mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [master] 456 pages modified

This commit is contained in:
CPol 2021-05-13 19:13:08 +00:00 committed by gitbook-bot
parent fed0f5f23b
commit 92b3947a84
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -1,6 +1,8 @@
# iOS Pentesting
## Privilege Separation and Sandbox
## iOS Basics
### Privilege Separation and Sandbox
Applications the user can access run as the **mobile** user while critical system processes run as **root**.
However, the sandbox allows better control over actions that processes and applications can perform.
@ -27,7 +29,18 @@ For decrypting the file, the **metadata is decrypted using the system's key**. T
\*\*\*\*[**FileDP**](https://github.com/abjurato/FileDp-Source) is a program that you can upload and use inside the IPhone to **inspect the data protection class** of each file.
## Jailbreaking
### Apple Developer Program
A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**.
Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ \(Add new Appli ID you your credentials\) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ \(Apple Development\) --> _Done_
Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**".
Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**.
The provisioning profiles are stored inside the phone in **`/Library/MobileDevice/ProvisioningProfiles`**
### Jailbreaking
Apple strictly requires that the code running on the iPhone must be **signed by a certificate issued by Apple**. **Jailbreaking** is the process of actively **circumventing such restrictions** and other security controls put in places by the OS. Therefore, once the device is jailbroken, the **integrity check** which is responsible for checking apps being installed is patched so it is **bypassed**.
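Review bot: the opening definition of the moved "Apple Developer Program" section conflates two different objects. The certificate plus private key you sign with is a signing identity; a provisioning profile is a separate Apple-signed file that binds an App ID, the permitted signing certificates, device UDIDs and entitlements. Rename "provisioning identity" accordingly, because the closing sentence about `/Library/MobileDevice/ProvisioningProfiles` refers to profiles, not key pairs. The first paragraph also claims you cannot run code on a physical device without paying 99$/year, and the very next paragraph shows the free provisioning profile that does exactly that; qualify the first paragraph (paid membership is needed for App Store or TestFlight distribution and some entitlements, not for a local debug build, and free profiles expire after a few days). The keychain sentence should say that apps from the same team sharing a keychain access group can share items, which is what actually gates sharing, rather than "signed by the same signing certificate". Finally, fix the typos that travelled with the move: "associated an Apple developer account" (associated with), "Add new Appli ID you your credentials" (Apple ID with your credentials), "but and error will appear" (but an error).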
@ -49,12 +62,22 @@ Note also that updating the OS removes the effect of jailbreaking.**
**In order to jailbreak a device you can use the exploit provided in** [**https://checkra.in/**](https://checkra.in/)\*\*\*\*
### **After Jailbreaking**
#### **After Jailbreaking**
* Install **Cydia**
* In the Cydia main page you can access user guides like how to **enable SSH** and how to **change root and mobile users password. Follow them.**
## **Simulator**
**Jailbreak Checks**
* After jailbreaking an iOS **files and folders are usually installed**, these can be searched to determine if the device is jailbroken.
* In a jailbroken device applications get **read/write access to new files** outside the sandbox
* Some **API** **calls** will **behave differently**
* The presence of the **OpenSSH** service
* Calling `/bin/sh` will **return 1** instead of 0
**More information** [**here**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.**
### **Simulator**
All the tools required to build and support an iOS app are **only officially supported on Mac OS**.
Apple's de facto tool for creating/debugging/instrumenting iOS applications is **Xcode**. It can be used to download other components such as **simulators** and different **SDK** **versions** required to build and **test** your app.
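Review bot: the last bullet of the new "Jailbreak Checks" list, "Calling `/bin/sh` will return 1 instead of 0", misstates the check: the test is `system(NULL)`, which by POSIX returns non-zero only when a command interpreter (`/bin/sh`) is available, so it returns 1 on a jailbroken device and 0 on a stock one where the sandbox denies it. Reword it so readers do not think `/bin/sh` itself is executed and its exit status inspected. It would also help to say in one line that every item in the list (known file paths, writes outside the sandbox, the OpenSSH service, API behaviour) is an application-side heuristic that the tester can hook or patch on a jailbroken device, so the list doubles as a list of bypass targets. Minor: the "After Jailbreaking" heading is demoted to #### while "Jailbreak Checks" directly below it is bold text with no heading at all; make both the same level.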
@ -84,18 +107,7 @@ However, surprisingly you won't find the application here. You need to access `/
And in this folder you can **find the package of the application.**
## Apple Developer Program
A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**.
Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ \(Add new Appli ID you your credentials\) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ \(Apple Development\) --> _Done_
Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**".
Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**.
The provisioning profiles are stored inside the phone in **`/Library/MobileDevice/ProvisioningProfiles`**
## Objective-C and Swift Basics
### Objective-C and Swift Basics
**Objecttive-C** has a **dynamic runtime**, so when an Objective-C program is executed in iOS, it calls libraries whose **address are resolved at runtime** by comparing the name of the function sent in the message against a list of all the function names available.
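Review bot: this hunk only relocates the "Apple Developer Program" block, so its typos ("associated an", "Appli ID you your credentials", "but and error") survive verbatim at the new location under Jailbreaking; fix them there rather than moving them unchanged. The unchanged context line immediately below still spells "Objecttive-C"; since the heading above it is being touched anyway, correct the spelling in the same change.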
@ -103,6 +115,21 @@ At the beginning, only apps created by Apple run the iPhones, so they had **acce
Then, Swift appeared. As **Swift is statically bound** \(it doesn't resolve the address of the functions in runtime like Objective-C\), it can be checked more easily the calls a Swift program is going to make via static code analysis.
### Device Management
From iOS version 6, there is **built-in support for device management** capability with fine grain controls that allows an organisation to control the corporate apple devices.
The enrolment can be **initiated by the user installing an agent** in order to access the corporate apps. In this case the device usually belongs to the user.
Or the **company can indicate the serial numbers** of the bought devices or the purchase order ID and specify the MDM profile to install on those devices. Note that Apple **doesn't allow to enrol a particular device this way twice**. Once the first profile is deleted the user needs to give consent to install another one.
The user can see the installed policies in _**Settings**_ --> _**General**_ --> _**Profile and Device Management**_
As these MDM policies are checking and limiting other applications, they are **running with more privileges**.
A MDM policy can **enforce** **users** to have a **passcode** set with a **minimun** password **complexity**.
The profiles are tied to the deviceID, **signed** and **encrypted** by the MDM server and **tamper** **proof**. They **cannot** be **removed** without **losing** all the **corporate** **data**.
MDM profiles allow to **wipe** all the **data** if there are X **failed** password **attempts**. Also, the **admin** can **remote** **wipe** the iPhone whenever via the MDM interface.
MDM agents will **check** also for **possible jailbreaks of the device**, as this is very dangerous state for an iPhone.
## Obfuscation
Unlike an Android Application, the binary of an iOS app **can only be disassembled** and not decompiled.
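Review bot: the new "Device Management" section contradicts itself on profile removal. It first says enrolment can be user-initiated on a device that belongs to the user, then says the profiles are "tamper proof" and "cannot be removed without losing all the corporate data". On a user-enrolled (unsupervised) device the user can remove the management profile from Settings at any time; what happens is that managed apps, accounts and their data are removed with it, which is the point worth making. Preventing removal requires a supervised device. "From iOS version 6" is also off: MDM support arrived with iOS 4; if "6" refers to a specific capability, name it. Smaller points: "Settings --> General --> Profile and Device Management" here and "Profiles and Device Management" in the Jailbreaking section should use one name; "minimun" is a typo; and "As these MDM policies ... are running with more privileges" is vague, since a policy is data enforced by the system's management daemon rather than a process, so say the restrictions are enforced by the OS, not by the managed apps. The context line "the binary of an iOS app can only be disassembled and not decompiled" is too strong given the page itself recommends Hopper and IDA, both of which produce pseudocode; soften it to "there is no bytecode to decompile as on Android, so you work from native disassembly or a decompiler's pseudocode".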
@ -180,7 +207,9 @@ However, you can use tools like [**MachOView**](https://sourceforge.net/projects
You can use tools like [**Clutch**](https://github.com/KJCracks/Clutch) to automatically remove the encryption and an app.
## IPA Reversing
## Static Analysis
### IPA Reversing
`.ipa` files are **zipped** **packages**, so you can change the extension to `.zip` and **decompress** them. A **complete** **packaged** app ready to be installed is commonly referred to as a **Bundle**.
After decompressing them you should see `<NAME>.app` , a zipped archive that contains the rest of the resources.
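Review bot: "`<NAME>.app`, a zipped archive that contains the rest of the resources" is wrong and inconsistent with the later "Inside the `<application-name>.app` folder": the `.ipa` is the zip, and after extraction `Payload/<NAME>.app` is a plain directory. Reword to "a `Payload` directory containing the `<NAME>.app` bundle folder". The first line should likewise attach the term "Bundle" to the `.app` directory rather than to the packaged `.ipa`. The context line "remove the encryption and an app" should read "of an app".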
@ -193,7 +222,7 @@ After decompressing them you should see `<NAME>.app` , a zipped archive that con
There are multiple ways to define the UI in an iOS application: _storyboard_, _nib_ or _xib_ files.
### Binary
#### Binary
Inside the `<application-name>.app` folder you will find a binary file called `<application-name>`. This is the file that will be **executed**. You can perform a basic inspection of the binary with the tool **`otool`**:
@ -283,8 +312,6 @@ struct CGSize {
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download_freeware/).
## Static Analysis
### Storage Access
You can use [**iFunBox**](https://www.i-funbox.com/en/page-download.html) to access the all the storage inside an application sandbox/folder
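Review bot: deleting the "## Static Analysis" heading here leaves "### Storage Access" under the "## Static Analysis" section that now starts at IPA Reversing, but browsing an app's sandbox on a device with iFunBox inspects runtime data and belongs with dynamic analysis; either keep a "## Dynamic Analysis" heading at this point or move Storage Access next to the other on-device checks. Also "access the all the storage" has a stray "the".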