Mobile applications are hugely popular nowadays and can be used for almost anything including social media, shopping and banking. With the increase in mobile applications and especially the usage of sensitive data, mobile app security is an ever growing topic. The smartphone OS market is divided between two systems: Android and iOS. Both work slightly different and an app developed for iOS cannot be run on Android and vice versa. This complicates the life of software developers who have to write the same application twice, but also the life of security testers who need to test two applications and have a knowledge about the security features of both operating systems. In an earlier blog post by Tomaso Vasella, the basics of Android App Analysis have been shown. In this article, similar techniques for iOS apps will be shown to give an overview of the available tools and differences between the two systems.

In this article, we will only work with non-jailbreaked devices. Certain security aspects can only be tested on jailbroken devices and a thorough pentest would include both kind of devices. Considering that this is an introduction article whose tools should be easy for everyone to try out, we will not cover this here.

Getting the IPA package

iOS apps are delivered in IPA packages, which are similar to apk files on Android. The executable files inside an IPA are delivered and stored with a DRM (Digital Rights Management) called FairPlay. To get an unencrypted version of the executable, the following options exist:

1. Start the app on a jailbreaked device and read the unencrypted binary from memory.
2. Download an unencrypted version from someone else on the internet (This should be done with special care as there is no guarantee on what you download).
3. Get an unencrypted version from the developer. This happens often in pentests.

For the rest of this article, the intentionally insecure app iGoat-Swift is used. The source code and the unencrypted IPA can be downloaded from github.

Anatomy of iOS Apps

An IPA package is just a zip file that contains the apps executables, UI-Files and other resources. After unzipping it, we can list the contents of the iGoat app:

> file iGoat-Swift.ipa
iGoat-Swift.ipa: Zip archive data, at least v1.0 to extract, compression method=stored

> unzip -q iGoat-Swift.ipa -d iGoat-Swift-app

> ls iGoat-Swift-app
AppThinning.plist  Payload

> ls -lX iGoat-Swift-app/Payload/iGoat-Swift.app
total 6276
drwxr-xr-x 3 iabo iabo    4096 Apr 18  2020 Frameworks
-rw-r--r-- 1 iabo iabo       8 Apr 18  2020 PkgInfo
drwxr-xr-x 2 iabo iabo    4096 Apr 18  2020 _CodeSignature
-rwxr-xr-x 1 iabo iabo 5648352 Apr 18  2020 iGoat-Swift
drwxr-xr-x 2 iabo iabo    4096 Apr 18  2020 SVProgressHUD.bundle
-rw-r--r-- 1 iabo iabo  470543 Apr 18  2020 Assets.car
-rwxr-xr-x 1 iabo iabo     595 Apr 18  2020 KRvWAssociates.html
...
-rwxr-xr-x 1 iabo iabo    2961 Apr 18  2020 splash.html
drwxr-xr-x 4 iabo iabo    4096 Apr 18  2020 Base.lproj
-rw-r--r-- 1 iabo iabo    7512 Apr 18  2020 embedded.mobileprovision
drwxr-xr-x 2 iabo iabo    4096 Apr 18  2020 CoreData.momd
drwxr-xr-x 2 iabo iabo    4096 Apr 18  2020 AboutCell.nib
...
drwxr-xr-x 2 iabo iabo    4096 Apr 18  2020 YapExerciseVC.nib
-rw-r--r-- 1 iabo iabo   48407 Apr 18  2020 Assets.plist
-rw-r--r-- 1 iabo iabo      81 Apr 18  2020 Credentials.plist
-rw-r--r-- 1 iabo iabo    1517 Apr 18  2020 Info.plist
-rw-r--r-- 1 iabo iabo    3058 Apr 18  2020 AppIcon29x29@2x.png
...
-rw-r--r-- 1 iabo iabo   15151 Apr 18  2020 AppIcon60x60@3x.png
-rwxr-xr-x 1 iabo iabo     324 Apr 18  2020 README.txt
-rwxr-xr-x 1 iabo iabo      67 Apr 18  2020 Sentinel.txt

The important files in this folder are:

• <appName> — In this case iGoat-Swift. The compiled, executable program. With the following command (macOS), the encryption status can be checked: > otool -l <appName> | grep -A 4 LC_ENCRYPTION_INFO
• Info.plist — A file with information about the application, formatted as an xml and containing key/value pairs.
• _CodeSignature/ — Contains a file with a signature over all files in the bundle to ensure the integrity of the application
• CoreData.momd — Place for data storage, usually in a SQLite database. Encryption is left to the applicatoin developer.
• PkgInfo — Contains some of the information of the Info.plist file in a special format. This file is optional and can be added to improve performance.
• .lproj — Files used for internationalization
• .nib, .xib, .storyboard — Files with UI-Definitions
• Frameworks/, Plugins/ — Contain native libraries and frameworks

Using MobSF for static Analysis

When trying to get an overview of an application and its configuration, MobSF can be a great tool. Instead of going through the different files and using different tools to extract the information needed, MobSF does all this for you and shows you an overview. MobSF runs out of a docker container and provides a web interface. It can also do dynamic Analysis, but only when working together with proprietary, costly software to simulate iOS environments.

Reverse engineering

Decompiling and reverse engineering iOS apps is similar to other compiled languages like c. A short introduction about this topic can be found in this article. Basic reverse engineering includes string analysis using the string command and metadata extraction with the otool command (macOS only). For a deep dive into an applications code, full disassemblers/decompilers have to be used. The most famous tools for this are Ghidra, radare2 and IDA Pro (commercial). In comparison to Android Apps, reverse engineering is more tedious on iOS. The reason for this is the underlying programming language: The bytecode used by java retains more information than the assembly code an iOS app is delivered in.

Dynamic Analysis using objection

Now that we know how to analyze an iOS IPA package, we can look at the second big area of testing: Dynamic Analysis, i.e. analyzing the application while it is running on a device. In this article, we will focus on the tool objection. The reason we use objection is that it offers a command line tool to automatically modify and resign an IPA with code that connects back to the objection cli (Command Line Interface). Patching an application means that it can be run on a non-jailbroken device. Note: Patching iOS applications only works on macOS.

To patch and run an IPA we follow the instructions on their website. After having connected objection to the patched application with the command objection explore, we can easily access a lot of information that we already saw during the static analysis but also some more information only available in a running app instance. The most important commands from the point of view of a pentester are the following:

• ls to shows us the files in the package.

OWASP.iGoat-Swifth.iabo on (iPhone: 16.0) [usb] # ls
NSFileType  Perms  NSFileProtection  Read  Write  Owner           Group           Size       Creation                   Name
----------  -----  ----------------  ----  -----  --------------  --------------  ---------  -------------------------  --------------------------------------
Directory     493  None              True  False  _installd (33)  _installd (33)  160.0 B    1970-01-01 00:00:00 +0000  WebkitCacheExerciseVC.nib
Regular       420  None              True  False  _installd (33)  _installd (33)  81.0 B     2024-01-30 12:43:58 +0000  Credentials.plist
Regular       420  None              True  False  _installd (33)  _installd (33)  463.0 B    2024-01-30 12:43:58 +0000  rutger.html
...
Regular       420  None              True  False  _installd (33)  _installd (33)  327.0 B    2024-01-30 12:43:58 +0000  mansi.html

Readable: True  Writable: False

• ios plist cat <filename>.plist shows the content of plist files. We can use this to solve the plist challenge in the iGoat app.

OWASP.iGoat-Swifth.iabo on (iPhone: 16.0) [usb] # ios plist cat Credentials.plist
{
    Password = "Secret@123";
    User = admin;
}

• ios nsuserdefaults get shows what data is stored in the NSUserdefaults storage. We can use this to solve the NSUserDefaults challenge in the iGoat app.

OWASP.iGoat-Swifth.iabo on (iPhone: 16.0) [usb] # ios nsuserdefaults get
{
    AKLastEmailListRequestDateKey = "2024-01-30 12:18:39 +0000";
    AKLastIDMSEnvironment = 0;
    AddingEmojiKeybordHandled = 1;
    AppleLanguages =     (
        "de-CH"
    );
    PIN = 53cr3tP;
    ...
}

• ios keychain dump dumps the contents of the keychain, a special storage available to iOS applications. We can use this to solve the Keychain Usage challenge in the iGoat app.

OWASP.iGoat-Swifth.iabo on (iPhone: 16.0) [usb] # ios keychain dump
Note: You may be asked to authenticate using the devices passcode or TouchID
Save the output by adding `--json keychain.json` to this command
Dumping the iOS keychain...
Created                    Accessible    ACL   Type      Account  Service   Data
-------------------------  ------------  ----  --------  -------  --------  -----
2024-01-30 15:47:39 +0000  WhenUnlocked  None  Password  iGoat    SaveUser  taoGi

• ios jailbreak simulate and ios jailbreak disable: Those commands are useful to test if the jailbreak detection of an app was implemented properly or not.

Objection is also available for Android smartphones and offers a lot more advanced features such as method watching, hooking and even replacing a function with custom code.

Dynamic Analysis: Intercepting traffic with Burp

Many mobile applications connect to a webserver to exchange data with a central database. To analyse this traffic, similar tools as in website penetration testing can be used, for example Burp proxy. To intercept and introspect encrypted https traffic, the proxy needs to decrypt requests and thus the proxy’s certificate has to be trusted by the iOS device. Luckily, using Burp, it is easy to install the certificate in an iPhone. With the proxy listening, open safari on the target device and enter the proxy’s ip address. You should see a Burp welcome page. Click on install certificate on the top right and accept the popups. Next, open the settings app where you should see a new entry at the top. Choose trust certificate, enter your PIN and Burp is ready to go.

Depending on the application, this may not be enough to intercept the traffic with Burp: Certificate pinning is a security measure designed to mitigate this kind of attack and only accept a very specific server certificate. Depending on the details of how it is implemented, objection or a jailbreaked phone can be used to disable it. Alternatively, Brida is a tool to connect a patched iOS application with Burp.

Conclusion

Even without a jailbroken device, basic analysis and security testing of iOS applications is possible. There exist a lot of free and open source tools that each help to cover some test scenario. Intentionally vulnerable apps help demonstrating a tools abilities and practice the discovery and exploitation of vulnerabilities. One challenge that remains for security testers is to keep up to date with the changing environment: New iOS versions introduce new security measures which may break certain tools, some tools are not updated for a long time while new ones appear frequently.

About the Author

Ian Boschung has been taking part in programming competitions since high school and discovered his passion for cyber security during his studies at the ETH with a Master in Electrical Engineering & Information Technology. He focuses on the security testing of web applications and Linux/Unix systems.

Links

• https://ghidra-sre.org/
• https://github.com/OWASP/iGoat-Swift
• https://github.com/federicodotta/Brida
• https://github.com/sensepost/objection
• https://github.com/sensepost/objection/wiki/Patching-iOS-Applications
• https://hex-rays.com/ida-pro/
• https://igoatapp.com/
• https://mas.owasp.org/MASTG/iOS/0×06a-Platform-Overview/#encryption-and-data-protection
• https://rada.re/n/