Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Assessing iOS Applications – setting up a test environment and grabbing low hanging fruit

This guide should serve as an introduction for those wishing to get into iOS application security testing. It demonstrates grabbing low hanging fruit. This guide will not cover all aspects of iOS application security and therefore should not be used as a fully fledged methodology. The line between web application assessments and mobile assessments is blurred as both consist of client/server models and most apps (if not all) speak HTTP (and hopefully some HTTPS). Many of the vulnerabilities you find will therefore require an intelligent web application security specialist's brain behind that Burp proxy. Incidentally, we have tons of them here at SpiderLabs! :)

Alas, let's get on with the show.

Ingredients

1x Jailbroken iPhone/iPad (Cydia)

1x Macbook Pro (to create a wireless network) OR a wirelessnetwork

1x Burp
 Proxy (or similar)

1x Self-signed Certificate (to MiTM HTTPS traffic)

Prepare iPhone/iPad

Cydia should already be installed if the device is jailbroken. OpenCydia, select Sources and add a new source; "http://cydia.hackulo.us".

9251_5021bae8-7a6f-4e5e-aceb-5181171dc109

Install OpenSSH, Installous 4 and Clutch.

Installing the app

If the app is on iTunes then this is easy - find it on the AppStore, download, sync device. If the app isn't on iTunes then the likelihood is that your client will send you a .IPA file. You can double click this file and it will load in iTunes - sync device as before.

WARNING: iTunes may force you to wipe the device if it is synced with another computer. If so, there is a way around this that doesn't involve syncing. Don't click on the .IPA and don't open iTunes. Instead, scp the .IPA file over to /User/Documents/Installous/Downloads/ on the device and install that way using Installous.

If your client sends you a .XCArchive package, don't worry, not all is lost. Assuming you're on OS X, sort out your X code path else you'll get this error.

Error: No developer directory foundat /Developer. Run /usr/bin/xcode-select to update the developer directorypath.

To fix, do the following:

sudo xcode-select -switch/Applications/Xcode.app/Contents/Developer

Now go to your .XCArchive file, right click and "Show Package Contents" and navigate to where the iOS .app file is - jot this down, you'll need it for the next bit.

Now armed with the .app file location you can bust out xcrun (our magic wand in this case) and create the .IPA file/package.Replace the path to your .app (what you jotted down before) in the command below. Note to specify "-sdk iphoneos" even if it is for the iPad.

/usr/bin/xcrun -sdk iphoneos PackageApplication"/absolute/path/to/MyApp.xcarchive/Products/Applications/MyApp.app"-o "/absolute/path/to/MyApp.ipa"

You can now scp the .IPA to your iPad and use Installous (within Cydia) to install as usual.

Finding the app

SSH to the device, the app will be installed in /var/mobile/Applications/<ID>/.

HINT: Look for the date when trying to locate the app, or justdo a find.

Connect to the wireless network

Connect the device to the wireless network - be it the Macbook Pro's "Internet Sharing" wireless network or an actual wireless network. Ensure that the Macbook Pro which will intercept requests/responses(via Burp) is on the same network.

Install the self-signed certificate

On the intercepting Macbook Pro we will export Burp's certificate via Firefox. Set Burp up as a proxy on TCP port 8080 (listening on ALL interfaces). Open Firefox, visit any HTTPS site, view the exception message, view certificate, highlight "PortSwigger CA" in the certificate hierarchy and not the site. Export as .CER. Mail it to yourself, open the e-mail on the device, click on the attachment and install it.

Important: Make sure you export the "PortSwigger CA" line item and not the random website below (twitter.com in this case).

11711_c6804ef9-fb3c-4604-900b-7b43bc6dad95

Setting up the proxy

Ensure that Burp is listening on ALL interfaces, or at least one that the device could see over the network. On the device, go to Network, Wi-Fi, click on the blue arrow to the right of the connected wireless network, scroll down to "HTTP Proxy" and select Manual. Insert the details of the Macbook Pro with Burp running, IP and TCP port 8080.

9626_64080648-0385-4b0e-ae0a-fed5e674c5eb

Testing the proxy works

Open Safari on the device and test that Burp captures the HTTP traffic correctly. If it works then load up the iOS application and you will be able to see traffic.

10689_94b6f556-0c1a-4c96-9f28-3e4b9a9a40aa

Decrypting apps from iTunes

If you downloaded your client's app from iTunes then you will need to remove the encryption before you analyse it with strings, etc. Tore move iTunes encryption you can use gdb, or you can use an app called Clutch(which you installed earlier in Cydia). Clutch puts cracked apps in /var/root/Documents/Cracked/.Scp the .IPA file off the device to the Macbook Pro to analyse.

Looking for strings in the binary

Unzip the .IPA file (it's a package really) that you received from the previous step. Go to the extracted folder, e.g./BAH.app/<BAH> and use "strings" on the binary: stringsBAH > stringsdump.txt. Review stringsdump.txt for any useful stuff.HINT: grep "password", "secret", "http://","encrypt", etc, etc.

8195_1bcacd78-aac1-4950-a9df-d058dad327c7

Looking at classes, objects, libraries

Use class-dump against the binary and discover information: ./class-dumpbinary or otool: ./otool -ov binary. Things here will become useful during runtime manipulation - variables, view classes, etc.

8271_1fe6f6ca-5d2c-4dd4-90c2-dd89f2f1751c

App files

Apps are installed in /var/mobile/Applications/<ID>/.Inside <APP>.app are application resource files including the binary. Have a look for cached data, databases, etc. A typical app file structure looks like:

/var/mobile/Applications/<ID>/App.app/


/var/mobile/Applications/<ID>/Library/Caches/


/var/mobile/Applications/<ID>/Library/Cookies/


/var/mobile/Applications/<ID>/Library/Preferences/


/var/mobile/Applications/<ID>/tmp/


/var/mobile/Applications/<ID>/Documents/


various .plist files


various .sqlite files

Keychain

Apple's Keychain also worth a look for sensitive data relating to the app: /var/Keychains/keychain-2.db. Use the KeychainDumper tool at https://github.com/ptoomey3/Keychain-Dumper/blob/master/keychain_dumper to dump allKeychain items (using a wildcard entitlements.xml). If you don't trust the binary you can also download the source and build it yourself.

Finito.

What I covered is finding low hanging fruit. Testing past this point will depend on what the app does, its complexity, etc. A lot of testing can be done via Burp as it will interface with web services in many cases, speak HTTP(S) (JSON goodness) and the OWASP Top 10 will apply. Other things to look for; how the app is sent to the background (snapshots), file protection, how it uses the pasteboard, how input/output is handled (UI Web View), etc. There is also a whole world related to runtime manipulation... another blog post!

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo