iOS Pentest
MASVS-STORAGE
MASTG-TEST-0052
To verify how an app manages and stores sensitive data locally.
Connect to the phone via SSH and grep for sensitive data within the /data/path/appname directory.
MASTG-TEST-0060
To check memory leaks.
frida-ps -U   # obtain the app name or package name
fridump -U {appname}
fridump -u {package name}
strings * | grep -B 5 -A 5 -i "{text to search}"
MASTG-TEST-0053
To check for log leaks.
Use the following extension: https://codeshare.frida.re/@neil-wu/fridanslogger/ or https://github.com/libimobiledevice/libimobiledevice
frida --codeshare neil-wu/fridanslogger -f {app}
idevicesyslog | grep -i {app name}
MASVS-CRYPTO
MASTG-TEST-0061
To check weak cipher algorithms.
Check this with MobSF.
MASTG-TEST-0063
To check weak random number generation functions.
Check with MobSF.
MASTG-TEST-0062
To check the lack of secure cipher implementation.
Use the following Frida package to check if the cipher and keys are easily extractable: https://codeshare.frida.re/@xperylab/cccrypt-dump/
frida --codeshare xperylab/cccrypt-dump -f {app}
MASVS-AUTH
MASVS-AUTH-1
To check for IDORs.
Modify requests with Burp Suite and try evading security controls.
MASVS-AUTH-3
To check incorrect implementation of 2FA/MFA.
Modify requests with Burp Suite and try evading security controls (session tokens, expiration tokens, …).
MASVS-NETWORK
MASTG-TEST-0066
To check for TLS vulnerabilities and weak cipher algorithms within secure communications.
Use testssl.sh.
MASTG-TEST-0067
To check the lack of certificate implementation.
Use Burp Suite and check the app requests.
MASTG-TEST-0022
To bypass certificate pinning.
Use RMS and the different options within the default scripts.
Use the following Frida package: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
frida --codeshare akabe1/frida-multiple-unpinning -f {app}
Use SSL Kill Switch 3 and activate it in Settings.
MASVS-PLATFORM
MASTG-TEST-0069
To check for permission misconfigurations.
Use MobSF and check if the app permissions are consistent with the app functionality.
MASTG-TEST-0059
To check for information leaks when the app is sent to the background.
After authenticating, send the app to the background and open the app switcher to check whether sensitive data is visible or whether it is blurred.
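One mitigation for this test, as an added example that is not part of the original checklist: a scene delegate (the class name and the use of a scene-based lifecycle are assumptions) covers the window with a blur before iOS takes the app-switcher snapshot, and removes it when the app becomes active again.

```swift
import UIKit

// Added example (not from the original checklist). Assumes a scene-based app
// lifecycle; for an AppDelegate-only app the same logic goes in
// applicationWillResignActive / applicationDidBecomeActive.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private var privacyOverlay: UIVisualEffectView?

    // Runs before the system captures the snapshot shown in the app switcher,
    // so the stored image contains the blur instead of the sensitive screen.
    func sceneWillResignActive(_ scene: UIScene) {
        guard let window = window, privacyOverlay == nil else { return }
        let overlay = UIVisualEffectView(effect: UIBlurEffect(style: .regular))
        overlay.frame = window.bounds
        overlay.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(overlay)
        privacyOverlay = overlay
    }

    // Restore the normal UI once the app is in the foreground again.
    func sceneDidBecomeActive(_ scene: UIScene) {
        privacyOverlay?.removeFromSuperview()
        privacyOverlay = nil
    }
}
```

Re-run the test after the change: the app switcher should show only the blurred overlay for the authenticated screen.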
MASVS-CODE
MASVS-CODE-1
To discover leaks and APIs in the source code.
Use MobSF to check for leaks (most of them will be false positives).
Use Hopper for manual searching.
MASTG-TEST-0085
To check for vulnerable third-party libraries.
MobSF will check this.
MASVS-RESILIENCE
MASTG-TEST-0088
To check anti-root/anti-jailbreak measures.
Open the app on a jailbroken device and use the palera1n app, along with sending the app to the background, to evidence this.
MASTG-TEST-0092
To check for anti-virtualization measures.
Use Corellium (GLHF) and open the app to check.
MASTG-TEST-0090
To check the lack of application integrity checks.
Use Xcode or node-applesign and sign the IPA with a certificate.
MASTG-TEST-0091
To check anti-instrumentation measures.
Open the app with Frida; if it does not crash, it is vulnerable.