IOS Application Penetration Testing (W30) - Pentestmag

IOS Application Penetration Testing (W30)


Out of stock

Category: Tags: , ,


An online video training course that will consisted of identifying and exploiting vulnerabilities in ios applications using various tools and methodologies. We will start with the Basics of ios architectures, security models, attacks and defenses.

The course is available only for premium subscribers.


You will learn:

  • Highly practical
  • Drives through the process of identifying and exploiting vulnerabilities in iOS Applications
  • Exercises
  • Learning approach that consisted of the following: Basics – Attacks – Defenses
  • iOS Traffic Analysis
  • Runtime analysis of iOS apps
  • Exploiting iOS Applications
  • iOS Forensics
  • Exploiting iDevices with Metasploit

You will need:

  • A Macbook with at least 4GB of RAM
  • iPhone or iPad : Need to be jailbroken though
  • USB cable to connect the iDevices to the machine
  • Wireless network( ideally but not required )
  • OS X is ideal but most of this will work with any *NIX type system

Before they join you should know:


Module 1:  iOS Applications Security: iOS Filesystems and Forensics

Module 1 description: We will be looking at the iOS filesystem, understand how the directories are organized, look at some important files, and look at how we can extract data from database and plist files. We will look at how applications store their data in their specific directories (sandbox) and how we can extract them.

Module 1 covered topics: Presenting how IOS Filesystems are organized and how to extract data from databases and Plist. Also how applications stores data on their sandboxes using tools like sqlite3, iExplorer,etc

Module 1 exercises: For this module, you will have to SSH to your iDevice ( Assuming that you already changed the root password )

  • SSH to your iphone

  • As root, perform the “ps aux” to find out about the different users involved

  • Find –name *.db ( to see all databases on your iDevice )

  • Select one database and extract data ( as seen on this module training )

  • Choose your favor text editor and display the plist files, modify it and save it

  • Use iExplorer to view the plist files

  • Transfer files from your iPhone to your local machine for further analysis using sftp

Module 2: Runtime analysis of IOS Apps using Cycript and GNU debugger

Module 2 description: In Depth analysis of application runtime using cycript and GNU debugger. With cycript we can hook into the application runtime, access & modify the instance variables, invoke the instance methods and override the existing methods.

Module 2 covered topics:

  • In depth Runtime analysis with Cycript

  • Authentication bypass using cycript

  • Access & modify the instance variables

  • Clutch to decrypt applications

  • Debugging with GDB by hooking into applications

  • Invoke the instance methods and override the existing methods

Module 2 exercises: TBD

Module 3 title: Insecure Local Data Storage

Module 3 description: Different types of files stored/created in the application’s home directory and other insecure data storage locations. IOS apps stored data locally using various method such as:

  • SQLite databases
  • PLIST files
  • Keychain

Module 3 covered topics:

  • Sensitive data in Keychains

  • Installing keychains_dumper onto the iPhone

  • SQLite databases manipulations

  • PLIST files

  • Unintended data leakage

Module 3 exercises: TBD

Module 4 title: IOS Application Traffic Analysis

Module 4 description: Intercepting and Monitoring HTTP / HTTPS Traffic with Burp Suite and Wireshark

Module 4 covered topics:

  • Browser based mobile apps

  • Intercepting HTTP / HTTPS sensitive data in clear text

  • Performing traffic analysis

  • Installing tcpdump on iPhone

  • Using Wireshark to open pcap file

  • Download filename.pcap from iPhone to local machine

  • Connect your laptop and your iDevices on the same Wi-Fi network

  • Configure Burp and your iPhone as well

  • Tampering data

Module 4 exercises: TBD

Your Instructor:  John Ilboudo

profile pic

  • 5 Years of Cyber Security Penetration Testing
  • Android and iPhone researcher
  • Certified Ethical Hacker
  • Reverse Engineering Enthusiast
  • WordPress Hacking & Security Measures

Questions? Reach out to us at [email protected]

1 review for IOS Application Penetration Testing (W30)

  1. Maryellen Stapley

    It’s a shame you don’t have a donate button! I’d without a doubt donate to this fantastic blog! I suppose for now i’ll settle for bookmarking and adding your RSS feed to my Google account. I look forward to new updates and will talk about this site with my Facebook group. Talk soon!

Only logged in customers who have purchased this product may leave a review.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023