iOS Application Security Part 13 – Booting a custom Ramdisk using Sogeti Data Protection tools
Sep 17, 2013
In the previous article, we looked at how we can use Keychain-Dumper and Snoop-it to analyze and dump the contents of the Keychain from an iOS device. In this article, we will look at how we can boot a non-jailbroken device using a custom ramdisk and analyze the contents of the device. So why would we need to boot a device using a custom ramdisk? Imagine a scenario where you only have temporary access to a device and you can't jailbreak it. You just have access to the device for say like 30...
What to expect from the new iPhone (5S/5C) - Rumor roundup
Aug 23, 2013
The smartphone world is buzzing with rumors about the new iPhone. The new iPhone is rumored to be launched on September 10 at an event in San Francisco, which means that the invitations for the event would be sent to the press sometime around September 3. This time, Apple is reported to be releasing two models of iPhone: the iPhone 5S and a cheaper variant, reportedly named the iPhone 5C. Here is a complete rumor roundup from multiple sources about the next-generation iPhone. Fingerprint Sensor There is absolutely...
iOS Application Security Part 12 – Dumping Keychain Data
Aug 20, 2013
In the previous article, we looked at the different ways in which we could analyze the network traffic and the API calls being made by an iOS application. In this article, we will look at how we can dump the contents of the Keychain from an iOS device. Keychain Basics According to Apple, the Keychain on an iOS device is a secure storage container that can be used to store sensitive information such as usernames, passwords, network passwords and authentication tokens for different applications. Apple itself uses the Keychain to store Wi-Fi network passwords, VPN credentials etc....
iOS Application Security Part 11 – Analyzing Network Traffic over HTTP/HTTPS
Aug 20, 2013
In the previous article, we looked at the iOS filesystem and forensics. In this article, we will be looking at how we can analyze the network traffic flowing to and from an iOS device. Analyzing the network traffic of an application can be helpful in many ways. It can help us deduce how the application manages its users' sessions, the endpoints to which the application makes calls, how the application works internally, etc. We will also look at how we can analyze network traffic over SSL. There are both active and passive ways...
iOS Application Security Part 10 – iOS Filesystem and Forensics
Aug 20, 2013
In this article, we will be looking at the iOS filesystem: understanding how the directories are organized, looking at some important files, and seeing how we can extract data from database and plist files. We will look at how applications store their data in their own directories (the sandbox) and how we can extract it. One important thing to note is that in all the previous articles, we have been logging in to the device as the user root. There is another kind of user with the username mobile. A mobile user...
iOS Application Security Part 9 – Analyzing Security of iOS Applications using Snoop-it
Aug 20, 2013
In some of the previous articles, we have looked at how we can dump class information of iOS apps using class-dump-z, hook into the runtime using Cycript to perform runtime manipulation and method swizzling, analyze the flow of the app using gdb, etc. However, there could be a much better way of doing these things. We shouldn't need separate tools for all these tasks. It would be great if a single tool could perform all of them and at the same time display the information in a much more presentable way. Snoop-it is a...
iOS Application Security Part 8 - Method Swizzling using Cycript
Jul 25, 2013
In the previous article, we looked at how we can install custom apps on our device without a developer certificate. In this article, we will look at how we can perform method swizzling using Cycript on a sample application. The first thing is to download the sample Xcode project. You can download the Xcode project from here. Or you can also just download the binary file on your device from here. If you have downloaded the Xcode project, you will have to build it using a self-signed certificate. The previous article talks...
iOS Application Security Part 7 - Installing and Running Custom Applications on Device without a registered developer account
Jul 25, 2013
Usually, to test apps on a device, you need to be a registered developer, which costs about $99/year. For people who want to learn iOS application security, it is very important to be able to run applications on a device so that they can perform tests on them. For people who do not want to publish any apps on the App Store, it may not be worth paying the $99/year fee. In this article we will be looking at how we can build and install an application on a jailbroken...
iOS Application Security Part 6 - New Security Features in iOS 7
Jul 25, 2013
As we all know, Apple recently introduced its new version of iOS at WWDC 2013 with a completely redesigned user interface. If you haven't seen it yet, check out this video from WWDC 2013. This article will be a small deviation from the other parts in this series. In this article, we will discuss the latest security features introduced in iOS 7. Getting iOS 7. To get the iOS 7 beta, you have to be a registered Apple developer. Go to http://developer.apple.com , log in with your registered Apple ID, and go to this...
iOS Application security Part 5 – Advanced Runtime analysis and manipulation using Cycript (Yahoo Weather App)
Jul 2, 2013
In the previous article, we learnt how to set up Cycript on your iDevice, hook into a running process and obtain information about its properties at runtime. In this article, we will look at some advanced runtime analysis techniques. We will look at how we can obtain information about a particular class (methods, instance variables) and modify them at runtime. Finding methods for a particular class Let's say we are analyzing the flow of an app during its runtime. It would be really good to know which methods are being called in a particular...
iOS Application Security Part 4 – Runtime Analysis Using Cycript (Yahoo Weather App)
Jul 2, 2013
In the previous article, we learnt about the runtime capabilities of an iOS app written in Objective-C using the Cocoa framework. In this article, we will look at how we can use a very essential tool named Cycript to analyze and modify the runtime of an iOS application. In this article, we will be performing our analysis on the Yahoo Weather iOS app. Cycript Cycript is a JavaScript interpreter which also understands Objective-C syntax, meaning we can write either Objective-C or JavaScript, or even both, in a single command. It can also hook...
Burpsuite Walkthrough
Jun 19, 2013
Burpsuite is one of the best tools available for web application testing. Its wide variety of features helps us perform various tasks, from intercepting a request and modifying it on the fly, to scanning a web application for vulnerabilities, to brute forcing login forms, to checking the randomness of session tokens, and many other functions. In this article we will be doing a complete walkthrough of Burpsuite, discussing all its major features. Burpsuite (free edition) is available by default in Backtrack 5. The professional edition can be downloaded from here. Some...
iOS Application security Part 3 - Understanding the Objective-C Runtime
Jun 16, 2013
Almost all native iOS applications are written in Objective-C. All these apps use Cocoa, which is a framework that sits on top of Objective-C and provides high-level APIs that make development for Mac and iOS much easier. Cocoa also adds a runtime environment for the applications. In this article, we will focus on understanding the Objective-C runtime and the intricate details of how the language functions internally. This will give us a much deeper understanding of how it applies to iOS application security. Objective-C runtime Objective-C is a runtime-oriented language....
iOS Application security Part 2 - Getting class information of iOS apps
Jun 16, 2013
Have you ever checked out an iOS app and thought it was cool, and wondered if you could find some information about the source code of the app, the third-party libraries it uses, or how the code is designed internally? Have you ever wondered if it was possible to dump all the images and plist files used in any app, either preinstalled on your device or downloaded from the App Store? If the answer is yes, then you have come to the right place. In this article, we will look at how we can...
iOS Application security Part 1 - Setting up a mobile pentesting platform
Jun 16, 2013
In this article series, we will be learning about the tools and techniques required to perform penetration testing and vulnerability assessment on iOS applications. Jailbreaking your device If you are serious about iOS security, then having a jailbroken device is a must. In this section, we will look at how we can jailbreak an iOS device. Jailbreaking a device has many advantages. You can install tools like nmap and Metasploit, and even run your own custom Python code on the device. Imagine having the power to run a vulnerability scan on a website from the...
Ghost USB Honeypot Part 2 - Installing and running the honeypot
Jun 15, 2013
This article is a continuation of Part 1 of the series on the Ghost USB Honeypot. Malware threats have become very common these days, and hence the need for honeypots to detect that malware has become equally important. In the last few years, we have seen how USB-based malware can be used to target highly protected machines that are not connected to the internet. In order to detect malware that spreads over USB devices, the Ghost USB Honeypot project was started. Ghost is a honeypot for detecting malware that spreads via USB devices. The...
Ghost USB Honeypot Part 1- Interview with Project Leader Sebastian Poeplau
Jun 15, 2013
Malware threats have become very common these days. In the past, many honeypots have been created to detect malware propagation over the network. These honeypots trick the malware into believing that they are a part of the network. The honeypots are, however, isolated, and once they have been infected they can be used to study the behaviour of the malware. Network-based malware has always been more successful, given the large number of systems it can affect in a short period of time. This kind of network-based malware is, however, not able to...
Backtrack 5 R3 Walkthrough part 4
Jun 15, 2013
DHCPig DHCPig is a very handy little tool used to carry out an advanced DHCP exhaustion attack. It grabs all the IP addresses in its subnet by sending many DHCP requests, each appearing to come from a different client, so that the server leases out an address for every one of them. It also discovers its neighbours' IP addresses and frees them by sending DHCP releases to the server on their behalf. It then waits for a specific timeout on the packets it has sent; if the timeout is reached, it means all the IP addresses in the network are now used up. However, some...
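To make the mechanism concrete, the following is an added Python example (not DHCPig's own code and not part of the original article) that builds the two kinds of DHCP messages an exhaustion attack relies on: DHCPDISCOVER messages that each carry a distinct, constructed client hardware address (so the server reserves one lease per message), and a DHCPRELEASE spoofed on behalf of a neighbour. It only encodes and decodes the raw DHCP payload as bytes and never puts anything on the wire; the MAC and IP addresses used are constructed for the example. It also includes the check a defender would run: counting distinct client addresses behind a burst of DISCOVERs, which is the signal that distinguishes exhaustion from ordinary DHCP traffic.

```python
"""Build and parse raw DHCP (RFC 2131) payloads to show how address exhaustion
works. Added example; offline only, nothing is sent. All addresses are constructed."""
import os
import socket
import struct

BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-field magic cookie
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
DISCOVER, RELEASE = 1, 7                   # DHCP message type values
FLAG_BROADCAST = 0x8000
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op..file, 236 bytes before the cookie


def random_mac():
    """Constructed locally administered unicast MAC (bit 1 of byte 0 set, bit 0 clear)."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] & 0xFE) | 0x02
    return bytes(b)


def build_dhcp(msg_type, mac, xid, ciaddr="0.0.0.0", flags=0, options=()):
    """Return the UDP body of a DHCP message; options is a list of (code, bytes)."""
    fixed = struct.pack(FIXED_FMT, BOOTREQUEST, 1, len(mac), 0, xid, 0, flags,
                        socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytearray(DHCP_MAGIC) + bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, val in options:
        opts += bytes([code, len(val)]) + val
    opts += bytes([OPT_END])
    return fixed + bytes(opts)


def parse_dhcp(payload):
    """Decode the fixed header and TLV options; raises on a missing cookie."""
    f = struct.unpack(FIXED_FMT, payload[:236])
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6], "ciaddr": socket.inet_ntoa(f[7]),
            "chaddr": f[11][:f[2]], "options": options}


def exhaustion_round(n, first_xid=0x1000):
    """n DHCPDISCOVERs, each from a distinct spoofed MAC. The server binds one
    lease per chaddr, so n distinct MACs consume n addresses from the pool."""
    seen, pkts = set(), []
    while len(pkts) < n:
        mac = random_mac()
        if mac in seen:
            continue
        seen.add(mac)
        pkts.append(build_dhcp(DISCOVER, mac, first_xid + len(pkts), flags=FLAG_BROADCAST))
    return pkts


def release_for_neighbour(neighbour_mac, neighbour_ip, server_ip, xid):
    """DHCPRELEASE spoofed from a neighbour: ciaddr is the address being freed and
    option 54 names the server (RFC 2131 section 4.4.6). Releases are unicast."""
    return build_dhcp(RELEASE, neighbour_mac, xid, ciaddr=neighbour_ip,
                      options=[(OPT_SERVER_ID, socket.inet_aton(server_ip))])


def distinct_discover_clients(payloads):
    """Defender-side check: how many different chaddr values sit behind a burst of
    DISCOVERs. A large number from one port or VLAN in a short window is exhaustion."""
    return len({parse_dhcp(p)["chaddr"] for p in payloads
                if parse_dhcp(p)["options"].get(OPT_MSG_TYPE) == bytes([DISCOVER])})


if __name__ == "__main__":
    burst = exhaustion_round(254)           # one DISCOVER per address of a /24 pool
    print("distinct clients in burst:", distinct_discover_clients(burst))
    rel = release_for_neighbour(b"\x00\x11\x22\x33\x44\x55", "192.168.1.20", "192.168.1.1", 7)
    print(parse_dhcp(rel))
```

The pool size in the usage call is a constructed value; what matters is that the number of distinct chaddr values equals the number of leases the server will try to hand out, and that a release only succeeds if ciaddr, chaddr and the server identifier all match an existing binding, which is why the tool first has to learn its neighbours' addresses.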
Backtrack 5 R3 Walkthrough part 3
Jun 15, 2013
This article is a continuation of part 2 of the Backtrack 5 R3 walkthrough series. In this article we will be looking at some of the other new tools that were added to Backtrack 5 with the release of its latest version, R3. Wifite Wifite is probably one of the best tools out there for cracking wireless networks. It makes the whole task simple for you by hiding all the intricate details of cracking a wireless network and automating the whole process. It can crack WEP- and WPA-protected networks as well as WPS-enabled ones, one after another....
Backtrack 5 R3 Walkthrough part 2
Jun 15, 2013
This article is a continuation of part 1 of the Backtrack walkthrough series. In the previous article we discussed some of the most important new tools that were added in the most recent revision of Backtrack 5, like Dnmap, Fern-Wifi-Cracker etc. In this article we will look at some of the other main tools added in Backtrack 5 R3. HTExploit HTExploit was released at Black Hat 2012 by Matias Katz and Maximiliano Soler. HTExploit (HiperText access Exploit) is a tool used to bypass authentication mechanisms deployed on websites using .htaccess files....