How to get started with mobile penetration testing for iOS

by Johanna Curiel

iOS applications enjoy better out-of-the-box security than their Android counterparts because of Apple's more tightly controlled environment. However, that advantage doesn't mean much if you don't do a thorough job securing your apps.

That's why there needs to be someone who takes on the role of penetration tester on every team. The information below highlights the relevant subjects in Apple's iOS Security Guide and OWASP's Mobile Security Testing Guide. It serves as a helpful cheatsheet for starting penetration testing for iOS apps.

Preparing the testing environment

An essential part of pen testing an iOS application is the use of the right tools and devices. There are many different tools, but this list includes the bare minimum you'll need if you want to execute effective pen tests:

A jailbroken iPhone

A MacBook able to connect to the phone

Xcode with a developer profile

Frida or Cydia

BURP or OWASP ZAP

Hopper

IDA pro (optional)

an SFTP client

Application logic

The first and most important step is to fully analyze all of the app’s flow and entry data points, including where and how the data is stored in the device or transmitted to APIs. You can do this by testing the application functionally, giving it a code review, or debugging it. As you do, follow these steps:

Enumerate all the fields that require data input from the user.

Check validation rules on entry fields such as password strength, text fields requiring numeric values only, or alphanumeric fields.

If you have access to source code, enumerate critical calls to APIs by using the search function to look for all instances od "http" or "https", or "//".

Applying a testing framework

Before you implement a testing plan, you need a clear strategy in place. For a starting point, I recommend building your strategy around the OWASP Mobile Top 10.

OWASP suggests that you start by breaking down the 10 vulnerabilities into specific tests that can be categorized into one or more of these sections. In addition, you can create specific tests targeting the scope of each section. The OWASP mobile testing guide (still a work in progress) provides this scoping. Consider black-, gray-, or white-box testing as part of the strategy.

Once you have established the app's testing scope, you can break it down into those essential steps.

Specific iOS security concerns

The iOS platform has very specific security concerns when analyzing the vulnerabilities of apps.

The following list contains specific security check-ups for an iOS application:

Verify that the application has implemented file data protection: Third-party apps installed on iOS 7 or later receive this protection automatically. You can verify this by searching for keywords in the source code, such as the ones described in this table:

Table: Data protection and classes from the iOS Security Guide

Data protection is available for file and database APIs, including NSFileManager, CoreData, NSData, and SQLite.

Check if the application makes use of extensions by searching for the keyword "sharedApplication": This allows an application to provide other apps access and services, but improper access due to configurations could be an issue.

This allows an application to provide other apps access and services, but improper access due to configurations could be an issue. Apps groups: Are there applications being shared by the same developer account? Verifying this is important to make sure that applications that are sharing with others aren't vulnerable. If serious flaws are found on one of them, it could jeopardize all of them.

Checking for insecure data storage

Data can be stored in different formats including (but not limited to):

The NSUserDefaults class

Log files

XML and plist

SQLite files

Keychain data

The following provides a general guide how to look for sensitive information depending on what kind of file you're dealing with.

Check for sensitive stored data in the NSUserDefaults: Use an SFTP client and download the file stored in /var/mobile/Containers/Data/Application. The data is in binary, therefore use plutil or another program to change the binary to XML so the file becomes readable. Once extracted, check for sensitive information.

Check for sensitive data in your insecure Plist: Check this info by using an SFTP program. Download the app data on /var/mobile/Containers/Data/Application and open the file data with extension *.plist. Once opened, you can analyze any sensitive info saved in it.

For insecure SQLite data: Navigate to /var/mobile/Containers/Data/Application specifically in the Documents folder. Look for a file with the extension *.sqlite. As you open this file, the information can be evaluated. Check for potential credentials or any sensitive information saved in here.

For insecure storage in the Keychain: Check if the app makes use of Keychain to access certain items. You can do this by looking for the following options in the class kSecClassGenericPassword:

kSecAttrAccessControl

kSecAttrAccessGroup (iOS; also macOS if kSecAttrSynchronizable specified)

kSecAttrAccessible (iOS; also macOS if kSecAttrSynchronizable specified)

kSecAttrCreator

kSecAttrAccount

kSecAttrService

kSecAttrGeneric

kSecAttrSynchronizable

Capturing the traffic with ZAP or BURP

You can use BURP of OWASP ZAP as an attack proxy to capture all the traffic between the app and its external connections. This video shows you how to configure OWASP ZAP to intercept all traffic. BURP also has clear guidelines to set up the proxy in this case. Its configuration uses an iOS simulator.

Once you start capturing the traffic, you can use passive or active scanning on both proxies for specific attacks to APIs being called by the app. If the application is using SSL certificate pinning, you might want to attempt bypassing SSL Pinning by using SSL Kill switch on the iPhone device. If this does not work, you should probably attempt to reverse the application to find out the exact implementation. You can do this by using Cydia or Frida to bypass certificate pinning at runtime.

Reversing the application

One of the OWASP Top 10 Mobile vulnerability listings recommends that you find out how “reversible” your application is. iOS applications are, by default, much harder to reverse than Android, but it's definitely possible. Consider looking at some of the recommended tools for reverse engineering iOS. Tools such as IDA pro are quite effective, but not free.

Use Clutch to decrypt signed iOS apps.

Use class-dump-z to decrypt the iOS app if it is unassigned, or after using Clutch.

Use the "String" command to look for specific words or keys patterns within the application.

Use Hopper or IDA dissembler to get insights into the content of the app.

Additional resources

After you've become more comfortable pen testing in iOS, you should develop your own strategy that's finely tuned to your particular apps. Here are a few more resources to get you up to speed faster on iOS penetration testing and security practices:

Ready to see solutions?

Learn about Mobile Testing from Micro Focus and sign up for a free trial .