
01 Introduction

iOS PENTESTING
Course Name : Certified iOS Penetration Tester

TOPICS OF MODULE 1
Basics and Course Outline & Lab Setup
Privilege Escalation or Jail breaking
Directory & Operation Structure


COURSE OUTLINE & FLOW
Application Static Analysis
Application Storage Analysis
iOS Reverse Engineering
iOS Client-Side Injections
iOS Network Analysis
Runtime Analysis
Unintended Data Leakage
iOS Security Testing
Securing iOS Apps
Fundamentals of iOS Forensics

JAIL BREAKING
One of the programs that allows jailbreaking of iOS devices is ‘checkra1n’. This method of jailbreaking requires a host computer and an iOS device connected to it. In this case, the host computer will be a Linux host; the recommended distribution is a Debian-based one. The steps to download it are listed on the website, which gives the option of either using the apt repo or downloading the app binary. I followed the repo method:

Used tool: checkra1n (https://checkra.in/)

echo 'deb https://assets.checkra.in/debian /' | sudo tee /etc/apt/sources.list.d/checkra1n.list
sudo apt-key adv --fetch-keys https://assets.checkra.in/debian/archive.key
sudo apt-get update
sudo apt-get install checkra1n
sudo checkra1n --gui &


Some of the key highlights of the iOS filesystem are:
- In a jailbroken device, all the files and directories under ‘/’ have read and write access.
- The directories found directly under ‘/’ can be categorised by name as follows:
  - Directories similar to the macOS file system: Applications, Library, System, User.
  - Directories common to UNIX file systems: bin, boot, dev, etc, lib, mnt, sbin, tmp, usr, var.
  - Directories unique to the iOS file system: private, cores.
  - Other directories, depending on the jailbreaking tool used.
- Some of the directories are symlinks to other directories under ‘/’. The symlinks usually point to a directory that sits directly or indirectly under the /private directory.
- There may also be a file named ‘.file’. It appears to have no purpose, but it may be used for file integrity checks to verify that the filesystem is not corrupt.
The iOS Application Environment
An iOS application has access to the following directories/components to exchange data with:

Pre-installed native iOS application and native jailbreak application directory:
  /Applications/$app_name.app

App Store application directory:
  /var/containers/Bundle/Application/$uuid

Data directory:
  /var/mobile/Containers/Data/Application/$uuid

Shared data directory:
  /var/mobile/Containers/Shared/AppGroup/$uuid

iOS Keychain:
  /var/Keychains/keychain-2.db

UIPasteboard:
  The clipboard of iPhone apps
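The following Python script is an added example for this module and is not part of the course material. It ties together the two lists above: it classifies each top-level entry of a root filesystem into the name-based categories the slides give (macOS-like, UNIX-common, iOS-unique, other), reports where each symlink points and whether the target resolves under /private as the slides state is usual, and then enumerates the App Store bundle, data and shared-group containers and the keychain database at the paths listed above. To run offline it builds a constructed miniature of a jailbroken root in a temporary directory; the UUIDs, the Demo.app bundle name and the "jailbreak-extras" directory are constructed placeholders, while the etc, var and tmp symlink targets are the standard iOS ones. Point survey_root() and find_app_bundles() at a mounted filesystem image or a directory tree copied from a device to use it on real data.

```python
"""Survey the top level of an iOS root filesystem and locate app containers (added example)."""
import os
import tempfile
from pathlib import Path

# Name-based categories from the slides. Anything else is "other": directories
# added by the jailbreak tool (their names vary per tool, so none are hard-coded).
MACOS_LIKE = {"Applications", "Library", "System", "User"}
UNIX_COMMON = {"bin", "boot", "dev", "etc", "lib", "mnt", "sbin", "tmp", "usr", "var"}
IOS_UNIQUE = {"private", "cores"}

# Container locations from the slides, relative to the root.
BUNDLE_DIR = "var/containers/Bundle/Application"
DATA_DIR = "var/mobile/Containers/Data/Application"
SHARED_DIR = "var/mobile/Containers/Shared/AppGroup"
KEYCHAIN_DB = "var/Keychains/keychain-2.db"


def classify(name):
    """Category of a top-level entry, decided by name only (the slides' taxonomy)."""
    if name in MACOS_LIKE:
        return "macos-like"
    if name in UNIX_COMMON:
        return "unix-common"
    if name in IOS_UNIQUE:
        return "ios-unique"
    return "other"


def survey_root(root):
    """Return {name: (category, symlink_target, under_private)} for every entry of root.

    category is "file" for regular files such as '.file'; symlink_target is the raw
    link text or None; under_private is True when the link resolves inside <root>/private.
    """
    root = Path(root)
    private_root = (root / "private").resolve()
    report = {}
    for entry in sorted(root.iterdir()):
        if entry.is_symlink():  # check first: is_dir() would follow the link
            target = os.readlink(entry)
            resolved = (entry.parent / target).resolve()
            under_private = resolved == private_root or private_root in resolved.parents
            report[entry.name] = (classify(entry.name), target, under_private)
        elif entry.is_dir():
            report[entry.name] = (classify(entry.name), None, False)
        else:
            report[entry.name] = ("file", None, False)
    return report


def find_app_bundles(root):
    """{uuid: bundle_name} for App Store apps under var/containers/Bundle/Application."""
    base = Path(root) / BUNDLE_DIR
    bundles = {}
    if base.is_dir():
        for uuid_dir in base.iterdir():
            apps = sorted(p.name for p in uuid_dir.iterdir() if p.suffix == ".app")
            if apps:
                bundles[uuid_dir.name] = apps[0]
    return bundles


def list_container_uuids(root, rel):
    """UUID directory names under one container root (data or shared); empty if absent."""
    base = Path(root) / rel
    return sorted(p.name for p in base.iterdir()) if base.is_dir() else []


def build_sample_root():
    """Constructed miniature of a jailbroken root; placeholder values, for the demo only."""
    root = Path(tempfile.mkdtemp(prefix="ios-root-"))
    for rel in [
        "Applications/Preferences.app", "Library", "System", "User",
        "bin", "boot", "dev", "lib", "mnt", "sbin", "usr", "cores",
        "private/etc", "private/var/tmp", "private/var/Keychains",
        f"private/{BUNDLE_DIR}/11111111-2222-3333-4444-555555555555/Demo.app",
        f"private/{DATA_DIR}/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE/Documents",
        f"private/{SHARED_DIR}/99999999-8888-7777-6666-555555555555",
        "jailbreak-extras",  # constructed stand-in for a tool-specific directory
    ]:
        (root / rel).mkdir(parents=True, exist_ok=True)
    (root / ".file").touch()
    (root / "private" / KEYCHAIN_DB).touch()  # empty stand-in for keychain-2.db
    # Standard iOS symlinks: /etc -> private/etc, /var -> private/var, /tmp -> private/var/tmp
    os.symlink("private/etc", root / "etc")
    os.symlink("private/var", root / "var")
    os.symlink("private/var/tmp", root / "tmp")
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for name, (cat, target, under_private) in survey_root(root).items():
        link = f" -> {target} ({'under /private' if under_private else 'elsewhere'})" if target else ""
        print(f"{name:18} {cat}{link}")
    print("app bundles:", find_app_bundles(root))
    print("data containers:", list_container_uuids(root, DATA_DIR))
    print("shared containers:", list_container_uuids(root, SHARED_DIR))
    print("keychain present:", (root / KEYCHAIN_DB).is_file())
```

On a real tree, entries that fall into "other" are the ones worth a second look during static analysis, since they are what the jailbreak tool added rather than part of the stock filesystem; a symlink whose target resolves outside /private likewise deviates from the layout described above.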

THANK YOU
We will see jailbreaking in action in the next class.
