SecuRing, profile picture
Uploaded bySecuRing
PDF, PPTX4,063 views

Testing iOS apps without jailbreak in 2018

The document discusses methods for testing iOS applications without jailbreaking, highlighting the current state of jailbreaking and its challenges. It details the types of vulnerabilities to examine, the testing stages (static and dynamic analysis), and alternative methods like dylib injection for pentesting. It concludes that while jailbreaking is arduous, techniques exist to successfully conduct tests on iOS apps without it.

Embed presentation

Download as PDF, PPTX
Testing iOS Apps without Jailbreak in 2018 Wojciech Reguła
Pwning WebView ⬇️ https://medium.com/securing
Testing iOS Apps without Jailbreak in 2018 > Whoami Wojciech Reguła • Pentester @ SecuRing • Creator of Ruby secure code examples for OWASP SKF • 🍎 products fan • Blogger – https://wojciechregula.blog wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 Agenda 1. Introduction to iOS apps pentests 2. Current jailbreak situation 3. Pentesting without jailbreak • Setting environment 💻 📲 • Pentesting 👾 4. Summary wojciech.regula@securing.pl @_r3ggi wojciech-regula
Why should we care about iOS? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
❤️ SEXUAL ACTIVITY ❤️ BY SMART PHONE BRAND Men Women
Do we really need checking iOS apps security? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Selected problems with iOS apps Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Selected problems with iOS apps Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Selected problems with iOS apps Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
So what we have to check? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 OWASP MASVS V1: Architecture, Design and Threat Modelling V2: Data Storage and Privacy V3: Cryptography Verification V4: Authentication and Session Management V5: Network Communication V6: Platform Interaction V7: Code Quality and Build Settings V8: Resiliency Against Reverse Engineering wojciech.regula@securing.pl @_r3ggi wojciech-regula
Let's split the tests into two stages Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 Static analysis Dynamic analysis wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 Static analysis Examples: • Excessive data in application package • Binaries security • Obfuscation • ATS configuration, iTunes file sharing wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 Examples: • Files saved by application • Data in Keychain • Vulnerable URL handlers (IPC) • Application logs • Certificate pinning • Cache • Confidential information in snapshot Dynamic analysis wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 Examples: • Files saved by application • Data in Keychain • Vulnerable URL handlers (IPC) • Application logs • Certificate pinning • Cache • Confidential information in snapshot Dynamic analysis wojciech.regula@securing.pl @_r3ggi wojciech-regula
What do we need a Jailbreak for? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 1. Usually for dynamic analysis 2. For static analysis when we don’t have app package (*ipa) wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 #update – recently it gets better
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 But could have been even better
So, if you are a security guy, why can’t you just create your own jailbreak? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Alriiight, let’s start jailbreaking 😈 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Not so fast! 👿 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 FAIL: Jailbreak on your iOS but for 32-bit devices wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 FAIL: Jailbreak exploiting bug in iPhone 7 driver wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 FAIL: Jailbreak from iOS x.3.0 but you have only iOS x.2.9 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 FAIL: Jailbreak for your iOS in not public wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 FAIL: Jailbreak up to iOS y.1.0 but you have only iOS y.1.2 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 SUCCESS: Congratz, you have working jailbreak! 👑 wojciech.regula@securing.pl @_r3ggi wojciech-regula
But there is a way! Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 Injecting custom dylib 0*. Downloading application package 1. Setting up the environment 2. Injecting custom dylib & modification of executable file 3. Repacking and signing the package 4. Installing the app on device in debug mode wojciech.regula@securing.pl @_r3ggi wojciech-regula
0*. Downloading application package Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
1. Setting up the environment Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 embedded.mobileprovision Signing certificate wojciech.regula@securing.pl @_r3ggi wojciech-regula
embedded.mobileprovision
embedded.mobileprovision
Signing certificate
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 1. Setting up the environment wojciech.regula@securing.pl @_r3ggi wojciech-regula
Injecting custom dylib & modification of executable file Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
Installing the App in debug mode Link to demo: ➡️ https://vimeo.com/273879188 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
Connecting to Frida dylib Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 • Objection (Leonjza, bernard-wagner) • Needle • Directly using Frida • Passionfruit (ChiChou, oleavr) wojciech.regula@securing.pl @_r3ggi wojciech-regula
Connecting with Passionfruit Link to demo: ➡️ https://vimeo.com/273879557 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
Files saved by application Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
Cookies 🍪 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
User defaults Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
Application cache Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
Accessing Keychain Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
Sometimes it crashes Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
Keychain
Summary Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 1. Jailbreaking needs a lot of effort from us 2. Using ‘dylib injection’ makes it possible to perform pentests of iOS apps 3. This method sometimes causes problems: • SSL Pinning not so obvious like on jailbroken device • How to get the application package (*.ipa)
Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula Try it at home 😎 https://goo.gl/XDD53U
More general mobile sec guide ⬇️ https://www.securing.biz/en/secure-mobile- applications-key-issues/index.html
Question: How do you deal with this problem? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
SecuRing Kalwaryjska 65/6 30-504 Kraków, Poland info@securing.pl tel. +48 124252575 http://www.securing.biz/en Contact Wojciech Reguła wojciech.regula@securing.pl @_r3ggi wojciech-regula

More Related Content

PDF
Building & Hacking Modern iOS Apps
bySecuRing
 
PDF
REST API Pentester's perspective
bySecuRing
 
PDF
Building&Hacking modern iOS apps
bySecuRing
 
PDF
Approaching the unknown - Windows Phone application security assessment guide
bySecuRing
 
PDF
Attacking AWS: the full cyber kill chain
bySecuRing
 
PDF
20+ Ways to Bypass Your macOS Privacy Mechanisms
bySecuRing
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
PDF
Hunting for the secrets in a cloud forest
bySecuRing
 
Building & Hacking Modern iOS Apps
bySecuRing
 
REST API Pentester's perspective
bySecuRing
 
Building&Hacking modern iOS apps
bySecuRing
 
Approaching the unknown - Windows Phone application security assessment guide
bySecuRing
 
Attacking AWS: the full cyber kill chain
bySecuRing
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
bySecuRing
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
Hunting for the secrets in a cloud forest
bySecuRing
 

What's hot

PDF
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
PDF
Hijacking Softwares for fun and profit
byNipun Jaswal
 
PPTX
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
PPTX
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
PDF
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
byfangjiafu
 
PDF
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
byOWASP
 
PDF
Ground Zero Training- Metasploit For Web
byNipun Jaswal
 
PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
PDF
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
byLiran Tal
 
PDF
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
PPTX
Believe It Or Not SSL Attacks
byAkash Mahajan
 
PPTX
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
byPROIDEA
 
PDF
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
byNorth Texas Chapter of the ISSA
 
PDF
Wi-Fi Hotspot Attacks
byGreg Foss
 
PDF
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
byNorth Texas Chapter of the ISSA
 
PDF
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
bySV Ruby on Rails Meetup
 
PPTX
A bug's life - Decoupled Drupal Security and Vulnerability Management
byBalázs Tatár
 
PPTX
XSS (Cross Site Scripting)
byShubham Gupta
 
PPTX
Bug bounty
byn|u - The Open Security Community
 
PPTX
OSX/Pirrit: The blue balls of OS X adware
byAmit Serper
 
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
Hijacking Softwares for fun and profit
byNipun Jaswal
 
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
byfangjiafu
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
byOWASP
 
Ground Zero Training- Metasploit For Web
byNipun Jaswal
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
byLiran Tal
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
Believe It Or Not SSL Attacks
byAkash Mahajan
 
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
byPROIDEA
 
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
byNorth Texas Chapter of the ISSA
 
Wi-Fi Hotspot Attacks
byGreg Foss
 
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
byNorth Texas Chapter of the ISSA
 
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
bySV Ruby on Rails Meetup
 
A bug's life - Decoupled Drupal Security and Vulnerability Management
byBalázs Tatár
 
XSS (Cross Site Scripting)
byShubham Gupta
 
Bug bounty
byn|u - The Open Security Community
 
OSX/Pirrit: The blue balls of OS X adware
byAmit Serper
 

Similar to Testing iOS apps without jailbreak in 2018

PPTX
Hands-On iOS Application Penetraion Testing.pptx
byAkashKatare9
 
PPTX
128-ch3.pptx
byDeepakPanchal65
 
PDF
R fun utrecht
bydatasciencenl
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
CNIT 128 Ch 3: iOS
bySam Bowne
 
PDF
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
 
PDF
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
byDefconRussia
 
PPTX
iOS jailbreaking
byVarun Luthra
 
PDF
Introduction to iOS Penetration Testing
byOWASP
 
PDF
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
byPROIDEA
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
PDF
AusCERT - Developing Secure iOS Applications
byeightbit
 
PPTX
Mobile security part 2
byRomansh Yadav
 
PPTX
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
 
PDF
SyScan 2015 - iOS 678 Security - A Study in Fail
byStefan Esser
 
PDF
Yow connected developing secure i os applications
bymgianarakis
 
PPTX
Unlocking-iOS-A-Hackers-Guide-to-App-Testing.pptx
byAbida Shariff
 
PPTX
EkoParty 2010: iPhone Rootkit? There's an App for that.
byEric Monti
 
PPTX
iOS Basics
byRicha Jain
 
PDF
108484130 pod2g-jailbreak-techniques-wwjc-2012
bywtreterte
 
Hands-On iOS Application Penetraion Testing.pptx
byAkashKatare9
 
128-ch3.pptx
byDeepakPanchal65
 
R fun utrecht
bydatasciencenl
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
CNIT 128 Ch 3: iOS
bySam Bowne
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
bySam Bowne
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
byDefconRussia
 
iOS jailbreaking
byVarun Luthra
 
Introduction to iOS Penetration Testing
byOWASP
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
byPROIDEA
 
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
AusCERT - Developing Secure iOS Applications
byeightbit
 
Mobile security part 2
byRomansh Yadav
 
iOS-Application-Security-iAmPr3m
byPrem Kumar (OSCP)
 
SyScan 2015 - iOS 678 Security - A Study in Fail
byStefan Esser
 
Yow connected developing secure i os applications
bymgianarakis
 
Unlocking-iOS-A-Hackers-Guide-to-App-Testing.pptx
byAbida Shariff
 
EkoParty 2010: iPhone Rootkit? There's an App for that.
byEric Monti
 
iOS Basics
byRicha Jain
 
108484130 pod2g-jailbreak-techniques-wwjc-2012
bywtreterte
 

More from SecuRing

PDF
Developer in a digital crosshair, 2023 edition - 4Developers
bySecuRing
 
PDF
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
bySecuRing
 
PDF
Developer in a digital crosshair, 2022 edition - No cON Name
bySecuRing
 
PPTX
Is persistency on serverless even possible?!
bySecuRing
 
PDF
What happens on your Mac, stays on Apple’s iCloud?!
bySecuRing
 
PDF
0-Day Up Your Sleeve - Attacking macOS Environments
bySecuRing
 
PDF
Developer in a digital crosshair, 2022 edition
bySecuRing
 
PDF
20+ Ways To Bypass Your Macos Privacy Mechanisms
bySecuRing
 
PDF
How secure are webinar platforms?
bySecuRing
 
PDF
Serverless security: attack & defense
bySecuRing
 
PDF
Abusing & Securing XPC in macOS apps
bySecuRing
 
PDF
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
bySecuRing
 
PDF
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
bySecuRing
 
PDF
Let's get evil - threat modeling at scale
bySecuRing
 
PDF
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
bySecuRing
 
PDF
Budowanie i hakowanie nowoczesnych aplikacji iOS
bySecuRing
 
PDF
We need t go deeper - Testing inception apps.
bySecuRing
 
PDF
Artificial Intelligence – a buzzword, new era of IT or new threats?
bySecuRing
 
PDF
Czy S w PSD2 znaczy Secure?
bySecuRing
 
PDF
Testowanie bezpieczeństwa chmury na przykładzie AWS.
bySecuRing
 
Developer in a digital crosshair, 2023 edition - 4Developers
bySecuRing
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
bySecuRing
 
Developer in a digital crosshair, 2022 edition - No cON Name
bySecuRing
 
Is persistency on serverless even possible?!
bySecuRing
 
What happens on your Mac, stays on Apple’s iCloud?!
bySecuRing
 
0-Day Up Your Sleeve - Attacking macOS Environments
bySecuRing
 
Developer in a digital crosshair, 2022 edition
bySecuRing
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
bySecuRing
 
How secure are webinar platforms?
bySecuRing
 
Serverless security: attack & defense
bySecuRing
 
Abusing & Securing XPC in macOS apps
bySecuRing
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
bySecuRing
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
bySecuRing
 
Let's get evil - threat modeling at scale
bySecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
bySecuRing
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
bySecuRing
 
We need t go deeper - Testing inception apps.
bySecuRing
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
bySecuRing
 
Czy S w PSD2 znaczy Secure?
bySecuRing
 
Testowanie bezpieczeństwa chmury na przykładzie AWS.
bySecuRing
 

Recently uploaded

PDF
AI/ML Infra Meetup | Open Source Michelangelo: Uber's Predictive to Generativ...
byAlluxio, Inc.
 
PPTX
The Sync Strikes Back: Tales from the MOPs Trenches
bybbedford2
 
PDF
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
PDF
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
PDF
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
PPTX
BI and Reporting Software Turning Clinic Data Into Smarter, More Compassionat...
byEasy Clinic
 
PDF
The Evolution of Project Portfolio Management - What Modern PMOs Are Doing Di...
byOnePlan Solutions
 
PDF
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
PPTX
Key Benefits of Odoo Customization Services
byCandidRoot Solutions Private Limited
 
PDF
Quantum TechDocs - Technology & Compliance.pdf
byietmsoftware1
 
PPTX
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
PDF
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
PDF
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
PDF
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
DOCX
Open Source BI Tableau Alternatives You Can Trust.docx
byVarsha Nayak
 
PDF
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
PPTX
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
PDF
Oracle AI Database 26ai _ AI-Native Database for Enterprises.pdf
byAstuteBusiness
 
PDF
AI/ML Infra Meetup | Bringing Data to GPUs Anywhere + Get Low-Latency on Obje...
byAlluxio, Inc.
 
PDF
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
AI/ML Infra Meetup | Open Source Michelangelo: Uber's Predictive to Generativ...
byAlluxio, Inc.
 
The Sync Strikes Back: Tales from the MOPs Trenches
bybbedford2
 
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
BI and Reporting Software Turning Clinic Data Into Smarter, More Compassionat...
byEasy Clinic
 
The Evolution of Project Portfolio Management - What Modern PMOs Are Doing Di...
byOnePlan Solutions
 
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
Key Benefits of Odoo Customization Services
byCandidRoot Solutions Private Limited
 
Quantum TechDocs - Technology & Compliance.pdf
byietmsoftware1
 
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
Open Source BI Tableau Alternatives You Can Trust.docx
byVarsha Nayak
 
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
Oracle AI Database 26ai _ AI-Native Database for Enterprises.pdf
byAstuteBusiness
 
AI/ML Infra Meetup | Bringing Data to GPUs Anywhere + Get Low-Latency on Obje...
byAlluxio, Inc.
 
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 

Testing iOS apps without jailbreak in 2018

  • 1.
    Testing iOS Appswithout Jailbreak in 2018 Wojciech Reguła
  • 2.
  • 3.
    Testing iOS Appswithout Jailbreak in 2018 > Whoami Wojciech Reguła • Pentester @ SecuRing • Creator of Ruby secure code examples for OWASP SKF • 🍎 products fan • Blogger – https://wojciechregula.blog wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 4.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 Agenda 1. Introduction to iOS apps pentests 2. Current jailbreak situation 3. Pentesting without jailbreak • Setting environment 💻 📲 • Pentesting 👾 4. Summary wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 5.
    Why should wecare about iOS? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 6.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018
  • 7.
    ❤️ SEXUAL ACTIVITY❤️ BY SMART PHONE BRAND Men Women
  • 8.
    Do we reallyneed checking iOS apps security? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 10.
    Selected problems withiOS apps Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 13.
    Selected problems withiOS apps Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 15.
    Selected problems withiOS apps Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 18.
    So what wehave to check? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 19.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 OWASP MASVS V1: Architecture, Design and Threat Modelling V2: Data Storage and Privacy V3: Cryptography Verification V4: Authentication and Session Management V5: Network Communication V6: Platform Interaction V7: Code Quality and Build Settings V8: Resiliency Against Reverse Engineering wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 20.
    Let's split thetests into two stages Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 Static analysis Dynamic analysis wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 21.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 Static analysis Examples: • Excessive data in application package • Binaries security • Obfuscation • ATS configuration, iTunes file sharing wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 22.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 Examples: • Files saved by application • Data in Keychain • Vulnerable URL handlers (IPC) • Application logs • Certificate pinning • Cache • Confidential information in snapshot Dynamic analysis wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 24.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 Examples: • Files saved by application • Data in Keychain • Vulnerable URL handlers (IPC) • Application logs • Certificate pinning • Cache • Confidential information in snapshot Dynamic analysis wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 25.
    What do weneed a Jailbreak for? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 1. Usually for dynamic analysis 2. For static analysis when we don’t have app package (*ipa) wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 27.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 #update – recently it gets better
  • 28.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 But could have been even better
  • 29.
    So, if youare a security guy, why can’t you just create your own jailbreak? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 31.
    Alriiight, let’s startjailbreaking 😈 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 32.
    Not so fast!👿 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 33.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 34.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 FAIL: Jailbreak on your iOS but for 32-bit devices wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 35.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 36.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 FAIL: Jailbreak exploiting bug in iPhone 7 driver wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 37.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 38.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 FAIL: Jailbreak from iOS x.3.0 but you have only iOS x.2.9 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 39.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 40.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 FAIL: Jailbreak for your iOS in not public wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 41.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 42.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 FAIL: Jailbreak up to iOS y.1.0 but you have only iOS y.1.2 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 43.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 44.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 SUCCESS: Congratz, you have working jailbreak! 👑 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 45.
    But there isa way! Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 46.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 Injecting custom dylib 0*. Downloading application package 1. Setting up the environment 2. Injecting custom dylib & modification of executable file 3. Repacking and signing the package 4. Installing the app on device in debug mode wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 47.
    0*. Downloading applicationpackage Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 48.
    1. Setting upthe environment Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 embedded.mobileprovision Signing certificate wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 49.
  • 50.
  • 51.
  • 54.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 1. Setting up the environment wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 55.
    Injecting custom dylib& modification of executable file Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 59.
    Installing the Appin debug mode Link to demo: ➡️ https://vimeo.com/273879188 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
  • 60.
    Connecting to Fridadylib Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 • Objection (Leonjza, bernard-wagner) • Needle • Directly using Frida • Passionfruit (ChiChou, oleavr) wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 61.
    Connecting with Passionfruit Linkto demo: ➡️ https://vimeo.com/273879557 Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
  • 62.
    Files saved byapplication Wojciech Reguła Testing iOS Apps without Jailbreak in 2018
  • 63.
    Cookies 🍪 Wojciech Reguła TestingiOS Apps without Jailbreak in 2018
  • 64.
    User defaults Wojciech Reguła TestingiOS Apps without Jailbreak in 2018
  • 65.
    Application cache Wojciech Reguła TestingiOS Apps without Jailbreak in 2018
  • 66.
    Accessing Keychain Wojciech Reguła TestingiOS Apps without Jailbreak in 2018
  • 67.
    Sometimes it crashes WojciechReguła Testing iOS Apps without Jailbreak in 2018
  • 68.
  • 69.
    Summary Wojciech Reguła Testing iOSApps without Jailbreak in 2018 1. Jailbreaking needs a lot of effort from us 2. Using ‘dylib injection’ makes it possible to perform pentests of iOS apps 3. This method sometimes causes problems: • SSL Pinning not so obvious like on jailbroken device • How to get the application package (*.ipa)
  • 70.
    Wojciech Reguła Testing iOSApps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula Try it at home 😎 https://goo.gl/XDD53U
  • 71.
    More general mobilesec guide ⬇️ https://www.securing.biz/en/secure-mobile- applications-key-issues/index.html
  • 72.
    Question: How doyou deal with this problem? Wojciech Reguła Testing iOS Apps without Jailbreak in 2018 wojciech.regula@securing.pl @_r3ggi wojciech-regula
  • 73.
    SecuRing Kalwaryjska 65/6 30-504 Kraków,Poland info@securing.pl tel. +48 124252575 http://www.securing.biz/en Contact Wojciech Reguła wojciech.regula@securing.pl @_r3ggi wojciech-regula