At Scan we always find out new weird toys to play with. Recently we were assigned to do a penetration test on a IOS Mobile Application. Now before we begin , pentesting an IOS Mobile Application is not the same as Jailbreaking from the IOS Firmware..
While jail breaking is pretty much focusing on exploiting core-application and the IOS architecture itself, we shift our focus to the IOS Application itself, the one that needs to be compiled with Xcode, Signed it and push it via Itunes or Appstores..
As a note, it is important to test the application on the IOS Devices itself rather then the simulator since code compile for the simulator is translated into a x86 while our IOS is a baby little ARM.
While Android is famous for it's android static page we haven`t see much how the Application resides in the IOS Architecture..
While jail breaking is pretty much focusing on exploiting core-application and the IOS architecture itself, we shift our focus to the IOS Application itself, the one that needs to be compiled with Xcode, Signed it and push it via Itunes or Appstores..
As a note, it is important to test the application on the IOS Devices itself rather then the simulator since code compile for the simulator is translated into a x86 while our IOS is a baby little ARM.
While Android is famous for it's android static page we haven`t see much how the Application resides in the IOS Architecture..
Most commercial application is actually programmed as a precompiled dedicated browser to access their data on the WebServer.. in short words, mobile web application.. We say web because it's using HTTP/HTTPS as a transportation to exchange resources for example Maybank2u and GSCMobile.
In normal web application pentest you would normally use Paros, ZAP or BurpSuite as our intercepting proxy. However in an IOS enviroment, self-signed cert will be rejected from the IOS Application by default! This is due to the way NSURLConnection API have it's own way of validating SSL Cert.( It's a good features to reduce MiTM attack on an IOS Devices).
So how do we solve this dillema? Simple Just install our self-signed cert into the IOS and mark it as trusted...
1. Generate our Dynamic SSL With ZAP and save the cert file.
2. Host it up on temporary webserver and point our safari to the location that we save our cert file.
3. On Safari click on our Cert will lead us to this particular page..
4. Now all your HTTPS IOS app belong to us...
............Noted all of this can be done without jailbreaking your IOS Devices and lets keep it that way since that's the way we would like to see how secure is the application on a default settings. ...
P/S: You could combing it in a social engineering attack using a rogue AP redirect to a landing page forcing the user to install the cert but that's another topic.
We continue on part 2 later.... now dah kawin malas nak tulis panjangx2.
1 comment:
ayat last tu menarik kan. hehe
Post a Comment