Hacktricks-skills ios-pentesting-basics

iOS security architecture and pentesting fundamentals. Use this skill whenever the user mentions iOS security, mobile app pentesting, iOS app analysis, Info.plist inspection, Keychain investigation, data protection classes, sandboxing, or anything related to iOS penetration testing. This skill provides the foundational knowledge needed to understand iOS security mechanisms and how to investigate them during security assessments.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/mobile-pentesting/ios-pentesting/ios-basics/SKILL.MD
source content

iOS Pentesting Basics

This skill provides foundational knowledge for iOS security assessments. Use it to understand iOS security architecture, filesystem structure, data protection mechanisms, and app investigation techniques.

iOS Filesystem Structure

When investigating an iOS device, know where to look:

| Path | Purpose |
|---|---|
| /Applications | Native (system) applications, e.g. /Applications/Calculator.app |
| /var/containers/Bundle/Application/[uuid] | Application bundles (the .app directories) of installed third-party apps |
| /var/mobile/Containers/Data/Application/[uuid] | Application data containers (Documents, Library, tmp) |
| /System | Core system files and libraries |
| /Library | System-wide resources and settings |
| /private/var/mobile/Library/Logs/CrashReporter/ | Crash logs for applications |
| /dev | Device files |
| /Core | OS core dumps |

/var is a symlink to /private/var, so paths written either way refer to the same location.

Finding App Data

To locate a specific app's data:

  1. Navigate to
    /var/mobile/Containers/Data/Application/
  2. Look for directories with UUID names; the UUIDs are random, differ from the bundle container's UUID under /var/containers/Bundle/Application/, and change on every reinstall
  3. Map a UUID to its app by reading the hidden
    .com.apple.mobile_container_manager.metadata.plist
    inside each container: its MCMMetadataIdentifier key holds the bundle identifier (alternatively, a hooking tool such as objection's env command prints the running app's container paths)
  4. The app's data (Documents, Library/Preferences, Library/Caches, databases) lives here

SQLite Databases

iOS apps commonly use SQLite for local storage, directly, through Core Data, or through wrappers. With write-ahead logging, the journal mode Core Data has used by default since iOS 7, a database is spread across three files:

  • <name>.db
    - Main database file
  • <name>.db-shm
    - Shared-memory index for the write-ahead log
  • <name>.db-wal
    - Write-ahead log holding committed writes not yet checkpointed into the main file

In rollback-journal mode there is no -wal/-shm pair; a transient <name>.db-journal may appear instead.

Investigation tip: Look for SQLite files in app data directories. Extensions vary (.db, .sqlite, .sqlite3, or none), so check for the "SQLite format 3" header rather than relying on the name. When copying a database off a device, copy the -wal and -shm files with it, otherwise the most recent writes are missing. These files often contain user data, credentials, or sensitive information.
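The two procedures above (mapping a bundle identifier to its data container, then finding and triaging SQLite stores) as one script. This is an added example written for this page, not HackTricks or Apple code. It assumes a copy of /var/mobile/Containers/Data/Application/ pulled from a jailbroken device and reads the per-container metadata plist described above; the container tree, the bundle identifiers and the accounts.db contents are constructed in a temp directory so the script runs offline, and the "sensitive column" regex is an assumed heuristic.

```python
"""Map a bundle identifier to its data container and triage its SQLite stores.

Added example for this page (not HackTricks or Apple code). It assumes a copy of
/var/mobile/Containers/Data/Application/ pulled from a jailbroken device; the
container tree below is constructed in a temp dir so the script runs offline.
"""
import os
import plistlib
import re
import sqlite3
import tempfile
import uuid

# Real per-container metadata file; MCMMetadataIdentifier holds the bundle id.
METADATA = ".com.apple.mobile_container_manager.metadata.plist"
SQLITE_MAGIC = b"SQLite format 3\x00"          # first 16 bytes of every SQLite file
SENSITIVE = re.compile(r"pass|pwd|token|secret|key|auth|session|card|ssn", re.I)


def find_container(root, bundle_id):
    """Return the UUID-named container whose metadata names bundle_id, else None."""
    for entry in sorted(os.listdir(root)):
        meta = os.path.join(root, entry, METADATA)
        if not os.path.isfile(meta):
            continue
        with open(meta, "rb") as f:
            if plistlib.load(f).get("MCMMetadataIdentifier") == bundle_id:
                return os.path.join(root, entry)
    return None


def find_databases(container):
    """Find SQLite files by magic header (extensions vary) plus their sidecars.
    The -wal/-shm/-journal files must be copied together with the main file,
    otherwise un-checkpointed writes are lost."""
    hits = []
    for dirpath, _, files in os.walk(container):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if f.read(16) != SQLITE_MAGIC:
                    continue
            sidecars = [path + s for s in ("-wal", "-shm", "-journal")
                        if os.path.exists(path + s)]
            hits.append((path, sidecars))
    return hits


def triage_db(path):
    """Map each table to its columns and flag names that look like secrets."""
    report = {}
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)   # never write to evidence
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            report[table] = {"columns": cols,
                             "sensitive": [c for c in cols if SENSITIVE.search(c)]}
    finally:
        conn.close()
    return report


def triage_app(root, bundle_id):
    """Full pipeline: container lookup -> database discovery -> schema triage."""
    container = find_container(root, bundle_id)
    if container is None:
        return None
    return {db: triage_db(db) for db, _ in find_databases(container)}


def build_fixture():
    """Constructed stand-in for a pulled Data/Application tree (two apps, one DB)."""
    root = tempfile.mkdtemp()
    for bundle in ("com.example.notes", "com.example.bank"):
        container = os.path.join(root, str(uuid.uuid4()).upper())
        os.makedirs(os.path.join(container, "Documents"))
        with open(os.path.join(container, METADATA), "wb") as f:
            plistlib.dump({"MCMMetadataIdentifier": bundle}, f)  # only the key we need
        if bundle == "com.example.bank":
            conn = sqlite3.connect(os.path.join(container, "Documents", "accounts.db"))
            conn.execute("CREATE TABLE users(id INTEGER, email TEXT, "
                         "password TEXT, session_token TEXT)")
            conn.execute("INSERT INTO users VALUES(1, 'a@example.com', 'hunter2', 'tok')")
            conn.commit()
            conn.close()
    return root


if __name__ == "__main__":
    root = build_fixture()
    for db, report in triage_app(root, "com.example.bank").items():
        print(db)
        for table, info in report.items():
            print(f"  {table}: {info['columns']}  sensitive={info['sensitive']}")
```

Point it at a pulled tree with triage_app("/path/to/Data/Application", "com.target.app"). Detecting databases by header rather than extension matters because Core Data stores, Realm-free caches and third-party libraries often use .sqlite, .sqlite3 or no extension at all; opening with mode=ro keeps the evidence copy unmodified.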

Privilege Separation and Sandbox

User Privileges

  • mobile
    user (uid 501)
    : Third-party apps and most Apple apps run under this identity
  • root
    user
    : Most system daemons run as root

Sandbox Restrictions

Even apps running as the same mobile user cannot access each other's data. The kernel-enforced sandbox (the "container" profile applied to every third-party app):

  • Restricts file system access to the app's own bundle and data containers
  • Requires explicit user permission for protected resources (photos, contacts, location, camera, microphone)
  • Enforces access through permission pop-ups, whose text comes from the purpose strings in Info.plist

Pentesting implication: To access another app's data you need one of the following:

  • A jailbroken device (your tooling runs as root outside the sandbox)
  • A sandbox escape vulnerability
  • A sharing channel the other app opted into through entitlements, such as an app group or a shared keychain access group

Data Protection Classes

iOS Data Protection is rooted in the Secure Enclave Processor (SEP), which holds the hardware UID key and performs the key wrapping. Every file is encrypted with its own random 256-bit AES key; that per-file key is wrapped with the key of the file's protection class, and the class keys are derived from the UID (and, for passcode-dependent classes, the user's passcode), so a class's files become readable only while its class key is available.

Protection Classes

| Class | When Accessible | Use Case |
|---|---|---|
| NSFileProtectionComplete | Only while the device is unlocked; the class key is discarded shortly after lock | Highly sensitive data |
| NSFileProtectionCompleteUnlessOpen | Files already open stay readable after lock, and new files can be created while locked | Files actively in use, e.g. an in-progress download |
| NSFileProtectionCompleteUntilFirstUserAuthentication | From the first unlock after boot until the next reboot, locked or not | Data needed for background tasks |
| NSFileProtectionNone | Always (protected only by the device UID key) | Data that must be reachable before first unlock; the UID-bound class key makes fast remote wipe possible |

Default for third-party app files since iOS 7:

NSFileProtectionCompleteUntilFirstUserAuthentication

Anything an app wants protected while the phone is locked must opt in explicitly, e.g. by writing with the .completeFileProtection option or by setting the protection class as a file attribute. A finding worth reporting is sensitive data left in the default class, readable by anyone with post-first-unlock access to the filesystem.

Checking File Protection

Use FileDP to inspect file protection classes:

# On a jailbroken device with Python
git clone https://github.com/abjurato/FileDp-Source
cd FileDp-Source
python filedp.py /path/to/file

Keychain Security

The Keychain is an encrypted container for sensitive data (passwords, tokens, certificates).

Keychain Security Model

  • Items live in an SQLite database (/private/var/Keychains/keychain-2.db); each item's secret is encrypted with AES under a per-item key wrapped by the key of its accessibility class
  • The class keys come from the system keybag, whose keys are derived from the user passcode (PBKDF2-style iterated derivation) entangled with the device UID
  • The device UID never leaves the Secure Enclave, so the derivation cannot be replayed off-device
  • Managed by the
    securityd
    daemon, which mediates every Keychain API call
  • Access controlled by the keychain-access-groups entitlement: an app only sees items in groups it is entitled to (by default its own application-identifier prefix)

Keychain API Operations

| Function | Purpose |
|---|---|
| SecItemAdd | Add new item |
| SecItemUpdate | Update existing item |
| SecItemCopyMatching | Retrieve item |
| SecItemDelete | Remove item |

Keychain Accessibility Levels

| Attribute | When Accessible | Migrates to another device via backup |
|---|---|---|
| kSecAttrAccessibleAlways (deprecated since iOS 12) | Always | Yes |
| kSecAttrAccessibleAlwaysThisDeviceOnly (deprecated since iOS 12) | Always | No |
| kSecAttrAccessibleAfterFirstUnlock | After first unlock since boot | Yes |
| kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly | After first unlock since boot | No |
| kSecAttrAccessibleWhenUnlocked | Only while unlocked | Yes |
| kSecAttrAccessibleWhenUnlockedThisDeviceOnly | Only while unlocked | No |
| kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly | Only while unlocked and only if a passcode is set; the item is deleted when the passcode is removed | No |

"ThisDeviceOnly" items are not restored when a backup is replayed onto a different device. In a review, flag the Always variants (class key available even before first unlock) and any credential stored without a ThisDeviceOnly class, since it can be carried to another device through a backup.

Keychain Persistence Risk

Critical: Keychain data survives app uninstallation, because it is stored system-wide in the Keychain database rather than in the app container. A new device owner, or anyone who reinstalls the app on a device that was handed over without a full erase, could:

  1. Install the same app
  2. Access the previous owner's Keychain items with the app's own entitlements

Mitigation: Apps should clear their Keychain items on first launch (detected with a flag in UserDefaults, which is deleted together with the app) and on logout.

Jailbroken Devices Warning

On jailbroken devices, Keychain protections are significantly compromised: tooling running as root can read keychain-2.db and the keybag and dump every item whose class key is currently available (all of them while the device is unlocked), regardless of access group. Assume any Keychain item the device itself can decrypt is readable to the attacker, and treat the Keychain as protection against offline and locked-device attacks only.

App Capabilities and Permissions

Info.plist Investigation

The Info.plist file (a property list, usually in binary form inside a built IPA) contains app configuration, including the privacy purpose strings and capability declarations covered below.

From Xcode Project

  1. Open project in Xcode
  2. Locate
    Info.plist
  3. Search for keys prefixed with
    "Privacy -"
  4. View raw keys/values for clarity

From IPA File

  1. Unzip the IPA (it's a ZIP archive)
  2. Navigate to
    Payload/<appname>.app/
  3. Find
    Info.plist
  4. Built IPAs usually carry it as a binary plist; convert it to XML for reading with plutil -convert xml1 Info.plist (macOS) or plistutil -i Info.plist -o Info.xml (libplist)

Privacy Purpose Strings

Apps must declare why they need certain permissions:

<key>NSLocationWhenInUseUsageDescription</key>
<string>Your location is used to provide turn-by-turn directions.</string>

<key>NSCameraUsageDescription</key>
<string>Camera access needed to scan documents.</string>

<key>NSPhotoLibraryUsageDescription</key>
<string>Photo library access to select profile pictures.</string>

Pentesting tip: Compare declared purpose strings with actual app behavior. Mismatches may indicate privacy violations or misconfigured permissions.

Device Capabilities

Apps declare required hardware capabilities:

<key>UIRequiredDeviceCapabilities</key>
<array>
    <string>armv7</string>
    <string>arm64</string>
    <string>nfc</string>
</array>

This helps the App Store filter compatible devices.
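The IPA procedure, the purpose-string review and the capability check above, as one script. This is an added example written for this page, not HackTricks or Apple code. It assumes an IPA laid out as Payload/<appname>.app/Info.plist; the IPA, its bundle identifier and its purpose strings are constructed in memory so the script runs offline, and the "fewer than four words" rule for a suspicious purpose string is an assumed heuristic, not an Apple requirement.

```python
"""Pull Info.plist out of an IPA and review its privacy purpose strings and
device capabilities.

Added example for this page (not HackTricks or Apple code). The IPA is built in
memory with a constructed Info.plist so the script runs offline; the "fewer than
four words" threshold for a suspicious purpose string is an assumed heuristic.
"""
import io
import plistlib
import zipfile


def load_info_plist(ipa_bytes):
    """Return the parsed Payload/<app>.app/Info.plist (XML or binary plist).
    Info.plist files of embedded frameworks sit deeper in the tree and are skipped."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return plistlib.loads(z.read(name))   # plistlib detects XML vs binary
    raise FileNotFoundError("no Payload/*.app/Info.plist in IPA")


def review_purpose_strings(info):
    """Map every NS*UsageDescription key to (text, issue or None)."""
    review = {}
    for key, value in info.items():
        if not (key.startswith("NS") and key.endswith("UsageDescription")):
            continue
        text = value if isinstance(value, str) else ""
        if not text.strip():
            issue = "empty purpose string"
        elif len(text.split()) < 4:               # assumed heuristic
            issue = "generic/too short purpose string"
        else:
            issue = None
        review[key] = (text, issue)
    return review


def required_capabilities(info):
    """UIRequiredDeviceCapabilities may be an array or a dict; in dict form a
    false value means the device must NOT have the capability."""
    caps = info.get("UIRequiredDeviceCapabilities", [])
    if isinstance(caps, dict):
        return sorted(k for k, required in caps.items() if required)
    return sorted(caps)


def build_ipa():
    """Constructed IPA: one app bundle, one nested framework, stub executable."""
    info = {
        "CFBundleIdentifier": "com.example.scanner",
        "CFBundleExecutable": "Scanner",
        "NSCameraUsageDescription": "Camera access needed to scan documents.",
        "NSLocationWhenInUseUsageDescription": "Location",
        "NSContactsUsageDescription": "",
        "UIRequiredDeviceCapabilities": ["nfc", "arm64"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Scanner.app/Info.plist",
                   plistlib.dumps(info, fmt=plistlib.FMT_BINARY))  # binary, as in real IPAs
        z.writestr("Payload/Scanner.app/Frameworks/Lib.framework/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.lib"}))
        z.writestr("Payload/Scanner.app/Scanner", b"\xcf\xfa\xed\xfe")  # Mach-O 64 magic only
    return buf.getvalue()


if __name__ == "__main__":
    info = load_info_plist(build_ipa())
    print("capabilities:", required_capabilities(info))
    for key, (text, issue) in review_purpose_strings(info).items():
        print(f"{key}: {text!r}  ->  {issue or 'ok'}")
```

Run it on a real file with load_info_plist(open("app.ipa", "rb").read()). The flagged keys are the starting point for the behaviour comparison described above: a vague or empty string on a sensitive permission (location, contacts, microphone) is a finding on its own, and a permission that is declared but never triggered during dynamic testing is worth asking the developers about.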

Entitlements

Entitlements are key-value pairs baked into the app's code signature at signing time. They grant access that the OS checks on the app's behalf (keychain groups, iCloud containers, app groups, debugger attachment), independently of the runtime permission pop-ups, and cannot be added or changed without re-signing the binary.

Common Entitlements

  • com.apple.developer.icloud-container-identifiers
    - iCloud containers the app may use
  • keychain-access-groups
    - Keychain sharing groups (the Xcode "Keychain Sharing" capability)
  • com.apple.developer.team-identifier
    - Developer team identifier
  • application-identifier
    - Team prefix plus bundle identifier; also the app's default keychain access group
  • get-task-allow
    - Lets a debugger attach; must be false in a release build

Finding Entitlements

From Xcode: Check the project's entitlements file (usually
*.entitlements
)

From IPA: The authoritative source is the code signature of the main binary, because that is what the kernel and securityd enforce: on macOS run codesign -d --entitlements :- Payload/<appname>.app/<appname>, or on a jailbroken device ldid -e <binary>. Payload/<appname>.app/embedded.mobileprovision shows the entitlements the provisioning profile permits, together with the profile type (development, ad-hoc, enterprise or App Store), and older builds may also leave an *.entitlements or archived-expanded-entitlements.xcent file next to the binary; treat both as hints to be confirmed against the signature.
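Reading embedded.mobileprovision without macOS tooling, as an added example written for this page (not HackTricks or Apple code). The file is a CMS/PKCS#7 DER blob wrapping an XML plist; instead of `security cms -D -i embedded.mobileprovision`, the script carves the plist out by locating the `<?xml ... </plist>` span, the trick many pentest scripts use, and therefore does not verify the CMS signature. The profile bytes, team identifier, bundle identifier and device UDID are constructed here; the DER bytes around the plist only mimic a SignedData header.

```python
"""Extract the plist from an embedded.mobileprovision (a CMS/PKCS#7 DER blob
wrapping an XML plist) and summarise what the profile permits.

Added example for this page (not HackTricks or Apple code). Instead of
`security cms -D`, it carves the plist out of the DER by looking for the
<?xml ... </plist> span; this does not verify the CMS signature. The profile
bytes are constructed below.
"""
import datetime
import plistlib
import re

PLIST_SPAN = re.compile(rb"<\?xml.*?</plist>", re.S)


def extract_profile(blob):
    """Return the provisioning profile dict carved from the CMS blob."""
    match = PLIST_SPAN.search(blob)
    if match is None:
        raise ValueError("no XML plist found in mobileprovision blob")
    return plistlib.loads(match.group(0))


def profile_summary(profile):
    """Pull the security-relevant facts: permitted entitlements and profile type."""
    ent = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise (in-house)"
    elif profile.get("ProvisionedDevices"):
        kind = "development/ad-hoc"
    else:
        kind = "App Store"
    return {
        "kind": kind,
        "app_id": ent.get("application-identifier"),
        "team": ent.get("com.apple.developer.team-identifier"),
        "keychain_groups": list(ent.get("keychain-access-groups", [])),
        "icloud_containers": list(
            ent.get("com.apple.developer.icloud-container-identifiers", [])),
        "debuggable": bool(ent.get("get-task-allow", False)),   # debugger may attach
        "device_count": len(profile.get("ProvisionedDevices", [])),
        "expires": profile.get("ExpirationDate"),
    }


def build_mobileprovision():
    """Constructed profile: DER-looking bytes around a real XML plist."""
    profile = {
        "AppIDName": "Example Bank",
        "TeamName": "Example Corp",
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.bank",
            "com.apple.developer.team-identifier": "ABCDE12345",
            "keychain-access-groups": ["ABCDE12345.com.example.shared"],
            "get-task-allow": True,
        },
        "ExpirationDate": datetime.datetime(2030, 1, 1, 0, 0, 0),
        "ProvisionedDevices": ["00008030-0000000000000000"],   # constructed UDID
    }
    # SEQUENCE header + id-signedData OID (1.2.840.113549.1.7.2), then the
    # plist, then bytes standing in for the signature
    return (b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
            + plistlib.dumps(profile) + b"\x31\x82\x00\x10" + b"\x00" * 16)


if __name__ == "__main__":
    summary = profile_summary(extract_profile(build_mobileprovision()))
    for key, value in summary.items():
        print(f"{key:18} {value}")
```

Use it with extract_profile(open("embedded.mobileprovision", "rb").read()). A profile with ProvisionedDevices or get-task-allow set in a build that reached testers or production is a finding in itself (debuggable, signed for a limited device list); the keychain-access-groups list tells you which other apps of the same team can read the app's Keychain items.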

Investigation Workflow

When starting an iOS app assessment:

  1. Get the app - IPA file or installed on device
  2. Extract Info.plist - Review declared permissions and capabilities
  3. Check entitlements - Identify special access granted
  4. Locate app data - Find the app's container directory
  5. Search for databases - Look for
    .db
    files
  6. Check file protection - Use FileDP on sensitive files
  7. Investigate Keychain - Look for stored credentials (requires jailbreak)
  8. Review crash logs - May contain sensitive data or stack traces
