While iPhones boast robust security, attackers constantly look for weak points. Enter iOS penetration testing: a security validation exercise that tests whether your controls actually stop data breaches and unauthorised access. Through manual and automated techniques such as vulnerability scanning and reverse engineering, it uncovers hidden flaws in your iOS apps, protecting sensitive data and user trust. This article looks at the critical role of iOS pentesting and explores essential methods and tools, including jailbreak detection and SSL pinning assessments. Let’s ensure your iOS apps stand firm against evolving threats.
In this article, we look at why iOS pentesting matters and why CREST-accredited penetration testing services should be your go-to choice. We also review some of the key methods and tools used during iOS pentesting, such as determining whether a device has been jailbroken, examining where the app stores its data, and assessing SSL pinning.
Mobile application security
Mobile app pentesting is quite different from web application pentesting; the two are separate disciplines requiring different skill sets and tools, each with its own challenges and objectives. Since web applications are accessed through browsers, web testing scenarios revolve around applications running on web servers, e-commerce sites, content management systems and related security factors.
The key difference between web and mobile app penetration testing lies in the challenges the tester faces. In a mobile app these are usually device-specific (e.g. camera, GPS, microphone, webviews) and platform-specific (e.g. Android or iOS operating systems, app store distribution, device fragmentation, Touch ID).
In addition, the testing technique differs from web testing: the tester needs to perform dynamic instrumentation of the mobile app for code injection, reverse engineering and SSL pinning bypass, whereas web applications generally require a vulnerability scanner and source code analysis.
Why is iOS one of the safest operating systems?
One of the benefits of iOS is its platform security, which is highly regarded in the mobile industry. Apple has implemented a range of security measures to ensure that its devices are secure and that users’ data is protected. Unlike Android, iOS apps are primarily built on a sandboxed environment, which significantly improves their security.
Along with this, iOS is designed with a layered security approach that combines hardware-based security, operating system protections and application-level security measures.
iOS application in-built security
iOS is generally considered one of the safest mobile operating systems compared with Android, due to several built-in factors:
- The first thing that sets it apart is the closed ecosystem. Apple controls the whole iOS ecosystem from hardware to software, whereas Android runs on hardware from many different vendors.
- iOS assigns a sandbox to every app, so each app runs in its own isolated environment and cannot access another app’s data. This makes iOS apps more resilient if a user installs a malicious app or their device is compromised: the attacker cannot reach other apps or their sensitive data.
- iOS emphasises user privacy and, to that end, applies robust security measures such as end-to-end encryption that prevent leakage of users’ PII and unnecessary data collection.
- iOS devices also have embedded hardware security components that strengthen security through biometric authentication, such as Touch ID and Face ID, and secure data storage.
- Lastly, the Apple App Store has strict security countermeasures and a review process that only publishes iOS applications meeting its security criteria.
iOS applications penetration testing methodology
Reconnaissance: Gathering information
This stage is all about collecting information about the application’s development and business logic to understand the technical context of the iOS application. This includes, but is not limited to, gathering details such as payment gateways, hardware type, an application map, third-party libraries and frameworks.
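As an added example (not part of the original article or Cyphere’s own tooling), the Python script below shows how a tester can record the reconnaissance facts listed above from an IPA file without installing it. An IPA is a zip archive containing a Payload/<App>.app bundle whose Info.plist declares the bundle identifier, version, minimum OS version, custom URL schemes and requested privacy permissions, and whose Frameworks/ directory holds the embedded third-party libraries. The sample IPA, the bundle identifier com.example.demobank and the framework names are all constructed for this example.

```python
import io
import plistlib
import zipfile

# Info.plist keys that declare access to sensitive device capabilities; the
# reconnaissance inventory records which of them the app requests.
PRIVACY_KEYS = (
    "NSCameraUsageDescription",
    "NSMicrophoneUsageDescription",
    "NSLocationWhenInUseUsageDescription",
    "NSLocationAlwaysAndWhenInUseUsageDescription",
    "NSPhotoLibraryUsageDescription",
    "NSContactsUsageDescription",
    "NSFaceIDUsageDescription",
)


def build_sample_ipa() -> bytes:
    """Construct a minimal IPA (a zip with a Payload/ directory) in memory.
    Every value here is made up for the example."""
    info = {
        "CFBundleIdentifier": "com.example.demobank",  # constructed
        "CFBundleShortVersionString": "2.3.1",
        "MinimumOSVersion": "14.0",
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demobank", "demobank-pay"]}],
        "NSCameraUsageDescription": "Scan cheques",
        "NSFaceIDUsageDescription": "Unlock the app",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        app = "Payload/DemoBank.app/"
        z.writestr(app + "Info.plist", plistlib.dumps(info))
        z.writestr(app + "DemoBank", b"\xcf\xfa\xed\xfe")  # stand-in for the Mach-O binary
        # Embedded third-party libraries appear as bundles under Frameworks/
        z.writestr(app + "Frameworks/Alamofire.framework/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "org.alamofire.Alamofire"}))
        z.writestr(app + "Frameworks/Analytics.framework/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.analytics"}))
    return buf.getvalue()


def inventory_ipa(ipa_bytes: bytes) -> dict:
    """Return the reconnaissance facts a tester records before testing:
    bundle identity, version, minimum OS, custom URL schemes, requested
    privacy permissions and embedded frameworks."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        app_dirs = {n.split("/")[1] for n in names
                    if n.startswith("Payload/") and n.split("/")[1].endswith(".app")}
        if len(app_dirs) != 1:
            raise ValueError(f"expected exactly one .app bundle, found {sorted(app_dirs)}")
        app = f"Payload/{app_dirs.pop()}/"
        info = plistlib.loads(z.read(app + "Info.plist"))
        fw_prefix = app + "Frameworks/"
        frameworks = sorted({n[len(fw_prefix):].split("/")[0]
                             for n in names if n.startswith(fw_prefix) and n.count("/") > 3})
    # Custom URL schemes are an entry point worth listing: other apps can open them.
    schemes = [s for t in info.get("CFBundleURLTypes", [])
               for s in t.get("CFBundleURLSchemes", [])]
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "version": info.get("CFBundleShortVersionString"),
        "min_os": info.get("MinimumOSVersion"),
        "url_schemes": schemes,
        "privacy_permissions": [k for k in PRIVACY_KEYS if k in info],
        "frameworks": frameworks,
    }


if __name__ == "__main__":
    for key, value in inventory_ipa(build_sample_ipa()).items():
        print(f"{key}: {value}")
```

On a real IPA the same function runs against the bytes of the downloaded archive; the framework list is what feeds the third-party library review, and the URL schemes and privacy keys go straight into the application map.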
Scanning: Identifying vulnerabilities
After collecting information, testing proceeds to vulnerability detection. The gathered data is analysed to identify vulnerabilities in the iOS application’s design, development and behaviour. Every piece of information gathered can point to a weak point in the application that threat actors may take advantage of.
In the exploitation stage, the tester exploits the identified vulnerabilities and chains them with other security issues, such as jailbreak detection bypass and SSL pinning bypass, to validate whether restrictions can be circumvented. This stage clarifies which client-side, server-side and platform-specific vulnerabilities can be exploited or bypassed, and how they impact the business and the iOS application’s functionality.
Reporting: Summarising and communicating findings
This stage involves writing up all the findings with their identified risks, mitigation recommendations and a brief on the security issues that would remain if they are left open.
A final remediation and retest stage verifies that all identified and reported vulnerabilities have been adequately mitigated and that the application has no known open security issues.
Standard iOS application penetration testing techniques
Jailbreak detection bypass
Bypassing jailbreak detection is one of the crucial elements of iOS application penetration testing. Jailbreaking gains root access and control over the device’s OS and hidden functionality that is normally not accessible to users.
The overall process involves identifying the jailbreak detection checks built into an iOS application by manufacturers or carriers and bypassing or removing them.
Types of jailbreaking
These are some of the different kinds of jailbreaking:
Tethered jailbreak
When a device is jailbroken using the tethered method, it must be connected to a computer or other device whenever it restarts or loses power to finish the jailbreak procedure. This is because a tethered jailbreak modifies the device’s boot process, and that modification must be loaded onto the device from a computer or other external device each time.
Untethered jailbreak/permanent jailbreak
The untethered jailbreak is more persistent as it does not require a connection to a computer or external device to maintain the jailbreak.
Semi-tethered jailbreak
Semi-tethered jailbreaking combines aspects of both tethered and untethered jailbreaking. If the device restarts, it returns to a standard, un-jailbroken state and must be jailbroken again. In essence, it is a temporary jailbreak technique.
SSL pinning
SSL pinning is used to harden the iOS application’s network communication. Typically, the app compares the server’s TLS certificate against a pinned public key or pinned certificate to verify the server’s authenticity. Essentially, SSL pinning prevents man-in-the-middle attacks.
During iOS penetration testing, an SSL pinning bypass is attempted on the target application to check whether a malicious user could, by any means, intercept the iOS app’s communication.
iOS penetration testing use cases
Jailbreak detection
Jailbreak checks are required to ensure the safety of the iOS device and the applications installed on it. Jailbroken devices are more susceptible to malware and other security attacks, including MITM attacks. Checking whether jailbreak detection can be bypassed is essential to demonstrate adherence to security requirements, regulatory bodies or industry standards.
Hardcoded credentials
Hardcoded credentials may allow unauthorised access to sensitive information or system resources. Attackers can use them to log into the application or device and carry out unauthorised actions such as stealing confidential information or changing system settings. Because attackers can quickly find and use hardcoded credentials to gain unauthorised access to systems, applications or data, they raise the risk of data breaches.
Hardcoded credentials violate security best practices, which recommend secure credential storage mechanisms such as keychains or credential stores. Storing credentials in plaintext within code or configuration files leaves them vulnerable to theft, loss or exposure.
Data encryption
As part of penetration testing, it is necessary to determine the effectiveness of the data encryption techniques used in an app, including the encryption used for its database. Thorough testing of data storage, data transmission and key management is essential, because each of them is tied to the mechanism used for data encryption.
iOS pentesters can attempt to extract data from the database, or bypass encryption by accessing the keychain, to identify vulnerabilities.
Code obfuscation
Obfuscating source code is the deliberate process of making it harder to read or reverse engineer, in order to safeguard intellectual property or improve security. Security professionals and iOS developers frequently use code obfuscation to shield their iOS apps from reverse engineering and tampering by malicious actors. Pentesters can use tools such as IDA Pro or Hopper to assist with reverse engineering and analysing obfuscated code.
HTTPS and other areas
HTTPS is a critical security measure in iOS app development, as it protects sensitive data transmitted over the internet from interception or tampering. When pentesting iOS applications, it is essential to test the app’s behaviour when it connects to the internet over wireless networks, which can introduce security risks such as data leakage, man-in-the-middle attacks and other network security flaws.
Using a valid SSL/TLS certificate issued by a reputable certificate authority and client-side certificate verification significantly helps prevent MITM attacks in iOS applications.
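The following Python check is an added example, not code from the article or from Cyphere. It audits the App Transport Security dictionary (NSAppTransportSecurity) of an app’s Info.plist for the weaknesses discussed in this section and in the SSL pinning section above: global or per-domain exceptions that allow plain HTTP or legacy TLS versions, and whether certificate pins are declared through the NSPinnedDomains key that iOS 14 introduced. The two plists, the domain names and the byte strings from which the pins are derived are constructed for the example; an app may also pin in code (for example in a URLSessionDelegate), which a plist-only check cannot see, so a "no pins declared" finding is a prompt to look at the code rather than a conclusion.

```python
import base64
import hashlib
import plistlib

ATS = "NSAppTransportSecurity"


def make_pin(spki_der: bytes) -> str:
    """Pin format used by NSPinnedDomains: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def audit_ats(info: dict) -> list:
    """Return a list of findings for the ATS configuration in an Info.plist
    dictionary. An empty list means no exception weakens HTTPS and at least
    one domain declares a well-formed primary and backup pin."""
    findings = []
    ats = info.get(ATS) or {}
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is disabled globally, plain HTTP is allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent is true: ATS is disabled for web view content")
    for domain, rule in (ats.get("NSExceptionDomains") or {}).items():
        if rule.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plain HTTP allowed for {domain}")
        if rule.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"legacy TLS version permitted for {domain}")
    pinned = ats.get("NSPinnedDomains") or {}
    if not pinned:
        findings.append("no NSPinnedDomains entry: no declarative certificate pinning (check for pinning in code)")
    for domain, rule in pinned.items():
        ids = list(rule.get("NSPinnedLeafIdentities", [])) + list(rule.get("NSPinnedCAIdentities", []))
        if not ids:
            findings.append(f"{domain} is listed under NSPinnedDomains but declares no pin")
            continue
        for ident in ids:
            pin = ident.get("SPKI-SHA256-BASE64", "")
            try:
                raw = base64.b64decode(pin, validate=True)
            except (ValueError, TypeError):
                raw = b""
            if len(raw) != 32:
                findings.append(f"{domain}: pin {pin!r} is not a base64-encoded SHA-256 of an SPKI")
        # A single pin is a reliability risk: rotating the server key would brick the app.
        if len(ids) < 2:
            findings.append(f"{domain}: only one pin declared; without a backup pin a key rotation locks users out")
    return findings


def audit_plist_bytes(data: bytes) -> list:
    """Convenience wrapper for a serialised Info.plist (XML or binary)."""
    return audit_ats(plistlib.loads(data))


# Constructed stand-ins for SPKI DER blobs; a real deployment derives these from
# the server certificate and from a backup key held offline.
PRIMARY_PIN = make_pin(b"constructed-primary-spki-der")
BACKUP_PIN = make_pin(b"constructed-backup-spki-der")

# Weak configuration: ATS switched off, plus a legacy host allowed to use HTTP/TLS 1.0.
WEAK_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demobank",  # constructed
    ATS: {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
        },
    },
})

# Corrected configuration: ATS enforced, API domain pinned to two SPKI hashes.
HARDENED_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demobank",
    ATS: {
        "NSAllowsArbitraryLoads": False,
        "NSPinnedDomains": {
            "api.example.com": {
                "NSIncludesSubdomains": True,
                "NSPinnedLeafIdentities": [
                    {"SPKI-SHA256-BASE64": PRIMARY_PIN},
                    {"SPKI-SHA256-BASE64": BACKUP_PIN},
                ],
            },
        },
    },
})

if __name__ == "__main__":
    print("weak:", audit_plist_bytes(WEAK_INFO_PLIST))
    print("hardened:", audit_plist_bytes(HARDENED_INFO_PLIST))
```

The weak plist produces four findings (global ATS bypass, HTTP and TLS 1.0 for the legacy host, and no declared pins); the hardened one produces none. The backup-pin check matters in practice because the same pinning that defeats an interception proxy also defeats the app after an unplanned certificate rotation.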
Top iOS pentesting tools
The following tools are commonly used when testing iOS applications.
Burp Suite
A widely used proxy tool for web application security testing that is also used for iOS apps. Burp intercepts HTTPS requests and responses so the tester can analyse network traffic and application vulnerabilities, including the OWASP Top 10, both manually and with automated scans.
MobSF
An open-source mobile application testing framework for Android and iOS app pentesting. MobSF supports static and dynamic testing and can also be used for malware analysis of mobile apps. It identifies issues such as insecure data storage, hardcoded credentials, network traffic, IPA file system access, suspicious API connections, malicious code, buffer overflows and other security loopholes.
Frida
A dynamic instrumentation toolkit used in mobile app penetration testing. Frida allows the tester to inject scripts into running iOS apps to hook functions, monitor application traffic, change behaviour at runtime, bypass SSL pinning, and support reverse engineering and code injection.
Our approach to iOS penetration testing
Scoping and customer insight
The first step in our iOS mobile penetration testing service is to prepare a scoping document, understand your organisational needs and requirements from this penetration test and determine the criticality of the systems.
This usually includes determining what mobile apps are to be tested, i.e. Android, iOS or Huawei, and their criticality and importance in the entire organisational IT infrastructure.
After deciding on the scope and the nature of mobile apps, the next step is to plan the penetration test. This step includes preparing an asset list ranked according to each application’s criticality and a testing checklist so that the applications are thoroughly and comprehensively tested.
The planning phase also prepares a list of low-hanging fruit that might be present in the applications.
OWASP mobile top 10
The pen testers here at Cyphere follow the OWASP Mobile Top 10 as the baseline testing guide for finding vulnerabilities in mobile applications. The OWASP Mobile Application Security Testing Guide (MASTG), which builds on the OWASP Mobile Top 10, covers mobile app vulnerabilities from head to toe. These include, but are not limited to, insecure authentication, broken access controls and authorisation, and injection flaws such as SQL injection, XSS and XXE. The MASTG acts like the bible for our expert security consultants.
Web server analysis
When testing a mobile app, our expert team of pen testers also looks for vulnerabilities in the underlying infrastructure, including testing the web server where the mobile applications are hosted. A single vulnerability in the underlying infrastructure may cause a devastating breach of valuable data and information for an organisation.
Local file/storage analysis
When a mobile app is installed, it first creates a directory in the mobile OS’s local storage where the application keeps its files, libraries, data and caches. Sometimes this local data storage is not encrypted and leaks sensitive information such as hardcoded credentials, session tokens or PII. Hence, testing an application’s local data storage is an essential step in our mobile app penetration testing programme.
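As an added example (not the article’s or Cyphere’s own tooling), the Python scanner below walks an extracted app bundle and data container and reports the kinds of findings described in this section and under hardcoded credentials above: secret-looking keys with plaintext values in .plist files (including the NSUserDefaults preferences plist under Library/Preferences) and credential-like columns in SQLite databases under Documents/. The container layout, file names and values are all constructed in a temporary directory for the example.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key and column names that should never hold a plaintext value at rest.
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|credential|private[_-]?key)", re.I)


def make_sample_container(root: str) -> None:
    """Populate `root` with a constructed app bundle and data container.
    Every path and value is made up for the example."""
    os.makedirs(os.path.join(root, "DemoBank.app"))
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    # Hardcoded credential shipped inside the bundle's configuration plist
    with open(os.path.join(root, "DemoBank.app", "Config.plist"), "wb") as f:
        plistlib.dump({"api_base": "https://api.example.com",
                       "api_key": "CONSTRUCTED-EXAMPLE-KEY-0001"}, f)
    # NSUserDefaults backing store holding a session token in plaintext
    prefs = os.path.join(root, "Library", "Preferences", "com.example.demobank.plist")
    with open(prefs, "wb") as f:
        plistlib.dump({"theme": "dark", "session_token": "constructed-session-token"}, f)
    # Local SQLite database with a plaintext password column
    db = sqlite3.connect(os.path.join(root, "Documents", "users.sqlite"))
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'constructed-plaintext')")
    db.commit()
    db.close()


def scan_plist(path: str) -> list:
    """Report non-empty string values stored under sensitive-looking keys."""
    findings = []
    with open(path, "rb") as f:
        try:
            data = plistlib.load(f)
        except Exception:
            return findings  # not a plist we can parse

    def walk(obj, trail):
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, trail + [str(k)])
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, trail + [str(i)])
        elif isinstance(obj, str) and obj and trail and SENSITIVE_KEY.search(trail[-1]):
            findings.append({"file": path, "kind": "plist", "key": ".".join(trail)})

    walk(data, [])
    return findings


def scan_sqlite(path: str) -> list:
    """Report populated columns whose names suggest credentials or tokens."""
    findings = []
    db = sqlite3.connect(path)
    try:
        tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            for col in db.execute(f'PRAGMA table_info("{t}")'):
                name = col[1]
                if SENSITIVE_KEY.search(name):
                    n = db.execute(f'SELECT count(*) FROM "{t}" WHERE "{name}" IS NOT NULL').fetchone()[0]
                    if n:
                        findings.append({"file": path, "kind": "sqlite", "key": f"{t}.{name}", "rows": n})
    except sqlite3.DatabaseError:
        pass  # file is not a SQLite database
    finally:
        db.close()
    return findings


def scan_container(root: str) -> list:
    """Walk the extracted container and return findings sorted by file and key."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(scan_plist(p))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                findings.extend(scan_sqlite(p))
    for f in findings:
        f["file"] = os.path.relpath(f["file"], root)
    return sorted(findings, key=lambda f: (f["file"], f["key"]))


def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        make_sample_container(root)
        return scan_container(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The three hits (the bundled api_key, the session_token in the preferences plist and the users.password column) are exactly the classes of issue the keychain and data protection APIs exist to prevent; on a real container the scan is run against a copy pulled from the device or a backup, so anything it finds was readable without the app’s cooperation.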
Thorough analysis and reporting
We believe that any security assessment is incomplete without proper documentation and reporting. Every finding from our penetration test is documented comprehensively and in a clear tone in the form of a professional report. Our penetration testing report includes an executive, high-level summary of the pen testing activity along with an overview of the identified vulnerabilities. It also contains an in-depth technical section with a detailed analysis of every finding, supporting evidence, steps to reproduce the vulnerability, and the recommendations and mitigation steps needed to fix and patch the identified issues.
With the surge in iPhone usage, the number of iOS applications has also grown rapidly. iOS penetration testing is a highly specialised security assessment that applies advanced security and penetration testing techniques and methodologies to identify and exploit potential security vulnerabilities in iOS applications. It requires penetration testers to understand the iOS platform, its architecture and its built-in security and defence mechanisms in depth.
Although iPhones and iOS are considered more secure than Android, pentesting iOS applications is an important part of any comprehensive security plan and is crucial to improving overall organisational cyber security.
Amit Kumar is a cybersecurity enthusiast with a bachelor’s degree in Information Technology. His dedication to the field is evident through his invaluable contributions to the security community, having reported numerous vulnerabilities to renowned companies such as Microsoft, Nokia, Synology and others. Amit’s expertise and proactive approach make him an integral part of the cybersecurity landscape.