Book Image

Learning iOS Penetration Testing

By : Swaroop Yermalkar
Book Image

Learning iOS Penetration Testing

By: Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (17 chapters)
Learning iOS Penetration Testing
Foreword – Why Mobile Security Matters
About the Author
About the Reviewer

Data leakage via application screenshot

One of the features of iOS is that it takes a screenshot of the application when it moves into the background. An attacker having physical access to the system can easily access this screenshot and view sensitive information contained in it.

Let's follow the given steps to demonstrate the side channel data leakage vulnerability:

  1. Download the ContactDetails.ipa iOS app provided with the code bundle of this chapter. It has various fields such as name, credit card number, CVV, and so on. Enter data in all these fields and background the app:

  2. Download application files and go to the application's Library directory that has the Snapshots subfolder:

  3. Open this image using any image viewer tool and you will observe the victim's sensitive financial information, such as credit card number, CVV, and so on, in plain text:

  4. You can also perform this task using tools such as idb. Start the idb tool and make sure that you have installed all the prerequisites:

  5. It has the...