maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/mobile-pentesting/ios-pentesting-checklist.md
Carlos Polop 6eca4dfedd fix links
2025-01-04 01:40:31 +01:00

97 lines
6.4 KiB
Markdown
Raw Blame History

# iOS Pentesting Checklist
{{#include ../banners/hacktricks-training.md}}
### Preparation
- [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
- [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
- [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/index.html#initial-analysis) to learn common actions to pentest an iOS application
### Data Storage
- [ ] [**Plist files**](ios-pentesting/index.html#plist) can be used to store sensitive information.
- [ ] [**Core Data**](ios-pentesting/index.html#core-data) (SQLite database) can store sensitive information.
- [ ] [**YapDatabases**](ios-pentesting/index.html#yapdatabase) (SQLite database) can store sensitive information.
- [ ] [**Firebase**](ios-pentesting/index.html#firebase-real-time-databases) miss-configuration.
- [ ] [**Realm databases**](ios-pentesting/index.html#realm-databases) can store sensitive information.
- [ ] [**Couchbase Lite databases**](ios-pentesting/index.html#couchbase-lite-databases) can store sensitive information.
- [ ] [**Binary cookies**](ios-pentesting/index.html#cookies) can store sensitive information
- [ ] [**Cache data**](ios-pentesting/index.html#cache) can store sensitive information
- [ ] [**Automatic snapshots**](ios-pentesting/index.html#snapshots) can save visual sensitive information
- [ ] [**Keychain**](ios-pentesting/index.html#keychain) is usually used to store sensitive information that can be left when reselling the phone.
- [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
### Keyboards
- [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/index.html#custom-keyboards-keyboard-cache)?
- [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/index.html#custom-keyboards-keyboard-cache)
### **Logs**
- [ ] Check if [**sensitive information is being logged**](ios-pentesting/index.html#logs)
### Backups
- [ ] [**Backups**](ios-pentesting/index.html#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
- [ ] Also, [**backups**](ios-pentesting/index.html#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**
### **Applications Memory**
- [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/index.html#testing-memory-for-sensitive-data)
### **Broken Cryptography**
- [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/index.html#broken-cryptography)
- [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/index.html#broken-cryptography) to send/store sensitive data
- [ ] [**Hook and monitor cryptography functions**](ios-pentesting/index.html#broken-cryptography)
### **Local Authentication**
- [ ] If a [**local authentication**](ios-pentesting/index.html#local-authentication) is used in the application, you should check how the authentication is working.
- [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/index.html#local-authentication-framework) it could be easily bypassed
- [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/index.html#local-authentication-using-keychain) you could create a custom frida script
### Sensitive Functionality Exposure Through IPC
- [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/index.html#custom-uri-handlers-deeplinks-custom-schemes)
- [ ] Check if the application is **registering any protocol/scheme**
- [ ] Check if the application is **registering to use** any protocol/scheme
- [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
- [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
- [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
- [**Universal Links**](ios-pentesting/index.html#universal-links)
- [ ] Check if the application is **registering any universal protocol/scheme**
- [ ] Check the `apple-app-site-association` file
- [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
- [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
- [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)
- [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
- [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)
- [ ] Check if the application if **copying anything to the general pasteboard**
- [ ] Check if the application if **using the data from the general pasteboard for anything**
- [ ] Monitor the pasteboard to see if any **sensitive data is copied**
- [**App Extensions**](ios-pentesting/ios-app-extensions.md)
- [ ] Is the application **using any extension**?
- [**WebViews**](ios-pentesting/ios-webviews.md)
- [ ] Check which kind of webviews are being used
- [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
- [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
- [ ] Check if Javascript can access **Native** **methods** (`JSContext`, `postMessage`)
### Network Communication
- [ ] Perform a [**MitM to the communication**](ios-pentesting/index.html#network-communication) and search for web vulnerabilities.
- [ ] Check if the [**hostname of the certificate**](ios-pentesting/index.html#hostname-check) is checked
- [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/index.html#certificate-pinning)
### **Misc**
- [ ] Check for [**automatic patching/updating**](ios-pentesting/index.html#hot-patching-enforced-updateing) mechanisms
- [ ] Check for [**malicious third party libraries**](ios-pentesting/index.html#third-parties)
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink