Introduction
As a mobile application penetration tester, your primary objective is to identify security vulnerabilities on both iOS and Android platforms before malicious attackers can discover and exploit them.
Version: 8.5.0 - June 2025
iOS Testing
This guide covers iOS/iPadOS 13 – 17 application penetration testing. The techniques may also work on older iOS versions, but I do not usually perform testing activities on those older versions of iOS.
Apple Security Guide
With each major iOS release, Apple updates the Platform Security guide. This guide describes the overall implementation of security features - both hardware and software - for the latest release. To fully understand the security features of both the device and iOS, it is recommended that you read through the security guide.
The latest guide is located at: https://support.apple.com/en-ca/guide/security/welcome/web
OWASP Mobile Top 10 (2024)
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography
OWASP Mobile Testing Guide
OWASP produces a very good mobile application penetration testing guide. It covers both Android & iOS, and is frequently updated. For a more complete guide of testing procedures, I highly recommend that you use the OWASP guide during any testing engagements!
iOS Mobile Application Testing:
a. Static Analysis:
- Obtain the application binary (IPA file) from the App Store or the developer, if possible.
- Use static analysis tools like class-dump, Hopper, or commercial tools to disassemble the binary and review the application's code and resources.
- Look for sensitive data stored in code or resources, such as API keys, passwords, or private keys.
- Check for any insecure coding practices, hard-coded values, or clear text storage of sensitive data.
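The static checks above (hard-coded secrets in the binary or resources, insecure settings in the app's resources) can be scripted against the unpacked IPA. The following Python script is an added example, not part of the original guide: it builds a small constructed IPA in a temporary directory so it runs offline, then parses the bundle's Info.plist for App Transport Security exceptions and runs strings-style extraction plus secret-shaped regexes over every file in the archive. The bundle name, the key-shaped sample strings and the generic key=value pattern are constructed for the demo; the ATS keys (NSAppTransportSecurity, NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionAllowsInsecureHTTPLoads) are Apple's real Info.plist keys.

```python
"""Scan an iOS .ipa for hard-coded secrets and weak ATS settings.

Added example, not part of the original guide. A constructed IPA is written to
a temporary directory so the script runs offline; on an engagement point
scan_ipa() at the real IPA instead.
"""
import os
import plistlib
import re
import tempfile
import zipfile

# Secret-shaped patterns. The AWS access-key prefix and the PEM header are real
# formats; the generic key=value rule is a heuristic and needs tuning per app.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_pem": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{8,})"),
}


def printable_strings(data: bytes, min_len: int = 8):
    """Yield runs of printable ASCII, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.group(0)


def check_ats(info_plist: dict):
    """Return findings for App Transport Security exceptions in Info.plist."""
    findings = []
    ats = info_plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads=true)")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plaintext HTTP allowed for {domain}")
    return findings


def scan_ipa(path: str):
    """Walk every file in the IPA; return findings grouped by category."""
    findings = {"ats": [], "secrets": []}
    with zipfile.ZipFile(path) as ipa:
        for name in ipa.namelist():
            if name.endswith("/"):  # directory entry, nothing to read
                continue
            data = ipa.read(name)
            if name.endswith(".app/Info.plist"):
                findings["ats"] += check_ats(plistlib.loads(data))
            # Every file (binary, nib, json, ...) gets the strings + regex pass.
            for s in printable_strings(data):
                for label, pat in SECRET_PATTERNS.items():
                    if pat.search(s):
                        findings["secrets"].append((name, label, s.decode()))
    return findings


def build_demo_ipa(directory: str) -> str:
    """Constructed IPA for the demo: weak ATS config plus a fake Mach-O blob."""
    plist = {
        "CFBundleIdentifier": "com.example.demo",  # constructed bundle id
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSExceptionDomains": {
                "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True}},
        },
    }
    # Constructed "binary": non-printable header bytes with embedded strings.
    binary = (b"\x00\xfe\xed\xfa" + b"\x00" * 16
              + b"api_key=sk_test_1234567890abcdef\x00"  # constructed
              + b"AKIAEXAMPLEKEY000000\x00"               # constructed, key-shaped
              + b"Welcome to the demo app\x00")
    path = os.path.join(directory, "Demo.ipa")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(plist))
        z.writestr("Payload/Demo.app/Demo", binary)
    return path


def demo():
    """Build the constructed IPA and scan it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as d:
        return scan_ipa(build_demo_ipa(d))


if __name__ == "__main__":
    for category, items in demo().items():
        print(category)
        for item in items:
            print("   ", item)
```

Every regex hit still needs a human look: a build-time placeholder and a live production credential match the same pattern, so the value is confirmed against the backend (is it still valid, what can it reach) before it goes in the report.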
b. Dynamic Analysis:
- Run the application on an iOS device using tools like Frida.
- Monitor network traffic to identify if the app communicates securely and if any sensitive data is transmitted over insecure channels.
- Test for runtime vulnerabilities, such as insecure data storage or memory management issues.
- Identify potential areas for input validation and boundary testing.
c. Jailbreak and Root Detection:
- Test the application's response to jailbroken or rooted devices, as they may be more vulnerable to attacks.
- Check if the app has implemented any jailbreak or root detection mechanisms and analyze their effectiveness.
d. Secure Communication:
- Evaluate the implementation of secure communication protocols like TLS/SSL.
- Verify that the application enforces certificate pinning to prevent man-in-the-middle attacks.
e. Authentication and Authorization:
- Test the strength of user authentication mechanisms, including password policies and multi-factor authentication (if available).
- Check for authorization issues, ensuring users can only access their own data.
f. Data Storage:
- Assess the security of local data storage, ensuring sensitive data is encrypted and properly protected.
g. Code Review:
- Conduct a thorough manual code review, focusing on security-critical parts of the application.
- Look for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure data handling.
h. Business Logic Flaws:
- Analyze the application's business logic to identify any potential vulnerabilities or logic flaws.