IOS Application Security And Static Analysis

IOS Application Security And Static Analysis
5 min read

Application security refers to the strategies used to protect mobile applications, online apps, and APIs (Application Programming Interfaces) from hackers. In the mobile device market, iOS is the most popular operating system. Because of their popularity, a variety of apps have been developed, making them excellent targets for attackers.

Today, we’ll look at how to perform static security pentesting on iOS apps, starting with bypassing SSL pinning and a few potential security flaws.

Bypassing SSL Pinning on iOS Device

The technique of linking a host with its certificate/public key is known as SSL Certificate Pinning. You pin a certificate or public key to a host after you have it. In other words, you set the app to refuse any certificates or public keys save one or a few predetermined ones.

Bypassing SSL Pinning using Frida:-

Frida:- Frida is a Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers that allows you to inject JavaScript snippets or your own libraries into native Windows, macOS, iOS, Android, and QNX programmes.

Install Frida from Github:- https://github.com/frida/frida

Install Frida on your Jailbroken iOS Device also through Cydia.

Step 1:- Run the command Frida-ps -Uia to list all the running app’s on the device.

Great. That is all the info you require.

Step 2:- Now Run the command Frida–codeshare federicodotta/ios13-pinning-bypass -f -U –no-pause.

Here, Identifier is the bundle id of the application for which you want to bypass SSL Pinning. So to get the identifier run the command in step 1.

Step 3:- After the process is completed successfully. Configure your iOS device with burp suite and try to intercept the traffic of the app for which you bypassed SSL Pinning.

Below is the example of an amazon application:-

IOS Application Security And Static Analysis

IOS Application Security And Static Analysis

Extracting the IPA file from any iOS Device

You can use Imazing to extract the IPA file of any application installed on your iphone, whether your device is jailbroken or not.

Install the application in your iOS device now go to Imazing, connect your device to your Mac/windows, and go to manage apps. There you will see a list of all the applications installed on your device and in front of all app names you will see a download button as shown in the image below. Now Click on that button and the ipa of that application will be downloaded on your Pc.

IOS Application Security And Static Analysis

MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

IOS Application Security And Static Analysis

Plist

Plist stands for Property List. It is a flexible and easy format for storing application data. It’s what we’d refer to as an iOS app’s manifest. Sometimes you can find sensitive data in these files like Gmap api keys etc.

You can see Plist files in MobSf also or you can use the Objection Framework command.

IOS Application Security And Static Analysis

Objection Command → ios plist cat Info.plist

IOS Application Security And Static Analysis

Keychain Dump

Keychain is a secure storage container on an iOS device that is used to store sensitive information such as usernames, passwords, network passwords, and auth tokens..It allows you to save account names, passwords, and credit card data safely and securely.

IOS Application Security And Static Analysis

Insecure Transport Layer ( App Transport Security )

If App Transport Security is disabled on the domain i.e:- {‘NSAllowsArbitraryLoads’: True}’, While ATS safeguards are maintained everywhere in your programme, disabling ATS might allow unsafe contact with specific servers or unsecured loads for web views or media.

IOS Application Security And Static Analysis

NsUserdefault File

It is also a simple plist file in your app package which can be used to set and get data very easily. Its structure resembles that of a dictionary, and the user defaults are sometimes referred to as a key-value store.

IOS Application Security And Static Analysis

Hardcoded Api Keys

Most of the apps need private/sensitive values, such as secrets , passwords & Api Keys which are stored in the application’s source code to setup third party SDKs or backend Api’s.

During the build process or while using developer tools, such as interacting with an Apple Developer account, some secrets may be required.

IOS Application Security And Static Analysis

Binary Analysis using otool

You can use otool (object file displaying tool) for further binary analysis of the application. The otool command displays sections of object files or libraries that you specify. You can check using otool that if the application is using weak hashing algorithms ,Banned/deprecated api’s, malloc function or insecure random number generators.

Commands to check these are given below:-

To Check for weak hashing algorithms: –

  • Open the terminal and take the ssh of your Iphone.
  • Command:- ssh root@
  • cd /var/containers/Bundle/Application//
  • otool -Iv | grep -w _CC_MD5
  • otool -Iv | grep -w _CC_SHA1

IOS Application Security And Static Analysis

To Check for Banned/Deprecated Api’s :-

  • Open the terminal and take the ssh of your Iphone.
  • Command:- ssh root@<IP>
  • cd /var/containers/Bundle/Application/<APP_ID>/<app>
  • otool -Iv <app> | grep -w _stat
  • otool -Iv <app> | grep -w _sscanf
  • otool -Iv <app> | grep -w _strncpy
  • otool -Iv <app> | grep -w _strle

Similarly is for the malloc function and Insecure random number generator.

Source Blog:- https://detoxtechnologies.com/ios-application-security-overview/

IOS Static Analysis || IOS Application Security || IOS Application Security Solutions || IOS Security Overview || IOS Application Security Testing

In case you have found a mistake in the text, please send a message to the author by selecting the mistake and pressing Ctrl-Enter.
Comments (0)

    No comments yet

You must be logged in to comment.

Sign In / Sign Up