Book Image

Learning iOS Penetration Testing

By : Swaroop Yermalkar
Book Image

Learning iOS Penetration Testing

By: Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (17 chapters)
Learning iOS Penetration Testing
Credits
Foreword – Why Mobile Security Matters
About the Author
About the Reviewer
www.PacktPub.com
Preface
Index

Web API attack demo


You studied how to intercept iOS application traffic in iDevice or iOS Simulator over HTTP and HTTPS. However, what's next with this setup? What could be the possible attack vectors after intercepting the traffic? The answer is that all attacks are applicable for web applications. I will encourage you to go through OWASP Top 10 Web Application Risks in order to understand various attack vectors, if you are not familiar with web app pentesting.

Let's study a simple brute force attack. Consider an iOS application that has login functionality and communicates with backend web APIs to check whether the provided login credentials are valid or not. The following steps will help you in understanding a web application attack such as the brute force for iOS application, which uses web API for login:

  1. Let's assume an iOS application that has the login page. Once the user enters the credentials, it is checked with the backend web API components and then the user gets logged in if a...