diff --git a/Document/0x06b-Basic-Security-Testing.md b/Document/0x06b-Basic-Security-Testing.md index f10a22508d..29d64f9930 100644 --- a/Document/0x06b-Basic-Security-Testing.md +++ b/Document/0x06b-Basic-Security-Testing.md @@ -150,7 +150,6 @@ Many tools on a jailbroken device can be installed by using Cydia, which is the - : Install Frida by adding the repository to Cydia. - : Useful when managing your jailbreak on iOS 11. - : Another repository, with quiet a few good tools, is Elucubratus, which gets installed when you install Cydia on iOS 12 using Unc0ver. -- : For Needle you should consider adding the Coolstar repo, to install Darwin CC Tools. > In case you are using the Sileo App Store, please keep in mind that the Sileo Compatibility Layer shares your sources between Cydia and Sileo, however, Cydia is unable to remove sources added in Sileo, and [Sileo is unable to remove sources added in Cydia](https://www.idownloadblog.com/2019/01/11/install-sileo-package-manager-on-unc0ver-jailbreak/ "You can now install the Sileo package manager on the unc0ver jailbreak"). Keep this in mind when you’re trying to remove sources. 
@@ -167,13 +166,11 @@ After adding all the suggested repositories above you can install the following - Cycript: Is an inlining, optimizing, Cycript-to-JavaScript compiler and immediate-mode console environment that can be injected into running processes (associated to Substrate). - Cydia Substrate: A platform that makes developing third-party iOS add-ons easier via dynamic app manipulation or introspection. - cURL: Is a well known http client which you can use to download packages faster to your device. This can be a great help when you need to install different versions of Frida-server on your device for instance. -- Darwin CC Tools: Install the Darwin CC Tools from the Coolstar repo as a dependency for Needle. +- Darwin CC Tools: A useful set of tools like nm, and strip that are capable of auditing mach-o files. - IPA Installer Console: Tool for installing IPA application packages from the command line. After installing two commands will be available `installipa` and `ipainstaller` which are both the same. - Frida: An app you can use for dynamic instrumentation. Please note that Frida has changed its implementation of its APIs over time, which means that some scripts might only work with specific versions of the Frida-server (which forces you to update/downgrade the version also on macOS). Running Frida Server installed via APT or Cydia is recommended. Upgrading/downgrading afterwards can be done, by following the instructions of [this Github issue](https://github.com/AloneMonkey/frida-ios-dump/issues/65#issuecomment-490790602 "Resolving Frida version"). - Grep: Handy tool to filter lines. - Gzip: A well known ZIP utility. -- Needle-Agent: This agent is part of the Needle framework and need to be installed on the iOS device. -- Open for iOS 11: Tool required to make Needle Agent function. - PreferenceLoader: A Substrate-based utility that allows developers to add entries to the Settings application, similar to the SettingsBundles that App Store apps use. 
- SOcket CAT: a utility with which you can connect to sockets to read and write messages. This can come in handy if you want to trace the syslog on iOS 12 devices. @@ -331,16 +328,6 @@ The following is displayed: Refer to [MobSF documentation](https://mobsf.github.io/docs "MobSF documentation") for more details. -##### Needle - -[Needle](https://github.com/mwrlabs/needle "Needle") is an all-in-one iOS security assessment framework, which you can compare to as a "Metasploit" for iOS. The [installation guide](https://github.com/mwrlabs/needle/wiki/Installation-Guide "Needle Installation Guide") in the Github wiki contains all the information needed on how to prepare your Kali Linux or macOS and how to install the Needle Agent on your iOS device. - -Please also ensure that you install the Darwin CC Tools from the Coolstar repository, to get Needle to work on iOS 12. - -In order to configure Needle read the [Quick Start Guide](https://github.com/mwrlabs/needle/wiki/Quick-Start-Guide "Quick Start Guide") and go through the [Command Reference of Needle](https://github.com/mwrlabs/needle/wiki/Command-Reference "Command Reference of Needle") to get familiar with it. - -> There are known issues with Needle when running on iOS devices that are [jailbroken with Chimera](https://github.com/mwrlabs/needle/issues/273 "Many modules dont work with chimera jail break"). Instead, the unc0ver jailbreak should be used. - ##### Objection [Objection](https://github.com/sensepost/objection "Objection on GitHub") is a "runtime mobile exploration toolkit, powered by Frida". Its main goal is to allow security testing on non-rooted or jailbroken devices through an intuitive interface. 
@@ -529,8 +516,6 @@ root@localhost's password: iPhone:~ root# ``` -You can also connect to your iPhone's USB via [Needle](https://labs.mwrinfosecurity.com/blog/needle-how-to/ "Needle"). - ##### On-device Shell App While usually using an on-device shell (terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install [NewTerm 2](https://repo.chariz.io/package/ws.hbang.newterm2/ "NewTerm 2") via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing). @@ -1226,13 +1211,6 @@ Additionally, Passionfruit offers a view of all the NSLog-based application logs Passionfruit Console Logs View -Needle also has an option to capture the logs of an iOS application, you can start the monitoring by opening Needle and running the following commands: - -```bash -[needle] > use dynamic/monitor/syslog -[needle][syslog] > run -``` - ##### Dumping KeyChain Data Dumping the KeyChain data can be done with multiple tools, but not all of them will work on any iOS version. As is more often the case, try the different tools or look up their documentation for information on the latest supported versions. 
@@ -1262,55 +1240,6 @@ Note that currently, the latest versions of frida-server and objection do not co Finally, since the keychain dumper is executed from within the application context, it will only print out keychain items that can be accessed by the application and **not** the entire keychain of the iOS device. -###### Needle (Jailbroken) - -Needle can list the content of the keychain through the `storage/data/keychain_dump_frida` module. However, getting Needle up and running can be difficult. First, make sure that `open`, and the `darwin cc tools` are installed. The installation procedure for these tools is described in "Recommended Tools - iOS Device". - -Before dumping the keychain, open Needle and use the `device/dependency_installer` plugin to install any other missing dependencies. This module should return without any errors. If an error did pop up, be sure to fix this error before continuing. - -Finally, select the `storage/data/keychain_dump_frida` module and run it: - -```bash -[needle][keychain_dump_frida] > use storage/data/keychain_dump_frida -[needle][keychain_dump_frida] > run -[*] Checking connection with device... -[+] Already connected to: 192.168.43.91 -[+] Target app: OWASP.iGoat-Swift -[*] Retrieving app's metadata... -[*] Pulling: /private/var/containers/Bundle/Application/92E7C59C-2F0B-47C5-94B7-DCF506DBEB34/iGoat-Swift.app/Info.plist -> /Users/razr/.needle/tmp/plist -[*] Setting up local port forwarding to enable communications with the Frida server... -[*] Launching the app... 
-[*] Attaching to process: 4448 -[*] Parsing payload -[*] Keychain Items: -[+] { - "AccessControls": "", - "Account": "keychainValue", - "CreationTime": "2019-06-06 10:53:09 +0000", - "Data": " (UTF8 String: 'mypassword123')", - "EntitlementGroup": "C9MEM643RA.org.dummy.fastlane.FastlaneTest", - "ModifiedTime": "2019-06-06 16:53:38 +0000", - "Protection": "kSecAttrAccessibleWhenUnlocked", - "Service": "com.highaltitudehacks.dvia", - "kSecClass": "kSecClassGenericPassword" -} -... -[+] { - "AccessControls": "", - "Account": "<53434465 76696365 546f6b65 6e56616c 756532>", - "CreationTime": "2019-06-06 10:53:30 +0000", - "Data": " (UTF8 String: 'CJ8Y8K2oE3rhOFUhnxJxDS1Zp8Z25XzgY2EtFyMbW3U=')", - "EntitlementGroup": "C9MEM643RA.org.dummy.fastlane.FastlaneTest", - "ModifiedTime": "2019-06-06 10:53:30 +0000", - "Protection": "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly", - "Service": "com.toyopagroup.picaboo", - "kSecClass": "kSecClassGenericPassword" -} -[*] Saving output to file: /Users/razr/.needle/output/frida_script_dump_keychain.txt -``` - -Note that currently only the `keychain_dump_frida` module works on iOS 12, but not the `keychain_dump` module. - ###### Passionfruit (Jailbroken / non-Jailbroken) With Passionfruit it's possible to access the keychain data of the app you have selected. Click on **Storage** -> **Keychain** and you can see a listing of the stored Keychain information. @@ -1456,7 +1385,6 @@ For information on disabling SSL Pinning both statically and dynamically, refer - Keychain-dumper - - libimobiledevice - - MobSF - -- Needle - - Objection - - Passionfruit - - Radare2 - diff --git a/Document/0x06c-Reverse-Engineering-and-Tampering.md b/Document/0x06c-Reverse-Engineering-and-Tampering.md index 372ceaf808..ab67642d66 100644 --- a/Document/0x06c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x06c-Reverse-Engineering-and-Tampering.md 
@@ -240,7 +240,7 @@ Manually analyzing all the native functions completely will be time consuming an #### Automated Static Analysis -Several automated tools for analyzing iOS apps are available; most of them are commercial tools. The free and open source tools [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF "Mobile Security Framework (MobSF)") and [Needle](https://github.com/mwrlabs/needle "Needle") have some static and dynamic analysis functionality. Additional tools are listed in the "Static Source Code Analysis" section of the "Testing Tools" appendix. +Several automated tools for analyzing iOS apps are available; most of them are commercial tools. The free and open source tools [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF "Mobile Security Framework (MobSF)") and [objection](https://github.com/sensepost/objection "objection") have some static and dynamic analysis functionality. Additional tools are listed in the "Static Source Code Analysis" section of the "Testing Tools" appendix. Don't shy away from using automated scanners for your analysis - they help you pick low-hanging fruit and allow you to focus on the more interesting aspects of analysis, such as the business logic. Keep in mind that static analyzers may produce false positives and false negatives; always review the findings carefully. diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 2e9bcf3091..3d284fd0c9 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -93,33 +93,17 @@ Objective-C: On iOS, when an application is uninstalled, the Keychain data used by the application is retained by the device, unlike the data stored by the application sandbox which is wiped. In the event that a user sells their device without performing a factory reset, the buyer of the device may be able to gain access to the previous user's application accounts and data by reinstalling the same applications used by the previous user. This would require no technical ability to perform. -When assessing an iOS application, you should look for Keychain data persistence. This is normally done by using the application to generate sample data that may be stored in the Keychain, uninstalling the application, then reinstalling the application to see whether the data was retained between application installations. You can also verify persistence by using the iOS security assessment framework Needle to read the Keychain. The following Needle commands demonstrate this procedure: +When assessing an iOS application, you should look for Keychain data persistence. This is normally done by using the application to generate sample data that may be stored in the Keychain, uninstalling the application, then reinstalling the application to see whether the data was retained between application installations. Use objection runtime mobile exploration toolkit to dump the keychain data. 
The following `objection` command demonstrates this procedure: ```bash -$ python needle.py -[needle] > use storage/data/keychain_dump -[needle] > run - { - "Creation Time" : "Jan 15, 2018, 10:20:02 GMT", - "Account" : "username", - "Service" : "", - "Access Group" : "ABCD.com.test.passwordmngr-test", - "Protection" : "kSecAttrAccessibleWhenUnlocked", - "Modification Time" : "Jan 15, 2018, 10:28:02 GMT", - "Data" : "testUser", - "AccessControl" : "Not Applicable" - }, - { - "Creation Time" : "Jan 15, 2018, 10:20:02 GMT", - "Account" : "password", - "Service" : "", - "Access Group" : "ABCD.com.test.passwordmngr-test, - "Protection" : "kSecAttrAccessibleWhenUnlocked", - "Modification Time" : "Jan 15, 2018, 10:28:02 GMT", - "Data" : "rosebud", - "AccessControl" : "Not Applicable" - } -``` +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios keychain dump +Note: You may be asked to authenticate using the devices passcode or TouchID +Save the output by adding `--json keychain.json` to this command +Dumping the iOS keychain... +Created Accessible ACL Type Account Service Data +------------------------- ------------------------------ ----- -------- ------------------------- ------------------------------------------------------------- ------------------------------------ +2020-02-11 13:26:52 +0000 WhenUnlocked None Password keychainValue com.highaltitudehacks.DVIAswiftv2.develop mysecretpass123 +``` There's no iOS API that developers can use to force wipe data when an application is uninstalled. Instead, developers should take the following steps to prevent Keychain data from persisting between application installations: 
@@ -315,55 +299,124 @@ $ grep -iRn keyword . Then you can monitor and verify the changes in the filesystem of the app and investigate if any sensitive information is stored within the files while using the app. -##### Dynamic Analysis with Needle +##### Dynamic Analysis with Objection -On a jailbroken device, you can use the iOS security assessment framework Needle to find vulnerabilities caused by the application's data storage mechanism. +You can use the [objection](https://github.com/sensepost/objection "objection") runtime mobile exploration toolkit to find vulnerabilities caused by the application's data storage mechanism. Objection can be used without a Jailbroken device, but it will require [patching the iOS Application](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications "Objection"). ###### Reading the Keychain -To use Needle to read the Keychain, execute the following command: +To use Objection to read the Keychain, execute the following command: ```bash -[needle] > use storage/data/keychain_dump -[needle][keychain_dump] > run +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios keychain dump +Note: You may be asked to authenticate using the devices passcode or TouchID +Save the output by adding `--json keychain.json` to this command +Dumping the iOS keychain... +Created Accessible ACL Type Account Service Data +------------------------- ------------------------------ ----- -------- ------------------------- ------------------------------------------------------------- ------------------------------------ +2020-02-11 13:26:52 +0000 WhenUnlocked None Password keychainValue com.highaltitudehacks.DVIAswiftv2.develop mysecretpass123 ``` ###### Searching for Binary Cookies -iOS applications often store binary cookie files in the application sandbox. Cookies are binary files containing cookie data for application WebViews. You can use Needle to convert these files to a readable format and inspect the data. 
Use the following Needle module, which searches for binary cookie files stored in the application container, lists their data protection values, and gives the user the options to inspect or download the file: +iOS applications often store binary cookie files in the application sandbox. Cookies are binary files containing cookie data for application WebViews. You can use objection to convert these files to a JSON format and inspect the data. ```bash -[needle] > use storage/data/files_binarycookies -[needle][files_binarycookies] > run +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json +[ + { + "domain": "highaltitudehacks.com", + "expiresDate": "2051-09-15 07:46:43 +0000", + "isHTTPOnly": "false", + "isSecure": "false", + "name": "username", + "path": "/", + "value": "admin123", + "version": "0" + } +] ``` ###### Searching for Property List Files -iOS applications often store data in property list (plist) files that are stored in both the application sandbox and the IPA package. Sometimes these files contain sensitive information, such as usernames and passwords; therefore, the contents of these files should be inspected during iOS assessments. Use the following Needle module, which searches for plist files stored in the application container, lists their data protection values, and gives the user the options to inspect or download the file: +iOS applications often store data in property list (plist) files that are stored in both the application sandbox and the IPA package. Sometimes these files contain sensitive information, such as usernames and passwords; therefore, the contents of these files should be inspected during iOS assessments. Use the `ios plist cat plistFileName.plist` command to inspect the plist file. + +To find the file userInfo.plist, use the `env` command. 
It will print out the locations of the applications Library, Caches and Documents directories: ```bash -[needle] > use storage/data/files_plist -[needle][files_plist] > run +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # env +Name Path +----------------- ------------------------------------------------------------------------------------------- +BundlePath /private/var/containers/Bundle/Application/B2C8E457-1F0C-4DB1-8C39-04ACBFFEE7C8/DVIA-v2.app +CachesDirectory /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library/Caches +DocumentDirectory /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Documents +LibraryDirectory /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library ``` -###### Searching for Cache Databases +Go to Documents directory and list files there by *ls* command. -iOS applications can store data in cache databases. These databases contain data such as web requests and responses. Sometimes the data is sensitive. 
Use the following Needle module, which searches for cache files stored in the application container, lists their data protection values, and gives the user the options to inspect or download the file: +```bash +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ls +NSFileType Perms NSFileProtection Read Write Owner Group Size Creation Name +------------ ------- ------------------------------------ ------ ------- ------------ ------------ -------- ------------------------- ------------------------ +Directory 493 n/a True True mobile (501) mobile (501) 192.0 B 2020-02-12 07:03:51 +0000 default.realm.management +Regular 420 CompleteUntilFirstUserAuthentication True True mobile (501) mobile (501) 16.0 KiB 2020-02-12 07:03:51 +0000 default.realm +Regular 420 CompleteUntilFirstUserAuthentication True True mobile (501) mobile (501) 1.2 KiB 2020-02-12 07:03:51 +0000 default.realm.lock +Regular 420 CompleteUntilFirstUserAuthentication True True mobile (501) mobile (501) 284.0 B 2020-05-29 18:15:23 +0000 userInfo.plist +Unknown 384 n/a True True mobile (501) mobile (501) 0.0 B 2020-02-12 07:03:51 +0000 default.realm.note + +Readable: True Writable: True +``` + +Execute the *ios plist cat userInfo.plist* command to inspect the content of userInfo.plist file. ```bash -[needle] > use storage/data/files_cachedb -[needle][files_cachedb] > run +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios plist cat userInfo.plist +{ + password = password123; + username = userName; +} ``` ###### Searching for SQLite Databases -iOS applications typically use SQLite databases to store data required by the application. Testers should check the data protection values of these files and their contents for sensitive data. 
Use the following Needle module, which searches for SQLite databases stored in the application container, lists their data protection values, and gives the user the options to inspect or download the file: +iOS applications typically use SQLite databases to store data required by the application. Testers should check the data protection values of these files and their contents for sensitive data. Objection contains a module to interact with SQLite databases. It allows to dump the schema, their tables and query the records. ```bash -[needle] > use storage/data/files_sql -[needle][files_sql] > +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # sqlite connect Model.sqlite +Caching local copy of database file... +Downloading /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library/Application Support/Model.sqlite to /var/folders/4m/dsg0mq_17g39g473z0996r7m0000gq/T/tmpdr_7rvxi.sqlite +Streaming file from device... +Writing bytes to destination... +Successfully downloaded /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library/Application Support/Model.sqlite to /var/folders/4m/dsg0mq_17g39g473z0996r7m0000gq/T/tmpdr_7rvxi.sqlite +Validating SQLite database format +Connected to SQLite database at: Model.sqlite + +SQLite @ Model.sqlite > .tables ++--------------+ +| name | ++--------------+ +| ZUSER | +| Z_METADATA | +| Z_MODELCACHE | +| Z_PRIMARYKEY | ++--------------+ +Time: 0.013s + +SQLite @ Model.sqlite > select * from Z_PRIMARYKEY ++-------+--------+---------+-------+ +| Z_ENT | Z_NAME | Z_SUPER | Z_MAX | ++-------+--------+---------+-------+ +| 1 | User | 0 | 0 | ++-------+--------+---------+-------+ +1 row in set +Time: 0.013s ``` +###### Searching for Cache Databases + +iOS applications can store data in cache databases. These databases contain data such as web requests and responses. This data can be sensitive, if tokens, usernames or other information is cached. 
To display the cache go to the app path and go to `/Library/Caches/{Bundle Identifier}`. The WebKit cache is being stored in the Cache.db file. Objection can interact with it, as it is a normal SQLite database. + ### Checking Logs for Sensitive Data (MSTG-STORAGE-3) There are many legitimate reasons for creating log files on a mobile device, including keeping track of crashes or errors that are stored locally while the device is offline (so that they can be sent to the app's developer once online), and storing usage statistics. However, logging sensitive data, such as credit card numbers and session information, may expose the data to attackers or malicious applications. diff --git a/Document/0x06f-Testing-Local-Authentication.md b/Document/0x06f-Testing-Local-Authentication.md index 1c1d45b053..ca5804fac7 100644 --- a/Document/0x06f-Testing-Local-Authentication.md +++ b/Document/0x06f-Testing-Local-Authentication.md 
@@ -207,33 +207,17 @@ is accessible. #### Dynamic Analysis -On a jailbroken device tools like [Swizzler2](https://github.com/vtky/Swizzler2 "Swizzler2") and [Needle](https://github.com/mwrlabs/needle "Needle") can be used to bypass LocalAuthentication. Both tools use Frida to instrument the `evaluatePolicy` function so that it returns `True` even if authentication was not successfully performed. Follow the steps below to activate this feature in Swizzler2: - -- **Settings** -> **Swizzler** -- Enable **Inject Swizzler into Apps** -- Enable **Log Everything to Syslog** -- Enable **Log Everything to File** -- Enter the submenu **iOS Frameworks** -- Enable **LocalAuthentication** -- Enter the submenu **Select Target Apps** -- Enable the target app -- Close the app and start it again -- When the Touch ID prompt shows click **cancel** -- If the application flow continues without requiring the Touch ID then the bypass has worked. - -If you're using Needle, run the `hooking/frida/script_touch-id-bypass` module and follow the prompts. This will spawn the application and instrument the `evaluatePolicy` function. When prompted to authenticate via Touch ID, tap cancel. If the application flow continues, then you have successfully bypassed Touch ID. A similar module (hooking/cycript/cycript_touchid) that uses Cycript instead of Frida is also available in Needle. - -Alternatively, you can use [objection to bypass Touch ID](https://github.com/sensepost/objection/wiki/Understanding-the-Touch-ID-Bypass "Understanding the Touch ID Bypass") (this also works on a non-jailbroken device), patch the app, or use Cycript or similar tools to instrument the process. - -Needle can be used to bypass insecure biometric authentication in iOS platforms. Needle utilizes Frida to bypass login forms developed using `LocalAuthentication.framework` APIs. 
The following module can be used to test for insecure biometric authentication: +[Objection Biometrics Bypass](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass "Understanding the iOS Biometrics Bypass") can be used to bypass LocalAuthentication. Objection uses Frida to instrument the `evaluatePolicy` function so that it returns `True` even if authentication was not successfully performed. Use the `ios ui biometrics_bypass` command to bypass the insecure biometric authentication. Objection will register a job, which will replace the `evaluatePolicy` result. It will work in both, Swift and Objective-C implementations. ```bash -[needle][container] > use hooking/frida/script_touch-id-bypass -[needle][script_touch-id-bypass] > run +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass +(agent) Registering job 3mhtws9x47q. Type: ios-biometrics-disable +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # (agent) [3mhtws9x47q] Localized Reason for auth requirement: Please authenticate yourself +(agent) [3mhtws9x47q] OS authentication response: false +(agent) [3mhtws9x47q] Marking OS response as True instead +(agent) [3mhtws9x47q] Biometrics bypass hook complete ``` -If vulnerable, the module will automatically bypass the login form. - ### Note regarding temporariness of keys in the Keychain Unlike macOS and Android, iOS currently (at iOS 12) does not support temporariness of an item's accessibility in the keychain: when there is no additional security check when entering the keychain (e.g. `kSecAccessControlUserPresence` or similar is set), then once the device is unlocked, a key will be accessible. diff --git a/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md b/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md index 76aa193a28..cf96edc0e2 100644 --- a/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md 
+++ b/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md @@ -582,7 +582,7 @@ Both would _help_ to detect Substrate or Frida's Interceptor but, for example, w #### Effectiveness Assessment -Launch the app with various reverse engineering tools and frameworks installed on your test device. Include at least the following: Frida, Cydia Substrate, Cycript, SSL Kill Switch and the Needle Agent. +Launch the app with various reverse engineering tools and frameworks installed on your test device. Include at least the following: Frida, Cydia Substrate, Cycript and SSL Kill Switch. The app should respond in some way to the presence of those tools. For example by: diff --git a/Document/0x08-Testing-Tools.md b/Document/0x08-Testing-Tools.md index 4f519fc1af..3f06596f0d 100644 --- a/Document/0x08-Testing-Tools.md +++ b/Document/0x08-Testing-Tools.md @@ -112,7 +112,6 @@ Once you are able to SSH into your jailbroken iPhone you can use an FTP client l - Introspy-iOS: Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues - - keychaindumper: A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken - - lldb: A debugger by Apple’s Xcode used for debugging iOS applications - -- Needle: A modular framework to conduct security assessments of iOS apps including Binary Analysis, Static Code Analysis and Runtime Manipulation - - Passionfruit: Simple iOS app blackbox assessment tool with Fully web based GUI. Powered by frida.re and vuejs - #### Bypassing Jailbreak Detection and SSL Pinning
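Review bot: In 0x06b-Basic-Security-Testing.md, hunk @@ -167,13 +166,11 @@, the new Darwin CC Tools bullet has a stray comma and lowercase "mach-o", and `nm` and `strip` inspect and modify binaries rather than "audit" them; suggest `- Darwin CC Tools: A set of binary utilities such as nm and strip for inspecting and manipulating Mach-O files.` Since the @@ -150 hunk in the same file drops the Coolstar repository bullet, this line should also say which repository provides the package now, otherwise the reader is left with no source for it.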
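Review bot: In 0x06b-Basic-Security-Testing.md, hunk @@ -1226,13 +1211,6 @@, the Needle syslog capture is removed without a replacement, so the section now documents only Passionfruit for reading application logs; consider pointing to an alternative that is still on the recommended tools list in this file (libimobiledevice, whose `idevicesyslog` streams the device syslog) so the log-monitoring step does not depend on a single tool.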
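Review bot: In 0x06c-Reverse-Engineering-and-Tampering.md, hunk @@ -240,7 +240,7 @@, objection is placed under "#### Automated Static Analysis" as a tool with "static and dynamic analysis functionality", but elsewhere in this patch (0x06b, 0x06d) it is described as a "runtime mobile exploration toolkit", i.e. a dynamic tool. Either keep MobSF alone in that sentence or reword it so it does not claim static analysis capability for objection.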
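Review bot: In 0x06d-Testing-Data-Storage.md, hunk @@ -93,33 +93,17 @@, the new sentence "Use objection runtime mobile exploration toolkit to dump the keychain data." is missing an article and does not say when the dump is taken; suggest "After reinstalling the app, use the objection runtime mobile exploration toolkit to dump the Keychain and check whether the earlier sample data is still present." The single `ios keychain dump` that follows shows only one dump, so the prose has to state that it is run after the reinstall for the block to "demonstrate this procedure". Note also that the same `ios keychain dump` output is repeated verbatim in the @@ -315 hunk of this file; one place could reference the other instead of duplicating it.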
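Review bot: In 0x06d-Testing-Data-Storage.md, hunk @@ -315,55 +299,124 @@, the "Searching for Binary Cookies" paragraph says objection converts binary cookie files to JSON, but the `ios cookies get --json` output shown is a dump of the app's cookie store at runtime, with no file path or conversion involved; reword to "You can use objection to dump the app's cookies as JSON". In the same hunk: "the applications Library, Caches and Documents directories" needs "application's"; "Go to Documents directory and list files there by *ls* command." should read "Go to the Documents directory and list the files with the `ls` command" (backticks, as used for `env` and `ios plist cat` elsewhere in the hunk, rather than asterisks); "It allows to dump the schema, their tables and query the records." should read "It lets you dump the schema and tables and query records"; "This data can be sensitive, if tokens, usernames or other information is cached." should drop the comma; "The WebKit cache is being stored in the Cache.db file" should be "is stored". Finally, since the SQLite paragraph tells testers to check data protection values, it is worth telling the reader that the `ls` output already shows the NSFileProtection class per file (e.g. userInfo.plist is CompleteUntilFirstUserAuthentication), so they know which column to read.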
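Review bot: In 0x06f-Testing-Local-Authentication.md, hunk @@ -207,33 +207,17 @@, the new text drops the verification step the removed paragraphs contained: after the job is registered, the tester should trigger the biometric prompt, tap cancel, and confirm that the app flow continues, otherwise the reader cannot tell a successful bypass from an app that was never hooked. Suggest adding that sentence after the code block (the removed "If vulnerable, the module will automatically bypass the login form." served the same purpose). Also "It will work in both, Swift and Objective-C implementations." has a stray comma, and the removed note that objection "also works on a non-jailbroken device" is worth keeping, since 0x06d in this patch explains that this requires patching the app.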