Awesome iOS Application Security

This is a repository of iOS security resources and tools which can be used in iOS pentesting and security research. It’s a continued effort to provide good quality content on various topics in iOS security. The list will be updated frequently to ensure high quality content and the latest updates in the field of iOS security research.

This is just a compilation of iOS application security resources. We are not promoting these resources in any way. Also, we are sure that there are many more great resources on iOS app security which we missed. If you know of any such resource, please comment below to let us know and we will add it to the list.

Pentesting environment

Host Device

Although a Linux or Windows device should work just fine, many tasks are often quite difficult or totally impossible on these platforms. You are going to need a macOS machine for source code analysis or debugging purposes. A basic setup must include:

  1. macOS machine
  2. Wi-Fi network with client-to-client traffic
  3. One jailbroken iOS device
  4. One interception proxy, ideally Burp Suite

Testing Device

Testing on real device (Jailbroken)

A jailbroken device is ideal for testing as it allows for easy installation of tools and makes the process of security testing much more straightforward. If you don’t have a jailbroken device, there are some workarounds, but they provide a more difficult experience.

Testing on iOS Simulator

The iOS SDK provides a high-level simulator in which the binaries are compiled to x86 instead of ARM code. Android provides a similar solution, but it fully emulates the hardware of the device. Apps compiled for a real device won’t run on a simulator, hence it is useless for black box assessment and reverse engineering. The following limits apply when using a simulator:

  1. Libraries: In some cases, iOS Simulator binaries link to OS X frameworks that may behave differently than those on iOS. This can result in slightly different behaviour.
  2. Camera: As of now, the iOS Simulator does not use your development machine’s camera. This is rarely a huge issue, but some applications do contain functionality such as “Take a picture of my check stub or receipt,” where the handling of this photo data can be crucial.
  3. SMS and cellular: You can’t test interaction with phone calls or SMS integration with the iOS Simulator, though you can technically simulate some aspects, such as toggling the “in-call” status bar.

Privileged Access (Jailbreak)

For easier pentesting of an iOS device, higher-level privileges are recommended. These can be obtained by jailbreaking the device to get a shell on it. The benefits of jailbreaking are:

  1. Root access to the file system.
  2. Execute apps not signed by Apple, including security tools.
  3. Greater debugging and analysis capabilities.
  4. Access to the application runtime.

The resources mentioned below can be used to get a full jailbreak for your iOS device.

Jailbreaking Resources

Higher-level privileges are required to do a thorough pentest of an iOS application and to understand the application functionality in depth. For that purpose, a jailbreak is often required. The sites below can be very useful in determining which jailbreaks are available for your device.

 
  1. Can I Jailbreak?
  2. The iPhone Wiki
  3. Redmond Pie
  4. Reddit Jailbreak
 

Tools

Below are some common tools which are used often in black box iOS testing.

For iOS Device

  1. http://apt.thebigboss.org/repofiles/cydia/ – The most popular Cydia repository, which contains the BigBoss Recommended Tools package.
  2. http://repo.hackyouriphone.org – Source repo for AppSync packages.
  3. https://build.frida.re – Install repo for Frida.
  4. http://mobiletools.mwrinfosecurity.com/cydia/ – The Needle agent, which has its own repository.
  5. https://apt.bingner.com/ – Another set of awesome tools.
  6. https://coolstar.org/publicrepo/ – Required repo for the Needle agent to install the Darwin CC Tools package.

After installing these repositories you should install the following packages:

  1. adv-cmds: Advanced command line tools, which include important Linux command line utilities like finger, fingerd, last, lsvfs, md, and ps.
  2. Apt: Used to install, upgrade, downgrade and manage applications on the iDevice, similar to dpkg but more user friendly. Packages can be installed directly using Apt.
  3. Class-dump: A command line tool that examines the Objective-C runtime information stored in Mach-O files and generates header files with class interfaces.
  4. Class-dump-Z: A command line tool that examines the Swift runtime information stored in Mach-O files and generates header files with class interfaces. This is not available via Cydia, therefore please refer to the installation steps in order to get class-dump-z running on your iOS device.
  5. Clutch: Used to decrypt an app executable.
  6. Cycript: An inlining, optimizing, Cycript-to-JavaScript compiler and console environment that can be injected into running processes (associated with Cydia Substrate).
  7. Cydia Substrate: A platform that makes developing third-party iOS add-ons easier via dynamic app manipulation or introspection.
  8. cURL: A well-known HTTP client which you can use to download packages faster to your device. This can be a great help when you need to install different versions of Frida-server on your device, for instance.
  9. Darwin CC Tools: Install the Darwin CC Tools from the Coolstar repo as a dependency for Needle.
  10. Frida: An app you can use for dynamic instrumentation, which includes run-time manipulation of the application, data storage analysis and enumeration, and bypassing critical security controls.
  11. Grep: Handy tool to filter lines.
  12. Gzip: A well-known ZIP utility.
  13. Needle-Agent: This agent is part of the Needle framework and needs to be installed on the iOS device.
  14. Open for iOS 11: Tool required to make the Needle Agent function.
  15. PreferenceLoader: A Substrate-based utility that allows adding entries to the Settings application.
  16. SOcket CAT: A utility with which you can connect to sockets to read and write messages. Useful when you want to trace the syslog on iOS 12 devices.

 

For the Host Device

  1. Burp Suite – An interception proxy that can be used to analyse the network traffic of the application.
  2. Mobexler – An all-in-one mobile application security testing platform, which has a collection of all the tools needed in mobile application pentesting. A highly versatile platform for both iOS and Android pentesting. Go here to know more.
  3. Frida – The client utility which is used to connect to the remote Frida server running on the device, issue commands and inject JavaScript into running processes.
  4. frida-ios-dump – Frida script to dump the unencrypted ipa from the memory of the iDevice, thus bypassing the Apple FairPlay DRM.
  5. ios-deploy – Command line utility to sign and install an ipa onto the iDevice.
  6. iFunBox – File and app management framework, used to install apps and access the application sandbox without a jailbreak.
  7. Keychain Dumper – Used to dump the keychain of the iDevice.
  8. Mobile Security Framework – MobSF – Automated all-in-one mobile application testing framework for black box assessment of iOS and Android applications. It supports the static analysis of iOS applications.
  9. Needle – All-in-one iOS security assessment framework, which is used to automate common pentesting tasks.
  10. Objection – Run-time mobile application analysis framework based on Frida. It allows security assessment of applications on non-jailbroken devices.
  11. Passionfruit – A GUI-based browser utility which uses the Frida server to provide a graphical representation of application data in a much more user friendly way.
  12. Radare 2 – A command line reverse engineering framework for analysing binaries.

Learning Resources

Books

Blogs and Articles

Interested in getting trained on iOS application security? Drop an email to:

training[at]enciphers[dot]com

Content Sources:

- Mobile Security Testing Guide
- OWASP