🛠️iOS Application Pentesting

iOS PT Mindmap

Requirements

• sudo pip install frida-tools

• Setup libimobiledevice

Useful

• Connect to device through usb

  • iproxy 2222 22

  • ssh -p 2222 alpine/root@localhost

• Extracting IPA from iOS

  • frida-ios-dump

Reversing App

• mv APP.ipa APP.zip

• unzip APP.zip

• mv Payload/App.app/* AppFiles/

• Analyzing plist, json files

• Dumping classes class-dump-z APP > dump.txt

• Reversing using Ghidra

  • Ghidra Script

• Reversing using radare2

  • r2frida

Framework

Flutter

• reflutter -p file.ipa

• jtool.ELF64 -S App for extracting _kDartIsolateSnapshotInstructions

• Use reflutter-frida for hooking instruction (need output reflutter and above)

  • reflutter

Dynamic Analysis

SSL Pinning Bypass

• Flutter

  • flutter-script

  • frida-flutter-proxy

  • burp-flutter-proxy

Binary Instrumentation

• frida-ps -U

• frida -U -n app_name -l script.js

• frida -U -f bundleId -l script.js

• frida-trace -m "*[ClassName methodName]"

  • frida-trace -U -f bundle_id -i "*cko*"

  • frida-trace -U YourApp -m "*[NSURL* *HTTP*]"

  • `frida-trace -U -f bundleId -m "-[WebView load*]

  • frida-trace -U -f BundleID -m "-[*WebView* *]

• Frida Script

• objection

  • objection -g <bundle_id> explore

    • import script.js

Keychain

• objection

  • ios keychain dump --json keychain_dump.json

ScreenMirroring

• uxplay

Tools

• Some Useful Tools

• grapefruit

• objection

• class-dump-z

• Ghidra

• Hooper

• iproxy

• frida-cycript

• frida-ios-dump

• r2frida

Resources

• ios-penetration-testing-cheatsheet

• cycript

• OWASP MASTG

• Ghidra Reversing

• iOS Tampering and Reversing OWASP MASTG

• Hacktricks

• https://github.com/Dado1513/frida-mobile-scripts/tree/master

• Frida Script

  • Frida Code Share

  • Frida Mobile Script

  • frida.re

  • learnfrida.info

  • codeshare.frida.re

  • github.com/dweinstein/awesome-frida

  • github.com/interference-security/frida-scripts

• Flutter

  • Flutter Proxy Openvpn

  • Flutter Proxy Openvpn2