iOS App Pentesting Discover Exploit Secure ST by Saurabh Tiwari & Jayant Yadav 

Overview of iOS Architecture Each layer builds upon the one beneath it, creating a robust ecosystem. Starting from what users interact with (user interface) and moving down to the system's core (kernel), this architecture allows developers to create efficient and powerful applications. CoreOS • • • • It interacts with the device hardware and provides low-level services that are crucial for system operation. Kernel Security Power Management File System & Networking Core Service • • • • The Core Services layer provides a bridge between the user experience and system resources, handling data, networking, and concurrency that powers modern apps. Data Management Location Service Networking & iCloud Concurrency Cocoa Touch • • • This is the highest layer and the one closest to the user. User Interface Touch & Gestures Notifications. Media Layer • • • The Media layer is responsible for handling all multimedia aspects of an iOS app Graphics Audio/Video Animations 

Jailbreaking an iOS Device Jailbreaking is the act of bypassing software restrictions set by Apple's iOS operating system on devices such as the iPhone, iPad, and iPod touch. It grants users root access, allowing them to install software, tweaks, and customizations that are not authorized by Apple or available in the App Store. Jailbreak leverages the checkm8 bootrom exploit, which is unpatchable because it targets the device's hardware rather than software, making it usable across multiple iOS versions on devices with A5 to A11 chips (iPhone X or older). 

Types of Jailbreaking 1 Tethered Jailbreaking Requires connecting the device to a computer for each reboot. 2 Semi – Tethered Jailbreaking Reboots without jailbreak, but jailbreak features need reactivation via an app. 3 Untethered Jailbreaking No need for a computer after the initial jailbreak, survives reboots. 4 Semi - Untethered Jailbreaking Similar to semi-tethered but can re-jailbreak directly from the device without a computer. 

OWASP Mobile Top 10 2024 The OWASP Mobile Top 10 outlines the most critical security vulnerabilities for mobile apps. 1 Improper Credential Usage Insecure Communication 2 Inadequate Supply Chain Security Inadequate Privacy Controls 3 Insecure Authentication/Authorization Insufficient Binary Protections 4 Insufficient Input/Output Validation Security Misconfiguration Insecure Data Storage Insufficient Cryptography 5 6 7 8 9 10 

Sideloading an iOS App Sideloading is the process of installing apps on an iOS device without going through the App Store. Importance in Pentesting Allows pentesters to test apps in a controlled environment without app store restrictions. How to Sideload Tools like Sideloadly or AltStore enable sideloading. Risks Sideloaded apps bypass App Store security checks, increasing the risk of malware. 

Frida: Dynamic Instrumentation Tool Frida is a powerful tool for dynamic instrumentation and hooking, allowing for real- time analysis and manipulation of app behavior. Code Injection Inject code into running processes Function Hooking Intercept and modify function calls Network Monitoring Intercept and analyze network traffic Memory Analysis Analyze and manipulate memory contents 

MobSF: Mobile Security Framework MobSF is a comprehensive framework for analyzing and testing mobile apps. Static Analysis Code analysis without executing the app Dynamic Analysis Analyzing app behavior during runtime Malware Analysis Detecting and analyzing malicious code 

Analyzing plist files • In iOS development, plist files are commonly used for lightweight data storage. When developers use built-in APIs Like NSUserDefaults, Core Data, or other storage mechanisms, iOS may generate .plist files to store this data. • The data stored in NSUserDefaults or other persistent storage mechanisms may eventually get written to disk in a .plist file located in the app's sandboxed directory (/Library/Preferences/). • These files store data in a serialized XML or binary format. 

Analyzing Keychain • The iOS Keychain is a secure storage system for sensitive data, like passwords, encryption keys, and authentication tokens. It uses strong encryption to protect data and ensures that sensitive information is accessible only by authorized applications. This makes it a crucial part of iOS security for both apps and the operating system itself. • iOS generates its own password for the keychain and stores an encrypted version of key in the device. • This password is encrypted using AES key created by a PBKDF2 function of the user’s passcode + salt (Device’s UID which makes it impossible for another device to decrypt the Keychain’s password). 

Side Channel Leakage • As users interact with an application, various types of data may be stored across the system, including typed input, copied content, screenshots of sensitive information, cookies, and device logs. On jailbroken devices, this information becomes accessible to users and potentially to other applications, increasing the risk of unauthorized access. In such cases, malicious apps could exploit these stored data points to steal sensitive user information. The severity of this threat depends on the sensitivity of the application and the data involved. /private/var/mobile/Containers/Data/Application/$APP_ID/Library/SplashBoard/Snapshots App Snapshots Pasteboard Keystroke logging cd /private/var/mobile/Library/Keyboard/ Cookies 

Jailbreak Detection Bypass Demo 

Biometric Mechanism and its Bypassses Key Concepts: • • 1. Local Authentication (LAContext): The LAContext class is responsible for handling local authentication on iOS devices. It allows apps to prompt the user for authentication, such as using the device’s passcode, passphrase, or biometrics. • • 2. Authentication Process: When using LAContext, you set up a new instance of the class and call the evaluatePolicy method. This method tells iOS to display the appropriate authentication dialog (e.g., Face ID, Touch ID, or passcode). • • • • • • 3. Reply Block: Once the authentication process completes, the app receives a callback (called the reply block) that contains a boolean value indicating the outcome of the authentication: true (success) means the authentication was successful. false (failure) means the authentication failed. Based on this result, the app can proceed with its logic. For example, if authentication succeeds, the user might be granted access to secure parts of the app. If it fails, the app might show an error message or request another attempt. 

SSL Pinning Mechanism & it’s Bypass • SSL Pinning is a client-side security technique used to prevent man-in-the-middle attacks by verifying server certificates. During development, trusted certificates are embedded (or pinned) into the client application. At runtime, these certificates are compared to the server's certificates. If there’s a mismatch, the connection is immediately terminated, preventing any user data from being transmitted to that server. This process ensures that user devices communicate only with trusted, authorized servers. • The latest approach recommended by Apple is to specify a pinned certificate in Info.plist under App Transport Security Settings ( https://developer.apple.com/news/?id=g9ejcf8y ) 

WHOAMI? • • • • • • Saurabh Tiwari 23 Working as a Security Analyst @KPMG India One of the moderators of BreachForce Cybersecurity Cohort Also, a student Life’s motto : Bring on the hardship, it’s preferred in a path of carnage ~ Zoro 

THANKS | linkedin.com/in/saurabh-tiwari-5315801b5 @Zodiac_Minati