Introduction to iOS Application Penetration Testing
Transcript of the slide deck "Introduction to iOS Application Penetration Testing" (uploaded by ammar-wk).
Introduction to iOS Mobile Application Penetration Testing
@y3dips - 1 Dekade ECHO.OR.ID
Mobile Smartphone
www.astanos.ch/img/apple-android-windows-mobile-blackberry-logo.png
http://www.wired.com/gadgetlab/2012/02/meet-the-asus-padfone-the-phone-thats-a-tablet-thats-a-notebook/
Mobile Infrastructure
http://mobile.infostretch.com/images/application-architecture.jpg
http://conwet.fi.upm.es/morfeo-project/mymobileweb_blog/wp-content/uploads/2009/04/mymw_architecture_overview.png
http://www.ipfaces.org/sites/default/files/images/schema.gif
Mobile Infrastructure
Mobile Client/Application
Communication Channel
Server Side Infrastructure
Attack Vector
Information Disclosure
Insecure File Permission
Authentication & Authorization
Session Management
Logic (Business) Testing
Data Protection
Client Side Injection
Decompiling, etc.
Methodology
Information Gathering, Analysis, Exploitation, Report & QA
http://www.ibroadcastnetwork.org/images/uploads/ios-logo.png
http://cdn3.sbnation.com/entry_photo_images/8958675/iosguide_1020_new_large_verge_super_wide.jpg
Inventory
Jailbroken Device, Decompiler, Analysis Tools, Proxy, Security Tools, Hacker's Mind
Cheat Sheet

| Item | Location / Tool |
|---|---|
| Application home | /var/mobile/Applications/[folder]/app_name |
| Config files | Application_Home/Library/Preferences/app_name.plist |
| Database | .db, .sqlite, .sqlite3, * |
| Cache | Application_Home/Library/Caches |
| Cookies | cookies.binarycookies (copy and read with binarycookies.py) |
| Logs | see logs via iPhone Configuration Utility |
| List running apps | ps -axf |
| Decompiler/Disassembler | otool, class-dump-o, class-dump-z, gdb |
| Analysis tools/framework | snoop-it, cycript |
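The cheat sheet's Cookies row points at the binarycookies store and a helper script for reading it. The following is an added example written for this transcript (it is not code from the slides, from binarycookies.py, or from any project named here) that parses a copied Cookies.binarycookies file and then runs a data-protection check over the result, reporting cookies persisted without the Secure or HttpOnly flags. The record layout (big-endian page table, little-endian per-page offsets, flag bits 0x1 Secure and 0x4 HttpOnly, timestamps as seconds since 2001-01-01) is an assumption based on the commonly documented format; the sample file is constructed in `build_sample()` and does not come from a real device.

```python
import struct
from datetime import datetime, timedelta, timezone

# Flag bits in the per-cookie record (assumed layout; 0x1 = Secure, 0x4 = HttpOnly)
FLAG_SECURE = 0x1
FLAG_HTTPONLY = 0x4

# Timestamps in the file are seconds since the Mac absolute epoch (2001-01-01 UTC)
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def _cstring(buf, start):
    """Read a NUL-terminated UTF-8 string from buf starting at offset start."""
    end = buf.index(b"\x00", start)
    return buf[start:end].decode("utf-8", "replace")


def _parse_page(page):
    """Parse one page: 00 00 01 00 header, LE cookie count, LE offsets, then records."""
    if page[:4] != b"\x00\x00\x01\x00":
        raise ValueError("bad page header")
    n = struct.unpack("<I", page[4:8])[0]
    offsets = struct.unpack("<%dI" % n, page[8:8 + 4 * n])
    cookies = []
    for off in offsets:
        size = struct.unpack("<I", page[off:off + 4])[0]
        rec = page[off:off + size]
        # record header: size, unknown, flags, unknown, then url/name/path/value offsets
        _, _, flags, _, url_o, name_o, path_o, val_o = struct.unpack("<8I", rec[:32])
        # bytes 32..40 are an end marker; expiry and creation follow as LE doubles
        expiry, created = struct.unpack("<dd", rec[40:56])
        cookies.append({
            "domain": _cstring(rec, url_o),
            "name": _cstring(rec, name_o),
            "path": _cstring(rec, path_o),
            "value": _cstring(rec, val_o),
            "secure": bool(flags & FLAG_SECURE),
            "httponly": bool(flags & FLAG_HTTPONLY),
            "expires": MAC_EPOCH + timedelta(seconds=expiry),
            "created": MAC_EPOCH + timedelta(seconds=created),
        })
    return cookies


def parse_binarycookies(data):
    """Parse a whole Cookies.binarycookies blob ('cook' magic, BE page count and sizes)."""
    if data[:4] != b"cook":
        raise ValueError("not a binarycookies file")
    n = struct.unpack(">I", data[4:8])[0]
    sizes = struct.unpack(">%dI" % n, data[8:8 + 4 * n])
    pos = 8 + 4 * n
    cookies = []
    for size in sizes:
        cookies.extend(_parse_page(data[pos:pos + size]))
        pos += size
    return cookies


def audit_cookies(cookies):
    """Data-protection check: list cookies stored without Secure or HttpOnly."""
    findings = []
    for c in cookies:
        if not c["secure"]:
            findings.append("%s@%s: missing Secure flag" % (c["name"], c["domain"]))
        if not c["httponly"]:
            findings.append("%s@%s: missing HttpOnly flag" % (c["name"], c["domain"]))
    return findings


# --- constructed sample file (not captured from a real device) ---

def _record(domain, name, path, value, flags, expiry, created):
    """Build one cookie record with strings packed after the 56-byte fixed header."""
    strings, offs = b"", []
    for s in (domain, name, path, value):
        offs.append(56 + len(strings))
        strings += s.encode() + b"\x00"
    head = struct.pack("<8I", 56 + len(strings), 0, flags, 0, *offs)
    return head + b"\x00" * 8 + struct.pack("<dd", expiry, created) + strings


def build_sample():
    """One page holding a well-protected session cookie and a flag-less tracking cookie."""
    recs = [
        _record("example.com", "session", "/", "abc123", FLAG_SECURE | FLAG_HTTPONLY, 7e8, 6.9e8),
        _record("ads.example.net", "tracking", "/", "u=42", 0, 7e8, 6.9e8),
    ]
    pos, offsets = 8 + 4 * len(recs) + 4, []
    for r in recs:
        offsets.append(pos)
        pos += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(recs))
            + struct.pack("<%dI" % len(recs), *offsets) + b"\x00" * 4 + b"".join(recs))
    # 8 zero bytes stand in for the trailer, which the parser does not need
    return b"cook" + struct.pack(">I", 1) + struct.pack(">I", len(page)) + page + b"\x00" * 8


if __name__ == "__main__":
    for line in audit_cookies(parse_binarycookies(build_sample())):
        print(line)
```

To run it against a real store, copy Cookies.binarycookies out of the application home listed in the cheat sheet and pass its bytes to `parse_binarycookies`; a cookie that carries a session token yet shows up in `audit_cookies` is a finding under the Session Management and Data Protection vectors above.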
Cycript
Objective-Javascript
www.cycript.org
Hook into a running process of the application
Snoop-it
Dynamic Analysis Tools
Runtime Tracing Capabilities
Invoke Arbitrary methods at runtime
Bypass basic Jailbreak detection
Proof of Concept
Reference
- iOS Application Security Testing Cheat Sheet - http://owasp.org
- Series of articles "Penetration testing of iPhone applications" - http://securitylearn.net
- Snoop-it official page - https://code.google.com/p/snoop-it
- Cycript Tricks - http://iphonedevwiki.net/index.php/Cycript_Tricks
http://sciencetoybox.com/images/Procedures/Raising_hands.jpg