Five tips for pentesters in iOS, from Denise Giusto Bilić at ESET

Denise Giusto Bilić, Security Researcher at ESET , looks at recommendations for pentesters looking for security flaws in iOS applications made by developers. 
As our phones play an increasingly essential role in our lives, releasing secure applications has become a necessity for protecting end users. As a result, the role of pentesters has gained importance in identifying unwanted behaviors, such as allowing data leaks, producing errors in other apps installed on the device, generating unexpected costs, or denying a certain service to the phone user.
In previous publications we shared some tips for secure developments in iOS. You may want to read these articles, as they will help you to detect certain errors that developers often make when creating applications for iOS. In addition to these articles, we are sharing the following guidelines, which can be used to guide your analysis.
1 – Put yourself in the shoes of the programmer
To the furthest extent possible, try to understand the people behind the development of the code you are auditing. Figure out which programming language they work with most of the time or what was their first (main) coding language. The experience of programmers is usually evident in the architecture of their code and, consequently, the nature of their errors. Knowing these things can point you in the right direction when it comes to investigating.
For example, programmers with a Java background often tirelessly replicate design patterns, abstracting functionality over and over again. In contrast, mobile developments made by web programmers will have as much functionality as possible deposited into web applications, and rely heavily on the use of WebKit. Both types of developers will be familiar with using high-level APIs, but they are susceptible to errors when manipulating low-level APIs.
2 – Get the source code
Although it is not the place where an attacker is usually found, obtaining the source code will help you to detect the most errors in the shortest possible time. Penetration tests usually involve limited resources in terms of time and money, so it is a good idea to get the most out of them. Your goal should not be to replicate a real attack scenario, but to find as many vulnerabilities as possible to make the final application more secure.
Objective-C works great with reverse engineering and makes it possible to get a fairly transparent look at the internal mechanisms of an application, even without starting from the source code. An attacker with unlimited time can get an approximate—if not exact—look at what you will have with the code. It is best to save time and dedicate your efforts to finding those security flaws.
3 – Keep in mind the weak points of the language
While Objective-C and Cocoa prevent some frequent security errors in C and C++, the use of dangerous APIs, such as strcpy and strcat, or poorly implemented mechanisms, such as categories or method swizzling , can cause unexpected behaviors that lead to serious security errors. For that reason, be sure to investigate how these techniques impact the application.
4 – Identify the possible reuse of vulnerable code
Many programmers have developed the bad habit of consulting online programming forums and copying code without really testing how it works, especially when it comes to low-level auxiliary functions, network connectivity, and encryption. Others integrate third-party libraries and developments into the base code without checking whether they have any security flaws. This can result in the same vulnerable code being found across multiple applications.
5 – Use two testing teams: one with jailbreak and the other with factory
Having a device with the factory OS will help you to assess how the application behaves in a real end-user environment, with all the security mechanisms enabled and no problems registering push notifications. In contrast, you can use the device with jailbreak to analyze the file system in more detail and how the operating system works.

Georgina Turner image

Georgina Turner

Sales Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Graphic displaying a lockdown solution

Netgenium debuts next gen display and touchscreen technologies

Power-over-Ethernet (PoE) solutions specialist Netgenium will be showcasing its new range of IP…

ICT® Launches New TSL Access Reader Series

Integrated Control Technology (ICT®), a leading manufacturer of intelligent access control and…
Image Provided by Paxton

Paxton Partners with Skills for Security

The security technology manufacturer Paxton is proud to announce a partnership with Skills for Security…
Image Provided by ICT

ICT and Ingram Micro sign distribution agreement MEA

Integrated Control Technology (ICT), award-winning global manufacturer of intelligent electronic access control and security solutions..
Image Provided by Toshiba

Toshiba launches new HDD Innovation Lab

Toshiba Electronics Europe GmbH (Toshiba) has inaugurated a new HDD Innovation Laboratory (HDD Innovation Lab) at its site in Düsseldorf..
Image Provided by Verkada

Verkada Doubles Down on the Channel with Strategic New Hire

Verkada, a leader in cloud-based physical security, today announced the appointment of Micah Deriso as Head of Global Channel…
Image Provided by IPSA

IPSA Appoint Frontline Hero as Ambassador

Abdullah, the courageous security officer praised for foiling a horrific knife attack at Leicester Square, has been appointed as…
Image Provided by Codelocks

New Surface Latch from Codelocks

Codelocks is expanding its Gate Solutions by Codelocks range with the introduction of the new Codelocks’ Surface Latch…
Image provided by Genetec

Nicholas Smith to Lead Genetec UK and Ireland Operations

Genetec, provider of enterprise physical security software, announced the appointment of Nicholas Smith as its new Regional Sales Director…

News Desk

View all the latest, product, project and people news

News Desk

Click Here

Technology News

Keep up-to-date with the latest product innovation

Technology News

Click Here

Industry Sectors

Discover technology in action in all applications

Industry Sectors

Click Here

Enter The Awards

Showcase personal or organisation excellence

Advertise With Us

Reach decision makers and amplify your marketing

Advertise With Us

Click Here
Scroll to Top