iOS Mobile Application Security Part -1
This article is an overview of iOS application security and checklist, we will discuss some application vulnerabilities, security checks and how we can assess the application security in any iOS devices.
We will also go through some tools need for iOS application security assessment and how to setup these tools and overview of these tools.
Mobile apps can be broadly classified into 3 types:
- Native Mobile App: installed on the device, is developed specifically for one platform and can work offline. Some native apps are calendars, calculators, built-in browsers and office applications.
- Web-Based Mobile App: is an actual website that gives the look and feel of native apps but is implemented differently. They are run by a browser and are typically written in HTML5. Some web-based mobile apps are popular social networks (the versions that are accessed through the browser), email and chatting applications and online mobile games.
- Hybrid App: is a combination of both Native and Web App. Discovery health and fitness app is an example of a hybrid app that redirects to the website to complete some requests.
An iOS application typically runs on an iPad, iPhone, or an iPod touch and is written in Objective-C programming language. The iOS app is stored in an .ipa file that is an iOS application archive file.
iDevice: Any Jailbreak iPhone , IPod, IPad etc.
MacOS(optional) : We can install MAC OS in virtual machine, tutorials are available on the internet, other option is that we can build a dedicated machine for Hackentosh OS :)
- iPhone explorer
- iPhone config utility
- hex editor
- Burp Suite
- class dump-z.0.2
- And many more
The entire security testing of an iOS application can be divided into the following phases:
- Static Analysis:
In static analysis we will be testing and evaluation the application by examining the code, configuration file, local storage and class dump of the application without executing the application.
- Dynamic Analysis:
In dynamic analysis testing we will evaluate of an application during runtime, we will hook application with interception with some dynamic tools Burpsuite Cyscript, Snoopit.