Some recommendations for pentest specialists looking for security flaws in iOS apps.
As our phones play a more relevant role in our daily lives, releasing secure apps has become a necessity to protect the user. As a result, the work of pentest specialists (pentesters) has gained importance in identifying unwanted behaviors, such as leaking data, causing errors in other applications installed on the device, generating unexpected costs or denying other services to the device user.
Some guidelines for the analysis and implementation of a pentest are listed below:
- Think as the programmer would
As far as possible, try to understand the people behind the code under test and determine which programming language they work with or what their primary coding language was. The experience of the programmers is reflected in the architecture of their code and, consequently, in the nature of their mistakes. Knowing these things can point you in the right direction when conducting penetration tests.
As an example, developers who work with Java often replicate design patterns, abstracting functionality over and over again. On the other hand, mobile apps built by web programmers will have as much functionality as possible placed in web applications, and will depend to a great extent on WebKit.
- Get the source code
Although it's not where an attacker usually starts, getting the source code will help you detect most of the bugs in the shortest possible time. Pentests usually involve limited resources in terms of time and money, so it's a good idea to get the most out of them. Your goal should not be to replicate a real attack scenario, but to find as many vulnerabilities as possible to make the product safer.
Objective-C lends itself well to reverse engineering, which gives you a broad view of the internal mechanisms of an app even without starting from the source code. It's best to save time and devote your efforts to finding security flaws.
- Keep in mind the programming language's flaws
Although Objective-C and Cocoa avoid some frequent security errors, the use of dangerous APIs, such as strcpy and strcat, or incorrectly implemented mechanisms, such as the swizzling of categories or methods, can cause unexpected behaviors that lead to serious security bugs. For that reason, be sure to investigate how these techniques might affect the app.
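As an added example (not code from the original article), the following Python script shows one way to triage Objective-C source for the constructs named above: calls to strcpy and strcat, and the Objective-C runtime functions usually involved in method swizzling. The rule names, function names and sample source are constructed for illustration.

```python
import re

# Constructs named in the text. The swizzling entries are the Objective-C
# runtime functions usually involved; the rule names are made up for this example.
RULES = {
    "unbounded-copy": re.compile(r"\b(strcpy|strcat)\s*\("),
    "method-swizzling": re.compile(
        r"\b(method_exchangeImplementations|method_setImplementation"
        r"|class_replaceMethod)\s*\("),
}

# String and character literals are matched first so that "//" inside a
# literal (for example a URL) is not mistaken for the start of a comment.
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\\n])*"'
    r"|'(?:\\.|[^'\\\n])+'"
    r"|/\*.*?\*/|//[^\n]*",
    re.S)

def strip_noise(src):
    """Blank out literals and comments, keeping newlines so line numbers hold."""
    return _TOKEN.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src):
    """Return sorted (line, rule, identifier) findings for one source file."""
    findings = []
    for lineno, line in enumerate(strip_noise(src).splitlines(), 1):
        for rule, pattern in RULES.items():
            findings += [(lineno, rule, m.group(1)) for m in pattern.finditer(line)]
    return sorted(findings)

# Constructed sample input, not taken from any real app.
SAMPLE = r'''
#import <objc/runtime.h>
// strcpy(dst, src) was removed here
- (void)buildPath:(const char *)name {
    char path[64];
    strcpy(path, "/Documents/");
    strcat(path, name); /* name is caller-controlled */
    NSLog(@"see http://example.invalid/strcat(x)");
}
+ (void)load {
    method_exchangeImplementations(a, b);
}
'''

if __name__ == "__main__":
    for lineno, rule, ident in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {ident}")
```

Each finding is a lead for manual review: check whether the destination buffer is bounded and where the copied data comes from, or which method implementations are being exchanged and when.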
- Identify possible reuse of vulnerable code
Many programmers have acquired the bad habit of consulting online programming forums and copying code without actually testing how it works, especially when it comes to low-level auxiliary functions, network connectivity and encryption. Others integrate libraries and third-party developments into the codebase without checking them for security flaws. This can result in the same vulnerable code being found in multiple apps.
- Work with two test devices
Having a device with the factory operating system will help you evaluate how the app behaves at user level, with all the security mechanisms enabled and without problems registering for automatic notifications. In addition, you can use a jailbroken device to analyze the file system and the workings of the operating system in more detail.
The International Institute of Cyber Security hopes that these recommendations will help you to better understand the environment in which pentests are carried out.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.