Web app pentesters must be familiar with the SQL injection, where the user input is treated as arbitrary command due to the lack of input validation. The iOS applications using local storage are also vulnerable to injection attacks if the developers are not sanitizing/escaping user input. The danger here is that the attack is also possible on non-jailbroken devices and the local data can be corrupted, causing unpredictable behavior in the app when it is relying on this data.
We will use a vulnerable iGoat application to demonstrate this SQL injection attack on its local storage. The iGoat application's source code is available, so let's look into the code using Xcode. In other cases, when you just have binary, you can reverse engineer the application using the techniques mentioned in the upcoming chapters to view SQL queries and understand backend application logic.
If you take a look at the SQL query, it is as follows:
NSString *query = [NSString stringWithFormat...