Learning iOS Penetration Testing

By : Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system against attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with the basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.

Insecure storage in Core Data

Core Data is an object-relational mapping (ORM) framework that creates a layer between the user interface and the database. Developers prefer Core Data because it is faster in terms of record creation than the traditional SQLite format.

From a security point of view, these files are similar to SQLite, with the only difference being that the tables are prefixed with Z.

In this exercise, let's follow these steps to find the sensitive data that is stored in Core Data:

  1. We will use the Core Data.ipa iOS app for this exercise. Once you open the application, you will observe the following view:

  2. Let's insert a Username and Password and select the Register option:

  3. Now, the records are stored successfully. Let's see whether user credentials are stored securely or not:

  4. Now, download the Core Data application files from /var/mobile/Containers/Data/Application and open the CredentialManager.sqlite file using the SQLite browser:

You may have noticed all tables starting with prefix Z and credentials are...
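
The manual check in steps 3 and 4 can be scripted when auditing your own app's store. The following is an added example, not code from the book: it walks the Z-prefixed entity tables of a Core Data SQLite file and reports columns whose names suggest a secret and whose values are stored as readable text. The ZCREDENTIAL table, its columns and rows, and the name-hint list are constructed assumptions; pass a connection to the downloaded CredentialManager.sqlite to audit a real store.

```python
import re
import sqlite3

# Column-name hints that suggest a secret; an assumed list, extend it per app.
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.I)
BOOKKEEPING = {"Z_PK", "Z_ENT", "Z_OPT"}  # Core Data's own per-row columns


def build_sample_store():
    """Constructed stand-in for CredentialManager.sqlite (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR,
                                   Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY,
                                 Z_UUID VARCHAR, Z_PLIST BLOB);
        CREATE TABLE ZCREDENTIAL (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,
                                  Z_OPT INTEGER, ZUSERNAME VARCHAR,
                                  ZPASSWORD VARCHAR);
        INSERT INTO ZCREDENTIAL VALUES (1, 1, 1, 'alice', 'Winter2015!');
        INSERT INTO ZCREDENTIAL VALUES (2, 1, 1, 'bob', NULL);
    """)
    return db


def audit_store(db):
    """Return (table, column, readable_rows) for secret-looking text columns."""
    findings = []
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        # Entity tables are 'Z' + entity name; 'Z_' tables are Core Data metadata.
        if not table.startswith("Z") or table.startswith("Z_"):
            continue
        for _, col, *_ in db.execute(f'PRAGMA table_info("{table}")'):
            if col in BOOKKEEPING or not SENSITIVE.search(col):
                continue
            # Count rows whose value is stored as plain text (not NULL or BLOB).
            n = db.execute(
                f'SELECT COUNT(*) FROM "{table}" '
                f'WHERE typeof("{col}") = ? AND "{col}" != ?',
                ("text", "")).fetchone()[0]
            if n:
                findings.append((table, col, n))
    return findings


if __name__ == "__main__":
    for table, col, n in audit_store(build_sample_store()):
        print(f"{table}.{col}: {n} row(s) readable as plain text")
```

A finding here means the value belongs in the Keychain or must be protected before it is written to the store; an empty result only shows that no column matched the name hints, not that the store is free of sensitive data.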