diff --git a/tests/ios/MASVS-STORAGE/MASTG-TEST-0052.md b/tests/ios/MASVS-STORAGE/MASTG-TEST-0052.md index 9a178eec2e..0d0b4e38b5 100644 --- a/tests/ios/MASVS-STORAGE/MASTG-TEST-0052.md +++ b/tests/ios/MASVS-STORAGE/MASTG-TEST-0052.md 
@@ -100,3 +100,123 @@ Note: You may be asked to authenticate using the devices passcode or TouchID Save the output by adding `--json keychain.json` to this command Dumping the iOS keychain... Created Accessible ACL Type Account Service Data +------------------------- ------------------------------ ----- -------- ------------------------- ------------------------------------------------------------- ------------------------------------ +2020-02-11 13:26:52 +0000 WhenUnlocked None Password keychainValue com.highaltitudehacks.DVIAswiftv2.develop mysecretpass123 +``` + +#### Searching for Binary Cookies + +iOS applications often store binary cookie files in the application sandbox. Cookies are binary files containing cookie data for application WebViews. You can use objection to convert these files to a JSON format and inspect the data. + +```bash +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json +[ + { + "domain": "highaltitudehacks.com", + "expiresDate": "2051-09-15 07:46:43 +0000", + "isHTTPOnly": "false", + "isSecure": "false", + "name": "username", + "path": "/", + "value": "admin123", + "version": "0" + } +] +``` + +#### Searching for Property List Files + +iOS applications often store data in property list (plist) files that are stored in both the application sandbox and the IPA package. Sometimes these files contain sensitive information, such as usernames and passwords; therefore, the contents of these files should be inspected during iOS assessments. Use the `ios plist cat plistFileName.plist` command to inspect the plist file. + +To find the file userInfo.plist, use the `env` command. 
It will print out the locations of the applications Library, Caches and Documents directories: + +```bash +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # env +Name Path +----------------- ------------------------------------------------------------------------------------------- +BundlePath /private/var/containers/Bundle/Application/B2C8E457-1F0C-4DB1-8C39-04ACBFFEE7C8/DVIA-v2.app +CachesDirectory /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library/Caches +DocumentDirectory /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Documents +LibraryDirectory /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library +``` + +Go to the Documents directory and list all files using `ls`. + +```bash +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ls +NSFileType Perms NSFileProtection Read Write Owner Group Size Creation Name +------------ ------- ------------------------------------ ------ ------- ------------ ------------ -------- ------------------------- ------------------------ +Directory 493 n/a True True mobile (501) mobile (501) 192.0 B 2020-02-12 07:03:51 +0000 default.realm.management +Regular 420 CompleteUntilFirstUserAuthentication True True mobile (501) mobile (501) 16.0 KiB 2020-02-12 07:03:51 +0000 default.realm +Regular 420 CompleteUntilFirstUserAuthentication True True mobile (501) mobile (501) 1.2 KiB 2020-02-12 07:03:51 +0000 default.realm.lock +Regular 420 CompleteUntilFirstUserAuthentication True True mobile (501) mobile (501) 284.0 B 2020-05-29 18:15:23 +0000 userInfo.plist +Unknown 384 n/a True True mobile (501) mobile (501) 0.0 B 2020-02-12 07:03:51 +0000 default.realm.note + +Readable: True Writable: True +``` + +Execute the `ios plist cat` command to inspect the content of userInfo.plist file. 
+ +```bash +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios plist cat userInfo.plist +{ + password = password123; + username = userName; +} +``` + +#### Searching for SQLite Databases + +iOS applications typically use SQLite databases to store data required by the application. Testers should check the data protection values of these files and their contents for sensitive data. Objection contains a module to interact with SQLite databases. It allows to dump the schema, their tables and query the records. + +```bash +...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # sqlite connect Model.sqlite +Caching local copy of database file... +Downloading /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library/Application Support/Model.sqlite to /var/folders/4m/dsg0mq_17g39g473z0996r7m0000gq/T/tmpdr_7rvxi.sqlite +Streaming file from device... +Writing bytes to destination... +Successfully downloaded /var/mobile/Containers/Data/Application/264C23B8-07B5-4B5D-8701-C020C301C151/Library/Application Support/Model.sqlite to /var/folders/4m/dsg0mq_17g39g473z0996r7m0000gq/T/tmpdr_7rvxi.sqlite +Validating SQLite database format +Connected to SQLite database at: Model.sqlite + +SQLite @ Model.sqlite > .tables ++--------------+ +| name | ++--------------+ +| ZUSER | +| Z_METADATA | +| Z_MODELCACHE | +| Z_PRIMARYKEY | ++--------------+ +Time: 0.013s + +SQLite @ Model.sqlite > select * from Z_PRIMARYKEY ++-------+--------+---------+-------+ +| Z_ENT | Z_NAME | Z_SUPER | Z_MAX | ++-------+--------+---------+-------+ +| 1 | User | 0 | 0 | ++-------+--------+---------+-------+ +1 row in set +Time: 0.013s +``` + +#### Searching for Cache Databases + +By default NSURLSession stores data, such as HTTP requests and responses in the Cache.db database. This database can contain sensitive data, if tokens, usernames or any other sensitive information has been cached. 
To find the cached information open the data directory of the app (`/var/mobile/Containers/Data/Application/`) and go to `/Library/Caches/`. The WebKit cache is also being stored in the Cache.db file. Objection can open and interact with the database with the command `sqlite connect Cache.db`, as it is a normal SQLite database. + +It is recommended to disable Caching this data, as it may contain sensitive information in the request or response. The following list below shows different ways of achieving this: + +1. It is recommended to remove Cached responses after logout. This can be done with the provided method by Apple called [`removeAllCachedResponses`](https://developer.apple.com/documentation/foundation/urlcache/1417802-removeallcachedresponses "URLCache removeAllCachedResponses") + You can call this method as follows: + + `URLCache.shared.removeAllCachedResponses()` + + This method will remove all cached requests and responses from Cache.db file. + +2. If you don't need to use the advantage of cookies it would be recommended to just use the [.ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral "urlsessionconfiguration ephemeral") configuration property of URLSession, which will disable saving cookies and Caches. + + [Apple documentation](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral "urlsessionconfiguration ephemeral"): + + ```An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn’t store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.``` + +3. 
Cache can be also disabled by setting the Cache Policy to [.notAllowed](https://developer.apple.com/documentation/foundation/urlcache/storagepolicy/notallowed "URLCachePolicy notAllowed"). It will disable storing Cache in any fashion, either in memory or on disk.
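Review bot: item 3 of the recommendation list mislabels the API it links to. The URL points to `URLCache.StoragePolicy.notAllowed`, which is a per-response storage policy (supplied through `CachedURLResponse(response:data:userInfo:storagePolicy:)`, typically from the `urlSession(_:dataTask:willCacheResponse:completionHandler:)` delegate method), not a "Cache Policy"; `URLRequest.CachePolicy` has no `.notAllowed` case. Suggest rewording to "setting the response's storage policy to `.notAllowed`" and stating where it is applied, otherwise readers will look for a request-level setting that does not exist. Two related points in the same list: in item 1, `URLCache.shared.removeAllCachedResponses()` clears only the shared cache, so sessions built with a custom `urlCache` in their `URLSessionConfiguration` need that cache cleared as well; in item 2 the Apple quotation is wrapped in a single-line triple-backtick fence, which renders as one long inline code span, whereas a `>` blockquote matches the quoting style used elsewhere in the document. Minor wording in the hunk: "the devices passcode" should be "the device's passcode", "the applications Library" should be "the application's Library", "the provided method by Apple" reads better as "the method provided by Apple", and "Cookies are binary files containing cookie data" is circular (consider describing the file as the binary cookie store used by the app's WebViews, as the following sentence already implies).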