iOS Frida Objection Pentesting Cheat Sheet

A quick and simple guide to the most common objection functions used during an iOS penetration test. Testers can use this to cover the majority of the standard iOS test cases quickly.

Usage / Installation

Pre-Install – You need Frida to use objection

If using it for the first time, remember that there are two ways of running Frida against an app:

  1. A jailbroken device running frida-server (preferably connected via USB). You can install frida-server from Cydia after adding the Frida repository (https://build.frida.re). The frida-server version on the device should match the Frida client version on your host, or the tools will refuse to connect. To jailbreak your device, check our iOS jailbreak guide.
  2. An app with the Frida gadget injected into the IPA (for non-jailbroken devices).

Install Objection

Installation is easy!

pip3 install objection

Check Device Connectivity

Check to make sure the device is successfully connected over USB. If you have

frida-ls-devices

Check Installed Apps

List installed applications:

~$ frida-ps -Uai
 PID  Name              Identifier
----  ----------------  -------------------------------
5948  Cydia             com.saurik.Cydia
5829  Mail              com.apple.mobilemail
5945  Settings          com.apple.Preferences
   -  App Store         com.apple.AppStore
   -  BBQ Go            com.bbqGo
   -  Books             com.apple.iBooks
   -  Calendar          com.apple.mobilecal
   -  Camera            com.apple.camera

Start Objection and Attach to a Process

Objection spawns the app (restarting it if it is already running) and injects its agent into the process. Use the bundle identifier from the frida-ps listing, not the display name.

~$ objection -g com.client.mytestapp explore
Using USB device `iOS Device`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.9.4

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.client.mytestapp on (iPad: 12.4.7) [usb] #  
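The attach procedure above, scripted end to end, as an added example that is not part of the original page or the objection project: it resolves a bundle identifier from `frida-ps -Uai` output (display names can contain spaces, so the identifier is taken as the last column) and then runs the checks covered later in this cheat sheet non-interactively, one output file per check. It assumes objection 1.x, whose `run` subcommand executes a single REPL command and exits; the sample frida-ps table embedded in the script is constructed for offline testing, and the FRIDA_PS/OBJECTION variables are this script's own overrides.

```shell
#!/bin/sh
# Added example (not from the page or the objection project).
# Resolve an app's bundle id from `frida-ps -Uai` and run the common objection
# checks non-interactively via `objection -g <bundle> run <command>`.
# Assumptions: objection 1.x with the `run` subcommand; frida-ps on PATH.
# FRIDA_PS / OBJECTION are this script's own overrides (used for dry runs).

FRIDA_PS=${FRIDA_PS:-frida-ps}
OBJECTION=${OBJECTION:-objection}

# Constructed sample of `frida-ps -Uai` output for trying the parser offline.
SAMPLE_PS='PID  Name       Identifier
----  ---------  ---------------
5948  Cydia      com.saurik.Cydia
   -  App Store  com.apple.AppStore
   -  BBQ Go     com.bbqGo'

# find_bundle_id NAME: read frida-ps -Uai output on stdin and print the bundle
# id whose display name equals NAME. The identifier is the last column; the
# name is every column between the PID and the identifier (names may have
# spaces). The two header lines are skipped.
find_bundle_id() {
    awk -v want="$1" 'NR > 2 && NF >= 3 {
        name = $2
        for (i = 3; i < NF; i++) name = name " " $i
        if (name == want) { print $NF; exit }
    }'
}

# The checks this cheat sheet walks through, one objection command per line.
TRIAGE_COMMANDS='ios info binary
ios keychain dump
ios nsuserdefaults get
ios nsurlcredentialstorage dump
ios cookies get
ios plist cat Info.plist'

# run_triage BUNDLE_ID OUTDIR: run each check against the app and save the
# output as OUTDIR/<command with spaces replaced by underscores>.txt
run_triage() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    printf '%s\n' "$TRIAGE_COMMANDS" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        out="$outdir/$(printf '%s' "$cmd" | tr ' ' '_').txt"
        # $cmd is intentionally unquoted so it splits into objection's arguments
        "$OBJECTION" -g "$bundle" run $cmd > "$out" 2>&1
        printf '%s -> %s\n' "$cmd" "$out"
    done
}

# main APPNAME OUTDIR: glue the two together against a live device.
main() {
    id=$("$FRIDA_PS" -Uai | find_bundle_id "$1")
    if [ -z "$id" ]; then
        echo "no installed app named '$1' (check frida-ps -Uai)" >&2
        return 1
    fi
    run_triage "$id" "$2"
}

# Only touch a device when invoked directly with both arguments.
if [ $# -eq 2 ]; then
    main "$1" "$2"
fi
```

Run it as `sh triage.sh 'BBQ Go' ./out` with the device attached; each check's output lands in its own file for review. For an interactive session that starts with pinning already disabled, objection 1.x's `explore` subcommand also accepts `-s/--startup-command`, for example `objection -g com.client.mytestapp explore -s 'ios sslpinning disable --quiet'`.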

Disable Certificate Pinning

Certificate pinning stops an application from accepting your intercepting proxy's TLS certificate, so pinned connections fail as soon as traffic is routed through the proxy. For penetration testers who need to get things done quickly, this can be a real pain.

Objection is our first approach to removing certificate pinning on iOS. Its hook covers the common iOS TLS validation APIs; an app with its own custom pinning logic may still need a hand-written Frida hook. The bypass does not replace the usual proxy setup: the proxy CA certificate must still be installed and trusted on the device, and the device must be configured to use the proxy.

Pro tip: use --quiet, since this hook can generate a lot of noise throughout your testing.

[usb] # ios sslpinning disable --quiet

[Screenshot: ios sslpinning disable output]

Congrats, your certificate pinning is now disabled! If pinned requests still fail, confirm the proxy CA is trusted on the device (Settings -> General -> About -> Certificate Trust Settings) before assuming the hook missed the app's pinning code.

Inspect Binary Info

Dump info on the iOS binary. This lets you confirm whether the app binary is still encrypted (an encrypted App Store binary must be decrypted before static analysis) and whether it was compiled as a Position Independent Executable (PIE); the same output reports other build protections such as ARC and stack canaries, so note any that are missing:

 [usb] # ios info binary

[Screenshot: ios info binary output]

Dump the App Keychain

Assessing keychain storage is a necessity for iOS pentests. You can dump the app's keychain items and review their contents. Besides the stored data itself, note the accessibility class of each item: anything stored with kSecAttrAccessibleAlways can be read without the device passcode, and anything that is not a *ThisDeviceOnly class can be restored to another device from a backup:

[usb] # ios keychain dump

[Screenshot: ios keychain dump output]

Explore the App Structure

Objection is also great for quickly exploring the app's sandbox and bundle. As part of any pentest you will want to review the package for sensitive data, API keys, and other information disclosure in application files.

Navigate the Directories

You can navigate with cd and list directories from the REPL with ls:

[usb] # ls

Examine files with file cat:

[usb] # file cat examplefile.txt

Explore plist Files

Plist files should be examined for sensitive information. Info.plist in particular also lists the URL schemes the app registers (CFBundleURLTypes) and any App Transport Security exceptions (NSAppTransportSecurity), both of which are worth recording for later test cases.

[usb] # ios plist cat Info.plist

Check Other Data Stores for Sensitive Information

Check for sensitive data in NSURLCredentialStorage:

[usb] # ios nsurlcredentialstorage dump

Check for sensitive data in NSUserDefaults (this store is unencrypted and is included in backups, so credentials and tokens do not belong there):

[usb] # ios nsuserdefaults get

Check for the Secure and HttpOnly flags, and for sensitive data, in cookies:

[usb] # ios cookies get

[Screenshot: ios cookies get output]
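The data-store review above produces a lot of text to read by hand. As an added example that is not code from the page or the objection project, here is a small, format-agnostic secret scan to run over the output captured from ios keychain dump, ios nsuserdefaults get, ios plist cat or file cat (saved to a file first). The patterns are illustrative starting points, and the sample dump written by write_sample_dump is constructed to resemble objection's keychain and NSUserDefaults output.

```shell
#!/bin/sh
# Added example (not from the page or the objection project): grep-based triage
# of text captured from objection's keychain / NSUserDefaults / plist / file
# output. Patterns are illustrative; extend them for the app under test.

# One extended regex per line. The kSecAttrAccessibleAlways line flags keychain
# items readable with the device locked; the Bearer line catches raw tokens in
# cookie or credential-storage output.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}
eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+
[Pp]assw(or)?d
[Ss]ecret
[Aa][Pp][Ii][_-]?[Kk][Ee][Yy]
[Tt]oken
kSecAttrAccessibleAlways(ThisDeviceOnly)?
[Bb]earer [A-Za-z0-9._-]+'

# scan_for_secrets FILE: print "line:content" for every line that matches a
# pattern. A scan with no matches is not an error, so only grep status >= 2
# (unreadable file, bad pattern) is reported as failure.
scan_for_secrets() {
    pat=$(mktemp) || return 1
    printf '%s\n' "$SECRET_PATTERNS" > "$pat"
    grep -nEf "$pat" "$1" && status=0 || status=$?
    rm -f "$pat"
    [ "$status" -le 1 ]
}

# count_secret_hits FILE: number of flagged lines, for a per-file summary.
count_secret_hits() {
    scan_for_secrets "$1" | wc -l | tr -d ' '
}

# write_sample_dump FILE: constructed lines in the style of objection's
# keychain and NSUserDefaults output, for trying the scan offline.
write_sample_dump() {
    cat > "$1" <<'EOF'
Accessible: kSecAttrAccessibleAlways  Account: user@example.com  Service: com.client.mytestapp  Data: Hunter2!
session_token = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
last_opened = 2020-05-01
aws_access_key = AKIAIOSFODNN7EXAMPLE
theme = dark
EOF
}

# Scan every file given on the command line and print a hit count per file.
if [ $# -ge 1 ]; then
    for f in "$@"; do
        printf '== %s (%s hits)\n' "$f" "$(count_secret_hits "$f")"
        scan_for_secrets "$f"
    done
fi
```

Capture each objection command's output to a file (for example with the shell's redirection around a non-interactive `objection ... run` invocation, or by copying the REPL output), then run `sh scan.sh out/*.txt`. Every hit still needs a human look: "token" and "secret" match plenty of harmless configuration keys, and the scan is only a way to find the lines worth reading first.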

As you can see, objection is a great tool for quickly working through a significant number of iOS pentesting test cases. Stay tuned: we will shortly follow up with examples of hooking and patching apps with objection.

Troubleshooting

If you receive the following error when attaching to an app you sideloaded, go to Settings -> General -> Profiles & Device Management on the device and trust the developer profile the app was signed with, then try again:

Unable to connect to the frida server: unable to launch iOS app: The operation couldn't be completed. Unable to launch com.myapp because it has an invalid code signature, inadequate entitlements or its profile has not been explicitly trusted by the user.