iOS Application Hacking - PenTesting Mobile Apps

Chilik Tamir, AppSec Labs | August 4-5

On This Page


Day 1

Introduction to iOS Security
• Mobile application threat model - What makes mobile application security so different?
• What is iOS
• iOS device architecture
• iOS security model
• Application file system isolation
• iOS Sandbox
• iOS Simulator
• The iOS Simulator VS. physical device
• Why Jailbreak
• LAB: Exploring the iOS security mechanisms

Coffee break

Traffic Analysis and Manipulation
• Intro to server side attacks - SQL injection, XSS
• Insecure remote Authentication - UUID, IMEI, etc.
• Insecure session management
• Authorization vulnerabilities
• Traffic interception
• Using proxies and sniffers
• Importing SSL certificates & trusted CA's configuration profile
• Sensitive information transmission
• Bypassing server certificate validations
• Exposing insecure traffic
• LAB: HTTP/HTTPS Sniffing and Proxying
• LAB: Parameter Manipulation

Meal break (lunch)

Insecure data storage
• Exploring deployed application files and directories
• The file system security model and public directories
• Insecure file system storage
• The SQLite Database storage
• Using sqlite browser
• Secrets inside Code
• Storage of sensitive data at the server side
• Insecure log exposure
• Bad cryptography

Coffee break

• LAB: Exposing insecure data storage
• LAB: Insecure Configuration

Day 2

iOS Application Static Analysis
• The ipa file package
• ipa extraction - Investigating layout, preferences, permissions and binaries
• Jailbreak benefits
• Cydia installation and configuration
• Installing decrypted ipa using Installious
• ViewController Enumeration
• property list files and plutil
• application info.plist file
• cfurl and urlScheme invocations
• harvesting binary for strings
• binary SQL statements
• binary URI peers
• binary parameters usage
• binary entitlements
• the macho file format
• class prototype Enumeration
• otool for the rescue
• LAB: Binary decryption
• LAB: Binary Analysis

Coffee break 

iOS application security testing toolkit
• Cydia repository and packages configuration
• cycript introduction
• cycript basic usage
• cycript attachment
• cycript functions
• cycript methods overwrite
• cycript iVars
• cycript as a hacking tool
• cycript ssl modifications
• iOS ipa encryption
• iOS ipa decryption - manual
• iOS ipa decryption - automatic
• iOS ipa patching and resigning
• class-dump-z revisited
• cycript ViewControllers
• LAB: Cycript as a hacking tool

Meal break (lunch)

Analyzing Runtime Analysis with iNalyzer
• Monitoring process activity
• why use iNalyzer?
• iNalyzer key features
• iNalyzer components
• iNalyzer installation and usage
• iNalyzer Dashboard
• Application Decryption
• Application File system snapshot
• Application peer Enumeration
• Application SQL vulnerabilities
• Application URI vulnerabilities
• Application handleOpenURL: vulnerabilities
• Application Object enumeration
• Application Methods Enumerations
• Application Variables Enumerations
• Application Strings Analysis
• Application Objects and Analysis
• Cycript and iNalyzer integration
• Harnessing Web Scanners to iNalyzer
• No more black box iOS analysis

Coffee break

• LAB: iNalyzer Vs. a running application

Who Should Take This Course

Members of the security / software development team:

• Security penetration testers
• iOS developers

Student Requirements

Before attending this course, students should be familiar with:
• Common security concepts

What Students Should Bring

At least 2GB of RAM (4GB is highly recommended)
• 15GB of free HD space
• Jailbreaked iOS device
• VMWare Palyer installed

What Students Will Be Provided With

• Slides (pdf)
• Labs (pdf)
• iOS iNalyzer (DVD) containing all tools, runtime, target apps, scripts, etc.
• Certificate of completion
• Access to AppSec Labs' LMS (learning management system), at


Chilik Tamir is an experienced security trainer and speaker (Black Hat USA2013, HITB Amsterdam2013, OWASP Israel2011-2012-2013, Intel, HP, Cisco, Amdocs, Verint, RedBend and others). He is known for his security expertize with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research - the iOS iNalyzer is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse - a testing environment for Android applications developed together with Erez Metula; Belch - an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization; as well as his lectures in conferences . He is the Chief Scientist at AppSec-Labs responsible for innovating and leading security development and research of tools, exploits and vulnerabilities in web applications. Chilik holds an Biomedical Engineering B.Sc. degree.