The iOS Buster is a groundbreaking penetration testing tool for iOS, capable of performing both static and dynamic testing. It provides detailed reports, including STRs (steps to reproduce), highlighting the discovered vulnerabilities. It serves as a valuable addition to MobSF.

Test cases covered:

- Application Allows Custom Keyboards On Sensitive Fields
- Application Binary Is Not Obfuscated [Need to improve]
- Application Minimum OS Version Is Vulnerable
- Application Not Disabled Sensitive Data From Being Copied
- ARC Not Enabled
- ATS Configuration Is Insecure
- Biometric Authentication Bypass
- Certificate Pinning Bypass
- Certificate Pinning Not Implemented
- Checking Symbol Information
- Improper Application Cookie Policy
- Integrity Check Not Implemented On WebView Content
- Internal IP Discovered
- Jailbreak Detection Bypass
- Lack of Authentication After Background Resume
- Login Credential Found In Device Memory Dump
- Misconfigured Access Origin In Cordova Or PhoneGap
- Missing Anti Debugging Mechanism
- Missing Security Checks on the Enrollment of Additional Biometrics
- No Jailbreak Detection
- PIE ASLR Not Implemented
- Screenshot Disclosing Sensitive Information
- Security Access Control Missing From iOS Keychain
- Stack Canaries Not Enabled
- Unmasked Sensitive Data
- Use Of Insecure Random Function
- Use Of Vulnerable Cordova or PhoneGap Framework Version
- User Related Data Cached In WebView
- User Related Data Captured In System Logs
- User Related Data In Device Local Storage
- User Related Data Stored in Device Keychain
- User Related Data Stored In Plist
- Misconfigured Firebase [Need to improve]
- Scanning DeepLinks [Need to improve]
- On your laptop, download the latest release of the iOS-Buster tool: https://github.com/darklotuskdb/ios-buster/releases/latests
- Download 3uTools from the link below: https://www.3u.com/productsWin
- Click on the 'Files' option located in the bottom-left corner of the iDevice section (landing page) in 3uTools.
- Click on 'File System (User)', then select 'Downloads' and drag-and-drop the tool's zip file into the downloads directory.
- In the 'ToolBox' section of 3uTools, search for and enable the SSH Tunnel.
- Launch Windows CMD and execute the following command to connect via SSH:

  Note: Avoid using the PuTTY SSH client via 3uTools. In that terminal, the history is limited and scrolling may be improper, leading to potential loss of the initial output.

  ```
  ssh root@127.0.0.1
  ```

  Note: If you get an error while connecting such as `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`, then simply go to `C:\Users\<username>\`, delete the `.ssh` folder and then try to reconnect.
- Execute the following command to unzip the contents:

  ```
  unzip iOS-Buster*.zip
  ```

- Execute the following commands to give the scripts execute permission:

  ```
  cd iOS-Buster-KDBhati/iOS
  chmod +x *.sh
  ```
- Some tools need to be installed before running the iOS Buster tool, as listed below:

  ```
  gawk nano unzip coreutils tree libplist-utils cycript lldb darwintools
  ```

  To install these tools, run the Install-Setup.sh file:

  ```
  ./Install-Setup.sh
  ```

- The tool is ready to use now. Check the Usage section to get proper instructions:

  ```
  ./ios-buster.sh
  ```
- Install the target application you want to pentest using the iOS Buster tool, or alternatively, use 3uTools to install the IPA file.
- Launch the application and thoroughly navigate through all functionalities, including submitting forms and updating items such as the user profile picture, changing the password, etc. This is essential for generating data in both the device's local storage and the system logs, which improves the tool's output. These steps are critical, as approximately 90% of the dynamic test cases rely on this process. Failure to properly navigate the application may result in data not being stored in local storage.

  Note: If the application has a PIN login functionality, avoid using common values like "00000" or "123456". Instead, use a unique value such as "113377" to prevent false positives in the tool's output.

- In many applications, you will encounter numerous user input fields such as address, comment boxes, support forms, etc. Instead of providing random data in each of these fields, use a consistent keyword like 'iOSTest' or 'ipaTest'. You can also create your own keyword, for example your name. This approach simplifies the process, as you only need to search for one keyword rather than many.
- First perform the following test cases, in the order listed below, using `iOS_Buster-Win.bat` and manually. The tool will prompt for the pass or fail status of these test cases in order to include the findings in the report file generated by the main tool:

  1. Jailbreak Detection Bypass
  2. Lack of Certificate Pinning (iOS)
  3. Certificate Pinning Bypass
  4. Application Not Disabled Sensitive Data From Being Copied
  5. Screenshot Disclosing Sensitive Information
  6. Application Allows Custom Keyboards On Sensitive Fields
  7. Biometric Authentication Bypass
  8. Missing Security Checks On The Enrollment Of Additional Biometrics
  9. Unmasked Sensitive Data
  10. Lack of Authentication After Background Resume

  Note: Be sure to try the Universal Jailbreak Bypass tool made by @rsbarsania: https://github.com/rsbarsania/Universal-JailBreak-Bypass
- After completing the aforementioned steps, log out from the application and wait for at least 10 minutes. Then use the `iOS_Buster-Win.bat` script on Windows to perform the keychain and memory dump.

  Note: Use `iOS_Buster-Win.bat` to generate these two files. It is crucial that the filenames remain the same; otherwise, the tool might overlook findings. If you are creating them manually, follow the naming convention by using all lowercase letters: the keychain file must be named `keychain.json` and the memory dump file must be named `strings.txt`.
- For the `keychain.json` file, select option "2" and provide the applicationIdentifier from the Frida output.
- For the `strings.txt` file, select option "6" and provide the applicationName (without double/single quotes) from the Frida output.
- Now on your laptop, create a directory with any name. Let's say the application name is 'DVIA v2'; then simply create a folder named `dvia`. Inside the `dvia` folder, create a file named `keywords.txt`. Additionally, create a folder named `input` and copy the `keychain.json` file and the `strings.txt` file into the `input` folder.

  Note: Ensure that every file or folder name is in lowercase letters.
- Open the `keywords.txt` file in a text editor like Notepad, and enter all sensitive data as keywords for the search process, such as username, password, email, PIN, etc.

  Note: Be very careful when adding data to the `keywords.txt` file. Ensure there are no empty lines, especially at the end. Sometimes the application URL-encodes special characters, so repeat each such keyword in its URL-encoded form as well. For example, as shown in the image below, 'Password@123' is provided and then repeated with the '@' symbol URL-encoded, making it 'Password%40123'.
- Using 3uTools, just drag and drop the `dvia` folder into the `applications` folder present in the `iOS` directory of the iOS Buster tool.

  Note: An `a-sample-folder` directory is present inside the `applications` directory for your reference, providing information on the necessary files and folders.
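As an added example covering the three preparation steps above (the `dvia` folder layout, the `keywords.txt` content and its URL-encoded variants), the following POSIX shell script is not part of the iOS Buster project: it builds `dvia/keywords.txt` and `dvia/input/` from constructed sample dumps, writes the URL-encoded form of each keyword next to it without ever leaving a blank line, and counts how many lines of each dump contain a keyword. The fixed set of characters it percent-encodes, the sample `strings.txt` and `keychain.json` contents and the `dvia` folder name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the iOS Buster project: prepare the
# dvia folder (keywords.txt plus input/keychain.json and input/strings.txt)
# and check the dumps for each keyword, including its URL-encoded form.
# Every file written below is constructed sample data.
set -e

# Percent-encode the characters that form submissions commonly encode.
# Handling only this fixed set is an assumption of the example; '%' goes
# first so the encodings added later are not encoded twice.
urlencode_keyword() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/!/%21/g' \
    -e 's/#/%23/g' -e 's/\$/%24/g' -e 's/&/%26/g' -e 's/+/%2B/g' \
    -e 's/=/%3D/g' -e 's/@/%40/g'
}

# Write keywords.txt: every keyword, then its URL-encoded form when it
# differs. Empty keywords are skipped and no blank line is ever written:
# a blank pattern line would make the search match every line of the dump.
build_keywords() {
  out="$1"; shift
  : > "$out"
  for kw in "$@"; do
    [ -n "$kw" ] || continue
    printf '%s\n' "$kw" >> "$out"
    enc=$(urlencode_keyword "$kw")
    [ "$enc" = "$kw" ] || printf '%s\n' "$enc" >> "$out"
  done
}

# Count dump lines containing any keyword (fixed-string match, so '@' and
# '%' are literal). grep exits 1 when nothing matches; keep its "0" output.
count_hits() {
  grep -c -F -f "$1" -- "$2" || true
}

# Build the folder layout the tool expects and run the check on sample data.
prepare_and_check() {
  base="$1"
  mkdir -p "$base/dvia/input"
  # Constructed memory dump: one line leaks the URL-encoded password.
  cat > "$base/dvia/input/strings.txt" <<'EOF'
UIApplicationDidBecomeActiveNotification
username=iostest&password=Password%40123
com.apple.UIKit
EOF
  # Constructed keychain export: the password is stored in clear.
  cat > "$base/dvia/input/keychain.json" <<'EOF'
[{"service":"com.example.dvia","account":"iostest","data":"Password@123"}]
EOF
  build_keywords "$base/dvia/keywords.txt" "iostest" "Password@123" "113377"
  for f in strings.txt keychain.json; do
    printf '%s: %s line(s) contain a keyword\n' "$f" \
      "$(count_hits "$base/dvia/keywords.txt" "$base/dvia/input/$f")"
  done
}

work=$(mktemp -d)
prepare_and_check "$work"
rm -rf "$work"
```

The search uses `grep -F -f keywords.txt`, which is the reason the note above insists on no empty lines: an empty pattern matches every line, so a trailing blank line turns every dump line into a hit and buries the real findings. Point `prepare_and_check` at the tool's `applications` directory to produce a real `dvia` folder instead of the temporary one.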
- Now we are all set to execute the iOS Buster tool. Launch the target application (in our case 'DVIA v2'), but do not log in. Connect to the iOS device via SSH and execute the following command:

  ```
  ios-buster.sh -a "<app-name>" -d applications/<folder-name>
  ```

  For example:

  ```
  ./ios-buster.sh -a dvia -d applications/dvia
  ```
- The following pop-up will appear on your iOS device screen once iOS Buster starts the penetration test.
- The tool covers more than 30 test cases, including both static and dynamic assessments, in less than 2 minutes. Additionally, it provides a report detailing all discovered vulnerabilities.
- Export the `Logs-.zip` folder from the "app-name" directory present inside the "applications" folder of the iOS Buster tool. These files contain all the detailed logs of the tool's scan activities. Additionally, the best part is that you will receive a report of all the findings, including vulnerability descriptions, locations, steps to reproduce, and remediation for all the discovered issues, saving a lot of time.
- In the report file, i.e. `3-Report.txt`, you have to select the placeholder value and perform a 'replace all' operation. For example, copy the `<----IPA-File---->` placeholder and replace it with the IPA file name of the target application. This value will then be updated in all the STRs. Similarly, repeat the process for the other placeholders.
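The same 'replace all' can be done from the shell when the report is large, with a check that no placeholder was missed. The script below is an added example and not part of the iOS Buster project: `fill_placeholder` substitutes one placeholder everywhere in the report, and `remaining_placeholders` counts any `<----Name---->` markers still present. Only `<----IPA-File---->` comes from the tool's instructions; the `<----App-Name---->` placeholder and the report lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the iOS Buster project: fill the placeholders in
# 3-Report.txt from the shell instead of a text editor, and verify that none
# are left. The report text and <----App-Name----> are constructed; only
# <----IPA-File----> comes from the tool's instructions.
set -e

# Replace every occurrence of a placeholder with a value. The result is
# written to a temporary file and moved back, which works with both GNU
# and BSD sed (no -i flag needed).
fill_placeholder() {
  report="$1"; placeholder="$2"; value="$3"
  # Escape characters that are special in the sed replacement text
  # (backslash, '&' and the '|' used as delimiter below).
  esc=$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')
  sed -e "s|$placeholder|$esc|g" "$report" > "$report.tmp"
  mv "$report.tmp" "$report"
}

# Count placeholders of the form <----Name----> still present in the report.
# grep -o prints one match per line; with no matches wc simply reports 0.
remaining_placeholders() {
  grep -o '<----[A-Za-z0-9_-]*---->' "$1" | wc -l | tr -d ' '
}

# Sample run on a constructed report.
demo() {
  report="$1"
  cat > "$report" <<'EOF'
Title: Jailbreak Detection Bypass
Target: <----IPA-File---->
Steps to reproduce: install <----IPA-File----> on the device and open <----App-Name---->.
EOF
  fill_placeholder "$report" '<----IPA-File---->' 'DVIA-v2.ipa'
  fill_placeholder "$report" '<----App-Name---->' 'DVIA v2'
  printf 'placeholders left: %s\n' "$(remaining_placeholders "$report")"
}

work=$(mktemp -d)
demo "$work/3-Report.txt"
rm -rf "$work"
```

Run `remaining_placeholders 3-Report.txt` after the last replacement; anything other than `0` means an STR still carries an unfilled marker.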
This tool is still under development and is intended solely for ethical hackers to conduct white hat security penetration testing. If you misuse this tool, I will not be responsible for any consequences. Please inform me if you encounter any errors while using it, and also suggest additional findings to include in this tool.
- DarkLotus - Cyber Security Researcher - DarkLotusKDB
BuyMeACoffee If you like my work <3