At the time of writing there is no public jailbreak for iOS 7.0.4, but requests to test iOS applications keep coming in. The best approach to such a request is to test the application on an older device that you have root on and then analyze any differences iOS 7 may introduce, but some customers just don't want to go that route. Having found myself in many of these situations, I wanted to document the approach I took to testing iOS applications without root. Without root you are extremely limited in what you can do to get at the application. Below I break it down into three steps: Console Messages, Browse Filesystem, and Intercept Communication.
Console Messages
While very trivial, this has given me some results. Physically attach the phone to your Mac with Xcode open and monitor the console while you browse around the app on the phone. Since these messages are written to the console unencrypted, nothing sensitive should ever appear there. You would be amazed how many apps log the username and password inside a URL string while authenticating back to the server. This type of information has led me to some pretty nice attacks.
Browse Filesystem
Another very trivial thing to do. While the phone is connected, use your favorite file system browser to see if anything is exposed. If everything was done correctly within the application, nothing of value should be accessible this way. Again, you will be amazed at what some applications let you access simply by connecting over USB. I use DiskAid (shown below), and many people also like iExplorer. You could also forensically recover the file system and try to recover older versions of the files you find.
Intercept Communication
Something that can usually be pretty fruitful is intercepting the application's traffic and testing the client/server communication just as you would any other web application. In my experience many apps are not expecting you to get in the middle, so some basic security measures may not have been implemented. This approach definitely lets you see under the hood a bit more, but from here on it essentially becomes just like any other web-based penetration test. I won't go into how to test a web application, but I will show you how to set up Burp to get in the middle of your app. The best part is that once you have it all set up you don't need to go through this whole process again. Whenever I want to test an app now I just enable the proxy on the phone and fire up Burp.
1. Set Up Burp & Export the Burp Certificate
On your machine, set up Burp to listen on all interfaces as shown below. We also need to export the Burp CA certificate so we can import it into the iPhone. Note that if the app uses certificate pinning you can stop here, because this will not work.
Export the certificate in DER format and save it to a working directory that is easy to get at.
2. Set Up Your iPhone
First, install the Burp certificate you just exported. The easiest way is to start a simple Python HTTP server and browse to it from your iPhone. To start the HTTP server, change to the directory where you exported the certificate and run the following command.
python -m SimpleHTTPServer    (Python 2; on Python 3 the equivalent is: python3 -m http.server)
Now browse to your machine from the iPhone and tap the Burp CA certificate to start the install process. You should see screens similar to the ones below. Note that the server's default port is 8000.
Now that the Burp CA is installed, we just need to set the iPhone's proxy to point at our machine where Burp is listening. This is done under the following setting.
Settings > Wi-Fi > SSID > HTTP PROXY
3. Start Testing!
Note: make sure you install your target app before you start the MITM. The App Store doesn't like it so much when you do that.
So that is pretty much what you are limited to if you do not have a jailbreak handy or your customer insists you test on iOS 7 (this is pre-public-jailbreak); I personally would try to convince them otherwise. Depending on the app you may be able to use it a bit and spot various misconfigurations (backing up to iCloud, screenshots, etc.), but that will vary from app to app. If anyone else has run into similar situations I would love to hear whether you had any other methods of attacking the app without root on the phone.