Book Image

Learning iOS Penetration Testing

By : Yermalkar
Book Image

Learning iOS Penetration Testing

By: Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (11 chapters)
10
Index

Insecure storage in the NSUserDefaults class

As per the Apple documentation, NSUserDefaults is used for customization as per the user's preferences. Many times, the developer uses the NSUderDefaults format to store sensitive information.

We will use the iGoat app to demonstrate this vulnerability. Follow the given steps to reveal sensitive information that is stored in NSUserDefaults:

  1. Start the iGoat iOS application and select the Keychain Usage exercise:
    Insecure storage in the NSUserDefaults class
  2. You can keep default values or customize them and then use the Login option:
    Insecure storage in the NSUserDefaults class
  3. Let's download iGoat application files from /var/mobile/Containers/Data/Application using SFTP and then navigate to Library | Preferences and you will observe the com.krvw.iGoat.plist file. Open the file using the Vim editor and you will see the data in binary, which is not in human-readable format:
    Insecure storage in the NSUserDefaults class
  4. Let's convert the binary file into the XML format so that we can read its contents. You can use the plutil utility to convert the binary file into the XML...