iOS APP black box/gray box audit checklist

Source: Internet
Author: User

This article describes how to perform a basic security audit of an iOS application, mainly through manual black box or gray box audit. Note: in the original, the check list items for the security audit are marked in red font.

I. IPA installation package analysis (Static Analysis)

1. Mach-O executable file analysis (location: /private/var/mobile/Application/[GUID]/AppName.app/). Note that a Mach-O file from the App Store must be decrypted first.

Decrypt the App Store binary:

Clutch AppName

Dump the printable strings of the binary:

strings Mach-OFileName

Dump the Objective-C class declarations, then generate a logging tweak from the dumped header:

class-dump-z Mach-OFileName > FileName_classdump.h
$THEOS/bin/logify.pl FileName_classdump.h > Tweak.xm

Disassemble the text section:

otool -tV Mach-OFileName > FileName_assembledump

Attach to the running app process for runtime inspection:

cycript -p AppName

Check object: jailbroken/non-jailbroken device
Check list: (1) whether PIE (position-independent executable) is enabled; to be continued...
Check tools: class-dump, class-dump-z, IDA Pro, IDA plugin: runtime tracer, Hopper, cycript, otool, lsof
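To make the "decrypt first" note and the PIE check item concrete, here is an added Python example (not from the original article) that parses a thin Mach-O header and reports whether the MH_PIE flag is set and what cryptid the LC_ENCRYPTION_INFO load command carries (1 means App Store FairPlay encryption is still applied, 0 means the binary is decrypted). The input it is exercised on is a constructed header built by build_sample, not a real app binary.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE         # 32-bit header, little-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit header, little-endian
FAT_MAGIC_BE = 0xCAFEBABE     # fat/universal wrapper, stored big-endian
MH_PIE = 0x200000             # header flag: position-independent executable
LC_ENCRYPTION_INFO = 0x21     # 32-bit encryption info load command
LC_ENCRYPTION_INFO_64 = 0x2C  # 64-bit variant (same layout plus padding)

def inspect_macho(data):
    """Return (pie_enabled, cryptid) for a thin little-endian Mach-O image.

    cryptid is None when there is no LC_ENCRYPTION_INFO command, 1 when
    FairPlay encryption is still applied (run Clutch first), 0 when decrypted.
    """
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32      # mach_header_64 has an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    elif struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC_BE:
        raise ValueError("fat binary: split it with 'lipo -thin <arch>' first")
    else:
        raise ValueError("not a little-endian Mach-O image")
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    ncmds, sizeofcmds, flags = struct.unpack_from("<III", data, 16)
    pie_enabled = bool(flags & MH_PIE)
    cryptid = None
    offset = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError("corrupt load command at offset %d" % offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptid = struct.unpack_from("<I", data, offset + 16)[0]
        offset += cmdsize
    return pie_enabled, cryptid

def build_sample(pie, cryptid):
    """Constructed sample: a minimal arm64 MH_EXECUTE header with one
    LC_ENCRYPTION_INFO_64 command. Not a real app binary."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    flags = MH_PIE if pie else 0
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE, ncmds 1
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), flags, 0)
    return header + lc
```

On a device, feed inspect_macho the bytes of the decrypted AppName binary; the same two findings can be cross-checked with otool -hv (flags) and otool -l (cryptid).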

 

2. Application main directory file analysis. App Store applications are stored in /private/var/mobile/Application/[GUID]/.

(1) Documents folder: user archive (save) files. Check whether there is insecure file storage, such as plaintext storage or base64-encoded storage. The iTools GUI tool can be used to inspect it.

(2) Library folder

1) Library/Preferences/: preference setting files, generally in plist format. Plist Editor Pro for Windows can be used as a GUI tool, or plutil as a command-line tool:

plutil plistFileName

2) Library/Caches/: stores the persistent data of the application, i.e. data that must survive an application update or exit and is kept permanently. It is generally in sqlite3 format; SQLite Database Browser can be used as a GUI tool, or sqlite3 as a command-line tool. Data in plist format is also stored here; see the preceding section for that. This folder contains Library/Caches/Snapshots/, which stores screen snapshots of the application. During source code review, check the keyWindow.hidden setting so that snapshots of sensitive application screens are not stored.

sqlite3 databaseName

3) Library/Cookies/: saves the persistent cookies of Safari and iOS apps, normally in the file Cookies.binarycookies. Cookie storage on the PC is already familiar: for example, IE stores persistent cookies in plaintext in a temporary directory, while Firefox and Chrome store cookies in sqlite3 format. The Python script Cookies.binarycookies Reader provided by SecurityLearn can read the content:

python BinaryCookieReader.py Cookies.binarycookies

4) Library/Webkit: webkit local storage files. Some applications do not have this folder.

(3) AppName.app folder
1) Info.plist: APP information
2) iTunesMetadata.plist: purchaser information
3) SC_Info folder: signature-related files
4) _CodeSignature folder: signature-related files
5) other resource files

For details, refer to "Archive modification and defense" in the iOS platform game security review.
Check object: jailbroken/non-jailbroken device
Check list: (1) encrypted storage of important information; (2) whether the local archive can be modified (plaintext, base64, or binary) and whether the application checks the integrity of the archive; (3) whether the local archive can be replaced: replacing the archive of a higher version with the archive of a lower version (the security of lower-version applications is usually poorer, so the chance of cheating is higher), and replacing archives with different IDs (for example, replacing a low-score archive with a high-score archive), and whether the application detects the uniqueness of the archive.
Tools: iTools, Plist Editor Pro for Windows, SQLite Database Browser, Cookies.binarycookies Reader, UltraEdit for various file formats

 

II. Memory value analysis (Dynamic Analysis)

For details, refer to "Memory modification with the Ghost artifact" and "IAP Free purchase cracking protection" in the iOS platform game security review.
Check object: jailbroken device
Check list: (1) whether important values in the game process memory can be located and modified
Tools: Ghost, gdb

 

III. App Store IPA cracking (Dynamic Analysis)

For details, refer to "IPA cracking principle and defense" in the iOS platform game security review.
Check object: jailbroken device
Check list: (1) whether the App Store IPA can be cracked, and whether the app detects and handles a cracked IPA
Tool: Clutch

 

IV. Payment analysis (Dynamic Analysis)

1. IAP (in-app purchase)

For more information, see "Complete analysis of the in-appstore.com free purchase method".
Check list:
(1) whether IAP Cracker works on jailbroken devices
(2) whether IAP Free works on jailbroken devices
(3) whether LocalIAPFree works on jailbroken devices
(4) whether the Russian counterfeit Apple server works on jailbroken devices
(5) whether xCon + IAP Cracker works on jailbroken devices
(6) whether xCon + IAP Free works on jailbroken devices
(7) whether xCon + LocalIAPFree works on jailbroken devices
(8) whether xCon + the Russian counterfeit Apple server works on jailbroken devices
(9) whether the Russian counterfeit Apple server works on a non-jailbroken device running iOS 5.1.1
Tools: IAP Cracker, IAP Free, LocalIAPFree, xCon

 

2. Third-party payment platforms

Refer to "Three common types of payment vulnerability analysis methods"; the analysis is mainly done through communication packet analysis and source code audit of the API interfaces. To be continued...

 

V. Communication packet analysis (Dynamic Analysis)

1. HTTP/HTTPS

(1) For HTTP, see "Mobile app communication analysis method (iOS/Android)". Tools: Burp Suite and Fiddler.
(2) For HTTPS, see "How to capture HTTPS communication packets of the iPhone using Burp Suite" and "iOS SSL Kill Switch". Tools: Burp Suite, ios-ssl-kill-switch, TrustMe.
Check list: the same as web application vulnerabilities, plus (1) whether the mobile advertising platform collects private data from the mobile device (currently sending the MAC address and device UDID seems to be common, but sending the device's installed application list or contact list must be prohibited); (2) OAuth security. To be continued...

 

2. Sockets

For details, refer to "Real-time capture of communication packets on mobile devices (ADVsock2pipe + Wireshark + nc + tcpdump)". Tools: Wireshark, ADVsock2pipe, tcpdump, and Mallory.
Check list (mainly man-in-the-middle attack): (1) can the packets be modified? (2) can the packets be replayed?

 

VI. Follow-up work. The above introduces manual security audit from the various aspects of an application (file system, communication, executable files, and business logic). It is expected that in the future there will be an automated tool as mature as those for web application security audit/vulnerability detection. So far, the only semi-automated iOS audit tool I know of is iAuditor, the iOS APP security audit tool. It has the common defect of free tools on the market: it is too theoretical, and it is a bit difficult to audit the security of a real APP with it, but it is better than nothing. (Recommendations of automated/semi-automated iOS app security audit tools are welcome.) In general, besides black box/gray box audit, iOS app security audit also includes white box audit of the source code; HP's Fortify SCA seems quite mature. I have also collected some source code audit white papers from foreign security teams, but I always feel they are too theoretical for real iOS applications. In the future I hope to write an audit checklist for iOS app source code that can serve as a reference for real apps, or an open-source automated audit tool that is closer to practice. Keep going!
