Book Image

Learning iOS Penetration Testing

By : Yermalkar
Book Image

Learning iOS Penetration Testing

By: Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (11 chapters)
10
Index

Insecure data in the plist files


The plist files are convenient to use and can be used to store standard data types, such as integer, strings, and so on. Many times a developer makes the mistake of saving sensitive information in plist. Many top companies' iOS app had mistakenly stored users' credentials/pin in the plist files in their earlier versions.

An attacker can easily look into these plist files for sensitive information.

We will use the ContactDetails.ipa iOS app that is provided with the code bundle of this chapter in order to demonstrate this vulnerability. Let's follow the given steps in order to identify the insecure storage vulnerability in the given iOS app:

  1. Start the ContactDetails app and you will observe various fields, such as name, credit card number, CVV, and password, as shown in the following screenshot:

  2. Fill up all the details and use the Save option. All of the earlier information such as credit card number and CVV is sensitive financial information and is supposed to...