Breaking iOS Security Testing Barrier How we did it & How you can to 

Akshay Product Security Engineer mast3root Web2/Mobile security specialist Bharath Product Security Engineer 0xbharath https://disruptivelabs.in 

Why this talk? iOS security testing is nuanced iOS security testing is daunting iOS security testing has a lot of tribal knowledge It’s fun! 

The logistics of iOS security testing 

What device should you buy? https://idevicecentral.com/ios-jailbreak-tool-finder/ 

How we manage to get hands-on Apple hardware in real world Refurbished sellers are your best bet: Cashify OLX Your equivalent in your country 

Structure of an iOS application 

Jailbreak detection An app’s capability to detect when they are running on a jailbroken device This has become a baseline security mechanism for most apps (opinion) Apps use a variety of libraries or methods to implement this such as IOSSecuritySuite 

Bypassing Jailbreak detection Using Objection objection -g com.attack.ipaname explore -s "ios jailbreak disable" 

Bypassing Jailbreak detection Frida Hooks Frida trace frida-trace -U -i "*jailbreak*" appname 

Bypassing Jailbreak detection LLDB Cydia tweaks 

What to do when automated scripts or tools fail? Using frida we can start experimenting and start hooking into interesting places and syscalls using early instrumentation. Start looking at the unzipped IPA file which contains the Frameworks folder. Check if anything dylib contains any interesting strings or methods Start looking at various syscalls like pathconf , stat64 , fopen etc. Code signature checks using sys_csops syscall 

A quick tale from trenches (case study) Testing a hardened iOS application The application was doing something unique, it was making using svc #0x80 inline arm assembly call and using dlsym calls to obsfucate function calls Using LLDB we patched those functions Later the application was vulnerable to the issues SSRF as they were heavily banking upon the jailbreak detection check ARM64 code to Hex code mov x16 , #1 ---> 300080D2 svc #0x80 ---> 011000D4 

A quick tale from trenches (case study) Using memory scan module of Frida Patch the exit syscall to 0x1F , 0x20 , 0x03 , 0xD5 This with patch the exit syscall to the NOP 

Certificate Pinning Certificate pinning is mechanism that allows accepting only authorized ("pinned") certificates for authentication of client-server connections. This mechainism is devised as a means of thwarting MiTM. For us, it essentially means, we will not be able to use our interception proxies to manipulate API traffic. 

Bypassing Certificate Pinning - Tips Use Objection Check info.plist SSLkillswitch v2 Scripts available on Frida codeshare 

What to do when automated scripts or tools fail? Identify which protocols the application uses to communicate with the server Does the application depends upon the OS provided SSL library or it comes with its own SSL library (Flutter for example) Does the application has any hardcoded Certificate file, public key stored. Start by hooking at lower level Apple provided networking library like NSURLSession Hook into lower level api calls like SecCertificateCreateWithBytes and replace the bytes with Burp cert bytes 

Attacking Webviews Webviews are in-app browser components for displaying interactive web content iOS apps generally use WKWebview . UIWebview is deprecated Webviews have a property to call native code from Javascript using JSBridges 

Common ways to attack Webviews Looking at application deeplinks Looking for the presence of HTML injection (or XSS) Once you find a HTML injection you can Use file:/// and then exfiltrate the data back to your server See if the webview has any JSBridges exposed and what sort of data they serve 

Common ways to attack Webviews ObjC.choose(ObjC.classes['WKWebView'], { onMatch: function (wk) { console.log('onMatch: ', wk); console.log('URL: ', wk.URL().toString()); console.log('javaScriptEnabled: ', wk.configuration().preferences().javaScriptEnabled()); console.log('allowFileAccessFromFileURLs: ', wk.configuration().preferences().valueForKey_('allowFileAccessFromFileURLs').toString()); console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString()); console.log('allowUniversalAccessFromFileURLs: ', wk.configuration().valueForKey_('allowUniversalAccessFromFileURLs').toString()); }, onComplete: function () { console.log('done for WKWebView!'); } }); 

A quick tale from trenches (case study) Found a deeplink for an iOS application which used to open the T&C page on webview Turns out the deeplink had no URL validation We are able to load an attacker controlled URL and then access JSbridges provided on that Webview 

Attacking Cryptographic operations Cryptographic operations in iOS development are crucial for securing data, communication, and overall app integrity. They play a significant role in ensuring the privacy and security of user information and maintaining the trust of app users. 

Common ways to figure out crypto operations Generally iOS applications tend to use cccrypt library which is provided by apple ecosystem to properly do encryption stuff Hook into above library using objection ios monitor crypto Use frida trace frida-trace -U -i "*EVP*" appname frida-trace -U -i "*SHA*" appname In the above frida command keep on experimenting with various keywords 

Attacking local storage Devs tend to store information to local storage, sometimes it could be sensitive Information we have seen commonly stored on local storage: Property List (PList) files CoreData and SQLite databases NSUserDefaults Stores Insecure Data Keychain 

Common ways to look for sensitive stuff it "Command" can be: env ios nsuserdefaults get ios plist cat filename.plist ios keychain dump --json keychain.json objection -g AppName explore > Insert "Command" 

A quick tale from trenches (case study) We have seen developers store AWS Security Creds in Keychain which in turn had excess privileges that we used to escalate privileges in their cloud account 

Finding Hidden functions Generally, iOS apps are written in Objective C or Swift (unless you are dogmatic and use rust) Developers tend to use internal company names or specific names like debugMenu or debugger etc 

Common techniques to figure out hidden functions Enumerate list of classes and methods and start going through each of them ( Hacker way would be "grep interesting strings") 

A quick tale from trenches (case study) Tested a gaming application in which app had a developer console embedded (Intended to do dev operations) We forcefully called it using Frida and then triggered an internal dev console which helped us get unlimted coins which means we won the game! 

Shoutouts & people to follow Hexploitable Ole André Leon Jacobs Jiska Classen Eduardo Novella FrenchYeti