# iOS Pentesting Checklist


### Preparation

* [ ] Read [**iOS Basics**](https://angelica.gitbook.io/hacktricks/mobile-pentesting/ios-pentesting/ios-basics)
* [ ] Prepare your environment by reading [**iOS Testing Environment**](https://angelica.gitbook.io/hacktricks/mobile-pentesting/ios-pentesting/ios-testing-environment)
* [ ] Read all the sections of [**iOS Initial Analysis**](https://angelica.gitbook.io/hacktricks/ios-pentesting#initial-analysis) to learn common actions to pentest an iOS application

### Data Storage

* [ ] [**Plist files**](https://angelica.gitbook.io/hacktricks/ios-pentesting#plist) can be used to store sensitive information.
* [ ] [**Core Data**](https://angelica.gitbook.io/hacktricks/ios-pentesting#core-data) (SQLite database) can store sensitive information.
* [ ] [**YapDatabases**](https://angelica.gitbook.io/hacktricks/ios-pentesting#yapdatabase) (SQLite database) can store sensitive information.
* [ ] [**Firebase**](https://angelica.gitbook.io/hacktricks/ios-pentesting#firebase-real-time-databases) misconfiguration.
* [ ] [**Realm databases**](https://angelica.gitbook.io/hacktricks/ios-pentesting#realm-databases) can store sensitive information.
* [ ] [**Couchbase Lite databases**](https://angelica.gitbook.io/hacktricks/ios-pentesting#couchbase-lite-databases) can store sensitive information.
* [ ] [**Binary cookies**](https://angelica.gitbook.io/hacktricks/ios-pentesting#cookies) can store sensitive information
* [ ] [**Cache data**](https://angelica.gitbook.io/hacktricks/ios-pentesting#cache) can store sensitive information
* [ ] [**Automatic snapshots**](https://angelica.gitbook.io/hacktricks/ios-pentesting#snapshots) can save sensitive visual information
* [ ] [**Keychain**](https://angelica.gitbook.io/hacktricks/ios-pentesting#keychain) is usually used to store sensitive information that can remain on the device when the phone is resold.
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**

### Keyboards

* [ ] Does the application [**allow the use of custom keyboards**](https://angelica.gitbook.io/hacktricks/ios-pentesting#custom-keyboards-keyboard-cache)?
* [ ] Check if sensitive information is saved in the [**keyboards cache files**](https://angelica.gitbook.io/hacktricks/ios-pentesting#custom-keyboards-keyboard-cache)

### **Logs**

* [ ] Check if [**sensitive information is being logged**](https://angelica.gitbook.io/hacktricks/ios-pentesting#logs)

### Backups

* [ ] [**Backups**](https://angelica.gitbook.io/hacktricks/ios-pentesting#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
* [ ] Also, [**backups**](https://angelica.gitbook.io/hacktricks/ios-pentesting#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone; as the **modified configuration** is **loaded**, some (security) **functionality** may be **bypassed**

### **Applications Memory**

* [ ] Check for sensitive information inside the [**application's memory**](https://angelica.gitbook.io/hacktricks/ios-pentesting#testing-memory-for-sensitive-data)

### **Broken Cryptography**

* [ ] Check if you can find [**passwords used for cryptography**](https://angelica.gitbook.io/hacktricks/ios-pentesting#broken-cryptography)
* [ ] Check for the use of [**deprecated/weak algorithms**](https://angelica.gitbook.io/hacktricks/ios-pentesting#broken-cryptography) to send/store sensitive data
* [ ] [**Hook and monitor cryptography functions**](https://angelica.gitbook.io/hacktricks/ios-pentesting#broken-cryptography)

### **Local Authentication**

* [ ] If a [**local authentication**](https://angelica.gitbook.io/hacktricks/ios-pentesting#local-authentication) is used in the application, you should check how the authentication is working.
  * [ ] If it's using the [**Local Authentication Framework**](https://angelica.gitbook.io/hacktricks/ios-pentesting#local-authentication-framework), it could be easily bypassed
  * [ ] If it's using a [**function that can be dynamically bypassed**](https://angelica.gitbook.io/hacktricks/ios-pentesting#local-authentication-using-keychain), you could create a custom Frida script

### Sensitive Functionality Exposure Through IPC

* [**Custom URI Handlers / Deeplinks / Custom Schemes**](https://angelica.gitbook.io/hacktricks/ios-pentesting#custom-uri-handlers-deeplinks-custom-schemes)
  * [ ] Check if the application is **registering any protocol/scheme**
  * [ ] Check if the application is **registering to use** any protocol/scheme
  * [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by another application registering the same scheme
  * [ ] Check if the application **isn't checking and sanitizing** user input via the custom scheme and some **vulnerability can be exploited**
  * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**Universal Links**](https://angelica.gitbook.io/hacktricks/ios-pentesting#universal-links)
  * [ ] Check if the application is **registering any universal protocol/scheme**
  * [ ] Check the `apple-app-site-association` file
  * [ ] Check if the application **isn't checking and sanitizing** user input via the custom scheme and some **vulnerability can be exploited**
  * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**UIActivity Sharing**](https://angelica.gitbook.io/hacktricks/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing)
  * [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with a specially crafted activity
* [**UIPasteboard**](https://angelica.gitbook.io/hacktricks/mobile-pentesting/ios-pentesting/ios-uipasteboard)
  * [ ] Check if the application is **copying anything to the general pasteboard**
  * [ ] Check if the application is **using the data from the general pasteboard for anything**
  * [ ] Monitor the pasteboard to see if any **sensitive data is copied**
* [**App Extensions**](https://angelica.gitbook.io/hacktricks/mobile-pentesting/ios-pentesting/ios-app-extensions)
  * [ ] Is the application **using any extension**?
* [**WebViews**](https://angelica.gitbook.io/hacktricks/mobile-pentesting/ios-pentesting/ios-webviews)
  * [ ] Check which kind of webviews are being used
  * [ ] Check the status of **`javaScriptEnabled`**, **`javaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`**
  * [ ] Check if the webview can **access local files** with the **file://** protocol (`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
  * [ ] Check if JavaScript can access **Native** **methods** (`JSContext`, `postMessage`)

### Network Communication

* [ ] Perform a [**MitM on the communication**](https://angelica.gitbook.io/hacktricks/ios-pentesting#network-communication) and search for web vulnerabilities.
* [ ] Check if the [**hostname of the certificate**](https://angelica.gitbook.io/hacktricks/ios-pentesting#hostname-check) is checked
* [ ] Check/Bypass [**Certificate Pinning**](https://angelica.gitbook.io/hacktricks/ios-pentesting#certificate-pinning)

### **Misc**

* [ ] Check for [**automatic patching/updating**](https://angelica.gitbook.io/hacktricks/ios-pentesting#hot-patching-enforced-updateing) mechanisms
* [ ] Check for [**malicious third party libraries**](https://angelica.gitbook.io/hacktricks/ios-pentesting#third-parties)

