Book Image

Learning iOS Penetration Testing

By : Swaroop Yermalkar
Book Image

Learning iOS Penetration Testing

By: Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (17 chapters)
Learning iOS Penetration Testing
Foreword – Why Mobile Security Matters
About the Author
About the Reviewer

Insecure storage in SQLite database

As we already studied, the iOS application interacts with local system in order to store persistent/temporary data and SQLite is the most preferred format to store persistent data.

Unless you are using encrypted variant of SQLite, the data stored in simple SQLite file is not secure. An attacker having access to the SQLite file can view its contents using any SQLite client.

Let's follow the given steps to find the insecure storage in SQLite files:

  1. Start the Insecure Local Storage exercise from iGoat and it will look as follows:

  2. Enter the credentials and select the Login option:

  3. Download application files from /var/mobile/Containers/Data/Application and navigate to the Documents folder in order to see the contents of the credentials.sqlite file.

  4. You can see the user's credentials stored in plain text, as shown in the following screenshot:

So the developers should never use simple SQLite files to store sensitive data. You can make use of SQLCipher to encrypt the...