« Presentation: Problems you'll face when building a software security program | Main

Extensive IOS hacking guide released by Security Innovation

Security Innovation has published a very extensive guide to IOS hacking that's worth checking out. Here's the table of contents

1. Setting Up iOS Pentest Lab.................. 5
1.1 Get an iOS Device...................5
1.2 Jailbreaking an iOS Device.................. 7
1.3 Installing Required Software and Utilities .................. 10
2. Acquiring iOS Binaries.................. 13
3. Generating iOS Binary (.IPA file) from Xcode Source Code: .................. 15
3.1 Method I – With A Valid Paid Developer Account. .................. 15
3.2 Method II - Without a Valid Paid Developer Account.................. 18
4. Installing iOS Binaries on Physical Devices.................. 23
4.1 Method I - Using iTunes .................. 23
4.2 Method II - Using Cydia Impactor .................. 27
4.3 Method III - Using iOS App Signer..................27
4.4 Method IV - Installing .app file..................27
4.5 Method V - Installing Modified Binary..................28
4.6 Method VI - Using Installipa Utility .................. 29
4.7 Method VII - Using iPhone Configuration Utility .................. 29
4.8 Method VIII - Using iFunBox .................. 29
5. iOS Binary Package Primer .................. 30
5.1 Understanding the iOS Binary Package Structure.................. 30
5.2 Understanding the Supported Architectures for the Provided Application .................. 31
5.3 Understanding the Architecture Available on the Test Devices .................. 32
5.4 Converting Application Binaries from FAT Binary to Specific Architecture Binary .................. 34
5.5 Converting Pre-iOS 9 Executables to an iOS 9 Executable..................34
5.6 Converting 32 Bit Applications into 64 Bit Applications in Xcode.................. 35
6. Compiling Customer-Provided Source Code for Pentesting on Latest iOS Using Xcode ...... 36
6.1 Download the Source Code .................. 36
6.2 Launch the Workspace.................. 36
6.3 Application Configuration .................. 37
7. iOS Security Model Primer .................. 41
7.1 Security Features .................. 41
8. Exploring iOS File System .................. 42
8.1 Reading Data Using iExplorer.................. 42
8.2 Reading Data Using iFunBox .................. 42
8.3 Reading iOS > 8.3 Application SandBox Data Using Backup Method .................. 44
8.3.1 Backing Up the iDevice.................. 44
8.3.2 Using iBackupBot .................. 45
8.3.3 Using iExplorer .................. 45
8.4 Reading Application Data Using OpenSSH..................47
8.5 Reading Application Data Using SSH Over USB.................. 48
8.6 Reading Application Data on the iOS Device .................. 49
8.6.1 FileExplorer/iFile.................. 49
8.6.2 Using Mobile Terminals .................. 50
9. Application Data Encryption .................. 50
9.1 Understanding Apple Data Protection API.................. 50
9.2 Validate the Data Protection Classes Being Used..................51
 9.3 Insecure Local Data Storage.................. 52
9.3.1 PropertyList files.................. 52
9.3.2 NSUserDefaults Class .................. 53
9.3.3 Keychain .................. 54
9.3.4 CoreData and SQLite Databases .................. 57
9.4 Broken Cryptography .................. 58
10. Binary Analysis .................. 61
10.1 Binary Analysis – Check for Exploit Mitigations – Position Independent Executable (PIE & ASLR) 61
10.2 Binary Analysis – Check for Exploit Mitigations – Automatic Reference Counting (ARC) .............. 62
10.3 Binary Analysis – Check for Exploit Mitigations – Stack Protectors..................64
10.4 Binary Analysis – List All Libraries Used in the iOS Binary .................. 65
10.5 Simple Reverse Engineering iOS Binaries Using class-dump-z.................. 68
11. Decrypting iOS Applications (AppStore Binaries) .................. 72
11.1 Manual Method .................. 72
11.1.1 Using GDB .................. 72
11.1.2 Using LLDB .................. 75
11.2 Automated Method .................. 79
11.2.1 Using dump decrypted .................. 79
11.2.2 Using Clutch .................. 81
12. iOS Application Debugging - Runtime Manipulation .................. 85
12.1 Cycript on Jailbroken Device .................. 85
12.1.1 Using Cycript to Invoke Internal Methods..................85
12.1.2 Using Cycript to Override Internal Methods .................. 90
12.2 Debugging iOS Applications Using LLDB .................. 94
13. Reverse Engineering Using Hopper.................. 100
14. Reverse Engineering Using IDA PRO .................. 112
15. MITM on iOS.................. 113
15.1 MITM HTTP Traffic .................. 114
15.2 MITM SSL/TLS Traffic .................. 116
15.3 MITM non HTTP/SSL/TLS Traffic .................. 118
15.4 MITM using VPN .................. 118
15.5 MITM When iOS Application Accessible Only Via VPN..................119
15.6 MITM Bypassing Certificate Pinning .................. 120
15.7 MITM by DNS Hijacking.................. 123
15.8 MITM Using Network Gateway.................. 123
15.9 Monitoring iOS FileSystem Activities .................. 124
16. Side Channel Leakage.................. 127
16.1 iOS Default Screen Shot Caching Mechanism..................127
16.2 iOS UIPasteboard Caching.................. 130
16.3 iOS Cookie Storage..................132
16.4 iOS Keyboard Cache Storage.................. 134
16.5 iOS Device Logging .................. 137

Download Link

https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!


Post a comment







Remember personal info?