[OWASP-Delhi] iOS app pentest

Vishal A. vishal.asthana at owasp.org
Wed Aug 5 16:47:29 UTC 2015


Hi Reuben,

The following OWASP resource has quite a few pointers:
https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet

I can vouch for this, as I use it extensively while conducting native iOS app
assessments.

Vishal

On Wed, Aug 5, 2015 at 11:46 AM, reuben kurien <reubengkurien at gmail.com>
wrote:

> Hi Satya,
>
> Thanks for taking the time to write this response. It's certainly helpful.
>
> Also, do you by any chance know how to test client-side security
> issues on the iPhone when no jailbreak is available?
>
> Regards,
> Reuben
> On 4 Aug 2015 21:37, "Satya Sadhak" <dogged.learner at gmail.com> wrote:
>
>> Hi Reuben,
>>
>> You need:
>>
>>    1. An iOS device
>>    2. A laptop
>>    3. Wi-Fi connecting both of the above
>>
>>
>> In the Wi-Fi settings of the device, set up the proxy manually to route data
>> through a specified port on the laptop.
>> On that port of the laptop, intercept the traffic using something like
>> Burp/Charles/Fiddler etc. Do set up the intercepting proxy to listen for
>> data from all hosts; by default they may only intercept requests from
>> localhost.
>>
>> If the app you need to test works over HTTPS, you may additionally need to
>> install the certificate of the intercepting proxy on the iOS device, for
>> which you may refer to the following links:
>>
>>    - https://support.portswigger.net/customer/portal/articles/1841109-Mobile%20Set-up_iOS%20Device%20-%20Installing%20CA%20Certificate.html
>>    - http://www.telerik.com/blogs/using-fiddler-with-apple-ios-devices
>>
>> Regards,
>> Satya.
>>
>> ---------- Forwarded message ----------
>> From: reuben kurien <reubengkurien at gmail.com>
>> Date: Tue, Aug 4, 2015 at 7:34 PM
>> Subject: [OWASP-Delhi] iOS app pentest
>> To: owasp-delhi at lists.owasp.org
>>
>>
>> Hi All,
>>
>> Can anyone provide me some pointers on how to perform an iOS app pentest
>> when a jailbreak is not possible (due to legal issues)?
>>
>> I'm looking for test cases to be executed against native apps and methods
>> to perform them. I know that the options are greatly reduced without a
>> jailbreak, but feel free to send across anything you think is relevant,
>> since I'm a newbie to this.
>>
>> Thanks in advance.
>>
>> Regards,
>> Reuben
>>
>> _______________________________________________
>> OWASP-Delhi mailing list
>> OWASP-Delhi at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
>> Twitter: https://twitter.com/OWASPdelhi
>>
>
>
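Satya's caveat about the intercepting proxy listening only on localhost is the step that most often makes a device-side proxy setup silently fail. The following Python helper is an added example, not code from this thread or from any of the tools named in it: it parses `ss -ltn` output (the sample lines below are constructed, not captured from a real host) and reports whether a listener on the chosen proxy port is reachable from a phone on the same Wi-Fi network.

```python
import ipaddress
import re

# Constructed sample of `ss -ltn` output; 192.168.1.20 plays the laptop's Wi-Fi address.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     192.168.1.20:8081    0.0.0.0:*
LISTEN  0       128     *:8082               *:*
LISTEN  0       128     [::1]:8083           [::]:*
LISTEN  0       128     [::]:8084            [::]:*
"""

# Local address column: either "[v6addr]:port" or "v4addr:port" (v4addr may be "*").
LOCAL_ADDR_RE = re.compile(r"^(\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+|\*)$")


def parse_listeners(ss_output):
    """Return (bind_address, port) for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        m = LOCAL_ADDR_RE.match(fields[3])
        if not m or m.group("port") == "*":
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        listeners.append((addr, int(m.group("port"))))
    return listeners


def classify_bind(bind_addr, laptop_lan_ip):
    """Say whether a bind address is reachable from another host on the LAN."""
    if bind_addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_loopback:
        return "localhost-only"  # the phone can never reach this listener
    return "lan-interface" if str(ip) == laptop_lan_ip else "other-interface"


def check_proxy_port(ss_output, port, laptop_lan_ip):
    """Verdict for the proxy port: 'ok', 'localhost-only' or 'not-listening'."""
    verdicts = [classify_bind(a, laptop_lan_ip)
                for a, p in parse_listeners(ss_output) if p == port]
    if not verdicts:
        return "not-listening"
    if any(v in ("all-interfaces", "lan-interface") for v in verdicts):
        return "ok"
    return "localhost-only"
```

On a real laptop, feed it the output of `ss -ltn` and the Wi-Fi address the phone's proxy setting points at; a `localhost-only` verdict means the listener must be rebound to all interfaces before the device traffic will arrive.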

