mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 10:55:17 +03:00
187 lines
6.4 KiB
Markdown
187 lines
6.4 KiB
Markdown
---
|
|
name: analyzing-ios-app-security-with-objection
|
|
description: >
|
|
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
|
|
toolkit that enables security testers to interact with app internals without jailbreaking. Use when
|
|
assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
|
|
inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
|
|
iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
|
|
exploration.
|
|
domain: cybersecurity
|
|
subdomain: mobile-security
|
|
author: mahipal
|
|
tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
|
|
version: 1.0.0
|
|
license: Apache-2.0
|
|
---
|
|
# Analyzing iOS App Security with Objection
|
|
|
|
## When to Use
|
|
|
|
Use this skill when:
|
|
- Performing runtime security assessment of iOS applications during authorized penetration tests
|
|
- Inspecting iOS keychain, filesystem, and memory for sensitive data exposure
|
|
- Bypassing client-side security controls (SSL pinning, jailbreak detection) during security testing
|
|
- Evaluating iOS app behavior at runtime without access to source code
|
|
|
|
**Do not use** this skill on production devices without explicit authorization -- Objection modifies app runtime behavior and may trigger security monitoring.
|
|
|
|
## Prerequisites
|
|
|
|
- Python 3.10+ with pip
|
|
- Objection installed: `pip install objection`
|
|
- Frida installed: `pip install frida-tools`
|
|
- Target iOS device (jailbroken with Frida server, or non-jailbroken with repackaged IPA)
|
|
- For non-jailbroken: `objection patchipa` to inject Frida gadget into IPA
|
|
- macOS recommended for iOS testing (Xcode, ideviceinstaller)
|
|
- USB connection to target device or network Frida server
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Prepare the Testing Environment
|
|
|
|
**For jailbroken devices:**
|
|
```bash
|
|
# Install Frida server on device via Cydia/Sileo
|
|
# SSH to device and start Frida server
|
|
ssh root@<device_ip> "/usr/sbin/frida-server -D"
|
|
|
|
# Verify Frida connectivity
|
|
frida-ps -U # List processes on USB-connected device
|
|
```
|
|
|
|
**For non-jailbroken devices (authorized testing):**
|
|
```bash
|
|
# Patch IPA with Frida gadget
|
|
objection patchipa --source target.ipa --codesign-signature "Apple Development: test@example.com"
|
|
|
|
# Install patched IPA
|
|
ideviceinstaller -i target-patched.ipa
|
|
```
|
|
|
|
### Step 2: Attach Objection to Target App
|
|
|
|
```bash
|
|
# Attach to running app by bundle ID
|
|
objection --gadget "com.target.app" explore
|
|
|
|
# Or spawn the app fresh
|
|
objection --gadget "com.target.app" explore --startup-command "ios hooking list classes"
|
|
```
|
|
|
|
Once attached, Objection provides an interactive REPL for runtime exploration.
|
|
|
|
### Step 3: Assess Data Storage Security (MASVS-STORAGE)
|
|
|
|
```bash
|
|
# Dump iOS Keychain items accessible to the app
|
|
ios keychain dump
|
|
|
|
# List files in app sandbox
|
|
ios plist cat Info.plist
|
|
env # Show app environment paths
|
|
|
|
# Inspect NSUserDefaults for sensitive data
|
|
ios nsuserdefaults get
|
|
|
|
# List SQLite databases
|
|
sqlite connect app_data.db
|
|
sqlite execute query "SELECT * FROM credentials"
|
|
|
|
# Check for sensitive data in pasteboard
|
|
ios pasteboard monitor
|
|
```
|
|
|
|
### Step 4: Evaluate Network Security (MASVS-NETWORK)
|
|
|
|
```bash
|
|
# Disable SSL/TLS certificate pinning
|
|
ios sslpinning disable
|
|
|
|
# Verify pinning is bypassed by observing traffic in Burp Suite proxy
|
|
# Monitor network-related class method calls
|
|
ios hooking watch class NSURLSession
|
|
ios hooking watch class NSURLConnection
|
|
```
|
|
|
|
### Step 5: Inspect Authentication and Authorization (MASVS-AUTH)
|
|
|
|
```bash
|
|
# List all Objective-C classes
|
|
ios hooking list classes
|
|
|
|
# Search for authentication-related classes
|
|
ios hooking search classes Auth
|
|
ios hooking search classes Login
|
|
ios hooking search classes Token
|
|
|
|
# Hook authentication methods to observe parameters
|
|
ios hooking watch method "+[AuthManager validateToken:]" --dump-args --dump-return
|
|
|
|
# Monitor biometric authentication calls
|
|
ios hooking watch class LAContext
|
|
```
|
|
|
|
### Step 6: Assess Binary Protections (MASVS-RESILIENCE)
|
|
|
|
```bash
|
|
# Check jailbreak detection implementation
|
|
ios jailbreak disable
|
|
|
|
# Simulate jailbreak detection bypass
|
|
ios jailbreak simulate
|
|
|
|
# List loaded frameworks and libraries
|
|
memory list modules
|
|
|
|
# Search memory for sensitive strings
|
|
memory search "password" --string
|
|
memory search "api_key" --string
|
|
memory search "Bearer" --string
|
|
|
|
# Dump specific memory regions
|
|
memory dump all dump_output/
|
|
```
|
|
|
|
### Step 7: Review Platform Interaction (MASVS-PLATFORM)
|
|
|
|
```bash
|
|
# List URL schemes registered by the app
|
|
ios info binary
|
|
ios bundles list_frameworks
|
|
|
|
# Hook URL scheme handlers
|
|
ios hooking watch method "-[AppDelegate application:openURL:options:]" --dump-args
|
|
|
|
# Monitor clipboard access
|
|
ios pasteboard monitor
|
|
|
|
# Check for custom keyboard restrictions
|
|
ios hooking search classes UITextField
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|-----------|
|
|
| **Objection** | Runtime mobile exploration toolkit built on Frida that provides pre-built scripts for common security testing tasks |
|
|
| **Frida Gadget** | Shared library injected into app process to enable Frida instrumentation without jailbreak |
|
|
| **Keychain** | iOS secure credential storage system; Objection can dump items accessible to the target app's keychain access group |
|
|
| **SSL Pinning Bypass** | Runtime modification of certificate validation logic to allow proxy interception of HTTPS traffic |
|
|
| **Method Hooking** | Intercepting Objective-C/Swift method calls at runtime to observe arguments, return values, and modify behavior |
|
|
|
|
## Tools & Systems
|
|
|
|
- **Objection**: High-level Frida-powered mobile security exploration toolkit with pre-built commands
|
|
- **Frida**: Dynamic instrumentation framework providing JavaScript injection into native app processes
|
|
- **Frida-tools**: CLI utilities for Frida including frida-ps, frida-trace, and frida-discover
|
|
- **ideviceinstaller**: Cross-platform tool for installing/managing iOS apps via USB
|
|
- **Burp Suite**: HTTP proxy for intercepting traffic after SSL pinning bypass
|
|
|
|
## Common Pitfalls
|
|
|
|
- **App crashes on attach**: Some apps implement Frida detection. Use `--startup-command` to hook anti-Frida checks early in the app lifecycle.
|
|
- **Keychain access scope**: Objection can only dump keychain items within the app's access group. System keychain items require separate jailbreak-level tools.
|
|
- **Swift name mangling**: Swift method names are mangled in the runtime. Use `ios hooking list classes` with grep to find demangled names.
|
|
- **Non-persistent changes**: All Objection modifications are runtime-only and reset on app restart. Document findings immediately.
|