Pentest Book
iOS Hacking - A Beginner’s Guide to Hacking iOS Apps [2022 Edition]
martabyte
# All about Jailbreak & iOS versions
https://www.theiphonewiki.com/wiki/Jailbreak

# OWASP MSTG
https://github.com/OWASP/owasp-mstg

# Jailbreak list
https://docs.google.com/spreadsheets/d/11DABHIIqwYQKj1L83AK9ywk_hYMjEkcaxpIg6phbTf0/edit#gid=1014970938

# Checklist
https://mobexler.com/checklist.htm#ios

# Jailbreak for iPhone 5s through iPhone X, iOS 12.3 and up
# https://checkra.in/
checkra1n

# 3uTools
http://www.3u.com/

# Cydia
# https://ryleylangus.com/repo
# Liberty Bypass Antiroot

# SSL Bypass
# https://github.com/evilpenguin/SSLBypass


# Check Info Stored:
3uTools - SSH Tunnel

# Analyzing binary:
# Get .ipa
# unzip example.ipa
# Locate binary file (usually named after the app)

# Check encryption
otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO
# If it returns "cryptid 1", the IPA is encrypted (good for them)

# Check dynamic dependencies
otool -L BINARY
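The two otool checks above both read the Mach-O load command table: `LC_ENCRYPTION_INFO`/`LC_ENCRYPTION_INFO_64` carries the `cryptid` that says whether the binary is still FairPlay-encrypted, and each `LC_LOAD_DYLIB`-family command names a linked library. The parser below is an added example, not part of the original notes; it walks that table directly so the check works off-device and on a Linux analysis box. The command and magic constants are the real values from `<mach-o/loader.h>`; `parse_macho`, `encryption_status` and `build_sample` are names chosen here, and the sample image fed to it is constructed inline (an arm64 executable with one encryption command and two dylib loads) so the script runs offline. Pass a real extracted binary as the first argument to analyse it instead.

```python
"""Read LC_ENCRYPTION_INFO(_64) and linked dylibs from a thin Mach-O image.

Added example (not from the original page). Constants come from
<mach-o/loader.h>; parse_macho/encryption_status/build_sample are local names.
"""
import struct
import sys
from dataclasses import dataclass, field
from typing import List, Optional

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit: native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit: native / byte-swapped
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
DYLIB_CMDS = (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB)


@dataclass
class MachOInfo:
    is_64: bool
    cryptid: Optional[int] = None  # None: the image has no LC_ENCRYPTION_INFO command at all
    dylibs: List[str] = field(default_factory=list)


def parse_macho(data: bytes) -> MachOInfo:
    """Walk the load commands of a thin Mach-O image (the table `otool -l` prints)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian, is_64 = "<", magic == MH_MAGIC_64
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian, is_64 = ">", magic == MH_CIGAM_64
    else:
        raise ValueError("not a thin Mach-O image (fat/universal binaries must be sliced first)")
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    off = 32 if is_64 else 28
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past the end of the file")
    info = MachOInfo(is_64=is_64)
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"malformed load command at offset {off:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cryptoff, cryptsize, cryptid (+ pad in the _64 form)
            _cryptoff, _cryptsize, cryptid = struct.unpack_from(endian + "III", data, off + 8)
            info.cryptid = cryptid
        elif cmd in DYLIB_CMDS:
            # dylib_command: lc_str offset (relative to the command start), then version fields
            (name_off,) = struct.unpack_from(endian + "I", data, off + 8)
            raw = data[off + name_off:off + cmdsize]
            info.dylibs.append(raw.split(b"\x00", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return info


def encryption_status(info: MachOInfo) -> str:
    """Same verdict as the otool | grep pipeline: cryptid 1 means FairPlay-encrypted."""
    if info.cryptid is None:
        return "no LC_ENCRYPTION_INFO"
    return "encrypted (cryptid 1)" if info.cryptid == 1 else f"decrypted (cryptid {info.cryptid})"


def _dylib_cmd(cmd: int, path: str) -> bytes:
    """Build a dylib_command; the path string follows the 16-byte dylib struct at offset 24."""
    name = path.encode() + b"\x00"
    size = 24 + len(name)
    size += (-size) % 8  # cmdsize is 8-byte aligned in 64-bit images
    return struct.pack("<IIIIII", cmd, size, 24, 0, 0, 0) + name.ljust(size - 24, b"\x00")


def build_sample(cryptid: int) -> bytes:
    """Constructed arm64 MH_EXECUTE image: one encryption command plus two dylib loads."""
    cmds = (struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
            + _dylib_cmd(LC_LOAD_DYLIB, "/System/Library/Frameworks/Foundation.framework/Foundation")
            + _dylib_cmd(LC_LOAD_WEAK_DYLIB, "/usr/lib/libSystem.B.dylib"))
    # cputype CPU_TYPE_ARM64 (CPU_TYPE_ARM | CPU_ARCH_ABI64), filetype MH_EXECUTE, 3 commands
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0) + cmds


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    result = parse_macho(blob)
    print(encryption_status(result))
    for dylib in result.dylibs:
        print("  loads", dylib)
```

A `cryptid` of 1 on a binary pulled from `/var/containers/Bundle/Application` means the code pages are still FairPlay-encrypted and static tools (class dumpers, disassemblers) will see ciphertext; a decrypted dump from a running process shows `cryptid 0`. Fat (`0xCAFEBABE`) files are rejected on purpose: slice out the arm64 image first.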
# Using plutil to modify properties
# https://scriptingosx.com/2016/11/editing-property-lists/

# SSL Bypass
# https://github.com/evilpenguin/SSLBypass

find /data/app -type f -exec grep --color -Hsiran "FINDTHIS" {} \;
find /data/app -type f -exec grep --color -Hsiran "\"value\":\"" {} \;

.plist = "value":"base64"}

find APPPATH -iname "*localstorage-wal" -> Check manually

# Extract IPA from installed app
# https://github.com/AloneMonkey/frida-ios-dump
# Manual way (without launching the app)
ls -lahR /var/containers/Bundle/Application/ | grep -B 2 -i 'appname' # To find app ID
scp -r [email protected]:/var/containers/Bundle/Application/{ID} LOCAL_PATH
mkdir Payload
cp -r appname.app/ Payload/
zip -r app.ipa Payload/

# Objective-C and Swift class dumper
# https://github.com/DerekSelander/dsdump

# Interesting locations
/private/var/mobile/Containers/Data/Application/{HASH}/{BundleID - 3uTools getBundleID}
/private/var/containers/Bundle/Application/{HASH}/{Name found inside the IPA's Payload directory}
/var/containers/Bundle/Application/{HASH}
/var/mobile/Containers/Data/Application/{HASH}
/var/mobile/Containers/Shared/AppGroup/{HASH}