
How Do Pentesters Document and Remediate Vulnerabilities in iOS?

August 29, 2018 by Graeme Messina

Mobile platforms have exploded in popularity over the past decade, and iOS is arguably the main driver for this massive growth in the mobile technology segment. iOS is the software that runs Apple’s widely-adopted mobile hardware products, such as iPhones and iPads, and is one of the most-used operating systems on the planet.

Attackers are always looking for new methods of bypassing Apple’s security features, which means that pentesters are, too. Unfortunately, hackers have one advantage: they don’t need to keep records. Hackers are able to attack any system without having to take any notes about how they manage to do what they do, which lets them concentrate on the act of hacking instead of completing reports.

Documentation standards are very high when pentesters are tasked with discovering vulnerabilities in general, and Apple products are no exception. Attention to detail and knowledge of the underlying systems of Apple products is essential when trying to document and remediate iOS vulnerabilities. This becomes even more complicated when third-party developers inadvertently weaken iOS’s built-in security when creating apps for Apple.

How Do Companies Use Their History of Penetration Testing Documentation?

This sounds like an obvious question, but it is worth spelling out. Developers refer back to these documents, and an updated version is produced each time a new release of the product is tested, so the record grows with the product. Below are some examples of how these documents are used within the company that is developing the application.

When an Application Release Is First Tested Before Deployment

All of the notes that were recorded in the original and subsequent pentest documents help to create a permanent record of how the application performed during previous release cycles.

After a Security Event

If an identifiable breach occurs within the application, then the previous pentest documents need to be reviewed. This allows all parties to discover if a similar vulnerability was present in previous versions of the software and what steps were taken, if any, to mitigate it.

When Planning a New Release

Product owners and developers will want to keep the application as safe as possible, so looking at past reports will allow them to fine-tune their security development strategy when planning a new release.

If breaches occur with later releases of the software, the earlier versions of the pentesting document become vital to the product developers that are responsible for maintaining the code.

Why Is It Important to Maintain Documentation of All Tests and Test Results?

It matters because this documentation serves as a guide for future developers who build on the application. The documented test results need to be maintained and kept up-to-date so that vulnerabilities that were not found during the development phase of a release can be tracked and dealt with as they are uncovered later. Other important reasons to keep this documentation up-to-date include:

Regulatory and Standards Requirements

Some industries impose record-keeping standards for compliance purposes, and pentesting documentation may fall under them. Keeping it helps businesses avoid penalties and fines and, in extreme cases where industry standards are particularly strict, as in governmental departments, a forced cessation of operations.

Onboarding and Training

When new members are added to the development team, it is important to have as much documentation available to them as possible. This is done so that they can properly understand the security methodologies that are in place for the application and how it has been implemented and tested. This is especially important for mobile app development platforms like iOS, where developer training needs to be done as rapidly as possible in order to reach release dates and milestones.

How Does iOS Pentesting Differ From Other Forms of Pentesting?

Basic pentesting principles apply to most platforms in very similar ways, but in the case of Apple things are more tightly controlled: iOS runs only on Apple hardware and is developed exclusively by Apple's engineers. This is in stark contrast to Android, whose source is open and can be modified, rebuilt and extended by anyone from a development perspective.

iOS applications created by external developers are all subject to Apple's review process, and any application deemed unfit for the App Store is rejected and not published. This has led to the development of an alternative, unsupported package manager and app store, Cydia, which lets users of jailbroken devices install applications and tweaks that Apple has not approved. This is especially useful for pentesters, as it is the usual source of the SSH server, debugging and instrumentation tools that Apple would not normally allow on its devices.

Pentesting Apple devices requires that the consultant understands the following security features of iOS:

  • Applications are signed with certificates issued through Apple's paid Developer Program; a stock device will not install or run code that is not signed by a trusted certificate
  • App Store binaries are encrypted with FairPlay DRM, the same scheme iTunes uses for purchased media, so the executable has to be decrypted before any static analysis is meaningful
  • Code signing is enforced at runtime as well as at install time, which is what blocks patched or injected code on a non-jailbroken device
  • Jailbreak status determines whether the consultant can reach the app sandbox and its data at all; without a jailbreak, testing is limited to what the app exposes through its UI, its network traffic and backups
  • Data Protection classes (NSFileProtectionComplete and its variants) decide when a file created on the device is decryptable, so a file written with a weaker class stays readable while the device is locked

Other than these differences, the basic mechanics of performing a pentest on an Apple device are similar to any other type of security analysis. The consultant must understand all of these security measures so that the results of the testing are interpreted correctly.

Who Is the Typical Audience for a Penetration Testing Report?

There are many different stakeholders in a pentesting report and this single document needs to be able to convey all of the necessary information to all of the relevant parties.

The document normally opens with a high-level summary that allows the less-technical managerial members of the company to receive a breakdown of what was tested, how it was tested and what the results mean for the product. If there are results that will push back development and release dates, then the executives need to be made aware of this so that they can plan accordingly.

The technical details of the document are aimed at the parties responsible for the product, both from an IT security perspective and from a development perspective. The severity of each identified issue is usually also shown graphically, making it easy to understand the potential danger that each noted issue presents to the company and the product owner.

What Tools Are Commonly Used for iOS Pentesting?

Reverse Engineering — iRET

iRET (iOS Reverse Engineering Tool) is a suite of security applications that lets pentesters automate manual tasks that have to be repeated during the course of an investigation. Typing each command by hand gets tedious very quickly; iRET is convenient because it runs these tasks with much less user input.

Its main features are:

  • Binary Analysis: Data such as the binary's headers, encryption status and PIE status is made available by automating otool
  • Keychain Analysis: Keychain content such as passwords, keys and certificates can all be found and analyzed through this facility. It is powered by keychain_dumper, which needs a jailbroken device
  • Database Analysis: The database type used by a specific application can be identified and its contents displayed quickly and easily.
  • Log Viewing: Sort through log files that are associated with the application that is being investigated.
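To make the database-analysis step concrete, here is an added example that is not iRET's own code and not from the original article. It does offline what the tool does on the device: it walks an app container copied off the phone, identifies SQLite stores by their 16-byte file header rather than by extension (Core Data stores, cache files and renamed .dat files all look alike on disk), opens each one read-only and flags columns whose names suggest plaintext secrets. The container it scans is constructed in a temporary directory for demonstration; the table and column names, the SENSITIVE_HINTS list and the 'hunter2' and 'tok-0001' values are assumptions, not real app data.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
# Column-name fragments that usually mean secrets stored in clear (assumption: tune per app).
SENSITIVE_HINTS = ("password", "passwd", "token", "secret", "session", "auth", "pin", "card")


def is_sqlite(path):
    """Identify SQLite by its header, not its extension (Model.sqlite, cache.db, foo.dat ...)."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def find_databases(root):
    """Walk an app container and return container-relative paths of every SQLite file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_sqlite(path):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file; keep scanning the rest of the container
    return sorted(hits)


def triage_database(path):
    """Open read-only and return {table: {'rows': n, 'sensitive_columns': [...]}}."""
    findings = {}
    # mode=ro so the triage never modifies evidence copied from the device
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            quoted = '"%s"' % table.replace('"', '""')  # identifiers cannot be bound as parameters
            columns = [r[1] for r in conn.execute("PRAGMA table_info(%s)" % quoted)]
            flagged = [c for c in columns if any(h in c.lower() for h in SENSITIVE_HINTS)]
            rows = conn.execute("SELECT COUNT(*) FROM %s" % quoted).fetchone()[0]
            findings[table] = {"rows": rows, "sensitive_columns": flagged}
    finally:
        conn.close()
    return findings


def scan_container(root):
    """Full pass: every SQLite store in the container mapped to its triage result."""
    return {rel: triage_database(os.path.join(root, rel)) for rel in find_databases(root)}


def build_sample_container():
    """Create a constructed app container resembling one copied off a jailbroken device."""
    root = tempfile.mkdtemp(prefix="AppContainer-")
    docs = os.path.join(root, "Documents")
    caches = os.path.join(root, "Library", "Caches")
    os.makedirs(docs)
    os.makedirs(caches)
    # Core Data store: Z-prefixed tables and columns, password kept in clear (constructed data)
    conn = sqlite3.connect(os.path.join(docs, "Model.sqlite"))
    conn.execute("CREATE TABLE ZUSER (Z_PK INTEGER PRIMARY KEY, ZEMAIL TEXT, ZPASSWORD TEXT)")
    conn.execute("INSERT INTO ZUSER VALUES (1, 'alice@example.com', 'hunter2')")
    conn.execute("CREATE TABLE ZNOTE (Z_PK INTEGER PRIMARY KEY, ZBODY TEXT)")
    conn.commit()
    conn.close()
    # A SQLite file hiding behind a non-database extension
    conn = sqlite3.connect(os.path.join(caches, "cache.dat"))
    conn.execute("CREATE TABLE sessions (id INTEGER, auth_token TEXT)")
    conn.execute("INSERT INTO sessions VALUES (1, 'tok-0001')")
    conn.commit()
    conn.close()
    # A non-database file the scanner must ignore
    with open(os.path.join(docs, "settings.plist"), "wb") as f:
        f.write(b"bplist00" + bytes(8))
    return root


if __name__ == "__main__":
    container = build_sample_container()
    for rel, tables in scan_container(container).items():
        print(rel)
        for table, info in tables.items():
            print("  %-10s rows=%d sensitive=%s" % (table, info["rows"], info["sensitive_columns"]))
```

Flagged columns are a lead, not a finding: the next step is to confirm the values are actually plaintext (a hashed password column is named the same way) and to record which Data Protection class the file was written with, since a clear-text token in a file protected only until first unlock is a different severity from one in a file with no protection at all.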

Other Reverse-Engineering Applications

  • Clutch: Decrypts an App Store application on a jailbroken device and dumps the decrypted binary to disk for analysis
  • dumpdecrypted: A dylib loaded into the running app that writes the already-decrypted Mach-O image from memory to disk
  • class-dump: Extracts Objective-C class, method and property declarations from a Mach-O binary's runtime metadata; the binary must be decrypted first or it sees only ciphertext
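The three tools above, like iRET's binary analysis, all turn on two facts that sit in the Mach-O header: whether the binary is position-independent (the MH_PIE flag) and whether its code is still FairPlay-encrypted (the cryptid field of LC_ENCRYPTION_INFO). The following is an added example, not code from iRET, Clutch, dumpdecrypted or otool, that reads those two fields directly so the check can be scripted across every binary pulled from a device instead of eyeballing otool -l output. It assumes a thin, little-endian Mach-O (the arm64 and armv7 slices iOS ships) and refuses fat binaries rather than guessing; the SAMPLES blobs are constructed headers, not real apps.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC = 0xFEEDFACE          # 32-bit image, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit image (arm64 iOS apps)
FAT_MAGIC = 0xCAFEBABE         # universal-binary wrapper, stored big-endian
MH_PIE = 0x200000              # header flag: position-independent executable (ASLR)
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
LC_UUID = 0x1B


def analyze_macho(data):
    """Inspect a thin Mach-O image and report its PIE and FairPlay encryption state.

    Returns {'bits', 'pie', 'encrypted', 'cryptid'}. cryptid == 1 means the code is
    still FairPlay-encrypted (as downloaded from the App Store); 0 means it has been
    decrypted. No LC_ENCRYPTION_INFO at all is normal for a plain Xcode build.
    This is the same data iRET pulls from `otool -hv` (flags) and `otool -l`.
    """
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        raise ValueError("fat binary: thin it first (lipo -thin) and check each slice")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size, bits = 32, 64
    elif magic == MH_MAGIC:
        header_size, bits = 28, 32
    else:
        raise ValueError("not a little-endian Mach-O (magic 0x%08x)" % magic)

    # The first seven fields are identical in mach_header and mach_header_64.
    _magic, _cputype, _cpusubtype, _filetype, ncmds, _sizeofcmds, flags = \
        struct.unpack_from("<IiiIIII", data, 0)
    result = {"bits": bits, "pie": bool(flags & MH_PIE), "encrypted": False, "cryptid": None}

    offset = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad for the _64 form]
            cryptid = struct.unpack_from("<I", data, offset + 16)[0]
            result["cryptid"] = cryptid
            result["encrypted"] = cryptid != 0
        offset += cmdsize
    return result


def needs_decryption(data):
    """True if class-dump, strings or a disassembler would see ciphertext for this image."""
    return analyze_macho(data)["encrypted"]


def build_sample(bits, pie, cryptid=None):
    """Construct a minimal Mach-O for demonstration (constructed, not a real app binary).

    cryptid=None omits LC_ENCRYPTION_INFO entirely, as in a developer build.
    """
    cmds = b""
    if cryptid is not None:
        if bits == 64:
            cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
        else:
            cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
    cmds += struct.pack("<II", LC_UUID, 24) + bytes(16)   # a command the parser must skip over
    ncmds = 2 if cryptid is not None else 1
    flags = MH_PIE if pie else 0
    if bits == 64:   # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), flags, 0)
    else:            # cputype 12 = CPU_TYPE_ARM, subtype 9 = ARM_V7
        header = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, ncmds, len(cmds), flags)
    return header + cmds


# Constructed samples standing in for binaries pulled off a device.
SAMPLES = {
    "store_app_arm64": build_sample(64, pie=True, cryptid=1),    # fresh from the App Store
    "dumped_arm64": build_sample(64, pie=True, cryptid=0),       # after Clutch / dumpdecrypted
    "legacy_armv7_nopie": build_sample(32, pie=False, cryptid=1),
    "dev_build_arm64": build_sample(64, pie=True),               # Xcode build, never encrypted
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, analyze_macho(blob))
```

A cryptid of 1 is the signal that Clutch or dumpdecrypted has to be run on the jailbroken device before class-dump will return anything useful; a 0 on a binary you have just dumped is the sanity check that the dump actually worked. A missing PIE flag is a finding in its own right, since it leaves the image at a fixed address and weakens ASLR for any memory-corruption bug found later in the test.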

Runtime Analysis Tools

Using dynamic and runtime analysis tools lets pentesters observe application behavior while it is running on the iOS device. This gives insight into how the application works and where its security controls can be bypassed. Any weaknesses found are documented and added to the report for later remediation.

Examples

  • Cycript: Allows pentesters to explore and change the state of the program under test (objects, method implementations, return values) in real time while it is running. It is command-line based, but features syntax highlighting and tab completion for easy command execution
  • iNalyzer: This tool provides both static and dynamic analysis, but the dynamic features are especially useful. It helps pentesters find issues such as variable tampering, constraint tampering, method tampering, memory enumeration and memory overwrite instances
  • Snoop-it: Allows analysts to assess the security of applications by using runtime injection and general dynamic analysis via a GUI instead of the command line

Filesystem Analysis

Exploring the device's file structure is also important in pentesting, as it shows how applications and the OS use the device's storage. It is also how pentesters copy files to and from a device, which is essential for pulling databases, plists and logs off the device for offline analysis and for pushing tools onto it.

Examples

  • iTunnel: Tunnels an SSH connection over the USB cable (via usbmuxd), so files can be copied with scp or SFTP without relying on Wi-Fi
  • Cyberduck: A file browser that connects to iOS devices over FTP or SFTP; SFTP requires OpenSSH installed on a jailbroken device
  • iFunbox: Perhaps one of the most widely-used apps for this purpose. iFunbox is more than just a filesystem navigation tool: it is also an application installation program and phone management tool for iOS devices

Conclusion

Prepping, performing and reporting iOS pentests is similar to web application and Android pentesting, but with different tools and Apple-specific techniques. There will be differences from the approach described in this article, depending on the application and the company that is requesting the pentest, but most of the landscape will remain the same.

This should serve as a basic overview of some of the most common interactions that you can expect when you are tasked with trying to search for application vulnerabilities on an iOS-enabled device. Once you understand how a pentesting procedure is carried out as a whole operation, it becomes easier to visualize what is expected of you in your role as a pentester.


Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.