Book Image

Learning iOS Penetration Testing

By : Swaroop Yermalkar
Book Image

Learning iOS Penetration Testing

By: Swaroop Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (17 chapters)
Learning iOS Penetration Testing
Foreword – Why Mobile Security Matters
About the Author
About the Reviewer

Keyboard cache capturing sensitive data

In iOS, your application's input text fields are logged unless secure flag is not set or autocorrect is not disabled. It's easy to retrieve all keystroke logs from a device. Therefore, the developers should be very careful with sensitive data input fields such as SSN, pin, and so on, so that it should not be captured.

We will perform this exercise on an iOS Simulator. Let's follow the given steps to view keyboard cache that captured sensitive data:

  1. Let's use the iGoat application on an iOS Simulator to demonstrate the vulnerability. Select the Keystroke Logging exercise from the Data Protection (Rest) category of an iGoat application:

  2. Fill the Subject and Message input field and then use the Send option:

  3. Now, check the simulator's Library folder that has the Keyboard directory:

  4. Open the dynamic-text.dat file using any text editor and you will observe our sensitive information is being captured in plain text:

The developers should set secure flag for all...