Book Image

Learning iOS Penetration Testing

By : Yermalkar
Book Image

Learning iOS Penetration Testing

By: Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (11 chapters)
10
Index

Pasteboard leaking sensitive information

When we copy/cut text in iOS, it goes in a buffer known as pasteboard. In iOS, pasteboard is a commonplace among all applications. If one application copies data on the pasteboard, other applications can also access it by reading the pasteboard. In iOS, there are three types of pasteboard, which are as follows:

  • General pasteboard: Used for generic copy and paste operations
  • Find pasteboard: Used for search operations
  • Custom pasteboard: Used for application specific copy/cut operations

So, developers should be very careful while allowing sensitive data to be copied. If an application is allowing sensitive data, such as SSN, pin, and so on, to be copied on the pasteboard, then other applications can also access this sensitive information.

Let's follow the given steps to demonstrate pasteboard data leakage vulnerability:

  1. Start the ContactDetails.ipa application and instead of entering the credit card number, paste it as shown in the following screenshot...