iOS applications enjoy better out-of-the-box security than their Android counterparts because of Apple's much more tightly controlled environment. Nevertheless, that advantage does not count for much if you do not do a thorough job of securing your own apps.
That is why someone on each team has to take on the role of penetration tester. The information below highlights the relevant topics from Apple's iOS Security Guide and OWASP's Mobile Security Testing Guide. It can serve as a useful cheat sheet for getting started with penetration testing of iOS apps.
Preparing the assessment environment
An important part of pen testing an iOS application is using the right tools and devices. There are many different tools available.
The first and most important step is to thoroughly evaluate the app's flow and data entry points, including how and where data is stored on the device or transmitted to APIs.
Applying a testing framework
Before you apply an assessment program, you need a clear method in place. As a starting point, I suggest building your approach around the OWASP Mobile Top 10.
OWASP suggests you begin by breaking the ten vulnerabilities down into specific tests, which can be categorized into one or more of these sections. You can then develop specific tests covering the scope of each section.
Specific iOS security concerns
The iOS platform has very specific security concerns to consider when analyzing an app for vulnerabilities.
Checking for insecure data storage
Data can be stored in different formats, including (but not limited to):
- The NSUserDefaults class
- Log files
- XML and plist
- SQLite files
- Keychain data
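As an added illustration (not code from the original article), the following Python script builds a constructed app sandbox containing three of the storage types listed above (an NSUserDefaults plist, a SQLite database and a log file) and then scans it for sensitive key, column and log-line names. The directory layout, file names and the SENSITIVE pattern are assumptions; tune the pattern for the app under test.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Hypothetical key/column/log patterns; tune these for the app under test.
SENSITIVE = re.compile(r"(password|passwd|secret|token|api[_-]?key|session)", re.I)

def make_sample_container() -> str:
    """Build a constructed app sandbox holding the storage types the text lists."""
    root = tempfile.mkdtemp(prefix="ios_container_")
    prefs = os.path.join(root, "Library", "Preferences")  # NSUserDefaults lives here
    docs = os.path.join(root, "Documents")
    logs = os.path.join(root, "Library", "Caches")
    for d in (prefs, docs, logs):
        os.makedirs(d)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "auth_token": "constructed-token"}, f)
    db = sqlite3.connect(os.path.join(docs, "app.sqlite"))
    db.execute("CREATE TABLE creds (user TEXT, password TEXT)")
    db.execute("INSERT INTO creds VALUES ('alice', 'hunter2')")
    db.commit()
    db.close()
    with open(os.path.join(logs, "app.log"), "w") as f:
        f.write("login ok session=abc123\nscreen=home\n")
    return root

def scan_container(root: str) -> list:
    """Return sorted (relative path, location) pairs where a sensitive name appears."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".plist"):  # NSUserDefaults and other plist files
                with open(path, "rb") as f:
                    keys = plistlib.load(f).keys()
                findings += [(rel, k) for k in keys if SENSITIVE.search(k)]
            elif name.endswith((".sqlite", ".db")):  # inspect the schema, not just raw bytes
                con = sqlite3.connect(path)
                tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
                for table in tables:
                    cols = [r[1] for r in con.execute(f"PRAGMA table_info({table})")]
                    findings += [(rel, f"{table}.{c}") for c in cols if SENSITIVE.search(c)]
                con.close()
            elif name.endswith(".log"):  # log files that leak session data
                with open(path) as f:
                    findings += [(rel, f"line {n}") for n, ln in enumerate(f, 1) if SENSITIVE.search(ln)]
    return sorted(findings)
```

On a real assessment, point scan_container at the app's data container pulled from the device and review each finding to decide whether the value belongs in the Keychain instead.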
Capturing the traffic with ZAP or BURP
You can use BURP or OWASP ZAP as an attack proxy to capture all traffic between the app and its external connections. This tutorial shows you how to configure OWASP ZAP to intercept all traffic. BURP has specific guidelines for setting up the proxy in this situation, including configuration for the iOS simulator.
Once you begin capturing traffic, you can use active or passive scanning in either proxy to test for specific attacks against the APIs the app calls. If the app uses SSL certificate pinning, you may want to try bypassing it with SSL Kill Switch on the iPhone device. If that doesn't work, you should probably try reversing the application to find the actual implementation. You can do this with Frida or Cydia to bypass certificate pinning at runtime.
Reversing the application
One of the OWASP Mobile Top 10 entries recommends that you learn how "reversible" your application is. iOS apps are, by default, significantly harder to reverse than Android apps, though it is certainly possible. Consider taking a look at some of the recommended resources for iOS reverse engineering.