Damn Vulnerable iOS Application
This website was born from the need to have a tool where a user can test their iOS penetration testing skills in a safe and legal environment. Also, this application can be used by mobile security enthusiasts and students to learn or review the basics of mobile application security.
Vulnerabilities and Challenges Include …
- Insecure Data Storage
- Transport Layer Security
- Client Side Injection
- Security Decisions via Untrusted input
- Side channel data leakage
The app also contains a section on iOS Application Security Tutorials for those who want to learn iOS Application Pentesting. Every challenge/vulnerability has a link for a tutorial that users can read to learn more on that topic.
This app will only run on devices running iOS 7 or later. Users can download the source code and run the application on previous versions of iOS as well.
Foundstone’s iOSKeychain Analyzer is intended for mobile application security penetration testers to evaluate the security of an iOS application within the iOS simulator. It lets you view the contents of the iOS “keychain” to identify the secrets being stored, and it analyzes these secrets from a security standpoint.
To use the iOSKeychain binary, follow the steps below:
- If iOS Keychain Analyzer is not installed within the simulator, install it by copying the “01EFB1DB-4A47-45A1-B692-F88996FAC4F8” directory to “/Users/[User_Name]/Library/Application Support/iPhone Simulator/5.1/Applications”.
- Install and run the target application within the iOS simulator.
- Launch the iOS Keychain Analyzer (within the simulator) and export/analyze the keychain data.
- The following directory should be created in the application folder: /[iOS_Keychain_Analyzer_Installation_Folder]/Library/Caches/DataAndAnalysisReports (e.g. /Users/someuser/Library/Application Support/iPhone Simulator/5.1/Applications/01EFB1DB-4A47-45A1-B692-F88996FAC4F8/Library/Caches/DataAndAnalysisReports/).
- Within the DataAndAnalysisReports directory, iOSKeychain Analyzer will create the following reports:
  - iOSKeychainDataViewer.htm – Displays the entire contents of the keychain in a readable format. The raw keychain contents are stored in JSONP format in the “KeychainDataExport.jsonp” file.
  - OSKeychainAnalysisReportViewer.htm – Displays the keychain data analysis report in a readable format. The raw analysis report can be found in the “KeychainAnalysisReport.jsonp” file.
Mac OS X 10.7.4+ and iOS Simulator 5.0+
How to configure our iDevice in order to perform pen-testing of iOS applications.
iOS Security Wiki
Another large iOS pentesting wiki that includes other tools and information.
Mobile Security Wiki
One LARGE iOS security resource for all kinds of environments. Be sure to click the Apple logo at the top of the page to get iOS specific tools.