├── pdf
│   ├── Mobile_Hacking_iOS_cheatsheet_v0.1.pdf
│   ├── Mobile_Hacking_iOS_cheatsheet_v1.0.pdf
│   ├── Mobile_Hacking_Android_cheatsheet_v0.1.pdf
│   └── Mobile_Hacking_Android_cheatsheet_v1.0.pdf
├── pics
│   ├── Mobile_Hacking_iOS_cheatsheet_v0.1_slide1.png
│   ├── Mobile_Hacking_iOS_cheatsheet_v0.1_slide2.png
│   ├── Mobile_Hacking_iOS_cheatsheet_v1.0_slide1.png
│   ├── Mobile_Hacking_iOS_cheatsheet_v1.0_slide2.png
│   ├── Mobile_Hacking_Android_cheatsheet_v0.1_slide1.png
│   ├── Mobile_Hacking_Android_cheatsheet_v0.1_slide2.png
│   ├── Mobile_Hacking_Android_cheatsheet_v1.0_slide1.png
│   └── Mobile_Hacking_Android_cheatsheet_v1.0_slide2.png
├── LEGACY.md
└── README.md
--------------------------------------------------------------------------------
/LEGACY.md:
--------------------------------------------------------------------------------
# Android CheatSheet
You can get the pdf [here](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pdf/Mobile_Hacking_Android_cheatsheet_v1.0.pdf).

Or the png here:
[![Android CheatSheet slide 1](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_Android_cheatsheet_v1.0_slide1.png)](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_Android_cheatsheet_v1.0_slide1.png)
[![Android CheatSheet slide 2](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_Android_cheatsheet_v1.0_slide2.png)](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_Android_cheatsheet_v1.0_slide2.png)

# iOS CheatSheet
You can get the pdf [here](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pdf/Mobile_Hacking_iOS_cheatsheet_v1.0.pdf).

Or the png here:
[![iOS CheatSheet slide 1](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_iOS_cheatsheet_v1.0_slide1.png)](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_iOS_cheatsheet_v1.0_slide1.png)

[![iOS CheatSheet slide 2](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_iOS_cheatsheet_v1.0_slide2.png)](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pics/Mobile_Hacking_iOS_cheatsheet_v1.0_slide2.png)

# License
The Mobile Hacking CheatSheet is an open source project released under the [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/deed.fr) licence.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# The Mobile Hacking CheatSheet

The Mobile Hacking CheatSheet is an attempt to summarise a few basic facts about the tools and commands needed to assess the security of Android and iOS mobile applications.

You can get the PDF versions:

* [Mobile Hacking iOS CheatSheet](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pdf/Mobile_Hacking_iOS_cheatsheet_v1.0.pdf)
* [Mobile Hacking Android CheatSheet](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/pdf/Mobile_Hacking_Android_cheatsheet_v1.0.pdf)

And the PNG versions:

* [Mobile Hacking iOS CheatSheet](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/LEGACY.md#ios-cheatsheet)
* [Mobile Hacking Android CheatSheet](https://github.com/randorisec/MobileHackingCheatSheet/blob/master/LEGACY.md#android-cheatsheet)

## Main Steps

1. Review the codebase
2. Run the app
3. Dynamic instrumentation
4. Analyze network communications

## OWASP Mobile Security Testing Project

### Mobile Security Testing Guide

[https://github.com/OWASP/owasp-mstg](https://github.com/OWASP/owasp-mstg)

### Mobile Application Security Verification Standard

[https://github.com/OWASP/owasp-masvs](https://github.com/OWASP/owasp-masvs)

### Mobile Security Checklist

[https://github.com/OWASP/owasp-mstg/tree/master/Checklists](https://github.com/OWASP/owasp-mstg/tree/master/Checklists)

## Android CheatSheet

### APK Structure

* __META-INF__: Files related to the signature scheme (v1 scheme only)
* __lib__: Folder containing native libraries (ARM, MIPS, x86, x64)
* __assets__: Folder containing application specific files
* __res__: Folder containing all the resource files (layouts, strings, etc.) of the application
* __classes.dex [classes2.dex] ...__: Dalvik bytecode of the application
* __AndroidManifest.xml__: Manifest file describing essential information about the app (permissions, components, etc.)

### Package Name

The package name represents the app’s unique identifier (e.g. for YouTube):

```
com.google.android.youtube
```

### Data Storage

User applications

```bash
/data/data/<package_name>/
```

Shared Preferences Files

```bash
/data/data/<package_name>/shared_prefs/
```

SQLite Databases

```bash
/data/data/<package_name>/databases/
```

Internal Storage

```bash
/data/data/<package_name>/files/
```

### adb

Connect through USB

```bash
adb -d shell
```

Connect through TCP/IP

```bash
adb -e shell
```

Get a shell or execute the specified command

```bash
adb shell [cmd]
```

List processes

```bash
adb shell ps
```

List Android devices connected to your machine

```bash
adb devices
```

Dump the log messages from the Android system

```bash
adb logcat
```

Copy a local file to the Android device

```bash
adb push <local_file> <remote_path>
```

Copy a file from the Android device

```bash
adb pull <remote_file>
```

Install an APK file on the Android device

```bash
adb install <file.apk>
```

Install an App Bundle

```bash
adb install-multiple <base.apk> <split.apk> ...
```

Set up port forwarding using the TCP protocol from the host to the Android device

```bash
adb forward tcp:<local_port> tcp:<remote_port>
```

List all packages on the device

```bash
adb shell pm list packages
```

Find the path where the APK is stored for the selected package name

```bash
adb shell pm path <package_name>
```

List only installed apps (not system apps) and the associated path

```bash
adb shell pm list packages -f -3
```

List package names matching the specified pattern

```bash
adb shell pm list packages -f -3 [pattern]
```

### Application Signing

For signing your APK file, you have 2 options:

* [jarsigner](https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html): Only supports the v1 signature scheme (JAR signature)

```terminal
jarsigner -verbose -keystore <keystore> -storepass <password> <file.apk> <alias>
```

* [apksigner](https://developer.android.com/studio/command-line/apksigner): Official tool from the Android SDK (since version 24.0.3), which supports all the signature schemes (from v1 to v4)

```terminal
apksigner sign --ks <keystore> --ks-pass pass:<password> <file.apk>
```

To create your own keystore, the following one-liner can be used:

```bash
keytool -genkeypair -dname "cn=John Doe, ou=Security, o=Randorisec, c=FR" -alias <alias> -keystore <keystore> -storepass <password> -validity <days> -keyalg RSA -keysize 2048 -sigalg SHA1withRSA
```

### Code Tampering

To tamper with an APK file, the following steps should be performed:

1. Disassemble the app with `apktool` and save the smali code into the output directory

```bash
apktool d <file.apk> -o <output_dir>
```

1. Modify the smali code of your app (or the resource files if needed)

1. Build the modified APK with `apktool`

```bash
apktool b <output_dir> -o <modified.apk>
```

1. Sign the APK (see [Application Signing](#application-signing))

1. (Optional) Use `zipalign` to optimize the APK file

```bash
zipalign -fv 4 <modified.apk> <aligned.apk>
```

### Frida

#### Installation

Install Frida and the Python bindings on your system using `pip`

```bash
pip install frida frida-tools
```

Download the Frida server binary matching the targeted architecture and your Frida version

```bash
VER=`frida --version`                        # server version must match the client
ABI=`adb shell getprop ro.product.cpu.abi`   # e.g. arm64-v8a
wget https://github.com/frida/frida/releases/download/$VER/frida-server-$VER-android-$ABI.xz
xz -d frida-server-$VER-android-$ABI.xz
```

Upload and execute the Frida server binary on your Android device (root privileges are needed)

```bash
VER=`frida --version`
ABI=`adb shell getprop ro.product.cpu.abi`
adb root
adb push frida-server-$VER-android-$ABI /data/local/tmp/frida
adb shell "chmod 755 /data/local/tmp/frida"
adb shell "/data/local/tmp/frida"
```

#### Tools

List running processes (emulators or devices connected through USB)

```bash
frida-ps -U
```

List only installed applications

```bash
frida-ps -U -i
```

Attach the Frida client to the specified application (emulator or device connected through USB)

```bash
frida -U <app_name>
```

Spawn the specified application (emulator or device connected through USB)

```bash
frida -U -f <package_name>
```

Spawn the specified application without any pause at the beginning (emulator or device connected through USB)

```bash
frida -U -f <package_name> --no-pause
```

Load a Frida script when attaching to the specified application

```bash
frida -U -l <script.js> <app_name>
```

### Objection

Inject the Frida Gadget library into an APK file, specifying the targeted architecture (when no emulator is running and no device is connected)

```bash
objection patchapk --source <file.apk> -V <frida_version> --architecture <arch>
```

Inject the Frida Gadget library into an APK file using the latest Frida version available on GitHub (when an emulator is running or a device is connected)

```bash
objection patchapk --source <file.apk>
```

### SSL/TLS Interception with BurpSuite

#### Before Android 7

1. Launch `BurpSuite` and modify the Proxy settings in order to listen on "All interfaces" (or a specific interface)
1. Edit the Wireless network settings on your device or the emulator proxy settings (Android Studio)
1. Export the CA certificate from Burp and save it with the ".cer" extension
1. Push the exported certificate onto the device with adb (into the SD card)
1. Go to "Settings->Security" and select "Install from device storage"
1. For "Credentials use" select "VPN and apps"

References:

* [Configuring an Android device to work with Burp](https://portswigger.net/support/configuring-an-android-device-to-work-with-burp)
* [Installing BurpSuite's CA certificate in an Android device](https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device)

#### After Android 7

From Android 7, applications no longer trust user-supplied CA certificates by default. To be able to intercept SSL/TLS communication, you have 3 options:

1. Use an older version of Android
1. Use a rooted device and install the BurpSuite CA certificate inside the system certificate store
1. Tamper with the targeted application in order to re-enable the user certificate store

In order to tamper with the targeted Android application, we are going to add or modify the network security configuration file. On recent Android versions this file allows the application to be forced to trust the user-supplied CA certificates. The following steps should be performed:

1. Install BurpSuite's CA certificate on your Android device (see [Before Android 7](#before-android-7))
1. Disassemble the targeted app (APK file) with `apktool`
1. Add or modify the `network_security_config.xml` file (usually in the `res/xml/` folder). The content of the file should be:

```xml
```

1. If the `network_security_config.xml` file is not present in your app, the `AndroidManifest.xml` also needs to be modified by adding the `networkSecurityConfig` attribute as follows:

```xml
```

1. Build the modified app with `apktool` and then sign the newly created APK file (see [Application Signing](#application-signing))
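The steps above switch on trust in user-installed CAs through the network security configuration; the following added shell example (not from the cheat sheet or the Android SDK) audits a decoded APK for exactly that setting and for declared certificate pins, so a reviewer can tell what a build actually permits. It assumes the directory layout produced by `apktool d`; the `nsc_audit` and `make_sample` functions, the package name `com.example.app` and the SPKI pin value are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the cheat sheet: audit the network security
# configuration of an APK already decoded with `apktool d <file.apk> -o <dir>`.
# It reports whether the app would trust user-installed CA certificates (the
# setting the tampering steps above switch on) and whether it declares pins.
# Only POSIX tools are used, so it runs without a device or the Android SDK.

# nsc_audit <decoded_apk_dir>
# Prints one line: "manifest=<yes|no> user_ca=<yes|no> pinning=<yes|no>"
nsc_audit() {
    dir=$1
    manifest="$dir/AndroidManifest.xml"
    has_ref=no; user_ca=no; pinning=no
    # 1. The config only applies if the manifest references it; otherwise the
    #    platform default (system CAs only from Android 7 on) is in force.
    if [ -f "$manifest" ] && grep -q 'android:networkSecurityConfig="@xml/' "$manifest"; then
        has_ref=yes
        # Resolve the referenced resource name (strip the "@xml/" prefix).
        name=$(sed -n 's/.*android:networkSecurityConfig="@xml\/\([^"]*\)".*/\1/p' "$manifest" | head -n 1)
        cfg="$dir/res/xml/$name.xml"
        if [ -f "$cfg" ]; then
            # 2. <certificates src="user"/> means CAs installed through
            #    Settings are accepted for TLS, i.e. a proxy CA would work.
            grep -q '<certificates[^>]*src="user"' "$cfg" && user_ca=yes
            # 3. A <pin-set> means the app pins specific public keys.
            grep -q '<pin-set' "$cfg" && pinning=yes
        fi
    fi
    printf 'manifest=%s user_ca=%s pinning=%s\n' "$has_ref" "$user_ca" "$pinning"
}

# make_sample <weak|strict>
# Builds a constructed decoded-APK directory (manifest plus res/xml config)
# under $TMPDIR and prints its path. "weak" is the user-CA-trusting config the
# tampering steps above produce; "strict" keeps system CAs and pins one key.
# The package name and the pin value are placeholders, not real data.
make_sample() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/nsc.XXXXXX")
    mkdir -p "$d/res/xml"
    cat > "$d/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
EOF
    if [ "$1" = weak ]; then
        cat > "$d/res/xml/network_security_config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
    else
        cat > "$d/res/xml/network_security_config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2030-01-01">
            <!-- placeholder SPKI hash, not a real pin -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
EOF
    fi
    printf '%s\n' "$d"
}

# Stand-alone use: pass a decoded APK directory, or no argument to audit
# the two constructed samples.
if [ $# -gt 0 ]; then
    nsc_audit "$1"
else
    nsc_audit "$(make_sample weak)"    # manifest=yes user_ca=yes pinning=no
    nsc_audit "$(make_sample strict)"  # manifest=yes user_ca=no pinning=yes
fi
```

A `user_ca=yes` result on a release build is the condition the steps above deliberately create; on a production app it is a finding, since any CA the user installs can then intercept the app's TLS traffic.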
### Content Provider

Query a Content Provider

```bash
adb shell content query --uri content://<authority>/<path>
```

Insert an element into a Content Provider

```bash
adb shell content insert --uri content://<authority>/<path> --bind <column>:<type>:<value>
```

Delete a row from a Content Provider

```bash
adb shell content delete --uri content://<authority>/<path> --where "<column>='<value>'"
```

### Activity Manager

Start an Activity with the specified Intent

```bash
adb shell am start -n <package_name>/<activity_name> -a <intent_action>
```

Start an Activity with the specified Intent and extra parameters

```bash
adb shell am start -n <package_name>/<activity_name> -a <intent_action> --es <key> <string_value> --ez <key> <boolean_value> --ei <key> <int_value> …
```

## iOS CheatSheet

### Filesystem

App list database

```bash
/User/Library/FrontBoard/applicationState.db
```

Binary directory: includes all the static resources of the app

```bash
/private/var/containers/Bundle/Application/UUID/App.app
```

Path of the binary (executable)

```bash
/private/var/containers/Bundle/Application/UUID/App.app/App
```

App metadata: configuration of the app (icon to display, supported document types, etc.)

```bash
/private/var/containers/Bundle/Application/UUID/App.app/Info.plist
```

Data directory

```bash
/private/var/mobile/Containers/Data/Application/Data-UUID
```

*UUID (Universally Unique Identifier): random 36-character alphanumeric string unique to the app*
*Data-UUID: random 36-character alphanumeric string unique to the app*

### Default password

By default the root password on your jailbroken iOS device is `alpine`

If you've changed it and want to reset it:

1. Open `/etc/passwd` or `/private/etc/master.passwd` with a file manager app (e.g. iFile/Fileza)
2. Change the hash to: `/smx7MYTQIi2M`
3. The root password will be `alpine`

### Bundle ID

The bundle ID (aka package name) represents the app’s unique identifier (e.g. for YouTube)

```
com.google.ios.youtube
```

### How to find the data and binary directories

Grep is the not-so-quick ‘n dirty way to find the data and binary directories of your app

```bash
iPhone:~ root# grep -r <app_name> /private/var/*
```

### How to find the data and binary directories and the Bundle ID

By launching Frida with the ios-app-info script

```bash
frida -U -c dki/ios-app-info <app_name>
```

And then

```bash
[iPhone::App]-> appInfo()
```

Or manually by opening the app list database

```bash
iPhone:~ root# sqlite3 /User/Library/FrontBoard/applicationState.db
```

And displaying the key_tab table to get the binary directories

```bash
sqlite> select * from key_tab;
```

Or displaying the application_identifier_tab table to get the bundle IDs

```bash
sqlite> select * from application_identifier_tab;
```

### App decryption

1. Add the [https://level3tjg.xyz/repo/](https://level3tjg.xyz/repo/) source to Cydia and install the bfdecrypt tool
2. Go to the bfdecrypt pref pane in Settings and set the app to decrypt
3. Launch the app to decrypt: the decrypted IPA is stored in the Documents folder of the app

### Dynamic analysis with Frida

List running processes

```bash
frida-ps -U
```

Analyse the calls to a method by launching Frida with the objc-method-observer script

```bash
frida -U -c mrmacete/objc-method-observer <app_name>
```

And then using the command `observeSomething`

```bash
[iPhone::App]-> observeSomething('*[* **]');
```

Hook the calls to the method

```bash
frida-trace -U -m "-[<class_name> <method_name>]" <app_name>
```

Then open the JavaScript handler file and edit the `onEnter` or `onLeave` functions to manipulate the behavior of the app

### Dynamic analysis with Objection

Inject objection

```bash
objection -g "<bundle_id>" explore
```

List the classes (the output will contain thousands of lines)

```bash
ios hooking list classes
```

List the methods of a class

```bash
ios hooking list class_methods <class_name>
```

Search for class or method names containing a pattern

```bash
ios hooking search classes|methods <pattern>
```

Analyse the calls to the method

```bash
ios hooking watch method "-[<class_name> <method_name>]"
```

Hook the method and return true on each call

```bash
ios hooking set return_value "-[<class_name> <method_name>]" true
```

### Get the NSLog (syslog)

Impactor (http://www.cydiaimpactor.com) lets you display the NSLog (syslog) on the command line

```bash
./Impactor idevicesyslog -u <udid>
```

### SSL Interception with BurpSuite

1. Launch Burp and modify the proxy settings in order to listen on “All interfaces”
2. Browse to the IP/port of your Burp proxy using Safari
3. Tap on the “CA Certificate” at the top right of the screen
4. Tap on “Allow” on the pop-up asking to download a configuration profile
5. Go to “Settings->Profile Downloaded” and select the “PortSwigger CA” profile
6. Tap on “Install” then “Install” again and then “Install” one last time
7. Edit the wireless network settings on your device to set a proxy (“Settings->Wi-Fi” then tap on the blue “i”, slide to the bottom of the screen and tap on “Configure Proxy”)
8. Tap on “Manual”, set the IP/port of your Burp proxy, tap on “Save”
9. Go to “Settings->General->About->Certificate Trust Settings” & toggle on the PortSwigger CA

### Bypass SSL Pinning using SSL Kill Switch 2

Download and install the SSL Kill Switch 2 tweak

```bash
wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb
killall -HUP SpringBoard
```

Go to “Settings->SSL Kill Switch 2” and enable “Disable Certificate Validation”

### UDID (Unique Device Identifier)

The UDID is a string that is used to identify a device. It is needed for some operations like signing, app installation and network monitoring.

* Get the UDID with macOS

```bash
idevice_id -l
```

or

```bash
ioreg -p IOUSB -l | grep "USB Serial"
```

or by launching Impactor without parameters

* Get the UDID with Linux

```bash
usbfluxctl list
```

or

```bash
lsusb -s :`lsusb | grep iPhone | cut -d ' ' -f 4 | sed 's/://'` -v | grep iSerial | awk '{print $3}'
```

or by launching Impactor without parameters

### Network capture (also works on non-jailbroken devices)

* With macOS (install Xcode and the additional tools and connect the device with USB)

```bash
rvictl -s <udid>
tcpdump -i rvi0    # or tshark / wireshark on the rvi0 interface
```

* With Linux or Windows (get https://github.com/gh2o/rvi_capture and connect the device with USB)

```bash
./rvi_capture.py --udid <udid> iPhone.pcap
```

### Sideloading an app

Sideloading an app together with an instrumentation library like Frida lets you interact with the app even if it’s installed on a non-jailbroken device.

#### With IPAPatch

Here’s the process to do it with IPAPatch:

Clone the IPAPatch project

```bash
git clone https://github.com/Naituw/IPAPatch
```

Move the IPA of the app you want to sideload to the Assets directory

```bash
mv <file.ipa> IPAPatch/Assets/
```

Download the FridaGadget library (into Assets/Dylibs/FridaGadget.dylib)

```bash
curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
```

Select the identity to sign the app

```bash
security find-identity -p codesigning -v
```

Sign the FridaGadget library

```bash
codesign -f -s <identity> FridaGadget.dylib
```

Then open the IPAPatch Xcode project, Build and Run.

#### With Objection

Here’s the process to do it with Objection (detailed steps on https://github.com/sensepost/objection/wiki/Patching-iOS-Applications)

```bash
security find-identity -p codesigning -v
objection patchipa --source <file.ipa> --codesign-signature <identity>
unzip <patched.ipa>
ios-deploy --bundle Payload/my-app.app -W -d
objection explore
```

### Data Protection Class

iOS provides four levels to automatically encrypt files on the device:

* `NSProtectionComplete`: file is only accessible when the device is unlocked (files are encrypted with a key derived from the user PIN code & an AES key generated by the device)
* `NSProtectionCompleteUntilFirstUserAuthentication`: (default class) same as before, but the decryption key is not deleted when the device is locked
* `ProtectedUnlessOpen`: file is accessible until open
* `NoProtection`: file is accessible even if the device is locked

### Get Data Protection Class

By launching Frida with the ios-dataprotection script

```bash
frida -U -c ay-kay/ios-dataprotection <app_name>
```

## License

The Mobile Hacking CheatSheet is an open source project released under the [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/deed.fr) licence.
--------------------------------------------------------------------------------