HackTricks

HackTricks

HackTricks Afrikaans - Ht Chinese - Ht Español - Ht Français - Ht German - Ht Greek - Ht Hindi - Ht Italian - Ht Japanese - Ht Korean - Ht Polish - Ht Português - Ht Serbian - Ht Swahili - Ht Turkish - Ht Ukranian - Ht

HackTricks Training Twitter Linkedin Sponsor

👾Welcome!
🤩Generic Methodologies & Resources
🐧Linux Hardening
🍏MacOS Hardening
🪟Windows Hardening
📱Mobile Pentesting
👽Network Services Pentesting
🕸️Pentesting Web
⛈️Cloud Security
😎Hardware/Physical Access
🎯Binary Exploitation
🔩Reversing
🔮Crypto & Stego
🦂C2
✍️TODO

Powered by GitBook

iOS Pentesting Checklist

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

Workflow-powered solution for Bug Bounty, Pentesting, SecOps | TrickestTrickest

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Try Hard Security Group

Join the Try Hard Security Discord Server!Discord

Preparation

Read iOS Basics
Prepare your environment reading iOS Testing Environment
Read all the sections of iOS Initial Analysis to learn common actions to pentest an iOS application

Data Storage

Plist files can be used to store sensitive information.
Core Data (SQLite database) can store sensitive information.
YapDatabases (SQLite database) can store sensitive information.
Firebase miss-configuration.
Realm databases can store sensitive information.
Couchbase Lite databases can store sensitive information.
Binary cookies can store sensitive information
Cache data can store sensitive information
Automatic snapshots can save visual sensitive information
Keychain is usually used to store sensitive information that can be left when reselling the phone.
In summary, just check for sensitive information saved by the application in the filesystem

Keyboards

Does the application allow to use custom keyboards?
Check if sensitive information is saved in the keyboards cache files

Logs

Check if sensitive information is being logged

Backups

Backups can be used to access the sensitive information saved in the file system (check the initial point of this checklist)
Also, backups can be used to modify some configurations of the application, then restore the backup on the phone, and the as the modified configuration is loaded some (security) functionality may be bypassed

Applications Memory

Check for sensitive information inside the application's memory

Broken Cryptography

Check if yo can find passwords used for cryptography
Check for the use of deprecated/weak algorithms to send/store sensitive data
Hook and monitor cryptography functions

Local Authentication

If a local authentication is used in the application, you should check how the authentication is working.
- If it's using the Local Authentication Framework it could be easily bypassed
- If it's using a function that can dynamically bypassed you could create a custom frida script

Sensitive Functionality Exposure Through IPC

Custom URI Handlers / Deeplinks / Custom Schemes
- Check if the application is registering any protocol/scheme
- Check if the application is registering to use any protocol/scheme
- Check if the application expects to receive any kind of sensitive information from the custom scheme that can be intercepted by the another application registering the same scheme
- Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited
- Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme
Universal Links
- Check if the application is registering any universal protocol/scheme
- Check the apple-app-site-association file
- Check if the application isn't checking and sanitizing users input via the custom scheme and some vulnerability can be exploited
- Check if the application exposes any sensitive action that can be called from anywhere via the custom scheme
UIActivity Sharing
- Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
UIPasteboard
- Check if the application if copying anything to the general pasteboard
- Check if the application if using the data from the general pasteboard for anything
- Monitor the pasteboard to see if any sensitive data is copied
App Extensions
- Is the application using any extension?
WebViews
- Check which kind of webviews are being used
- Check the status of javaScriptEnabled, JavaScriptCanOpenWindowsAutomatically, hasOnlySecureContent
- Check if the webview can access local files with the protocol file:// (allowFileAccessFromFileURLs, allowUniversalAccessFromFileURLs)
- Check if Javascript can access Native methods (JSContext, postMessage)

Network Communication

Perform a MitM to the communication and search for web vulnerabilities.
Check if the hostname of the certificate is checked
Check/Bypass Certificate Pinning

Misc

Check for automatic patching/updating mechanisms
Check for malicious third party libraries

Try Hard Security Group

Join the Try Hard Security Discord Server!Discord

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

Workflow-powered solution for Bug Bounty, Pentesting, SecOps | TrickestTrickest

PreviousWebview Attacks NextiOS Pentesting

Last updated 7 days ago

On this page

Preparation
Data Storage
Keyboards
Logs
Backups
Applications Memory
Broken Cryptography
Local Authentication
Sensitive Functionality Exposure Through IPC
Network Communication
Misc

Was this helpful?

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)