📄️ Transport Layer Security
App Transport Security (ATS)
📄️ Sensitive Data Disclosure
iOS apps routinely store information in SQLite databases or Property List (PLIST) files. This could include sensitive information such as credentials, session information, encryption keys, etc. It is always worthwhile to review every file in both the Bundle and Data directories to see what you can find.
📄️ Keyboard Caching
Generate text within the application, and then review the dynamic keyboard cache using strings or similar tools. Review all the .dat files since each iOS app can implement their own custom keyboards, which may store the cache in a different file.
📄️ Apple System Logs (ASL)
It is surprising how often a mobile app logs the actual credentials you use to log in to the app to the device syslog facility. The easiest way to review the logs is to use the Console app on your Mac, with the device connected via the USB cable. The app allows you to filter the output down to your app.
📄️ iOS Backups
iOS has a backup feature that copies the data on the device to either the host computer or iCloud. The backup functionality is initiated from iTunes (up to macOS Catalina) or from the Finder (from macOS Catalina and newer). The backup may include sensitive data that is on the device, and this should be checked at various stages of your testing.
📄️ iOS Local Server
Generally, iOS would not have an app that has an active service (listener) running on it. However, it is possible that an app is running its own web server in order to serve up content through a reverse proxy. This is rare, but does happen. During a penetration testing engagement, you should check whether the app accepts incoming connections.
📄️ Memory Dumps
There are many applications and scripts available to dump the process memory. The easiest way is to use the Fridump tool.
📄️ Filesystem Monitoring
Monitoring the file system is a good way of determining which files the app is writing to or reading from as it is being used. Reviewing the file system activity may point you to PLIST files or databases that you can review for sensitive information. Performing this tracing can easily be accomplished using the 'fsmon' utility.
📄️ Fuzzing Custom URL Schemes
A custom URL scheme provides the developer a way for users to access resources or functionality that are in the app. When a user taps a link with a custom URL scheme that the app has registered then that specific part of the app will be launched. Other apps can launch the app in the specific context of the URL scheme by crafting a link that will work in the source app (assuming the source app allows this).
📄️ Keychain Protection
iOS apps can use the Keychain APIs to store sensitive data, such as session tokens or passwords. The Keychain is a SQLite database on the device that can only be accessed through the Keychain APIs.
📄️ iOS Cryptography Monitoring
Cryptography is crucial to mobile application security, since a lot of attacks are based on a threat actor having physical access to the device. Cryptography includes Encryption/Decryption, Hashing, Message Authentication Codes (MACs), Signatures, and Key Derivation Functions (KDFs).
📄️ Data Protection
iOS and iPadOS leverage an API called "Data Protection" which is used to
📄️ Review App Session Cookies
Once you are logged into the mobile app, a session is established with the back-end server. This cookie data could be stored in a Cookies.binarycookies file or kept in the Keychain. Along with the session ID, this will also contain the cookie attributes, such as HttpOnly and Secure (among others).
📄️ App Snapshots
When the user presses the Home button on the iOS device, it places the current app into the background. To give the illusion of instantly reloading the app to the foreground, iOS takes a snapshot image of the running app. When the user re-opens the app, iOS displays this stored image first while it actually loads the app in the background. Once the app is fully open, the image disappears, and the user never knows the difference.
📄️ HTML Caching
Almost every iOS app communicates with a web server to perform transactions such as authentication or data retrieval. Apple makes setting up these connections fairly easy for the developer by providing the NSURLRequest API to handle HTTP requests. Unfortunately, this API caches the HTTP requests and responses by default, leaving them on the device.
📄️ iOS Universal Links
Universal links are another potential attack vector into an iOS app. Misconfigured URL parameters or malformed links could put the app data at risk. Additionally, overly permissive links could end up exposing more data than the developer anticipated. All universal links should be validated and tested for data leakage.
📄️ Pasteboard Leakage
Monitor pasteboards while using the application, copying and searching application data.
📄️ Biometrics Testing
Apple introduced biometrics in the iPhone 5S with the inclusion of Touch ID. Given the power that biometrics authentication would provide, Apple created a hardware-based key manager called the Secure Enclave Processor (SEP) to store this data.
📄️ Debugging iOS Apps
Woefully Incomplete...