iOS Penetration Testing - what you need to know

source link: https://itwire.com/guest-articles/ios-penetration-testing-what-you-need-to-know.html

Wednesday, 10 November 2021 09:32

By Guest Writer

GUEST OPINION: In today’s mobile security world, it is often assumed that the iOS environment requires minimal security interventions due to the closed system of Apple limiting access to the public. However, this doesn’t completely negate the possibility of hacking attempts. Therefore, one of the methods for ensuring application security is the iOS penetration testing procedure.

The first step in iOS penetration testing is to understand why pentesting is important and how it can help you secure your iOS app. It will help you enforce application security by evaluating the mobile and web applications and their associated APIs for any hidden security vulnerabilities. Since the mobile market has the iOS operating system as the dominant player, it's important to detect and exploit possible attack vectors for resolution.

The Different Aspects of iOS Penetration Testing

To make the pentesting process seamless, it is recommended that you define the scope of the penetration test. There are also several aspects every tester must keep in mind before proceeding with the iOS penetration testing procedure. Here are some of these aspects:

1. The iOS architecture

The iOS architecture is a series of predefined system interfaces that connect to the different hardware available within the mobile device for smoother operation of the application. The Core OS layer sits directly on top of the hardware, at the bottom of the iOS stack, and provides the basis for further iOS features. This includes networking, low-level access to external accessories, and the primary features of a basic OS, including memory, threads, and file handling.

Above this, the Core Services layer builds on the functions provided by the Core OS, such as fundamental access to other iOS services. The Cocoa Touch layer allows access to different libraries for programming most iOS devices such as the iPhone, while the Media layer opens up multimedia services such as graphics, audio, and video technologies within the phone. The developer can use the Media layer to work on pictures, graphics, animations, etc.

2. IPA file structure

We can observe the structure of an IPA file by giving it the .zip extension and opening it as an archive. Usually, these files include the Info.plist file, which holds configuration details including the version number, application display name, and bundle ID. There are also the frameworks (the dynamic libraries available), the app binary (the unreadable file with the application source code in compiled form), and the certificates.
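The inspection described above can be scripted. This is an added example, not code from the original article: it uses only Python's standard library, and the in-memory sample IPA, the bundle ID `com.example.demo` and the function names are constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

APP_ROOT = re.compile(r"Payload/[^/]+\.app/")
MACHO_MAGICS = {b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}  # 32-bit, 64-bit, fat

def inspect_ipa(ipa):
    """Summarise the IPA parts named above; `ipa` is a path or a file object."""
    with zipfile.ZipFile(ipa) as zf:
        names = zf.namelist()
        roots = {m.group(0) for m in map(APP_ROOT.match, names) if m}
        if len(roots) != 1:
            raise ValueError("expected exactly one Payload/<name>.app bundle")
        root = roots.pop()
        # Info.plist can be XML or binary; plistlib.loads detects the format.
        info = plistlib.loads(zf.read(root + "Info.plist"))
        fw_prefix = root + "Frameworks/"
        frameworks = sorted({n[len(fw_prefix):].split("/")[0] for n in names
                             if n.startswith(fw_prefix) and len(n) > len(fw_prefix)})
        exe = info.get("CFBundleExecutable", "")
        # Only the first four bytes are needed to recognise a Mach-O header.
        head = zf.read(root + exe)[:4] if exe and root + exe in names else b""
        return {
            "bundle_id": info.get("CFBundleIdentifier"),
            "display_name": info.get("CFBundleDisplayName"),
            "version": info.get("CFBundleShortVersionString"),
            "executable": exe,
            "executable_is_macho": head in MACHO_MAGICS,
            "frameworks": frameworks,
            "has_code_signature": root + "_CodeSignature/CodeResources" in names,
            "has_provisioning_profile": root + "embedded.mobileprovision" in names,
        }

def build_sample_ipa():
    """Constructed sample: a minimal in-memory IPA, not a real application."""
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleDisplayName": "Demo",
            "CFBundleShortVersionString": "1.2.0", "CFBundleExecutable": "Demo"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        base = "Payload/Demo.app/"
        zf.writestr(base + "Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr(base + "Demo", b"\xcf\xfa\xed\xfe")  # Mach-O 64-bit magic only
        zf.writestr(base + "Frameworks/Net.framework/Net", b"")
        zf.writestr(base + "_CodeSignature/CodeResources", b"")
        zf.writestr(base + "embedded.mobileprovision", b"")
    return buf
```

Calling `inspect_ipa(build_sample_ipa())` returns the summary for the constructed sample; passing a path to an IPA you are authorised to assess works the same way.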

3. Initiating jailbreak

For these simulated attack situations, a jailbreak lifts the user restrictions set on the device by the company, essentially nullifying the warranty on the device. There are free tools available online that let you know the kind of jailbreak suited for the iOS version on the device, which can be initiated using Windows, Mac, or Linux.

The untethered jailbreak is permanent and remains in effect even after the device is rebooted. The tethered jailbreak, on the other hand, is temporary and is undone when the device is rebooted. There are also the semi-tethered jailbreak and the semi-untethered jailbreak.

The former involves the lack of a patched kernel, meaning that while the device can start on its own, it will not be able to run any code modifications. The latter also allows the device to boot independently with no changes in the startup sequence, so that it goes back to its non-jailbroken state. However, in this method, the user can jailbreak again by simply using the app that's on the device. Some of the tools used for jailbreaking include Phoenix, Home Depot, and unc0ver.

4. The lab setup

Corellium is the only publicly available iOS emulator and offers a free trial before the service has to be paid for. It is used to test the vulnerabilities in iOS applications such as DVIA and iGoat.

5. The iOS application sandbox

Once applications are installed within the Apple device, the sandboxing features allow them to set up local databases to keep them differentiated from other applications. In this manner, each application gains its own sandbox to avoid conflicts from data stored on the hard drive. The three types of sandboxes in an Apple device are the pre-installed app directory, bundle directory, and data directory. 

Pre-installed applications come with their own app files stored in the directory while the Bundle directory (“IPA container”) has files belonging to the apps downloaded from the Apple store as well as other locations. Each application’s version has a specific set of files stored in each directory. 

Finally, the Data Directory or the “Local Data Storage Container” contains files according to the developer’s wishes. This could be files related to storing cached information for immediate access or any offline data that allows the app to resume quickly by functioning as a backup. 

6. Useful tools

Some of the useful tools for penetration testing include Objection (runtime hooking of iOS apps), plutil (a plist viewer), MobSF (a dynamic and static analysis scanning tool), otool (a tool for displaying object files), and Darwin CC Tools (able to audit Mach-O files). Testers use these tools to automate parts of their work, which makes testing quicker and widens its scope.

Summing Up...

These are some of the aspects that need to be kept in mind when embarking on an iOS penetration testing process, both for amateurs and experts. Following this, a bit of contextualization helps set the tone for a successful pentest. 
