Extensive iOS hacking guide released by Security Innovation
Security Innovation has published a very extensive guide to iOS hacking that's worth checking out. Here's the table of contents:
1. Setting Up iOS Pentest Lab
 1.1 Get an iOS Device
 1.2 Jailbreaking an iOS Device
 1.3 Installing Required Software and Utilities
2. Acquiring iOS Binaries
3. Generating iOS Binary (.IPA file) from Xcode Source Code
 3.1 Method I - With a Valid Paid Developer Account
 3.2 Method II - Without a Valid Paid Developer Account
4. Installing iOS Binaries on Physical Devices
 4.1 Method I - Using iTunes
 4.2 Method II - Using Cydia Impactor
 4.3 Method III - Using iOS App Signer
 4.4 Method IV - Installing .app File
 4.5 Method V - Installing Modified Binary
 4.6 Method VI - Using Installipa Utility
 4.7 Method VII - Using iPhone Configuration Utility
 4.8 Method VIII - Using iFunBox
5. iOS Binary Package Primer
 5.1 Understanding the iOS Binary Package Structure
 5.2 Understanding the Supported Architectures for the Provided Application
 5.3 Understanding the Architecture Available on the Test Devices
 5.4 Converting Application Binaries from FAT Binary to Specific Architecture Binary
 5.5 Converting Pre-iOS 9 Executables to an iOS 9 Executable
 5.6 Converting 32 Bit Applications into 64 Bit Applications in Xcode
6. Compiling Customer-Provided Source Code for Pentesting on Latest iOS Using Xcode
 6.1 Download the Source Code
 6.2 Launch the Workspace
 6.3 Application Configuration
7. iOS Security Model Primer
 7.1 Security Features
8. Exploring iOS File System
 8.1 Reading Data Using iExplorer
 8.2 Reading Data Using iFunBox
 8.3 Reading iOS > 8.3 Application Sandbox Data Using Backup Method
  8.3.1 Backing Up the iDevice
  8.3.2 Using iBackupBot
  8.3.3 Using iExplorer
 8.4 Reading Application Data Using OpenSSH
 8.5 Reading Application Data Using SSH Over USB
 8.6 Reading Application Data on the iOS Device
  8.6.1 FileExplorer/iFile
  8.6.2 Using Mobile Terminals
9. Application Data Encryption
 9.1 Understanding Apple Data Protection API
 9.2 Validate the Data Protection Classes Being Used
 9.3 Insecure Local Data Storage
  9.3.1 PropertyList Files
  9.3.2 NSUserDefaults Class
  9.3.3 Keychain
  9.3.4 CoreData and SQLite Databases
 9.4 Broken Cryptography
10. Binary Analysis
 10.1 Binary Analysis - Check for Exploit Mitigations - Position Independent Executable (PIE & ASLR)
 10.2 Binary Analysis - Check for Exploit Mitigations - Automatic Reference Counting (ARC)
 10.3 Binary Analysis - Check for Exploit Mitigations - Stack Protectors
 10.4 Binary Analysis - List All Libraries Used in the iOS Binary
 10.5 Simple Reverse Engineering iOS Binaries Using class-dump-z
11. Decrypting iOS Applications (AppStore Binaries)
 11.1 Manual Method
  11.1.1 Using GDB
  11.1.2 Using LLDB
 11.2 Automated Method
  11.2.1 Using dumpdecrypted
  11.2.2 Using Clutch
12. iOS Application Debugging - Runtime Manipulation
 12.1 Cycript on Jailbroken Device
  12.1.1 Using Cycript to Invoke Internal Methods
  12.1.2 Using Cycript to Override Internal Methods
 12.2 Debugging iOS Applications Using LLDB
13. Reverse Engineering Using Hopper
14. Reverse Engineering Using IDA Pro
15. MITM on iOS
 15.1 MITM HTTP Traffic
 15.2 MITM SSL/TLS Traffic
 15.3 MITM Non HTTP/SSL/TLS Traffic
 15.4 MITM Using VPN
 15.5 MITM When iOS Application Accessible Only Via VPN
 15.6 MITM Bypassing Certificate Pinning
 15.7 MITM by DNS Hijacking
 15.8 MITM Using Network Gateway
 15.9 Monitoring iOS FileSystem Activities
16. Side Channel Leakage
 16.1 iOS Default Screen Shot Caching Mechanism
 16.2 iOS UIPasteboard Caching
 16.3 iOS Cookie Storage
 16.4 iOS Keyboard Cache Storage
 16.5 iOS Device Logging
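Two of the checks the guide's outline covers (section 5, reading the architecture slices of a FAT binary, and section 10.1, checking a binary for PIE) come down to reading a few words out of the Mach-O headers. The script below is an added illustration written for this post; it is not code from the guide or from Security Innovation. It walks the big-endian fat_arch table of a universal binary, then decodes each slice's little-endian mach_header and tests the MH_PIE flag, treating the flag as meaningful only for MH_EXECUTE images (dylibs are position independent regardless). The sample binary is constructed inside the script from hand-built headers with zero load commands so it runs offline; the header layouts and constant values are taken from Apple's <mach-o/loader.h> and <mach-o/fat.h>. On a real engagement you would point it at the decrypted executable inside the .app bundle, or just run `otool -hv` and look for PIE in the flags column.

```python
import struct

# Mach-O constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin images, stored little-endian on iOS
FAT_MAGIC = 0xCAFEBABE                           # universal container, header is big-endian
MH_EXECUTE = 0x2                                 # filetype: main executable
MH_PIE = 0x200000                                # flags bit: built as position independent executable
CPU_TYPE_ARM = 0xC
CPU_TYPE_ARM64 = 0x0100000C                      # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_mach_header(blob):
    """Decode one thin Mach-O header and report its architecture and PIE status."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image: magic=%#x" % magic)
    # The six fields after the magic are identical for mach_header and mach_header_64.
    cputype, _cpusubtype, filetype, _ncmds, _sizeofcmds, flags = struct.unpack_from("<6I", blob, 4)
    return {
        "arch": CPU_NAMES.get(cputype, "cputype %#x" % cputype),
        "is_64": magic == MH_MAGIC_64,
        "executable": filetype == MH_EXECUTE,
        # MH_PIE is only meaningful on MH_EXECUTE; dylibs are always position independent.
        "pie": filetype == MH_EXECUTE and bool(flags & MH_PIE),
    }


def analyze(blob):
    """Return one result per architecture slice, for both universal (FAT) and thin binaries."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", blob, 4)[0]
        results = []
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _cputype, _cpusubtype, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            results.append(parse_mach_header(blob[offset:offset + size]))
        return results
    return [parse_mach_header(blob)]


# --- constructed sample input (hand-built headers, not a real app binary) ---------------

def make_thin_header(is_64, cputype, flags):
    """Build a minimal mach_header / mach_header_64 with zero load commands."""
    magic = MH_MAGIC_64 if is_64 else MH_MAGIC
    header = struct.pack("<7I", magic, cputype, 0, MH_EXECUTE, 0, 0, flags)
    return header + (struct.pack("<I", 0) if is_64 else b"")   # 64-bit header has a reserved word


def make_fat(slices, page=0x1000):
    """Wrap thin images in a FAT container, each slice page-aligned the way lipo lays them out."""
    arch_table = b""
    body = b""
    offset = page                                 # first slice starts after the header page
    for image in slices:
        cputype, cpusubtype = struct.unpack_from("<II", image, 4)
        arch_table += struct.pack(">5I", cputype, cpusubtype, offset, len(image), 12)
        body += image.ljust(page, b"\0")          # assumes each sample image fits in one page
        offset += page
    header = struct.pack(">II", FAT_MAGIC, len(slices)) + arch_table
    return header.ljust(page, b"\0") + body


# A universal binary whose armv7 slice was built without PIE and whose arm64 slice has it.
SAMPLE_FAT = make_fat([
    make_thin_header(False, CPU_TYPE_ARM, 0),
    make_thin_header(True, CPU_TYPE_ARM64, MH_PIE),
])

if __name__ == "__main__":
    for r in analyze(SAMPLE_FAT):
        print("%-6s 64-bit=%-5s executable=%-5s PIE=%s"
              % (r["arch"], r["is_64"], r["executable"], r["pie"]))
```

The per-slice report matters because a FAT binary can ship one slice with PIE and another without; a check that only inspects the first slice, or the slice the test device happens to run, misses the weaker build. To inspect a real binary, replace `SAMPLE_FAT` with `open(path, "rb").read()` on the decrypted executable.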
Download Link
https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf