iOS Application Pentesting

iOS PT Mindmap

Requirements

• sudo pip install frida-tools

• Setup

Useful

• Connect to device through usb

  • iproxy 2222 22

  • ssh -p 2222 alpine/root@localhost

• Extracting IPA from iOS

Reversing App

• mv APP.ipa APP.zip

• unzip APP.zip

• mv Payload/App.app/* AppFiles/

• Analyzing plist, json files

• Dumping classes class-dump-z APP > dump.txt

• Reversing using Ghidra

• Reversing using radare2

Framework

Flutter

• reflutter -p file.ipa

• jtool.ELF64 -S App for extracting _kDartIsolateSnapshotInstructions

Dynamic Analysis

SSL Pinning Bypass

• Flutter

Binary Instrumentation

• frida-ps -U

• frida -U -n app_name -l script.js

• frida -U -f bundleId -l script.js

• frida-trace -m "*[ClassName methodName]"

  • frida-trace -U -f bundle_id -i "*cko*"

  • frida-trace -U YourApp -m "*[NSURL* *HTTP*]"

  • `frida-trace -U -f bundleId -m "-[WebView load*]

  • frida-trace -U -f BundleID -m "-[*WebView* *]

• Frida Script

Interceptor.attach(Module.getExportByName('libc.so', 'read'), { 
	onEnter(args) { 
		this.fileDescriptor = args[0].toInt32(); 
	}, 
	onLeave(retval) { 
		if (retval.toInt32() > 0) { 
			/* do something with this.fileDescriptor */ 
		} 
	} 
});

• objection

  • objection -g <bundle_id> explore

    • import script.js

Keychain

• objection

  • ios keychain dump --json keychain_dump.json

ScreenMirroring

Tools

Resources

• https://github.com/Dado1513/frida-mobile-scripts/tree/master

• Frida Script
• Flutter