Creating a mobile penetration testing environment can be extremely time consuming. Frequent device inactivity, DHCP lease renewals, and web proxy configurations can all waste valuable testing hours. We will go over some simple steps to configure an iPhone or iPad for application vulnerability assessments. 1) Jailbreak the Device This is a requirement for all the steps listed here. Since this is an extremely common and well documented procedure we will not cover the details here. iOS 6.x devices can be jailbroken by following the steps at http://evasi0n.com/. Changes made by the jailbreak are persistent until the device firmware is upgraded. 2) Install OpenSSH For much of our penetration testing we will be using the command line of the device itself. While some people use terminal emulators on the device, we prefer to use SSH and an SSH client on a laptop. The iOS OpenSSH daemon can be found by searching ‘openssh’ within the Cydia App Store. The evasion jailbreak software will install Cydia for you. 3) Configure Static IP Addresses In the admin console of our WiFi router we will configure static IP addresses for the iPad and our laptop. A static IP address for the iPad ensures we can quickly SSH from our laptop without checking the configuration of the device. The static IP address of our laptop ensures the iPad can always connect to our web proxy running on our laptop.
4) Install classdump-z The original Classdump is packaged with Cydia, however, is several years out of date. Classdump-z is the most current tool for enumerating Objective-C interfaces. Classdump-z can be found at https://code.google.com/p/networkpx/wiki/class_dump_z
5) Install Useful Tool Packages One package we find essential for testing is the BigBoss Recommended Tools. This can be found in Cydia on your device. This will install otool and many other useful tools during testing.
6) Install Insomnia Insomnia can be found in Cydia and is a vital application during a pen test. Insomnia will keep the device active while it’s plugged into a power source. This will prevent your SSH session from disconnecting as the device sleeps during a period of inactivity. While this is a very small step to take, this is a huge time saver during a lengthy assessment. Insomnia can be invoked as a normal application from SpringBoard.
7) Install Proxy Certificates To avoid common SSL validation errors while using proxies such as burp, the proxy CA certificate should be installed as a trusted CA on the testing device. The certificate can be easily exported from your web browser, copied to a web browser, then installed via Safari on the device. Below shows the certificate installed:
8) Install iOS SSL Kill Switch You may not have an immediate need for this tool, but this is something every tester will encounter at some point. Applications using HTTPS commonly have certificates “pinned” within the application itself. This is done to harden the SSL security model, however, can prevent a web proxy from being able to man in the middle the application. iOS SSL Kill Switch is developed by iSECPartners and uses Mobile Substrate to replace system level certificate validation with NSURLConnection and other functions. iOS SSL Kill Switch can be found at https://github.com/iSECPartners/ios-ssl-kill-switch