How To Set Up An iOS Pen Testing Environment
Over the past few years I have focused heavily on mobile application security, and in particular application security on the iOS platform. A lot of people starting out want to know how to get set up to test iOS applications, so I thought I'd write a quick guide to getting started.
The following is a list of the hardware and software you will need to get started pen testing iOS applications.
It doesn't really matter which iOS device you choose. An iPad is probably the most versatile as it can run both iPhone and iPad apps.
You can do some testing on a non-jailbroken device but the coverage is not as great. The latest public jailbreak, evasi0n, is for iOS 6.1.2 and is available here. The team behind the jailbreak, evad3rs, have done a great job with a really polished tool that makes jailbreaking the device a pretty simple exercise.
There is no public jailbreak for iOS 7 yet, so if you have a more recent device or have updated then you are unfortunately out of luck for now.
As a side note - finding and exploiting vulnerabilities in iOS to allow for a jailbreak is not a trivial task. It requires skill and time. iOS bugs are also pretty valuable. So if the jailbreak team asks for a donation, consider throwing some money their way. Especially if you intend to use the jailbreak to pen test applications in a commercial sense or to test your own commercial apps.
There are multiple ways to connect to the device but a wireless network is the simplest way to get started. You can use SSH over USB (more on setting this up below) but it's usually just easier to set up and use a wireless network.
The most common question I get asked is "do I need a Mac to test iOS applications?". The short answer is no. The slightly longer answer is no, but it's probably a good idea, particularly if you would like to do code review or test using the simulator. You could get away with a Linux box or an OS X VM, but I just prefer to use OS X natively.
The following is a list of software you will need to get going. I will go over setting these up in the next section.
Xcode and Command Line Utilities available from the Mac App Store (requires an Apple ID)
Intercepting Proxy such as Burp Proxy available here, ZAP Proxy available here or Abrupt Proxy available here. I will use Burp.
OpenSSH available via Cydia and iPhone-tunnel available here
SQLite available here or SQLite Database Browser available here
keychain-dumper available here
class-dump-z available here
mobilesubstrate available here
adv-cmds available via Cydia
Darwin CC Tools available via Cydia
evasi0n available here (latest public Jailbreak)
redsn0w available from the Dev Team
ios-ssl-killswitch by iSEC Partners available here
Setting up the Environment
Install Xcode and Command Line Tools
Xcode is Apple's IDE and includes the latest iOS SDK and iOS Simulator. It's available for free on the Mac App Store (requires an Apple ID). Once Xcode is installed be sure to install the Command Line Tools via the components download tab in the preferences (Xcode->Preferences->Downloads->Components). Older versions of the iOS Simulator are available there too if necessary.
The current public jailbreak is available at evasi0n.com. The jailbreak software is pretty slick and easy to use so I won't detail the steps here; as a caution, however, always back up your device first.
OpenSSH can be installed via Cydia (which would have been installed when the device was jailbroken). The default password for the root account on iOS is alpine, and it is the same on every jailbroken device, so you should change it, as well as the password for the user mobile, to something else.
To change the root password, first SSH into the device over the wireless network using the default credentials.
If you don't have a wireless network, the easiest way to connect to the device is using iPhone Tunnel, which forwards SSH over the USB connection.
Use the passwd command to change the root password, then do the same for the mobile user.
In order to intercept HTTPS traffic you will need to add the self-signed Burp (PortSwigger) CA certificate (or the equivalent for whatever proxy you are using) to your device:
Use your desktop browser to export Burp's CA certificate. With the browser configured to use Burp as its proxy, visit http://burp and click the "Cert" link to download your Burp CA certificate. Save the certificate somewhere on your computer using the .crt file extension.
Attach the cert to an email and send it from your desktop computer to an email account that you can access on your device.
On the device, open the email and tap the attached cert.
Tap "Install" and follow the prompts to install the cert on the device.
Don't forget to set the proxy settings on the device (available in the Wi-Fi network settings) to point at your proxy.
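A common reason HTTPS interception still fails after these steps is that the wrong file was installed: a per-site certificate rather than the CA, or a file that is not a certificate at all. The following shell script is an added example (not from the original post) that uses openssl to check the exported file before you mail it to the device: it accepts DER (Burp's "Cert" link is assumed to serve DER) or PEM, confirms the certificate carries basicConstraints CA:TRUE (which is what lets the device trust the certificates the proxy forges for each site), and prints the SHA-1 fingerprint for comparison with what the device shows for the installed profile. The make_test_ca helper and the test CA it builds are constructed solely so the script can exercise itself offline; they are not Burp's certificate.

```shell
#!/bin/sh
# Added example: sanity-check an exported proxy CA certificate with openssl
# before installing it on the iOS device. Not part of the original post.
set -eu

# Normalise a certificate file to PEM. The proxy's download is assumed to be
# DER; a file saved from a browser may already be PEM.
cert_to_pem() {   # $1 = input certificate, $2 = output PEM path
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    cp "$1" "$2"
  elif openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null; then
    :
  else
    echo "not an X.509 certificate: $1" >&2
    return 1
  fi
}

# Succeeds only if the certificate is marked as a CA (basicConstraints CA:TRUE).
# A leaf certificate installs fine on the device but will not make iOS trust
# the per-site certificates the proxy generates, so interception fails.
is_ca_cert() {   # $1 = PEM certificate
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# SHA-1 fingerprint as colon-separated hex, for comparison with the profile.
cert_fingerprint() {   # $1 = PEM certificate
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Check one exported certificate: returns 0 if it is usable as a proxy CA.
check_proxy_ca() {   # $1 = exported certificate (DER or PEM)
  pem="$(mktemp)"
  cert_to_pem "$1" "$pem" || return 1
  if ! is_ca_cert "$pem"; then
    echo "$1 is not a CA certificate; export the CA, not a per-site cert" >&2
    rm -f "$pem"
    return 1
  fi
  echo "CA certificate OK, fingerprint $(cert_fingerprint "$pem")"
  rm -f "$pem"
}

# Constructed stand-in for the proxy CA (plus a non-CA leaf for contrast) so
# the checks above can be exercised offline. $1 = directory to write into.
make_test_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test Proxy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -extensions v3_ca -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.der"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -extensions v3_leaf -keyout "$1/leaf.key" -out "$1/leaf.pem" 2>/dev/null
}

# Usage: sh check_proxy_ca.sh demo   (or source it and call check_proxy_ca FILE)
if [ "${1:-}" = "demo" ]; then
  dir="$(mktemp -d)"
  make_test_ca "$dir"
  check_proxy_ca "$dir/ca.der"             # accepted: CA certificate OK
  check_proxy_ca "$dir/leaf.pem" || true   # rejected: not a CA certificate
  rm -rf "$dir"
fi
```

Run check_proxy_ca against the file you downloaded from http://burp; if it is rejected, re-export the CA rather than proceeding, since the device will happily install a non-CA certificate and give no hint why HTTPS traffic still fails to decrypt.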
Install Mobile Substrate, dpkg, wget and Preference Loader
All of these packages can be installed via Cydia.
It is increasingly common to find applications that use certificate pinning. If the application employs cert pinning or other application-level SSL validation, it may prevent you from intercepting its HTTPS traffic even with the proxy CA installed.
There are manual ways to deal with this (which will probably be the subject of another blog post), but for now we will use a great tweak to disable SSL validation: ios-ssl-killswitch by iSEC Partners.
It works by patching functions in the Secure Transport API: SSLCreateContext(), SSLSetSessionOption() and SSLHandshake(). Higher-level APIs like NSURLConnection rely on Secure Transport for their certificate validation routines, so patching at that layer defeats cert pinning in most apps. Apps that ship their own TLS stack rather than using Secure Transport are not affected and will still need to be handled manually.
dpkg -i com.isecpartners.nabla.sslkillswitch_v0.5-iOS_6.1.deb
You will then need to "respring" the device so that the tweak is loaded into running apps.
Cycript is a "programming language designed to blend the barrier between Objective-C and JavaScript" and is very useful when testing iOS apps. To install Cycript, first install the mobilesubstrate and libffi packages using Cydia. You’ll be prompted to reboot. Once the device has come back up, log into it using SSH. Download the latest Cycript package from http://www.cycript.org/debs/. Copy the package to your device and install it using dpkg:
dpkg -i cycript_0.9.461_iphoneos-arm.deb
Once the package is installed, you should now have cycript available in your path.
To install weak_classdump, SSH into the device and use wget:
wget --no-check-certificate https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy
gdb can be installed via Cydia. The latest version should work fine.
Copy keychain-dumper to the device using scp. I usually keep it in /var/tmp, but you can put it wherever you like.
This should be everything you need to get started testing iOS applications. Hopefully this has been of some help. If people are interested I will try to write up some posts on how to go about testing an application and the basic usage of some of these tools.