maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/mobile-pentesting/ios-pentesting-checklist.md

94 lines
6.4 KiB
Markdown
Raw Blame History

# iOS Pentesting Checklist
{{#include ../banners/hacktricks-training.md}}
### Preparation
- [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
- [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
- [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/index.html#initial-analysis) to learn common actions to pentest an iOS application
### Data Storage
- [ ] [**Plist files**](ios-pentesting/index.html#plist) zinaweza kutumika kuhifadhi taarifa nyeti.
- [ ] [**Core Data**](ios-pentesting/index.html#core-data) (SQLite database) inaweza kuhifadhi taarifa nyeti.
- [ ] [**YapDatabases**](ios-pentesting/index.html#yapdatabase) (SQLite database) inaweza kuhifadhi taarifa nyeti.
- [ ] [**Firebase**](ios-pentesting/index.html#firebase-real-time-databases) kukosekana kwa usanidi sahihi.
- [ ] [**Realm databases**](ios-pentesting/index.html#realm-databases) zinaweza kuhifadhi taarifa nyeti.
- [ ] [**Couchbase Lite databases**](ios-pentesting/index.html#couchbase-lite-databases) zinaweza kuhifadhi taarifa nyeti.
- [ ] [**Binary cookies**](ios-pentesting/index.html#cookies) zinaweza kuhifadhi taarifa nyeti.
- [ ] [**Cache data**](ios-pentesting/index.html#cache) zinaweza kuhifadhi taarifa nyeti.
- [ ] [**Automatic snapshots**](ios-pentesting/index.html#snapshots) zinaweza kuhifadhi taarifa nyeti za kuona.
- [ ] [**Keychain**](ios-pentesting/index.html#keychain) kwa kawaida hutumika kuhifadhi taarifa nyeti ambazo zinaweza kuachwa wakati wa kuuza simu.
- [ ] Kwa muhtasari, **angalia taarifa nyeti zilizohifadhiwa na programu katika mfumo wa faili.**
### Keyboards
- [ ] Je, programu [**inaruhusu kutumia keyboards za kawaida**](ios-pentesting/index.html#custom-keyboards-keyboard-cache)?
- [ ] Angalia kama taarifa nyeti zimehifadhiwa katika [**keyboards cache files**](ios-pentesting/index.html#custom-keyboards-keyboard-cache).
### **Logs**
- [ ] Angalia kama [**taarifa nyeti zinaandikwa**](ios-pentesting/index.html#logs).
### Backups
- [ ] [**Backups**](ios-pentesting/index.html#backups) zinaweza kutumika **kupata taarifa nyeti** zilizohifadhiwa katika mfumo wa faili (angalia kipengele cha mwanzo cha orodha hii).
- [ ] Pia, [**backups**](ios-pentesting/index.html#backups) zinaweza kutumika **kubadilisha usanidi wa programu**, kisha **rejesha** backup kwenye simu, na kama **usanidi uliobadilishwa** unachukuliwa, baadhi ya (usalama) **kazi** zinaweza **kuepukwa**.
### **Applications Memory**
- [ ] Angalia taarifa nyeti ndani ya [**kumbukumbu ya programu**](ios-pentesting/index.html#testing-memory-for-sensitive-data).
### **Broken Cryptography**
- [ ] Angalia kama unaweza kupata [**nywila zinazotumika kwa ajili ya cryptography**](ios-pentesting/index.html#broken-cryptography).
- [ ] Angalia matumizi ya [**algorithms zilizopitwa na wakati/za udhaifu**](ios-pentesting/index.html#broken-cryptography) kutuma/kuhifadhi taarifa nyeti.
- [ ] [**Hook and monitor cryptography functions**](ios-pentesting/index.html#broken-cryptography).
### **Local Authentication**
- [ ] Ikiwa [**uthibitishaji wa ndani**](ios-pentesting/index.html#local-authentication) unatumika katika programu, unapaswa kuangalia jinsi uthibitishaji unavyofanya kazi.
- [ ] Ikiwa inatumia [**Local Authentication Framework**](ios-pentesting/index.html#local-authentication-framework) inaweza kuepukwa kwa urahisi.
- [ ] Ikiwa inatumia [**kazi ambayo inaweza kuepukwa kwa dinamik**](ios-pentesting/index.html#local-authentication-using-keychain) unaweza kuunda script maalum ya frida.
### Sensitive Functionality Exposure Through IPC
- [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/index.html#custom-uri-handlers-deeplinks-custom-schemes)
- [ ] Angalia kama programu **inasajili protokali/scheme yoyote**.
- [ ] Angalia kama programu **inasajili kutumia** protokali/scheme yoyote.
- [ ] Angalia kama programu **inasubiri kupokea aina yoyote ya taarifa nyeti** kutoka kwa scheme maalum ambayo inaweza **kukamatwa** na programu nyingine inayosajili scheme hiyo hiyo.
- [ ] Angalia kama programu **haiangalii na kusafisha** pembejeo za watumiaji kupitia scheme maalum na baadhi ya **udhaifu unaweza kutumika**.
- [ ] Angalia kama programu **inasambaza hatua yoyote nyeti** ambayo inaweza kuitwa kutoka mahali popote kupitia scheme maalum.
- [**Universal Links**](ios-pentesting/index.html#universal-links)
- [ ] Angalia kama programu **inasajili protokali/scheme yoyote ya ulimwengu**.
- [ ] Angalia faili ya `apple-app-site-association`.
- [ ] Angalia kama programu **haiangalii na kusafisha** pembejeo za watumiaji kupitia scheme maalum na baadhi ya **udhaifu unaweza kutumika**.
- [ ] Angalia kama programu **inasambaza hatua yoyote nyeti** ambayo inaweza kuitwa kutoka mahali popote kupitia scheme maalum.
- [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)
- [ ] Angalia kama programu inaweza kupokea UIActivities na ikiwa inawezekana kutumia udhaifu wowote na shughuli iliyoundwa kwa njia maalum.
- [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)
- [ ] Angalia kama programu **ina nakala chochote kwenye pasteboard ya jumla**.
- [ ] Angalia kama programu **ina matumizi ya data kutoka pasteboard ya jumla kwa chochote**.
- [ ] Fuata pasteboard ili kuona kama **taarifa nyeti inakopwa**.
- [**App Extensions**](ios-pentesting/ios-app-extensions.md)
- [ ] Je, programu **inatumia nyongeza yoyote**?
- [**WebViews**](ios-pentesting/ios-webviews.md)
- [ ] Angalia ni aina gani ya webviews zinazotumika.
- [ ] Angalia hali ya **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**.
- [ ] Angalia kama webview inaweza **kupata faili za ndani** kwa protokali **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`).
- [ ] Angalia kama Javascript inaweza kupata **mbinu za asili** (`JSContext`, `postMessage`).
### Network Communication
- [ ] Fanya [**MitM to the communication**](ios-pentesting/index.html#network-communication) na tafuta udhaifu wa wavuti.
- [ ] Angalia kama [**hostname ya cheti**](ios-pentesting/index.html#hostname-check) inakaguliwa.
- [ ] Angalia/Kuepuka [**Certificate Pinning**](ios-pentesting/index.html#certificate-pinning).
### **Misc**
- [ ] Angalia kwa [**automatic patching/updating**](ios-pentesting/index.html#hot-patching-enforced-updateing) mifumo.
- [ ] Angalia kwa [**maktaba za tatu zenye uharibifu**](ios-pentesting/index.html#third-parties).
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink