IoS Security Testing

Security Testing is a must whenever talking about device especially mobile application. Mobile device such as iOs and APK have run on various of programming language and frameworks where the mobile apps developers will be using for creating applications.

An common attacks that usually will be exploited by hacker such as follows:

  • SQL Injection
  • Buffer Overflows
  • Cross-Site Scripting(XSS)

On this post, I would like to share some knowledge focusing on how to access the mobile security from the IOS device.

Reverse Engineering

This phrase can be considered as crucial for a security consultant to run an analyze the iOS been secure from any vulnerabilities been exposed to the public.

There is Two(2) method that been used to reverse the iOS application:

  1. iOS application normally executes in .ipa format for the developer and user to execute for any application within the iPhone Device. In order to reverse the application into a source code folder, the security consultant will zip the .ipa file and unzip back the folder such as follows:

The screenshot above shows the .ipa file that I have downloaded from the internet.

Disclaimer: For the learning purpose, I have to download a random application which i didn’t own anything from the source code of the application.

After finish download the file into your machine, A security consultant will zip the file as been shown on the screenshot above.

Next, the security consultant will unzip the file and a Payload folder will appear as shown below:

To analyze the iOS application, the security consultant will look into the file’s folder such as follow:

Mobile Security Checklist

OWASP has come out with the Mobile Security Checklist that is known as MSTG which listed the ARCH and PLATFORM:

The listed ARCH have been listed as follows:

  • MSTG-ARCH-1 (All app components are identified and known to be needed.)
  • MSTG-ARCH-2 (Security controls are never enforced only on the client-side, but on the respective remote endpoints.)
  • MSTG-ARCH-3 (A high-level architecture for the mobile app and all connected remote services has been defined and security has been addressed in that architecture.)
  • MSTG-ARCH-4 (Data considered sensitive in the context of the mobile app is clearly identified.)
  • MSTG-ARCH-5 (All app components are defined in terms of the business functions and/or security functions they provide.)
  • MSTG-ARCH-6 (A threat model for the mobile app and the associated remote services has been produced that identifies potential threats and countermeasures.)
  • MSTG-ARCH-7 (All security controls have a centralized implementation.)
  • (There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.)
  • (A mechanism for enforcing updates of the mobile app exists.)
  • (Security is addressed within all parts of the software development lifecycle.)
  • (A responsible disclosure policy is in place and effectively applied.)
  • (The app should comply with privacy laws and regulations.)

The listed PLATFORM have been listed as follows:

  • MSTG-PLATFORM-1(The app only requests the minimum set of permissions necessary.)
  • MSTG-PLATFORM-2 (All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources. )
  • MSTG-PLATFORM-3 (The app does not export sensitive functionality via custom URL schemes unless these mechanisms are properly protected. )
  • MSTG-PLATFORM-4 (The app does not export sensitive functionality through IPC facilities unless these mechanisms are properly protected.)
  • MSTG-PLATFORM-5 (JavaScript is disabled in WebViews unless explicitly required. )
  • MSTG-PLATFORM-6 (WebViews are configured to allow only the minimum set of protocol handlers required (ideally, the only https is supported). Potentially dangerous handlers, such as a file, tel and app-id, are disabled.)
  • MSTG-PLATFORM-7 (If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package.)
  • MSTG-PLATFORM-8 (Object deserialization, if any, is implemented using safe serialization APIs. )
  • MSTG-PLATFORM-9 (The app protects itself against screen overlay attacks. (Android only)
  • MSTG-PLATFORM-10 (A WebView’s cache, storage, and loaded resources (JavaScript, etc.) should be cleared before the WebView is destroyed.)
  • MSTG-PLATFORM-11 (Verify that the app prevents usage of custom third-party keyboards whenever sensitive data is entered.)

Reference: Github OWASP MSTG; OWASP Mobile Security Testing Guide

Author: Wan Ariff

He brings with him working experience in Information Security filed which specializing in Penetration Testing and Digital Forensic. His passion is more to IT Security

Leave a Reply

Your email address will not be published. Required fields are marked *