Book Image

Learning iOS Penetration Testing

By : Swaroop Yermalkar
Book Image

Learning iOS Penetration Testing

By: Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (17 chapters)
Learning iOS Penetration Testing
Credits
Foreword – Why Mobile Security Matters
About the Author
About the Reviewer
www.PacktPub.com
Preface
Index

Pentesting using iOS Simulator


There are many limitations while using simulator for iOS app pentesting. The most important limitation is that you cannot install the iTunes application on simulator as they are compiled for the ARM platform, which is used for iDevice.

Therefore, the basic requirement to conduct penetration test of an iOS app using simulator is that you should have the application's Xcode project. A client rarely shares their Xcode project as it's their intellectual property.

Therefore, only if you have an Xcode project, you can use the iOS Simulator to pentest with a limited scope.

You can access the iOS Simulator filesystem; set up proxy for it. Here, you will learn how to use the Cycript utility for an iOS Simulator that is used in dynamic analysis.

You can get Cycript from http://www.cycript.org/ and can directly run it from the command line using the #sudo ./Cycript command.

You can start the application in the simulator, get the PID of the app using the ps command. Once you...