Getting Started with iOS 13+ App Pentesting

Information security offers an enormous number of learning resources today, and that abundance is exactly why beginners often get stuck on the question of where to start.

If you want to learn how to perform security reviews or penetration tests of iOS apps running on iOS 13+ (the latest version at the time of writing), this post is for you. It introduces a free and open-source project that will get you started with iOS app pentesting and security.

Note: Like my other posts, this one is short, to the point and easy to follow, so you will not find much description or theory here.

Pre-requisite

  • A Mac with Xcode installed, or
  • A jailbroken iPhone / iPad running the latest iOS (13+)

If you are already familiar with some AppSec areas such as web application security, how did you start learning? Most likely with an intentionally vulnerable web app: WebGoat? DVWA?

One of those, right? In the same way, you can start learning iOS app security with an intentionally vulnerable iOS app, OWASP iGoat. You can read more about iGoat at https://igoatapp.com/.

Condition 1: If you have a Mac, follow the steps below. If you do not, skip ahead to Condition 2.

Step 1: Clone the project from https://github.com/owasp/igoat-swift. If you are not familiar with git, simply use the Download ZIP option.


Step 2: Inside the iGoat-Swift folder, open iGoat-Swift.xcodeproj in Xcode.

Step 3: Select the target device you want (I selected an iPhone 11 running iOS 13.3) and click the Run (play) button.

[Screenshot: iGoat running from Xcode]
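Condition 1 can also be driven entirely from the terminal, which is handy when you rebuild iGoat often. The script below is an added example written for this post, not code from the iGoat project: it clones the repository, builds the app for the iOS Simulator with xcodebuild, and installs and launches it with xcrun simctl. The scheme name iGoat-Swift is an assumption (xcodebuild -list prints the real one), the `run` argument guard is my own convention, and the simctl device listing embedded in the script is constructed sample output used only to self-test the UDID parser; everything else uses standard Xcode command-line tools.

```shell
#!/usr/bin/env bash
# Added example (not part of iGoat): build iGoat-Swift from source and run it in
# an iOS Simulator without clicking through Xcode. Requires macOS with Xcode.
set -eu

REPO_URL="https://github.com/OWASP/iGoat-Swift"
SCHEME="iGoat-Swift"               # ASSUMED scheme name; verify with: xcodebuild -list -project iGoat-Swift.xcodeproj
SIM_NAME="${SIM_NAME:-iPhone 11}"  # simulator to target, matched exactly by name

# Constructed sample of `xcrun simctl list devices available` output, used only
# to self-test pick_simulator_udid below; the UDIDs are made up.
SAMPLE_SIMCTL_OUTPUT='== Devices ==
-- iOS 13.3 --
    iPhone 8 (5A1D7C2E-0B3F-4E6A-8C9D-112233445566) (Shutdown)
    iPhone 11 (F2C0A8A3-6B6B-4C7F-9C2E-1234567890AB) (Shutdown)
    iPhone 11 Pro (0A1B2C3D-4E5F-4A6B-8C7D-AABBCCDDEEFF) (Booted)'

pick_simulator_udid() {
  # $1 = simulator name exactly as simctl prints it (e.g. "iPhone 11").
  # Reads `xcrun simctl list devices available` output on stdin and prints the
  # UDID of the first device with that exact name, so "iPhone 11" does not
  # match "iPhone 11 Pro". Prints nothing if there is no such simulator.
  awk -v name="$1" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      prefix = name " ("
      if (substr(line, 1, length(prefix)) != prefix) next
      rest = substr(line, length(prefix) + 1)          # "UDID) (Shutdown)"
      udid = substr(rest, 1, index(rest, ")") - 1)
      if (udid ~ /^[0-9A-Fa-f-]+$/) { print udid; exit }
    }'
}

app_bundle_id() {
  # $1 = path to a built .app; read CFBundleIdentifier from its Info.plist so
  # the bundle ID never has to be hard-coded.
  /usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$1/Info.plist"
}

main() {
  [ -d iGoat-Swift ] || git clone "$REPO_URL" iGoat-Swift
  cd iGoat-Swift

  # Simulator builds need no signing identity, so this works on any Mac with Xcode.
  xcodebuild -project iGoat-Swift.xcodeproj -scheme "$SCHEME" \
    -sdk iphonesimulator -configuration Debug \
    -derivedDataPath build CODE_SIGNING_ALLOWED=NO build

  app=$(find build/Build/Products -maxdepth 2 -name '*.app' | head -n 1)
  [ -n "$app" ] || { echo "build produced no .app bundle" >&2; exit 1; }

  udid=$(xcrun simctl list devices available | pick_simulator_udid "$SIM_NAME")
  [ -n "$udid" ] || { echo "no available simulator named '$SIM_NAME'" >&2; exit 1; }

  xcrun simctl boot "$udid" 2>/dev/null || true   # fails harmlessly if already booted
  open -a Simulator
  xcrun simctl install "$udid" "$app"
  xcrun simctl launch "$udid" "$(app_bundle_id "$app")"
}

# Only run the full clone/build/install when invoked as `bash igoat_sim.sh run`,
# so the file can also be sourced for its helper functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `bash igoat_sim.sh run` from an empty working directory; the xcodebuild call is Step 2 and the simctl calls are Step 3 of Condition 1. Matching the simulator name exactly matters: a loose grep for "iPhone 11" would happily pick the iPhone 11 Pro and install the app on a device you are not looking at.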

Condition 2: If you have a physical, jailbroken iPhone / iPad

Step 1: Download the iGoat .ipa file from https://github.com/owasp/igoat-swift.

Step 2: Install AppSync Unified from Cydia on your iPhone / iPad. It patches the installer's code-signature check so that an unsigned .ipa (one not signed by the App Store or a developer certificate) can be installed; without it, the install in Step 3 is rejected.


Step 3: Use iFunBox to install the .ipa on the device.


That's all! You have successfully installed the intentionally vulnerable iOS app, iGoat. What's next?

You can start with the Data Protection (Rest) challenges, which cover how the app stores data at rest on the device.

Let's take a look at a sample challenge:

[Screenshot: a sample iGoat challenge screen]

  1. If you think your answer is right, select option 1, 'Verify'.
  2. Need hints? Select option 2, 'Hints'.
  3. Need the solution? Select option 3, 'Solutions'.

You can find more documentation for this project at https://docs.igoatapp.com/.

If you run into any issues while following this post, please drop them in the comment section.

If you find a bug in iGoat or want to request a feature, file it at https://github.com/owasp/igoat-swift/issues.

References:

  1. OWASP iGoat – https://igoatapp.com/
  2. iGoat Project Code – https://github.com/OWASP/iGoat-Swift

 
