# iOS Application Pentesting

## iOS PT Mindmap

### Requirements

* `sudo pip install frida-tools`
* Setup [libimobiledevice](https://github.com/libimobiledevice)

### Useful

* Connect to device through USB
  * `iproxy 2222 22`
  * `ssh -p 2222 root@localhost` (default password on a jailbroken device: `alpine`)
* Extracting IPA from iOS
  * [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump)

### Reversing App

* `mv APP.ipa APP.zip`
* `unzip APP.zip`
* `mv Payload/App.app/* AppFiles/`
* Analyzing `plist`, `json` files
* Dumping classes `class-dump-z APP > dump.txt`
* Reversing using Ghidra
  * [Ghidra Script](https://github.com/ghidraninja/ghidra_scripts)
* Reversing using radare2
  * [r2frida](https://github.com/nowsecure/r2frida)
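The "Analyzing `plist`, `json` files" step is usually done by eye. The script below is an added example (not part of this cheat sheet) that automates the first pass over the extracted `Payload/App.app/Info.plist`: it parses the plist with the standard library and reports the settings a reviewer checks first, namely App Transport Security exceptions, registered custom URL schemes, and USB file sharing. The `Info.plist` embedded here is constructed for demonstration.

```python
"""Triage an iOS Info.plist for security-relevant settings.

Added example for the plist-analysis step; not part of the original notes.
The sample plist below is constructed and does not come from a real app.
"""
import plistlib
from typing import List

# Constructed sample Info.plist for demonstration (not taken from a real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.demoapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
            </dict>
        </dict>
    </dict>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>demoapp</string>
            </array>
        </dict>
    </array>
    <key>UIFileSharingEnabled</key>
    <true/>
</dict>
</plist>
"""

# Minimum TLS versions that ATS would otherwise refuse.
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def triage_info_plist(data: bytes) -> List[str]:
    """Parse an Info.plist (XML or binary) and return one finding per weak setting."""
    plist = plistlib.loads(data)
    findings: List[str] = []

    # App Transport Security: the global switch and the per-domain exceptions.
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads = true)")
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"cleartext HTTP permitted for {domain}")
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"TLS below 1.2 permitted for {domain}")

    # Custom URL schemes: each one is an external entry point whose handler needs review.
    for url_type in plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(f"custom URL scheme registered: {scheme}://")

    # Documents/ directory exposed to desktop file sharing over USB.
    if plist.get("UIFileSharingEnabled"):
        findings.append("UIFileSharingEnabled = true (Documents/ exposed over USB file sharing)")
    return findings


def triage_info_plist_file(path: str) -> List[str]:
    """Convenience wrapper for the extracted Payload/App.app/Info.plist."""
    with open(path, "rb") as fh:
        return triage_info_plist(fh.read())


if __name__ == "__main__":
    for finding in triage_info_plist(SAMPLE_INFO_PLIST):
        print("-", finding)
```

Point `triage_info_plist_file()` at the `Info.plist` inside the unzipped IPA; `plistlib` reads both the XML and the binary plist format, so no `plutil` conversion is needed first.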

### Framework

#### Flutter

* `reflutter -p file.ipa`
* `jtool.ELF64 -S App` for extracting `_kDartIsolateSnapshotInstructions`
* Use [reflutter-frida](https://github.com/Impact-I/reFlutter/blob/main/frida.js) for hooking instructions (requires the reFlutter output from the steps above)
  * [reflutter](https://github.com/Impact-I/reFlutter)

### Dynamic Analysis

#### SSL Pinning Bypass

* Flutter
  * [flutter-script](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/)
  * [frida-flutter-proxy](https://github.com/hackcatml/frida-flutterproxy)
  * [burp-flutter-proxy](https://github.com/hackcatml/frida-flutterproxy)

#### Binary Instrumentation

* `frida-ps -U`
* `frida -U -n app_name -l script.js`
* `frida -U -f bundleId -l script.js`
* `frida-trace -m "*[ClassName methodName]"`
  * `frida-trace -U -f bundle_id -i "*cko*"`
  * `frida-trace -U YourApp -m "*[NSURL* *HTTP*]"`
  * `frida-trace -U -f bundleId -m "-[*WebView* load*]"`
  * `frida-trace -U -f BundleID -m "-[*WebView* *]"`
* Frida Script

```javascript
// Hook read(2). On iOS libc lives in libSystem.B.dylib, not libc.so,
// so resolve the export from that module.
Interceptor.attach(Module.getExportByName('libSystem.B.dylib', 'read'), {
  onEnter(args) {
    // `this` is per-call state shared with onLeave; keep the fd argument.
    this.fileDescriptor = args[0].toInt32();
  },
  onLeave(retval) {
    // retval is the number of bytes read (or -1 on error).
    if (retval.toInt32() > 0) {
      console.log(`read(fd=${this.fileDescriptor}) -> ${retval.toInt32()} bytes`);
    }
  }
});
```

* objection
  * `objection -g <bundle_id> explore`
    * `import script.js`

#### Keychain

* `objection`
  * `ios keychain dump --json keychain_dump.json`
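A dump is only useful once it is reviewed. The script below is an added example (not part of this cheat sheet or of objection) that reads the JSON written by `ios keychain dump --json keychain_dump.json` and flags items whose protection does not match their sensitivity: items readable while the device is locked, items that migrate to other devices via encrypted backup, and credential-like items with no access-control gate. The field names used (`accessible_attribute`, `access_control`, `account`, `service`, `label`) are assumed to match objection's export and should be adjusted if your dump differs; the sample dump is constructed.

```python
"""Triage an objection keychain dump (ios keychain dump --json).

Added example, not part of the original notes or of objection. Field names are
assumed to follow objection's JSON export; the sample dump is constructed.
"""
import json
from typing import Dict, List

# Accessibility classes that let the item be read while the device is locked.
READABLE_WHEN_LOCKED = {
    "kSecAttrAccessibleAlways",
    "kSecAttrAccessibleAlwaysThisDeviceOnly",
}
# Readable once the device has been unlocked once since boot, even if locked again.
READABLE_AFTER_FIRST_UNLOCK = {
    "kSecAttrAccessibleAfterFirstUnlock",
    "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
}
# Substrings that suggest an item holds a credential rather than a preference.
SECRET_HINTS = ("token", "password", "passwd", "secret", "session", "refresh", "key", "cred")

# Constructed sample dump; field names assumed to match objection's JSON export.
SAMPLE_DUMP = json.dumps([
    {"item_class": "kSecClassGenericPassword", "service": "com.example.demoapp",
     "account": "session_token", "accessible_attribute": "kSecAttrAccessibleAlways",
     "access_control": "", "data": "constructed-session-token-value"},
    {"item_class": "kSecClassGenericPassword", "service": "com.example.demoapp",
     "account": "refresh_token",
     "accessible_attribute": "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
     "access_control": "", "data": "constructed-refresh-token-value"},
    {"item_class": "kSecClassGenericPassword", "service": "com.example.demoapp",
     "account": "ui_theme",
     "accessible_attribute": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
     "access_control": "", "data": "dark"},
    {"item_class": "kSecClassGenericPassword", "service": "com.example.demoapp",
     "account": "device_key",
     "accessible_attribute": "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
     "access_control": "kSecAccessControlUserPresence", "data": "constructed-key-material"},
])


def looks_like_secret(item: Dict) -> bool:
    """Heuristic: does the item's naming suggest it stores a credential?"""
    haystack = " ".join(str(item.get(k, "")) for k in ("account", "service", "label")).lower()
    return any(hint in haystack for hint in SECRET_HINTS)


def classify_item(item: Dict) -> List[str]:
    """Return the protection weaknesses of one keychain item (empty if none)."""
    issues: List[str] = []
    accessible = item.get("accessible_attribute") or ""
    if accessible in READABLE_WHEN_LOCKED:
        issues.append("readable while the device is locked (kSecAttrAccessibleAlways*)")
    elif accessible in READABLE_AFTER_FIRST_UNLOCK:
        issues.append("readable after first unlock, including while locked")
    if accessible and not accessible.endswith("ThisDeviceOnly"):
        issues.append("not ThisDeviceOnly: restored to other devices from an encrypted backup")
    if looks_like_secret(item) and not item.get("access_control"):
        issues.append("credential-like item with no access control (no passcode/biometric gate)")
    return issues


def triage_keychain_dump(raw_json: str) -> Dict[str, List[str]]:
    """Map 'service/account' to its issues for every item that has at least one."""
    report: Dict[str, List[str]] = {}
    for item in json.loads(raw_json):
        issues = classify_item(item)
        if issues:
            report[f"{item.get('service', '?')}/{item.get('account', '?')}"] = issues
    return report


if __name__ == "__main__":
    for name, issues in triage_keychain_dump(SAMPLE_DUMP).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run it as `triage_keychain_dump(open("keychain_dump.json").read())` after the objection dump; the expected outcome for credentials is a `WhenUnlocked*` or `WhenPasscodeSet*` class, ideally with an access-control flag set.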

#### Screen Mirroring

* [`uxplay`](https://github.com/antimof/UxPlay)

### Tools

* [Some Useful Tools](https://github.com/MobSF/Mobile-Security-Framework-MobSF/tree/master/mobsf/StaticAnalyzer/tools/ios)
* [grapefruit](https://github.com/ChiChou/grapefruit)
* [objection](https://github.com/sensepost/objection)
* [class-dump-z](https://mas.owasp.org/MASTG/tools/ios/MASTG-TOOL-0044/)
* [Ghidra](https://github.com/NationalSecurityAgency/ghidra)
* [Hopper](https://www.hopperapp.com/)
* [iproxy](https://mas.owasp.org/MASTG/tools/ios/MASTG-TOOL-0055/)
* [frida-cycript](https://github.com/nowsecure/frida-cycript)
* [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump)
* [r2frida](https://github.com/nowsecure/r2frida)

### Resources

* [ios-penetration-testing-cheatsheet](https://github.com/ivan-sincek/ios-penetration-testing-cheat-sheet)
* [cycript](https://www.cycript.org/)
* [OWASP MASTG](https://github.com/OWASP/owasp-mastg)
* [Ghidra Reversing](https://github.com/ivRodriguezCA/RE-iOS-Apps/blob/master/Module-3/README.md#disassembling-and-decompiling-the-binary---ghidra)
* [iOS Tampering and Reversing OWASP MASTG](https://github.com/boblone19/OWASP-MSTG/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md)
* [Hacktricks](https://book.hacktricks.wiki/en/mobile-pentesting/ios-pentesting/index.html)
* <https://github.com/Dado1513/frida-mobile-scripts/tree/master>
* Frida Script
  * [Frida Code Share](https://codeshare.frida.re/browse)
  * [Frida Mobile Script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/tree/master)
  * [frida.re](https://frida.re/docs/home)
  * [learnfrida.info](https://learnfrida.info)
  * [codeshare.frida.re](https://codeshare.frida.re)
  * [github.com/dweinstein/awesome-frida](https://github.com/dweinstein/awesome-frida)
  * [github.com/interference-security/frida-scripts](https://github.com/interference-security/frida-scripts)
* Flutter
  * [Flutter Proxy Openvpn](https://busk3r.medium.com/intercept-traffic-of-proxy-unaware-applications-in-burpsuite-eeb1ac329a87)
  * [Flutter Proxy Openvpn2](https://medium.com/@meshal_/pentesting-non-proxy-aware-mobile-applications-65161f62a965)
