iOS Pentest
To verify how an app manages and stores sensitive data locally.
Connect to the device via SSH and grep for sensitive data within the app's data container, /var/mobile/Containers/Data/Application/{UUID}/ (Documents, Library/Preferences for the NSUserDefaults plist, Library/Caches, tmp); the installed bundle itself lives under /var/containers/Bundle/Application/{UUID}/. To find the right container, use the app right after installing it and pick the directory with the most recent modification time. Any secret readable there in clear (plists, SQLite databases, logs) should have been in the Keychain or protected with Data Protection instead.
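As an added example (not from the original page), the following shell script does the grep step offline on a copy of the data container pulled from the device. The file types, the keyword pattern and the container layout are assumptions, and the sample container (a hypothetical com.example.app) is constructed inline so the script runs without a device:

```shell
# Added example, not from the original page: scan a copy of an iOS app data container
# for files that hold sensitive-looking strings in clear. Keyword list is an assumption.

# scan_container DIR PATTERN
# Lists the app-storage files under DIR (plists, SQLite databases, JSON, text, logs)
# that contain a case-insensitive match for PATTERN. grep -a treats binary plists and
# database files as text so matches inside them are still reported.
scan_container() {
    dir="$1"
    pattern="$2"
    find "$dir" -type f \( -name '*.plist' -o -name '*.db' -o -name '*.sqlite' \
        -o -name '*.sqlite3' -o -name '*.json' -o -name '*.txt' -o -name '*.log' \) \
        -exec grep -a -i -l -E "$pattern" {} + 2>/dev/null | sort
}

# count_hits DIR PATTERN: number of files flagged by scan_container
count_hits() {
    scan_container "$1" "$2" | wc -l | tr -d ' '
}

# Things that should never be at rest unencrypted in the container.
SENSITIVE_PATTERN='password|passwd|secret|token|bearer|api[_-]?key|authorization'

# Constructed sample container for a hypothetical app (com.example.app).
SAMPLE_DIR="$(mktemp -d)"
mkdir -p "$SAMPLE_DIR/Library/Preferences" "$SAMPLE_DIR/Library/Caches" "$SAMPLE_DIR/Documents"
cat > "$SAMPLE_DIR/Library/Preferences/com.example.app.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>username</key><string>alice</string>
  <key>password</key><string>hunter2</string>
</dict></plist>
EOF
printf 'session cache\nAuthorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed\n' \
    > "$SAMPLE_DIR/Library/Caches/net.log"
printf 'shopping list: milk, eggs\n' > "$SAMPLE_DIR/Documents/notes.txt"
printf '\211PNG constructed image bytes\n' > "$SAMPLE_DIR/Documents/photo.png"  # not a scanned type

# Expected: the plist (password) and net.log (Authorization/Bearer); notes.txt is clean.
scan_container "$SAMPLE_DIR" "$SENSITIVE_PATTERN"
```

On a real engagement copy the container first (scp -r root@{device}:/var/mobile/Containers/Data/Application/{UUID}/ ./container/) and point scan_container at the copy. A hit only tells you where to look: open the flagged plist with plutil or the database with sqlite3 to confirm what is stored and under which Data Protection class.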
To check for sensitive data left in process memory (credentials, tokens or keys that stay in memory after use).
frida-ps -Ua (obtain the app name or bundle identifier of the running app)
fridump -U -s {app name} (-s runs strings over the dumped regions and writes strings.txt into the output directory, dump/ by default)
cd dump && strings * | grep -B 5 -A 5 -i "{text to search}"
To check for log leaks.
Use either of the following:
frida -U --codeshare neil-wu/fridanslogger -f {app}
idevicesyslog | grep -i {app name}
Look for credentials, tokens, PII or full request/response bodies written with NSLog or os_log: whatever is there is visible to anyone who can pair the device over USB and ends up in sysdiagnose reports.
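As an added example (not from the original page) of going through a saved idevicesyslog capture instead of eyeballing the live stream: it keeps only the lines emitted by the app's own process and flags those that carry something secret-looking. The log lines are constructed, and the line format, process name and keyword pattern are assumptions:

```shell
# Added example, not from the original page: filter an idevicesyslog capture for one
# app's messages and flag the ones that leak secrets.

# app_log_lines FILE PROCESS
# Assumed line format: "Mar 10 12:00:01 iPhone MyApp(Foundation)[512] <Notice>: message".
# Field 5 is "process(library)[pid]"; compare the process part only so that messages
# from system daemons that merely mention the app name are not counted.
app_log_lines() {
    awk -v proc="$2" '{
        p = $5
        sub(/\(.*$/, "", p)    # drop "(library)[pid]"
        sub(/\[.*$/, "", p)    # drop "[pid]" when there is no library part
        if (p == proc) print
    }' "$1"
}

# leaked_lines FILE PROCESS: the app's own lines that carry a secret-looking value
leaked_lines() {
    app_log_lines "$1" "$2" | grep -i -E 'password|token|bearer|secret|otp'
}

# count_leaks FILE PROCESS: number of flagged lines
count_leaks() {
    leaked_lines "$1" "$2" | wc -l | tr -d ' '
}

# Constructed capture for a hypothetical app "MyApp"; the helper process and securityd
# lines are there to show what must NOT be attributed to the app.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 12:00:01 iPhone MyApp(Foundation)[512] <Notice>: login ok for user alice
Mar 10 12:00:01 iPhone MyApp[512] <Notice>: auth response: {"token":"eyJhbGciOiJIUzI1NiJ9.constructed"}
Mar 10 12:00:02 iPhone MyApp(CFNetwork)[512] <Debug>: request headers: Authorization: Bearer eyJ.constructed
Mar 10 12:00:02 iPhone securityd[89] <Notice>: MyApp requested keychain item
Mar 10 12:00:03 iPhone MyAppHelper[600] <Notice>: password reset OTP 123456
Mar 10 12:00:04 iPhone MyApp[512] <Notice>: view did appear
EOF

# Expected: the two MyApp lines with the token and the Bearer header.
leaked_lines "$SAMPLE_LOG" MyApp
```

Capture with idevicesyslog > capture.log while exercising the login and payment flows, then run leaked_lines capture.log {app name}; extend the keyword pattern with field names specific to the app (card numbers, account ids) before concluding that nothing leaks.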
To check for weak cipher algorithms (DES, 3DES, RC4, ECB mode, MD5 or SHA-1 used for integrity).
Check this with MobSF; its static analysis flags the CommonCrypto calls, but confirm by hand what each call actually protects.
To check for weak random number generation functions (rand(), srand(), random() used for tokens, IVs or keys).
Check with MobSF and confirm that security-sensitive values come from SecRandomCopyBytes.
To check for a lack of secure cipher implementation (hardcoded keys or IVs, keys passed around in clear).
frida -U --codeshare xperylab/cccrypt-dump -f {app}
This hooks CCCrypt and prints the key, IV and data it is called with, which also shows whether the key is derived at runtime or hardcoded.
To check for IDORs.
Modify object identifiers in requests with Burp Suite (another user's id, another account's resource) and check whether the server authorizes access to the target object rather than only validating the session.
To check for incorrect implementation of 2FA/MFA.
Modify requests with Burp Suite and try to evade the controls: skip or replay the verification step, reuse an OTP, check whether the session token issued before the second factor already grants access, and whether tokens and codes expire.
To check for TLS vulnerabilities and weak cipher algorithms within secure communications.
Use testssl.sh against the API hosts the app talks to: testssl.sh {host}:443
To check for missing certificate validation.
Proxy the app through Burp without installing Burp's CA certificate on the device; if the requests still show up in Burp, the app accepts an untrusted certificate. If they only show up once the CA is trusted, validation works and pinning is the next thing to check.
To bypass certificate pinning.
Use RMS (Runtime Mobile Security) and the pinning-bypass options within its default scripts.
frida -U --codeshare akabe1/frida-multiple-unpinning -f {app}
Or install SSL Kill Switch 3 on the jailbroken device and enable it in Settings.
To check for permission misconfigurations.
Use MobSF and check that the permissions requested in Info.plist (the NS*UsageDescription keys) are consistent with the app's functionality.
To check for information leaks when the app is sent to the background.
After authenticating, send the app to the background and open the app switcher: the snapshot iOS takes should be blurred or replaced, not show sensitive data. The snapshot images are persisted under the data container in Library/SplashBoard/Snapshots/ (Library/Caches/Snapshots/ on older iOS versions), so check them there as well.
To discover leaks and API endpoints in source code.
Use MobSF to check for hardcoded secrets and URLs (most hits will be false positives, so verify each one).
Use Hopper for manual searching in the decrypted binary.
To check for vulnerable third-party libraries.
MobSF will check this; compare the frameworks it lists with their known advisories.
To check anti-jailbreak measures.
Open the app on a jailbroken device (for example with palera1n) and check whether it detects the jailbreak and refuses to run; to evidence it, capture the app switcher showing both the palera1n app and the tested app running.
To check for anti-virtualization measures.
Run the app on a virtual device (Corellium) and check whether it starts and behaves normally.
To check for a lack of application integrity checks.
Re-sign the IPA with a different certificate using Xcode or node-applesign and install it; if the app runs normally, it does not verify its own signature or bundle.
To check anti-instrumentation measures.
Spawn or attach to the app with Frida (frida -U -f {app}); if it does not crash or exit, it has no effective anti-instrumentation.
To check whether the cipher and keys are easily extractable, use the following Frida package: