mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [master] 456 pages modified
This commit is contained in:
parent
fed0f5f23b
commit
92b3947a84
@ -1,6 +1,8 @@
# iOS Pentesting
## Privilege Separation and Sandbox
## iOS Basics
### Privilege Separation and Sandbox
Applications the user can access run as the **mobile** user while critical system processes run as **root**.
However, the sandbox allows better control over actions that processes and applications can perform.
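Review bot: in the new `### Privilege Separation and Sandbox` paragraph the second sentence opens with "However," but nothing in the first sentence is being contrasted; the sandbox is an additional control layered on top of the mobile/root split, not an exception to it. Suggest "In addition, every third-party app runs inside a sandbox that restricts which files, IPC endpoints and system services it can reach, regardless of the user it runs as." The demotion of the heading from `##` to `###` under the new `## iOS Basics` is consistent with the rest of this commit, but any existing anchor links to `#privilege-separation-and-sandbox` should be re-checked since the rendered anchor now sits at a different depth.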
@ -27,7 +29,18 @@ For decrypting the file, the **metadata is decrypted using the system's key**. T
\*\*\*\*[**FileDP**](https://github.com/abjurato/FileDp-Source) is a program that you can upload and use inside the IPhone to **inspect the data protection class** of each file.
## Jailbreaking
### Apple Developer Program
A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**.
Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ \(Add new Appli ID you your credentials\) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ \(Apple Development\) --> _Done_
Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**".
Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**.
The provisioning profiles are stored inside the phone in **`/Library/MobileDevice/ProvisioningProfiles`**
### Jailbreaking
Apple strictly requires that the code running on the iPhone must be **signed by a certificate issued by Apple**. **Jailbreaking** is the process of actively **circumventing such restrictions** and other security controls put in places by the OS. Therefore, once the device is jailbroken, the **integrity check** which is responsible for checking apps being installed is patched so it is **bypassed**.
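Review bot: the `\*\*\*\*` in front of the `[**FileDP**]` link is an escaped-asterisk artifact of the GitBook export and renders as four literal asterisks; drop it. The `### Apple Developer Program` text moved into this hunk carries its typos with it and they should be fixed here: `associated an Apple developer account` → `associated with an Apple developer account`, `99$/year` → `$99/year`, `Add new Appli ID you your credentials` → `Add new Apple ID with your credentials`, and `but and error will appear` → `but an error will appear`. Also, what the paragraph calls a "provisioning identity ... collection of public and private keys" is Apple's signing identity (the developer certificate plus its private key); the provisioning profile, which the last line of the hunk locates at `/Library/MobileDevice/ProvisioningProfiles`, is a separate Apple-signed plist that binds that certificate to an App ID, entitlements and (for development) a list of device UDIDs. The two terms are conflated here and the sentence should name the signing identity.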
@ -49,12 +62,22 @@ Note also that updating the OS removes the effect of jailbreaking.**
**In order to jailbreak a device you can use the exploit provided in** [**https://checkra.in/**](https://checkra.in/)\*\*\*\*
### **After Jailbreaking**
#### **After Jailbreaking**
* Install **Cydia**
* In the Cydia main page you can access user guides like how to **enable SSH** and how to **change root and mobile users password. Follow them.**
## **Simulator**
**Jailbreak Checks**
* After jailbreaking an iOS **files and folders are usually installed**, these can be searched to determine if the device is jailbroken.
* In a jailbroken device applications get **read/write access to new files** outside the sandbox
* Some **API** **calls** will **behave differently**
* The presence of the **OpenSSH** service
* Calling `/bin/sh` will **return 1** instead of 0
**More information** [**here**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.**
### **Simulator**
All the tools required to build and support an iOS app are **only officially supported on Mac OS**.
Apple's de facto tool for creating/debugging/instrumenting iOS applications is **Xcode**. It can be used to download other components such as **simulators** and different **SDK** **versions** required to build and **test** your app.
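Review bot: `**Jailbreak Checks**` replaces the old `## Simulator` heading with a bold line instead of a heading, so it disappears from the page outline and is inconsistent with its sibling `#### After Jailbreaking`; make it `#### Jailbreak Checks` (or `###`, matching whatever level `### Simulator` ends up at). In the list itself, `Calling /bin/sh will return 1 instead of 0` is garbled: the check being described is `system(NULL)`, which returns non-zero when a command interpreter (`/bin/sh`) is available, as it is after a jailbreak, and 0 on stock iOS where there is no shell. Also remove the trailing `\*\*\*\*` after the checkra.in link and write `Mac OS` as `macOS` in the Simulator paragraph.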
@ -84,18 +107,7 @@ However, surprisingly you won't find the application here. You need to access `/
And in this folder you can **find the package of the application.**
## Apple Developer Program
A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**.
Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ \(Add new Appli ID you your credentials\) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ \(Apple Development\) --> _Done_
Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**".
Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**.
The provisioning profiles are stored inside the phone in **`/Library/MobileDevice/ProvisioningProfiles`**
## Objective-C and Swift Basics
### Objective-C and Swift Basics
**Objecttive-C** has a **dynamic runtime**, so when an Objective-C program is executed in iOS, it calls libraries whose **address are resolved at runtime** by comparing the name of the function sent in the message against a list of all the function names available.
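Review bot: the `## Apple Developer Program` block removed here is the same text re-added under `## Jailbreaking` in the earlier hunk, so this is a move, not a deletion; the typos in it (`associated an`, `Appli ID you your credentials`, `but and error`) survive the move and need fixing at the new location. In the retained `### Objective-C and Swift Basics` paragraph, `Objecttive-C` → `Objective-C`, and the description of late binding would be more precise as: every method call compiles to `objc_msgSend(receiver, selector, ...)`, and the runtime looks the selector up in the receiver's class method table at call time, which is why method and class names stay in the binary as strings (e.g. in `__objc_methname`) and can be listed during static analysis.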
@ -103,6 +115,21 @@ At the beginning, only apps created by Apple run the iPhones, so they had **acce
Then, Swift appeared. As **Swift is statically bound** \(it doesn't resolve the address of the functions in runtime like Objective-C\), it can be checked more easily the calls a Swift program is going to make via static code analysis.
### Device Management
From iOS version 6, there is **built-in support for device management** capability with fine grain controls that allows an organisation to control the corporate apple devices.
The enrolment can be **initiated by the user installing an agent** in order to access the corporate apps. In this case the device usually belongs to the user.
Or the **company can indicate the serial numbers** of the bought devices or the purchase order ID and specify the MDM profile to install on those devices. Note that Apple **doesn't allow to enrol a particular device this way twice**. Once the first profile is deleted the user needs to give consent to install another one.
The user can see the installed policies in _**Settings**_ --> _**General**_ --> _**Profile and Device Management**_
As these MDM policies are checking and limiting other applications, they are **running with more privileges**.
A MDM policy can **enforce** **users** to have a **passcode** set with a **minimun** password **complexity**.
The profiles are tied to the deviceID, **signed** and **encrypted** by the MDM server and **tamper** **proof**. They **cannot** be **removed** without **losing** all the **corporate** **data**.
MDM profiles allow to **wipe** all the **data** if there are X **failed** password **attempts**. Also, the **admin** can **remote** **wipe** the iPhone whenever via the MDM interface.
MDM agents will **check** also for **possible jailbreaks of the device**, as this is very dangerous state for an iPhone.
## Obfuscation
Unlike an Android Application, the binary of an iOS app **can only be disassembled** and not decompiled.
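Review bot: `Swift is statically bound` overstates the point: the compiler dispatches statically only where it can prove the target (final, private or struct methods, specialised generics); non-final class methods go through a vtable, `@objc`/`dynamic` members go through the Objective-C runtime, and protocol calls go through witness tables, so static analysis of a Swift binary still has indirect calls to resolve. Suggest "Swift favours static dispatch" plus that caveat. In the new `### Device Management` section: `fine grain` → `fine-grained`, `minimun` → `minimum`, and `They cannot be removed without losing all the corporate data` should be qualified, since a user-enrolled MDM profile can be removed from Settings (unenrolling the device and removing the managed apps and their data); only profiles installed through Automated Device Enrollment on a supervised device can be made non-removable. Finally, `the binary of an iOS app can only be disassembled and not decompiled` is wrong as written: Hopper and IDA, cited further down the page, both produce pseudo-C from the ARM64 code. What the sentence means is that, unlike an Android APK's DEX bytecode, there is no intermediate representation that maps back to the original source.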
@ -180,7 +207,9 @@ However, you can use tools like [**MachOView**](https://sourceforge.net/projects
You can use tools like [**Clutch**](https://github.com/KJCracks/Clutch) to automatically remove the encryption and an app.
## IPA Reversing
## Static Analysis
### IPA Reversing
`.ipa` files are **zipped** **packages**, so you can change the extension to `.zip` and **decompress** them. A **complete** **packaged** app ready to be installed is commonly referred to as a **Bundle**.
After decompressing them you should see `<NAME>.app` , a zipped archive that contains the rest of the resources.
@ -193,7 +222,7 @@ After decompressing them you should see `<NAME>.app` , a zipped archive that con
There are multiple ways to define the UI in an iOS application: _storyboard_, _nib_ or _xib_ files.
### Binary
#### Binary
Inside the `<application-name>.app` folder you will find a binary file called `<application-name>`. This is the file that will be **executed**. You can perform a basic inspection of the binary with the tool **`otool`**:
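Review bot: `<NAME>.app` is not "a zipped archive". After unzipping the `.ipa` it is a plain directory under `Payload/<NAME>.app`, and the "rest of the resources" (Info.plist, the executable, nibs/storyboards, embedded frameworks, `_CodeSignature`) sit directly inside it; the sentence should read "...you should see a `Payload` folder containing `<NAME>.app`, a directory that holds the binary and the rest of the resources." Two smaller points in the same hunk: `remove the encryption and an app` → `remove the encryption of an app`, and it is worth stating that Clutch has to run on a jailbroken device, because it decrypts by letting the loader map the encrypted segments and then dumping them from memory rather than by breaking the encryption itself.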
@ -283,8 +312,6 @@ struct CGSize {
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download_freeware/).
## Static Analysis
### Storage Access
You can use [**iFunBox**](https://www.i-funbox.com/en/page-download.html) to access the all the storage inside an application sandbox/folder
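Review bot: with `## Static Analysis` deleted here, `### Storage Access` now nests under the `## Static Analysis` heading introduced in the `IPA Reversing` hunk, which is the intended structure, but `access the all the storage` has a duplicated article. A caveat worth adding to the iFunBox sentence: it can browse an app's full sandbox (`Documents/`, `Library/`, `tmp/`) only on a jailbroken device; on a stock device it is limited to the `Documents` folder of apps that opt into iTunes file sharing (`UIFileSharingEnabled` in Info.plist). Also, the preceding sentence presents Hopper and IDA as disassemblers only; both decompile as well, which contradicts the "can only be disassembled" claim in the `## Obfuscation` hunk and one of the two statements should be corrected.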