iOS Application Security Part Seven - Turning Black Box Testing into Automatic Gray-Box Testing (Using iNalyzer)

Welcome to my 7th blog post in the "iOS Application Security Testing Series". You can find Part Six here. One of the most painstaking aspects of testing an iOS application is the effort of decrypting it. In this article, I would like to go over an easy way of turning painful black-box testing into an automatic gray-box effort using iNalyzer.

Using the OWASP Mobile Security Testing Guide (MSTG)

The OWASP MSTG is a manual for testing the security of mobile apps. It describes the technical processes for verifying the requirements listed in the MASVS. The MSTG includes a list of test cases, each of which maps to a requirement in the MASVS. While the MASVS requirements are high-level and generic, the MSTG provides in-depth recommendations and testing procedures on a per-mobile-OS basis.

Using iNalyzer

In this section, we will look at a tool called iNalyzer and how we can automate assessment of iOS applications.

iNalyzer Installation

The first step is to install iNalyzer on your jailbroken device. Go to Cydia > Manage and make sure the following source URL is added: https://appseclabs.com/cydia


iNalyzer automates the efforts for decrypting the application and presents it in a much more logical way.

Usage: iNalyzer.sh [list | clean | version | help]
Usage: iNalyzer.sh [info | ipa | sandbox | dynamic | nslog | cycript] <bundleGUID>
Usage: iNalyzer.sh [static] [auto | class-dump-z | classdump-dyld] <bundleGUID>

Run the following command to get the full list of applications available for analysis.

sh iNalyzer.sh list 

iNalyzer – Dynamic Analysis

In the past blog posts, we studied how to perform dynamic analysis using the command-line tool Cycript. For those not comfortable with command-line analysis, we also covered GUI tools such as Snoop-it that perform the same tasks.

After running the dynamic command above, you will get a zip file. To open the files it contains, you will need Graphviz and Doxygen (pre-installed in your MC).

In the zip folder, you will see a shell script named doxMe.sh. If you look inside it, you will notice that it automates the task of running Doxygen for us.

iNalyzer has already stored all the class information for us inside a folder named Reversing Files and it uses Doxygen and Graphviz to display the information in a clean format. This shell script also opens up the index.html file inside the created HTML folder.

When assessing an application, one of the things to check is hardcoded credentials stored in plist files. Here is what it looks like.
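As an added example (not part of the original post or of the iNalyzer tool), the following Python script automates that plist check over the files iNalyzer extracts: it parses each XML or binary plist, walks nested dictionaries and arrays, and reports string values whose key name looks credential-like. The "Reversing Files" folder path and the key-name pattern are assumptions; the sample plist is constructed.

```python
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Heuristic key-name pattern (an assumption; extend for the app under test).
SUSPICIOUS_KEY = re.compile(r"(pass(word|wd)?|secret|api[_-]?key|token|credential)", re.I)

def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk(value, f"{path}[{idx}]")
    else:
        yield path, node

def find_credentials(plist_bytes):
    """Return [(key_path, value)] for non-empty string leaves under a credential-like key."""
    data = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    hits = []
    for key_path, value in walk(data):
        leaf = key_path.split(".")[-1]
        if SUSPICIOUS_KEY.search(leaf) and isinstance(value, str) and value:
            hits.append((key_path, value))
    return hits

def scan_directory(root):
    """Scan every *.plist under root, e.g. the extracted 'Reversing Files' folder (assumed path)."""
    report = {}
    for plist_path in Path(root).rglob("*.plist"):
        try:
            hits = find_credentials(plist_path.read_bytes())
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            continue  # not a parseable plist; skip it rather than abort the scan
        if hits:
            report[str(plist_path)] = hits
    return report

# Constructed sample plist; the values are placeholders, not from any real app.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ServerURL</key><string>https://example.invalid/api</string>
  <key>Accounts</key><array><dict>
    <key>Username</key><string>admin</string>
    <key>Password</key><string>hunter2</string>
  </dict></array>
  <key>APIKey</key><string>CONSTRUCTED-KEY-1234</string>
</dict></plist>"""
```

Point `scan_directory()` at the unzipped iNalyzer output to get a per-file list of suspicious keys; review each hit manually, since the key-name match is only a heuristic.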

We can also check what data is being stored inside the cache,

iNalyzer – Static Analysis

You can have a look at all the *.nib files used in the app. A nib file is a special type of resource file used to store the user interfaces of iOS apps. Here is what it looks like.

You can also have a look at all the view controller classes used in the app.

Conclusion

In this article, we looked at the static and dynamic analysis of iOS applications using iNalyzer and how we can perform an automated assessment of the application.

References

https://appsec-labs.com/iNalyzer
http://highaltitudehacks.com/

About Liban Mohamud

My name is Liban Mohamud. I hold an M.Sc. in Digital Investigations, Forensics and Computer Security from University College Dublin (UCD). I'm an Information Security Specialist and researcher with a passion for Mobile Security and Mobile Forensics, and I have over 15 years' experience in the industry. @coolx28
