# iOS Pentesting Checklist

## Apple Security Architecture

[Official Apple Security Documentation](https://support.apple.com/guide/security/welcome/web)

**iOS Overview**

* All applications are signed by Apple
* These devices have a hardware security component
* Hardware/Firmware Layer, Software Layer
* Two partitions
* Filesystem is Linux based
* Must have a developer profile in Xcode to test apps (this allows sideloading)
* Must have an Apple ID for testing

Jailbreak Tools:

* Checkra1n - Linux jailbreak software
* [Palera1n (newer iOS jailbreak)](https://github.com/palera1n/palera1n)
* iRa1n - Windows version of Checkra1n
* 3utools.com - iOS device management tool

Testing Tools:

* OpenSSH
* Burp Pro mobile assistant
* An emulator such as [Corellium](https://www.corellium.com/) or [Appetize.io](https://appetize.io/)
* [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) for static analysis; install with:

```bash
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
```

**Pulling IPA from App Store:**

* Install IPATool on Mac: `brew tap majd/repo && brew install ipatool`
* Authenticate to the tool: `ipatool auth -e <yourEmail@email.com>`
* Search for an app in the App Store: `ipatool search <myKeyword>`
* Download an app using the bundle ID returned by the search command: `ipatool download --bundle-identifier <bundleIDFromSearchCommand>`

#### Application Testing setup

1. Install iproxy (`npm install iproxy`) and the Burp Suite application proxy on the host
2. Start Burp Suite and add a listener on port 8082 bound to all interfaces
3. In iOS Settings, configure a manual proxy using the Burp Suite host's IP and port 8082
4. Connect the host PC to the mobile device over SSH through iproxy:

   a. `iproxy 2222 22 & ssh -R 8082:localhost:8082 root@localhost -p 2222`
5. On the iOS device, visit <http://burpsuite> to verify connectivity and download the Burp CA certificate
6. In the iOS Settings "Profile Downloaded" section, install the certificate
7. Go to Settings > General > About > Certificate Trust Settings and activate the toggle switch

#### Methodology

Source: <https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing>

1. Download the app from the App Store OR install the IPA file from the local machine onto the iPhone
2. Proxy the iPhone with iproxy; this establishes the USB connection
   * [ ] `iproxy 2222 22 & ssh -R 8082:localhost:8082 root@localhost -p 2222`
3. Proxy traffic through Burp
4. Pull the IPA off the phone into a local directory using frida-ios-dump
   * [ ] a. `python3 dump.py -l` (this will check all the files on the phone)
   * [ ] b. `python3 dump.py com.example.ipa`
5. Make a copy of the file and rename it to Payload.zip
6. Unzip the file from the command line
   * [ ] `unzip example.ipa`, OR unzip it in the file location
7. From Finder, go into the Payload folder and into the next Payload folder. This is where example.app is stored
8. Right-click example.app and choose "Show Package Contents"
9. Look at all the files. Some can be opened in Xcode
10. Look more specifically at the Info.plist file and open it with Xcode
    * [ ] Plists generally hold a lot of information; this is where we can find API keys and other juicy items
11. Open and look at any JSON files that are present.
12. Run MobSF and drop the example.ipa file in
    * [ ] MobSF is not as verbose for iOS as it is for Android, which is why we do more of a manual click-through of the files
    * [ ] Still use it, as it can save some time
13. Run Objection
    * [ ] `objection --gadget com.example.ipa explore`
    * [ ] Once Objection is running, use the following commands to search and dump different files
    * [ ] Check binary info
      * [ ] `ios info binary`
    * [ ] Check the iOS keychain
      * [ ] `ios keychain dump`
    * [ ] Check plist files
      * [ ] `ios plist cat info.plist`
    * [ ] Check user credential storage
      * [ ] `ios nsurlcredentialstorage dump`
    * [ ] Check NSUserDefaults
      * [ ] `ios nsuserdefaults get`
    * [ ] Check cookies
      * [ ] `ios cookies get`
    * [ ] Disable certificate pinning
      * [ ] `ios sslpinning disable --quiet`
      * [ ] If you have issues with sslpinning, you can use SSL Kill Switch or try patching manually with Objection
14. Do a manual click-through and generate some traffic through Burp
15. Run a Burp scan
16. Test the app like a web app (XSS, SQL injection, login bypass, etc.)
17. Check iOS logs
    * [ ] a. Connect the iPhone or iPad whose logs you want to view to a Mac over USB, and make sure the iOS device is unlocked
    * [ ] b. Open the "Console" app on macOS, found in the /Applications/Utilities/ directory
    * [ ] c. In the Console app sidebar, look under the "Devices" section and select the connected iPhone or iPad
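Steps 6 through 10 above (unzip the IPA, find Payload/<name>.app, open Info.plist and look for ATS exceptions, URL schemes and hard-coded keys) can be done from a script rather than by clicking through Finder and Xcode. The script below is an added example and is not part of this checklist or of frida-ios-dump, MobSF or Objection. It builds a small IPA in memory so it runs offline: the plist keys (`NSAppTransportSecurity`, `CFBundleURLTypes`, `UIFileSharingEnabled`) are real iOS keys, but the bundle name, the `ExampleAPIKey` entry and every value are constructed for the example, and the function names (`build_sample_ipa`, `load_info_plist`, `triage`, `triage_ipa`) are mine.

```python
"""Triage an IPA's Info.plist for the items steps 6-10 of the checklist look for.

Added example; not part of the checklist or of frida-ios-dump, MobSF or
Objection. The IPA below is constructed in memory so the script runs
offline: the plist keys are real iOS keys, the bundle name and values are
made up.
"""
import io
import plistlib
import re
import sys
import zipfile

# Constructed sample Info.plist (values are invented for this example).
SAMPLE_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.app",
    "CFBundleShortVersionString": "1.2.3",
    # ATS weakened globally and for one legacy domain.
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True},
        },
    },
    # Custom URL schemes: app entry points that belong on the test list.
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["exampleapp", "example-auth"]}],
    # A hard-coded credential of the kind step 10 is hunting for (made up).
    "ExampleAPIKey": "EXAMPLEKEY-0123456789abcdef",
    "UIFileSharingEnabled": True,
}


def build_sample_ipa() -> bytes:
    """Return an in-memory IPA laid out like a real one: Payload/<name>.app/..."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Example.app/Info.plist", plistlib.dumps(SAMPLE_INFO_PLIST))
        z.writestr("Payload/Example.app/Example", b"\xcf\xfa\xed\xfe")  # Mach-O 64-bit magic only
    return buf.getvalue()


def load_info_plist(ipa_bytes: bytes) -> dict:
    """Steps 6-10 without the Finder detour: an IPA is a zip, so read Info.plist straight out of it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist() if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n)]
        if len(names) != 1:
            raise ValueError(f"expected exactly one Payload/<name>.app/Info.plist, found {names}")
        # plistlib reads both XML and binary plists, i.e. whatever Xcode would show.
        return plistlib.loads(z.read(names[0]))


def walk(obj, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in a nested plist value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, obj


# Key names that usually mean the value is a credential.
SECRET_NAME_RE = re.compile(r"key|secret|token|password|passwd|credential", re.I)


def triage(info: dict) -> dict:
    """Pull out the security-relevant items a manual Info.plist review looks for."""
    findings = {"ats": [], "url_schemes": [], "secret_like": [], "file_sharing": False}

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings["ats"].append("NSAllowsArbitraryLoads=true (ATS disabled globally)")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings["ats"].append(f"insecure HTTP allowed for {domain}")

    for url_type in info.get("CFBundleURLTypes", []):
        findings["url_schemes"].extend(url_type.get("CFBundleURLSchemes", []))

    # Any string leaf under a credential-looking key that is long enough to be a real secret.
    for path, value in walk(info):
        if isinstance(value, str) and len(value) >= 16 and SECRET_NAME_RE.search(path):
            findings["secret_like"].append((path, value))

    findings["file_sharing"] = bool(info.get("UIFileSharingEnabled"))
    return findings


def triage_ipa(ipa_bytes: bytes) -> dict:
    return triage(load_info_plist(ipa_bytes))


if __name__ == "__main__":
    # Pass a real .ipa path (e.g. one pulled with frida-ios-dump), or no argument to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    for category, items in triage_ipa(data).items():
        print(f"{category}: {items}")
```

Run it as `python3 triage_ipa.py example.ipa` against the file pulled in step 4; the rename to Payload.zip in step 5 is unnecessary for the script because `zipfile` reads the `.ipa` directly. The `secret_like` heuristic only keys on the plist key name, so anything MobSF or a manual read-through turns up under an unremarkable key still needs the eyeball pass step 10 describes.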
