Book Image

Learning iOS Penetration Testing

By : Swaroop Yermalkar
Book Image

Learning iOS Penetration Testing

By: Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (17 chapters)
Learning iOS Penetration Testing
Credits
Foreword – Why Mobile Security Matters
About the Author
About the Reviewer
www.PacktPub.com
Preface
Index

iOS MVC design


While creating Xcode project, you must have observed different files, such as storyboard, controller, and so on as shown in following screenshot. The iOS applications are based on the Model-View-Controller (MVC) design. This concept is really useful while performing dynamic analysis of an iOS application:

Following is a high-level diagram of the MVC design. It mainly has three components such as Model, View, and Controller. View and Model always communicate via Controller.

Let's take a sample application as shown in the following that takes user input as password, checks with the backend value, and displays whether the password is correct or incorrect.

  • View: View displays the information that is contained in the Model. The UIkit framework contains classes to draw typical interface elements such as tables (lists), buttons, textfields, sliders, and so on.

    Remember, View and Model do not communicate directly, they work via Controller. The following is the UI part of application that is nothing but View of application:

  • Model: Model contains the data. The Model objects obtain the data either from a database or the files that could be located locally or externally. The data can be obtained from hardcoded values or web services. Model also represents the logic that manipulates and processes the data, as follows:

    NSString *password =
    [NSStringstringWithFormat:@"secret_password"];

    Here secret_password is hardcoded value that is nothing but Model.

  • Controller: It acts as a mediator between Model and View. Now, here Enter Password is an action. So, whenever the user enters the password from View and hits enter, the request goes to Controller that checks the data in Model and if the password does not match, it informs the Controller and then Controller notifies it to View. Controller asks Model to validate the user password and once it gets the response from Model, it will notify the View whether the user has entered the correct password or not. Hence, View shows the Incorrect Password message, as shown in the following screenshot:

    Now, if the data entered in View matches with the data in Model, then the message will be displayed as follows:

So, if you have observed, all communication happens through Controller. Now you are proficient with some basics about iOS developments. Let's study iOS security concepts from basics.