Later this month I will be presenting a talk on iOS applications auditing at EUSecWest in Amsterdam. Here is an overview of this talk.
Mobile applications security is becoming a bigger concern every day and it is not only an idea taken out of some Gartner’s quadrant, this is something we see every day as penetrations testers.
This presentation aims at sharing experience and knowledge in iOS applications pentesting. The first step will be to quickly review the iOS environment, including the ARM platform, the simulator and how applications could be distributed. Before explaining how to find bugs, people have, obviously, to know what to look for. This is why the most common flaws impacting third-party iOS applications will be presented.
After this introduction, we will dig into the main subject. The first thing an auditor should do is set-up his working environment, ie. "should we use the simulator, a jailbroken device or is Apple providing useful tools?" Then we will present how to do a recon on an application using its companion files, including configuration files, bundles, etc. As some applications are using the KeyChain to store information, we will also explain how to recover those. The next part related to more or less the passive analysis of applications will be the communication channel between the application and a possible web-service.
The passive analysis part will be followed by some reverse engineering technics to dig deeper into an application’s internals. The first part will be dealing with static analysis, answering questions like "how to extract class definitions?" and "where are all the xrefs!?". The last part will be dealing with dynamic analysis which can be pretty useful for let’s say you want to manipulate the messages sent to a web-services but they are encrypted the data with an additional layer and not just SSL. We will view how to do that using GDB and bundles injection.