Wednesday, August 29, 2012

IOS Application Pentesting Series Part 2: What's inside an IPA?

Apple might be the greatest evil born as a byproduct of the current capitalist system. Love them or loathe them, they are here to stay. And so we continue with Part 2, which explains how an iOS application is laid out. Much like a package on a major Unix distribution, a compiled iOS application is shipped as an IPA file, which is simply a zip archive with a fixed directory layout inside.

There are two ways to obtain an IPA file. If you are the developer, you can get the IPA straight from the developer's build (it is what Xcode produces when you archive and export the app). Otherwise the only way is to crack the App Store copy yourself: App Store binaries are FairPlay-encrypted, so the executable has to be dumped from memory after the loader has decrypted it. The Hackulo team has written a nice wiki explaining the whole process of decrypting the binary at runtime.


What is the structure of an IPA file? Let's take a look at the structure of the Maybank2u app.




As you can see, the common structure of an IPA usually consists of:

Payload/

Payload/application.app

plus a few plist files (Info.plist inside the .app bundle, and usually iTunesMetadata.plist at the top level). A plist is a property list: a set of keys and values stored either as XML or in Apple's binary format (the file starts with bplist00). Binary plists are not human-readable as-is; convert one with plutil -convert xml1 file.plist on OS X.
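The layout above, plus the "is it still encrypted?" question from the Hackulo note, can be checked without a device. The script below is an added example (not code from the original post or from any of the apps it names): it opens an IPA as the zip it is, locates Payload/<name>.app, decodes Info.plist whether it is XML or binary, and reads the Mach-O header of the main executable for its CPU type and the cryptid field of LC_ENCRYPTION_INFO (1 means the __TEXT segment is still App Store-encrypted and must be dumped from a running process first). The sample IPA is constructed in memory; its bundle id com.example.demo and executable name Demo are made up.

```python
"""Added example: inspect an IPA (zip) offline - bundle dir, Info.plist, Mach-O header."""
import io
import plistlib
import struct
import zipfile

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # little-endian thin Mach-O
FAT_MAGIC_BYTES = b"\xca\xfe\xba\xbe"                # universal (fat) wrapper, big-endian
CPU_NAMES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def find_app_bundle(names):
    """Return the single Payload/<name>.app directory from a zip member list."""
    bundles = sorted({n.split("/")[1] for n in names
                      if n.startswith("Payload/") and n.split("/")[1].endswith(".app")})
    if len(bundles) != 1:
        raise ValueError("expected one Payload/*.app, found %r" % (bundles,))
    return "Payload/" + bundles[0]


def parse_macho(blob):
    """Return {'cputype': name, 'cryptid': int or None} for a thin Mach-O image.

    cryptid comes from LC_ENCRYPTION_INFO(_64): 1 = still FairPlay-encrypted,
    0 = already decrypted, None = no encryption load command at all.
    """
    if blob[:4] == FAT_MAGIC_BYTES:
        raise ValueError("fat binary: split it with lipo -thin before parsing")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MH_MAGIC:
        off = 28                      # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        off = 32                      # sizeof(struct mach_header_64): extra 'reserved'
    else:
        raise ValueError("not a little-endian Mach-O (magic %08x)" % magic)
    cputype, _cpusubtype, _filetype, ncmds = struct.unpack("<iiII", blob[4:20])
    cryptid = None
    for _ in range(ncmds):            # walk the load commands right after the header
        cmd, cmdsize = struct.unpack("<II", blob[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack("<III", blob[off + 8:off + 20])
        off += cmdsize
    return {"cputype": CPU_NAMES.get(cputype, hex(cputype)), "cryptid": cryptid}


def inspect_ipa(ipa_bytes):
    """Summarise an IPA given as bytes: bundle path, Info.plist dict, Mach-O facts."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        bundle = find_app_bundle(zf.namelist())
        # plistlib.loads autodetects XML vs. binary ('bplist00') property lists.
        info = plistlib.loads(zf.read(bundle + "/Info.plist"))
        macho = parse_macho(zf.read(bundle + "/" + info["CFBundleExecutable"]))
    return {"bundle": bundle, "info": info, "macho": macho}


def build_sample_ipa(cryptid=1):
    """Constructed sample IPA (not a real app): binary Info.plist + minimal armv7 Mach-O."""
    info = {"CFBundleIdentifier": "com.example.demo",   # made-up identifier
            "CFBundleExecutable": "Demo", "CFBundleShortVersionString": "1.0"}
    # mach_header: magic, cputype=ARM, cpusubtype=ARM_V7, filetype=MH_EXECUTE, 1 cmd, 20 bytes, flags
    header = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, 1, 20, 0)
    # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
    enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("iTunesMetadata.plist", plistlib.dumps({"itemName": "Demo"}))
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/Demo.app/Demo", header + enc_cmd)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_ipa(build_sample_ipa()))
```

Point inspect_ipa at a real IPA read from disk and the cryptid value tells you whether the Hackulo-style runtime dump has already been done; a cryptid of 1 means IDA will only show you encrypted garbage for __TEXT.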

So what can we find in an app? A lot of stuff. Suppose we are interested in finding out how an app detects whether the iOS device has been jailbroken. In the Maybank2u app, if we explore the plugins folder:


There is a JavaScript file called CheckRoot. However, it does not tell us much about how the checking mechanism actually works, so the next step is the native binary: fire up IDA and load the app's main executable. Do take note that the app is compiled as a Mach-O for ARM, so you need IDA's ARM processor module and the binary must already be decrypted (see the Hackulo note above), otherwise you will be disassembling ciphertext. In IDA, find the function that corresponds to CheckRoot.



Clicking on the name yields:




The app checks for the existence of each file in turn and returns 1 if any of them exists. Since the app decides the device is jailbroken as soon as one of those files is detected, a jailbroken iPhone can evade the detection simply by hooking the check function so that every check returns BOOL 0.
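To make the logic and the bypass concrete, here is an added example (not the app's code, and not taken from the original post) of a file-existence check with the same contract as the CheckRoot routine described above, followed by the kind of hook that defeats it. The indicator paths are the usual public ones that jailbreak checks look for; which paths the real CheckRoot tests is not shown on the page. The hook is simulated with unittest.mock because the real thing (a MobileSubstrate tweak) only runs on the device; the bypass idea is identical: leave the app's check code untouched and replace what it calls.

```python
"""Added example: a file-existence jailbreak check and the hook that neuters it."""
import os
import tempfile
from unittest import mock

# Commonly used jailbreak indicators (illustrative list, not the app's own).
JAILBREAK_PATHS = [
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
]


def check_root(paths=JAILBREAK_PATHS, root="/"):
    """Return 1 as soon as any indicator exists, else 0 (CheckRoot's contract).

    `root` is only here so the demo can run against a sandbox directory instead
    of the real filesystem; the app's version would just test the absolute paths.
    """
    for p in paths:
        if os.path.exists(os.path.join(root, p.lstrip("/"))):
            return 1
    return 0


def hooked_exists(_path):
    """What a Substrate hook on the check's primitive does: always answer
    'no such file', so every per-file check comes back as BOOL 0."""
    return False


def demo():
    """Simulate a jailbroken filesystem in a temp dir, run the check, then the bypass."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Applications/Cydia.app"))   # fake Cydia install
        before = check_root(root=root)
        # The hook: check_root is untouched; only the function it relies on is
        # swapped out in-process, the way MobileSubstrate replaces a symbol.
        with mock.patch("os.path.exists", hooked_exists):
            after = check_root(root=root)
    return before, after


if __name__ == "__main__":
    print("detected=%d, after hook=%d" % demo())
```

On a device the hook would normally sit on the app's own CheckRoot function rather than on the primitive, which covers every underlying call (stat, fopen, access) in one go. That is also the defensive lesson: a check that funnels through one hookable function, or one library call, costs an attacker a few lines of Logos.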

We will discuss that later, in Part 3 or maybe Part 4.





Monday, August 27, 2012

IOS Application Pentesting Series: Part 1 (Non-Jailbreak Method)

At Scan we always find new weird toys to play with. Recently we were assigned to do a penetration test on an iOS mobile application. Before we begin: pentesting an iOS application is not the same as jailbreaking the iOS firmware.

While jailbreaking focuses on exploiting the core applications and the iOS architecture itself, we shift our focus to the iOS application: the one that is compiled with Xcode, signed, and pushed out via iTunes or the App Store.

As a note, it is important to test the application on an iOS device rather than in the simulator, since code compiled for the simulator is built for x86 while our iOS device is a little ARM baby. The simulator build is a different binary from the one users run, so anything you find there (or fail to find) may not hold on the device.

While Android's application layout is well documented, we have not seen much written about how an application resides in the iOS architecture.




Most commercial applications are actually programmed as a precompiled, dedicated browser for data that lives on the vendor's web server; in short, a mobile web application. We say "web" because the app uses HTTP/HTTPS as the transport to exchange resources. Maybank2u and GSCMobile are examples.

In a normal web application pentest you would use Paros, ZAP or Burp Suite as the intercepting proxy. In an iOS environment, however, the proxy's self-signed certificate is rejected by the iOS application by default, because NSURLConnection validates the server's certificate chain against the device's trust store and the proxy's CA is not in it. (That is a good feature: it blocks trivial MITM attacks against iOS devices.)

So how do we solve this dilemma? Simple: install our proxy's CA certificate on the iOS device and mark it as trusted. Note that this only helps with apps that rely on the system trust store; an app that pins its server certificate will keep rejecting the proxy, and that case needs a different approach.

1. Generate the dynamic SSL root certificate in ZAP (the Dynamic SSL Certificates option) and save the cert file.


2. Host it on a temporary web server and point Safari on the device at the URL where we saved the cert file.



3. Tapping the cert in Safari leads to the Install Profile page; install it.






4. Set the device's Wi-Fi HTTP proxy to the ZAP host and port, and now all your HTTPS iOS app traffic belongs to us.
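Step 2 is where people trip up: if the cert is served as application/octet-stream, Safari just offers a download instead of the profile installer. The script below is an added example (not from the original post) of a throwaway server that does step 2 properly: it serves the exported CA with the MIME type iOS expects, application/x-x509-ca-cert, and a one-link landing page so the tester (or, in the rogue-AP scenario from the postscript, the victim) just taps it. The file name zap_root_ca.cer and the port 8000 are assumptions; rename to whatever ZAP saved.

```python
"""Added example: serve the proxy's root CA to an iOS device with the right MIME type."""
import http.server
import os
import posixpath

CERT_NAME = "zap_root_ca.cer"          # assumed file name of the exported ZAP root CA
PORT = 8000                            # assumed port
CA_MIME = "application/x-x509-ca-cert"
CERT_EXTENSIONS = (".cer", ".crt", ".der", ".pem")


def content_type_for(path):
    """Certificates get the x509 CA type; anything else returns None so the
    server falls back to its normal guess (text/html and so on)."""
    ext = posixpath.splitext(path)[1].lower()
    return CA_MIME if ext in CERT_EXTENSIONS else None


def landing_page(cert_name):
    """Minimal landing page with a single link to the certificate."""
    return ('<html><body><h1>Install proxy CA</h1>'
            '<p><a href="/%s">Tap to install %s</a></p></body></html>'
            % (cert_name, cert_name))


class CertHandler(http.server.SimpleHTTPRequestHandler):
    def guess_type(self, path):
        # Override the MIME guess for cert files; everything else is unchanged.
        return content_type_for(path) or super().guess_type(path)

    def do_GET(self):
        if self.path in ("/", "/index.html"):
            body = landing_page(CERT_NAME).encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            super().do_GET()           # serves files from the current directory


if __name__ == "__main__":
    if not os.path.exists(CERT_NAME):
        raise SystemExit("export the ZAP root CA to %s first" % CERT_NAME)
    print("serving http://0.0.0.0:%d/ ; open it in Safari on the device" % PORT)
    http.server.HTTPServer(("0.0.0.0", PORT), CertHandler).serve_forever()
```

Run it from the directory holding the cert, on a host the device can reach over Wi-Fi. One caveat for anyone repeating this on a newer device: since iOS 10.3 an installed root CA profile is not trusted for TLS until it is also switched on under Settings > General > About > Certificate Trust Settings.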





Note that all of this can be done without jailbreaking the iOS device, and let's keep it that way, since we want to see how secure the application is under default settings.

P/S: You could combine this with a social engineering attack, using a rogue AP that redirects to a landing page pushing the user to install the cert, but that is another topic.

We continue in Part 2 later... now that I'm married, I'm too lazy to write long posts.