Book Image

Learning iOS Penetration Testing

By : Swaroop Yermalkar
Book Image

Learning iOS Penetration Testing

By: Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (17 chapters)
Learning iOS Penetration Testing
Foreword – Why Mobile Security Matters
About the Author
About the Reviewer

SQL injection in iOS applications

Web app pentesters must be familiar with the SQL injection, where the user input is treated as arbitrary command due to the lack of input validation. The iOS applications using local storage are also vulnerable to injection attacks if the developers are not sanitizing/escaping user input. The danger here is that the attack is also possible on non-jailbroken devices and the local data can be corrupted, causing unpredictable behavior in the app when it is relying on this data.

We will use a vulnerable iGoat application to demonstrate this SQL injection attack on its local storage. The iGoat application's source code is available, so let's look into the code using Xcode. In other cases, when you just have binary, you can reverse engineer the application using the techniques mentioned in the upcoming chapters to view SQL queries and understand backend application logic.

If you take a look at the SQL query, it is as follows:

NSString *query = [NSString stringWithFormat...