Book Image

Learning iOS Penetration Testing

By : Yermalkar
Book Image

Learning iOS Penetration Testing

By: Yermalkar

Overview of this book

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This book will show you how to conduct a wide range of penetration tests on iOS devices to uncover vulnerabilities and strengthen the system from attacks. Learning iOS Penetration Testing discusses the common vulnerabilities and security-related shortcomings in an iOS application and operating system, and will teach you to conduct static and dynamic analysis of iOS applications. This practical guide will help you uncover vulnerabilities in iOS phones and applications. We begin with basics of iOS security and dig deep to learn about traffic analysis, code analysis, and various other techniques. Later, we discuss the various utilities, and the process of reversing and auditing.
Table of Contents (11 chapters)
10
Index

Analyzing code by reverse engineering


Many times, an application makes the mistake of storing sensitive API keys and encryption keys at client side. After reverse engineering the iOS application, we can look in the source code for sensitive keys, application logic, and other such aspects.

In the iGoat application, there is an exercise of String Analysis where you have to find the answer to the riddle that lies in the source code and input it in the box to complete the challenge.

Follow these steps to perform string analysis:

  1. Start the Reverse Engineering exercise from the iGoat application. It will prompt you with a window to answer the riddle:

  2. If you provide the wrong answer to the riddle, it will show you an Incorrect! error and suggest you to look for hints:

  3. You can reverse engineer the iOS application using methods that you learned earlier and perform string analysis using the string command.

  4. Another way could be to use the Hopper Disassembler. Provide the application's decrypted binary to...