This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity.
iOS 7 tool updates
02 Jan 2014 – Alban Diquet
With the availability of the evasi0n7 jailbreak and the subsequent release two days ago of Cydia Substrate with support for iOS 7 and ARM64, a full-blown iOS 7 penetration testing environment can now be set up. To that end, we’ve updated our publicly available iOS tools for blackbox testing to add support for iOS 7 and ARM64. We just released the following two updates:
- iOS SSL Kill Switch v0.5, our tool to disable SSL certificate verification/pinning.
- Introspy-iOS v0.4, our iOS Apps security profiler.
The pre-compiled packages for these tools now contain both an armv7 and an arm64 slice, which means that they will work on 64-bit iOS Apps for devices with an A7 chip (such as the iPhone 5s and the iPad Air).
Both tools were successfully tested on an iPhone 5s running iOS 7.0.4.
Sandbox changes in iOS 7
While testing Introspy-iOS on iOS 7, I ran into issues with the sandboxd daemon denying write access to specific files the tool was trying to create. Interestingly enough, it seems like the Seatbelt profiles deployed on iOS 7 have been updated, compared to iOS 6. Specifically:
- AppStore Apps can no longer write to the root folder of their container directory, for example /var/mobile/Applications/3152B928-D771-424C-AE39-F79EC4A79EC5/
- System Apps can no longer write to /var/mobile/
Because of these changes, I had to modify the locations where Introspy-iOS stores its files, to the following paths:
- [App Container]/Library/ for AppStore Apps.
- /var/mobile/Library/Preferences/ for System Apps.
It is unclear why the Seatbelt profiles were changed, although the ability to write to these locations was not actually needed by Apps. More information regarding the Seatbelt profiles used for various iOS Apps is available on the iphonedev wiki.
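The storage locations listed above can be derived from the path of the hooked process's executable. The following is an added example, not Introspy-iOS code and not part of the original post; the function name `storage_dir_for`, the sample paths in `main`, and the rule that any path outside `/var/mobile/Applications/<UUID>/` is treated as a system App are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define APPSTORE_ROOT "/var/mobile/Applications/"        /* container parent named in the post */
#define SYSTEM_DIR    "/var/mobile/Library/Preferences/" /* system App location from the post */
#define UUID_LEN      36

/* Returns 1 if s starts with a UUID in 8-4-4-4-12 hex form (stops at NUL). */
static int is_uuid(const char *s) {
    for (int i = 0; i < UUID_LEN; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hypothetical helper: maps an executable path to a directory the iOS 7
 * Seatbelt profiles described in the post still allow writes to.
 * Returns 0 on success, -1 if the result does not fit in out. */
int storage_dir_for(const char *exe_path, char *out, size_t out_len) {
    size_t root_len = strlen(APPSTORE_ROOT);
    int n;
    if (strncmp(exe_path, APPSTORE_ROOT, root_len) == 0 &&
        is_uuid(exe_path + root_len) &&
        exe_path[root_len + UUID_LEN] == '/') {
        /* AppStore App: use <container>/Library/, never the container root. */
        n = snprintf(out, out_len, "%.*s/Library/",
                     (int)(root_len + UUID_LEN), exe_path);
    } else {
        /* Assumption: everything else is handled as a system App. */
        n = snprintf(out, out_len, "%s", SYSTEM_DIR);
    }
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void) {
    char dir[128];
    /* Constructed sample paths; the UUID is the one quoted in the post. */
    if (storage_dir_for("/var/mobile/Applications/3152B928-D771-424C-AE39-F79EC4A79EC5/Demo.app/Demo", dir, sizeof dir) == 0)
        printf("AppStore App -> %s\n", dir);
    if (storage_dir_for("/Applications/MobileSafari.app/MobileSafari", dir, sizeof dir) == 0)
        printf("System App   -> %s\n", dir);
    return 0;
}
```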