra argument is read as SQL)
.tables                       # list the tables
select * from {table_name};   # dump a table; SQL statements end with a semicolon
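As an added worked example (my code, not the author's and not part of any tool named above), here is a Python script that does offline what the steps above describe by hand. Point it at an unpacked Data container (the directory inside Data.zip) and it recurses through Documents/, Library/ and Library/Caches/, identifies SQLite files by their magic header rather than by extension, lists each database's tables, flags columns whose names suggest credentials and string values shaped like tokens, and does the same for .plist files (where NSUserDefaults ends up). The keyword and value patterns are assumptions to tune per engagement; with no argument it builds a constructed sample container in a temp directory so it runs without a device.

```python
import plistlib
import re
import sqlite3
import sys
import tempfile
from pathlib import Path

# Key/column names that often hold credentials (assumed keyword list, not a standard)
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|session|auth|credit|card", re.I)
# Values shaped like JWTs, 32+ hex-char secrets or long base64 blobs (heuristic)
SENSITIVE_VALUE = re.compile(r"^(eyJ[A-Za-z0-9_-]{10,}\.|[A-Fa-f0-9]{32,}$|[A-Za-z0-9+/=]{40,}$)")

def is_sqlite(path: Path) -> bool:
    """Trust the 16-byte magic header, not the extension (.db, .sqlite or none at all)."""
    try:
        with path.open("rb") as f:
            return f.read(16) == b"SQLite format 3\x00"
    except OSError:
        return False

def scan_sqlite(path: Path) -> list[dict]:
    """List tables, then flag sensitive-looking column names and token-like string values."""
    findings = []
    conn = sqlite3.connect(f"file:{path.as_posix()}?mode=ro", uri=True)  # read-only: never alter the evidence copy
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if SENSITIVE_NAME.search(col):
                    findings.append({"file": path.name, "table": table, "column": col, "reason": "column name"})
            for row in conn.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if isinstance(val, str) and SENSITIVE_VALUE.search(val):
                        findings.append({"file": path.name, "table": table, "column": col, "reason": "token-like value"})
    finally:
        conn.close()
    return findings

def scan_plist(path: Path) -> list[dict]:
    """Walk a plist (NSUserDefaults lives in Library/Preferences) for sensitive keys and values."""
    findings = []
    try:
        with path.open("rb") as f:
            data = plistlib.load(f)
    except Exception:  # unparsable plist: skip it rather than abort the whole scan
        return findings

    def walk(node, key_path):
        if isinstance(node, dict):
            for k, v in node.items():
                if SENSITIVE_NAME.search(str(k)):
                    findings.append({"file": path.name, "key": "/".join(key_path + [str(k)]), "reason": "key name"})
                walk(v, key_path + [str(k)])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, key_path + [str(i)])
        elif isinstance(node, str) and SENSITIVE_VALUE.search(node):
            findings.append({"file": path.name, "key": "/".join(key_path), "reason": "token-like value"})

    walk(data, [])
    return findings

def scan_data_container(root: Path) -> list[dict]:
    """Recurse through Documents/, Library/, Library/Caches/, tmp/ ... of one unpacked Data container."""
    findings = []
    for p in (p for p in root.rglob("*") if p.is_file()):
        if is_sqlite(p):
            findings.extend(scan_sqlite(p))
        elif p.suffix == ".plist":
            findings.extend(scan_plist(p))
    return findings

def build_demo_container() -> Path:
    """Constructed sample Data container (fake app, fake secrets) so the script can run offline."""
    data = Path(tempfile.mkdtemp(prefix="ios-triage-")) / "7953069B-DEMO-UUID"
    (data / "Documents").mkdir(parents=True)
    (data / "Library" / "Preferences").mkdir(parents=True)
    conn = sqlite3.connect(data / "Documents" / "app.db")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2');
        CREATE TABLE notes (id INTEGER, body TEXT);
        INSERT INTO notes VALUES (1, 'eyJhbGciOiJIUzI1NiJ9.e30.demo-jwt');""")
    conn.commit()
    conn.close()
    with (data / "Library" / "Preferences" / "com.example.demoapp.plist").open("wb") as f:
        plistlib.dump({"theme": "dark", "apiKey": "0123456789abcdef0123456789abcdef"}, f)
    return data

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_container()  # arg: unpacked Data container
    for finding in scan_data_container(root):
        print(finding)
```

Run it as `python ios_triage.py /path/to/Data/Application/<UUID>` against the extracted container. The database is opened read-only so the evidence copy is never modified, and each finding records the file, table or key path and the reason it was flagged; the script only locates candidate data, so the report still needs to say whether the app should have kept it in the keychain or under a stricter data-protection class instead.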




Ending notes:

Here I have not yet shown the methods or code for biometric bypass of iOS applications or client-side security control bypass. But in future I will update this blog with frida scripts and other iOS application testing methods.


Thanks For Reading
Husseni Muzkkir



References:

https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing


