iOS#

iOS artifacts, jailbreaks, and app-testing tools. Forensic recovery runs against the artifact locations; offensive testing wraps the jailbreak chain plus a stable of app-pentest toolkits.

Artifact locations#

Contacts          /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
Calls             /var/mobile/Library/CallHistoryDB/CallHistory.storedata
SMS               /var/mobile/Library/SMS/sms.db
Maps              /var/mobile/Applications/com.apple.Maps/Library/Maps/GeoHistory.mapsdata
Safari            /var/mobile/Library/Safari/History.db
Photos Database   /var/mobile/Media/PhotoData/Photos.sqlite

Jailbreaks#

Checkra1n, a high-quality semi-tethered jailbreak based on the checkm8 bootrom exploit. iPhone 5s through iPhone X, iOS 12.3 and up. https://checkra.in/

PhoenixPwn, semi-untethered jailbreak for 9.3.5 to 9.3.6. All 32-bit devices supported. https://phoenixpwn.com/

App testing#

  • IDB, iOS App Security Assessment Tool. https://github.com/dmayer/idb

  • iRET, iOS Reverse Engineering Toolkit. https://github.com/S3Jensen/iRET

  • DVIA, Damn Vulnerable iOS App for learning. http://damnvulnerableiosapp.com/

  • LibiMobileDevice, cross-platform protocol library to communicate with iOS devices. https://github.com/libimobiledevice/libimobiledevice

  • Needle, iOS App Pentesting Tool. https://github.com/mwrlabs/needle

  • AppCritique, iOS App Security Assessment Tool. https://appcritique.boozallen.com/

Cracked IPA apps#

  • AppCake, https://www.iphonecake.com

  • IPA Rocks, https://ipa.rocks/

Reverse engineer an iOS app (works on iOS 11 and 12).

  1. Add https://level3tjg.github.io source to Cydia.

  2. Install bfdecrypt.

  3. Go to bfdecrypt preference pane in Settings, set the app to decrypt.

  4. Launch it.

  5. Decrypted IPA is stored in the Documents folder of the app.

References#