Hacktricks-skills ios-pentesting-checklist

Comprehensive iOS application security testing checklist. Use this skill whenever you need to pentest an iOS app, perform mobile security assessments, check for iOS vulnerabilities, analyze iOS data storage, test iOS authentication, or audit iOS applications for security issues. This skill covers data storage, keychain, IPC mechanisms, network security, cryptography, and more.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/mobile-pentesting/ios-pentesting-checklist/SKILL.MD

source content

iOS Pentesting Checklist

A comprehensive guide for security testing iOS applications. Follow this checklist systematically to identify vulnerabilities in iOS apps.

Preparation

Before starting your assessment:

Review iOS fundamentals - Understand iOS architecture, sandboxing, and security model
Set up your testing environment - Configure jailbroken device, Frida, and necessary tools
Perform initial analysis - Examine the app's Info.plist, entitlements, and basic structure

Data Storage Analysis

iOS apps store data in multiple locations. Check each for sensitive information:

Plist Files

Search for
```
.plist
```
files in the app's sandbox
Look for hardcoded credentials, API keys, or configuration data
Check
```
~/Library/Preferences/
```
and app container directories

Databases

Core Data (SQLite): Check
```
*.sqlite
```
and
```
*.sqlite3
```
files
YapDatabase: Look for YapDatabase files
Realm: Search for
```
.realm
```
files
Couchbase Lite: Check for Couchbase Lite databases
Firebase: Review Realtime Database configurations for misconfigurations

Other Storage

Binary cookies: Check for stored session tokens
Cache data: Review
```
~/Library/Caches/
```
for sensitive cached content
Automatic snapshots: Check for screenshots or UI snapshots containing sensitive data
Keychain: Enumerate keychain items for stored credentials

Key principle: Systematically check the entire app filesystem for any sensitive information.

Keyboard Security

Verify if the app allows custom keyboards
Check keyboard cache files for leaked sensitive input
Test if sensitive fields disable custom keyboards properly

Log Analysis

Review system logs for leaked sensitive information
Check app-specific logs in
```
~/Library/Logs/
```
Look for debug logging that may expose credentials or tokens

Backup Analysis

Extract and analyze app backups for sensitive data
Test if modifying backup configurations can bypass security controls
Restore modified backups to test configuration bypasses

Memory Analysis

Dump and analyze application memory for sensitive data
Look for credentials, tokens, or PII in memory
Use tools like Frida to inspect runtime memory

Cryptography Review

Search for hardcoded encryption keys or passwords
Identify deprecated or weak cryptographic algorithms
Hook and monitor cryptographic function calls
Verify proper use of iOS Keychain for key storage

Local Authentication Testing

If the app uses local authentication (Face ID, Touch ID, passcode):

Local Authentication Framework: Test for bypass vulnerabilities
Custom implementations: Create Frida scripts to dynamically bypass authentication
Check if authentication can be bypassed by modifying keychain access

IPC and Inter-App Communication

Custom URI Handlers / Deeplinks

Enumerate registered protocols and schemes in Info.plist
Test if the app registers to use external protocols
Attempt to intercept data via custom schemes
Test input sanitization on scheme parameters
Check for exposed sensitive actions callable via schemes

Universal Links

Review registered universal protocols
Analyze
```
apple-app-site-association
```
file
Test input sanitization on universal link parameters
Check for exposed sensitive actions

UIActivity Sharing

Test if the app receives UIActivities
Attempt exploitation with specially crafted activities

UIPasteboard

Monitor if the app copies sensitive data to pasteboard
Check if the app reads from general pasteboard
Test for sensitive data leakage via clipboard

App Extensions

Identify any app extensions (Today widgets, Share extensions, etc.)
Test extension security boundaries

WebViews

Identify WebView types used (WKWebView vs UIWebView)

Check security settings:

```
javaScriptEnabled
```
```
JavaScriptCanOpenWindowsAutomatically
```
```
hasOnlySecureContent
```

Test file access:

allowFileAccessFromFileURLs

allowUniversalAccessFromFileURLs

Check JavaScript-to-native bridges (
```
JSContext
```
,
```
postMessage
```
)

Network Security

Perform Man-in-the-Middle attacks on app communication
Verify hostname validation on certificates
Test and bypass certificate pinning mechanisms
Check for unencrypted data transmission

Additional Checks

Hot patching: Identify automatic update mechanisms that could be exploited
Third-party libraries: Audit dependencies for known vulnerabilities or malicious code
Code obfuscation: Check if the app uses obfuscation and test its effectiveness

Testing Workflow

Static Analysis: Review app binaries, Info.plist, and resources
Dynamic Analysis: Run the app and monitor behavior
Instrumentation: Use Frida to hook and modify runtime behavior
Network Analysis: Intercept and modify network traffic
Data Extraction: Extract and analyze stored data
Bypass Testing: Attempt to bypass security controls

Reporting

Document all findings with:

Vulnerability description
Steps to reproduce
Impact assessment
Remediation recommendations
Evidence (screenshots, logs, code snippets)

Tools Reference

Frida: Runtime instrumentation
Objection: Mobile security testing toolkit
Cycript: Runtime introspection
class-dump: Extract headers from binaries
iMazing: Backup management
Burp Suite: Network interception
MobSF: Mobile security framework