🛠️iOS Application Pentesting

iOS PT Mindmap

Requirements

Useful

  • Connect to device through usb

    • iproxy 2222 22

    • ssh -p 2222 root@localhost (default root password on a jailbroken device: alpine)

  • Extracting IPA from iOS

Reversing App

  • mv APP.ipa APP.zip

  • unzip APP.zip

  • mv Payload/App.app/* AppFiles/

  • Analyzing plist, json files

  • Dumping classes: class-dump-z APP > dump.txt

  • Reversing using Ghidra

  • Reversing using radare2

Framework

Flutter

  • reflutter -p file.ipa

  • jtool.ELF64 -S App for extracting _kDartIsolateSnapshotInstructions

  • Use reflutter-frida for hooking instruction (need output reflutter and above)

Dynamic Analysis

SSL Pinning Bypass

Binary Instrumentation

  • frida-ps -U

  • frida -U -n app_name -l script.js

  • frida -U -f bundleId -l script.js

  • frida-trace -m "*[ClassName methodName]"

    • frida-trace -U -f bundle_id -i "*cko*"

    • frida-trace -U YourApp -m "*[NSURL* *HTTP*]"

    • frida-trace -U -f bundleId -m "-[WebView load*]"

    • frida-trace -U -f BundleID -m "-[*WebView* *]"

  • Frida Script

// Hook read() and keep the file descriptor from onEnter so it is available in onLeave.
// 'libc.so' exists on Android only; on iOS the C library is libSystem.B.dylib,
// so passing null lets Frida resolve the export from any loaded module.
Interceptor.attach(Module.getExportByName(null, 'read'), {
	onEnter(args) {
		this.fileDescriptor = args[0].toInt32(); // int fd (first argument)
	},
	onLeave(retval) {
		if (retval.toInt32() > 0) { // read() returned bytes, not 0 (EOF) or -1 (error)
			/* do something with this.fileDescriptor */
		}
	}
});

  • objection

    • objection -g <bundle_id> explore

      • import script.js

Keychain

  • objection

    • ios keychain dump --json keychain_dump.json

Screen Mirroring

Tools

Resources
