iOS Mobile Pentest Tutorial

Por

Module 0 — Legal, Ethics, Scope & Lab Setup

  • 0.1 Authorization & rules of engagement (RoE)
    • Written authorization checklist
    • Scope definition: in-scope assets, out-of-scope limits
    • Data handling, privacy, chain of custody
    • Emergency contacts & escalation
  • 0.2 Test types and methodologies
    • Black-box, gray-box, white-box testing distinctions
    • Risk-based vs feature-based assessments
    • Goal setting: confidentiality, integrity, availability objectives
  • 0.3 Lab & safe environment setup (recommended)
    • Hardware options: physical iPhones/iPads (jailbroken & non-jailbroken), macOS host
    • Emulators/simulators: differences (iOS Simulator vs real device)
    • Network lab: isolated VLAN, proxying, MITM lab machines
    • Recommended VM images, snapshots, and backups
  • 0.4 Evidence collection & reporting best practices
    • Triage forms, screenshots, logs, PCAPs, timestamps, reproducibility
    • Report templates, severity mapping, CVSS basics
    • Disclosure workflow & remediation verification

Module 1 — iOS Basics & App Anatomy

  • 1.1 iOS architecture & app lifecycle (high level)
    • Process model, sandboxing, entitlements, provisioning
    • App bundle structure: .app folder, Info.plist, assets
  • 1.2 IPA, provisioning profiles, and code signing
    • IPA format, payload layout, embedded provisioning profile
    • Code signing basics and entitlements (conceptual)
  • 1.3 Mach-O binary format & Objective-C/Swift runtime fundamentals
    • Symbols, sections, Objective-C runtime (classes, selectors), Swift metadata
  • 1.4 iOS storage primitives
    • NSUserDefaults/UserDefaults, SQLite, Realm, Keychain basics
  • 1.5 Networking stack overview
    • NSURLSession, CFNetwork, TLS basics, certificate pinning concept
  • 1.6 App protections & common countermeasures (overview)
    • Obfuscation, anti-tamper, anti-debug, jailbreak/root detection, runtime integrity checks, SSL pinning

Module 2 — Reconnaissance & Information Gathering

  • 2.1 Passive recon from App Store / TestFlight / APK mirrors
    • Metadata, permissions, release notes, binaries (how to obtain IPAs legally)
  • 2.2 Static metadata collection
    • Info.plist, entitlements, URL schemes, deep links, supported architectures
  • 2.3 OSINT & infrastructure mapping
    • Backend domains, API endpoints, certificate info, mobile API discovery
  • 2.4 Binary acquisition (legal & safe methods)
    • Downloading IPAs from TestFlight/App Store (authorized flows), enterprise builds
  • 2.5 Initial threat modeling for the app
    • Assets, trust boundaries, attacker capabilities & likely attack vectors

Module 3 — Static Analysis (conceptual → tooling)

  • 3.1 Manual inspection of bundle contents
    • Info.plist, embedded.mobileprovision, resource files, configuration leaks
  • 3.2 Class-dump & header reconstruction (conceptual)
    • Recreating class interfaces and method lists
  • 3.3 Decompilation & disassembly overview
    • Hopper, Ghidra, IDA, Binary Ninja — what each gives you conceptually
  • 3.4 Swift reverse engineering basics (metadata, mangled names)
  • 3.5 Searching for secrets & misconfigurations
    • Hardcoded keys, embedded credentials, API keys, dev endpoints
  • 3.6 Static analysis tools & scanners (list + purpose)
    • mobSF (Mobile Security Framework), iOS-specific linters, strings, grep, floss

Module 4 — Dynamic Analysis & Instrumentation (non-exploitative)

  • 4.1 Runtime observation techniques
    • Logging, network inspection, local storage observation
  • 4.2 Proxying & MITM (conceptual)
    • Burp/mitmproxy usage with mobile: device proxying, certificate installation, TLS limits
  • 4.3 Debugging basics on iOS
    • lldb overview, process attachment concepts, sandbox constraints
  • 4.4 Tainting & data flow observation (conceptual)
    • Tracing sensitive data from source (input) to sink (network, file)
  • 4.5 App behavioral profiling
    • Monitoring app lifecycle and network patterns

Module 5 — Runtime Hooking & Frida (conceptual + safe guidance)

  • 5.1 What is Frida and when to use it
    • Frida architecture (agent + host), dynamic instrumentation benefits
  • 5.2 Frida session lifecycle & primitives (conceptual)
    • Interceptors, Stalker, NativeFunction, Memory.read/write (concepts)
  • 5.3 Typical Frida use-cases (authorized testing)
    • Inspecting method calls, bypassing client-side logic for testing, extracting runtime secrets
  • 5.4 Anti-Frida & anti-instrumentation concepts
    • Detecting injected agents, checksums, dynamic integrity checks
  • 5.5 Safe, high-level examples of hooks (no copy/paste exploit code)
    • How to approach hooking: identify target functions, log inputs/outputs, validate effects
  • 5.6 Tooling ecosystem: Objection, frida-swift, frida-objc, gadget injection options (conceptual)

Module 6 — Jailbreak Detection, Anti-Debug & Anti-Tamper

  • 6.1 Typical jailbreak checks & detection vectors
    • File path checks, process checks, URL scheme checks, sandbox escapes (conceptual)
  • 6.2 Anti-debug / anti-attach techniques apps use
    • ptrace, sysctl checks, signal handlers (conceptual)
  • 6.3 Counter-anti-debug and bypassing approaches (conceptual)
    • Hardening vs testing: safe ways to test anti-debug without posting weaponized steps
  • 6.4 Tamper detection & runtime integrity checks
    • Checksums, encrypted resources, runtime attestation concepts
  • 6.5 Best practices for responsibly testing and reporting bypassable protections

Module 7 — SSL / TLS and Certificate Pinning (analysis + testing)

  • 7.1 TLS basics & failure modes
  • 7.2 Pinning approaches (public key, certificate, SPKI) and how apps implement them (conceptual)
  • 7.3 Testing strategies to verify pinning and check fallback behaviors
  • 7.4 MitM evasion defenses and responsible testing notes
  • 7.5 Defensive remediation guidance for developers

Module 8 — Authentication & Session Management Attacks

  • 8.1 Local authentication flows (PIN, biometric, server verification)
  • 8.2 Session token lifecycle, renewal, revocation, and fixation issues
  • 8.3 Broken authentication scenarios and tests
    • Weak session tokens, predictable tokens, insufficient logout, duplicate login handling
  • 8.4 OAuth / SSO integration pitfalls
  • 8.5 Recommended tests and safe verification steps

Module 9 — Data Storage & Keychain Attacks

  • 9.1 iOS Keychain model & access groups (conceptual)
  • 9.2 Common misuses of secure storage
  • 9.3 Local file storage weaknesses (unencrypted DBs, caches, logs)
  • 9.4 Safe methods to verify sensitive data leakage (without providing exploit scripts)
  • 9.5 Mitigations and secure storage best practices

Module 10 — Reverse Engineering, Binary Patching & Repackaging (overview + ethics)

  • 10.1 When and why to patch or repackage an app in testing
  • 10.2 High-level process: unpack → analyze → modify → repackage → re-sign (conceptual)
  • 10.3 Code signing, entitlements, provisioning constraints (conceptual)
  • 10.4 Common pitfalls and safe lab practices (don’t present weaponized steps)
  • 10.5 Secure reporting: how to present proof of concept without shipping exploit code

Module 11 — Advanced Code & Flow Analysis

  • 11.1 Dynamic taint analysis & data flow tracing concepts
  • 11.2 Finding logic flaws: authorization, business logic, race conditions
  • 11.3 Interplay of client & server logic — how to model and test
  • 11.4 Advanced reverse engineering topics (Swift generics, runtime symbols)

Module 12 — Exploit Development (conceptual, lab-only)

  • 12.1 Memory corruption basics (conceptual only)
  • 12.2 Exploit mitigations on iOS (ASLR, DEP, code signing) — why real exploits are hard
  • 12.3 Vulnerability chaining and the ethics of exploitation
  • 12.4 Safe, simulated exploit examples for learning inside isolated lab VMs (recommendations — no weaponized code here)

Module 13 — Runtime Patching & Function Hooking Techniques (advanced, conceptual)

  • 13.1 Inline patching vs trampolines — concepts
  • 13.2 Using runtime hooks to change business logic (authorized testing)
  • 13.3 Detecting and defeating self-integrity checks (conceptual)
  • 13.4 Best practices for building PoCs that are safe, reproducible, and non-destructive

Module 14 — Obfuscation & Protections: How They Work and How to Assess Them

  • 14.1 Types of obfuscation: symbol/identifier, control-flow, string encryption
  • 14.2 Packing & runtime loaders
  • 14.3 Measuring protection strength and limitations
  • 14.4 Guidance for developers: choosing protections that don’t break maintainability

Module 15 — Mobile Backend Attacks & API Security

  • 15.1 API enumeration and attack surface mapping
  • 15.2 Common API flaws: broken access control, IDOR, excessive data exposure
  • 15.3 Rate limiting, throttling, and brute force protections
  • 15.4 Testing methodology and responsible disclosure steps to backend teams

Module 16 — Advanced Topics: Side-channels, Inter-process, and System-level Issues

  • 16.1 Side-channel information leakage (timing, resource usage)
  • 16.2 Inter-app communication risks (URL schemes, pasteboard, XPC)
  • 16.3 Exploiting misconfigured entitlements & app groups (conceptual)
  • 16.4 Hardware-assisted protections and bypass realities

Module 17 — Automation, Tooling & Frameworks

  • 17.1 Scripting reconnaissance and repeated checks (conceptual)
  • 17.2 CI/CD security checks for mobile apps
  • 17.3 Useful toolchain: mobSF, Frida, Objection, class-dump, radare2, Hopper, Ghidra, IDA, Burp, mitmproxy, lldb, Xcode tools, codesigners
  • 17.4 Building reproducible testcases & PoCs safely

Module 18 — Reporting, Remediation, and Developer Collaboration

  • 18.1 Structuring a technical pentest report (Executive Summary → Technical → PoC → Remediation)
  • 18.2 Risk rating, CVSS and practical business impact
  • 18.3 Recommended fixes for frequent issues
  • 18.4 Retest and verification process

Module 19 — Defensive Guidance & Secure Development Lifecycle (SDLC)

  • 19.1 Secure coding patterns for iOS apps
  • 19.2 Threat modeling during design
  • 19.3 Secure third-party library management
  • 19.4 Runtime monitoring and detection as defense

Module 20 — Appendix: Reference Material, Cheat Sheets, and Labs

  • 20.1 Recommended reading & blogs, vulnerability databases, CVE feeds
  • 20.2 Labs, CTFs and learning resources (safe environments)
  • 20.3 Glossary of iOS pentest terms
  • 20.4 Example RoE template, test checklists, report templates

For each module I will include (per your request)

  • Purpose & learning objectives
  • Prerequisites
  • Full tool list with alternatives (why choose each)
  • Step-by-step methodology at the conceptual level
  • Safe, reproducible lab exercises (where applicable) using isolated devices/VMs
  • What to capture as evidence and how to present it
  • Common pitfalls, mitigations, and developer recommendations
  • Links to further reading & reference (where publicly available)