# iOS Test Cases
- Root/Runtime Detection
  - Jailbreak
    - checkra1n
    - Frida
    - Theos
- Sensitive data
  - HTTP cache data should not be stored on the device (lower severity if it does not contain sensitive information)
  - Sensitive data should not be written to Plist files unencrypted
  - Sensitive data should not be written to unencrypted SQLite databases
  - Sensitive cookies should not be stored in the Cookies.binarycookies file
  - Cookies should carry the HttpOnly and Secure flags
  - Sensitive data or debug info should not be in the IPA file
  - Sensitive data or debug info should not be in the application
  - Application should remove cached documents on logout
  - PDF files opened by the application should be deleted from the tmp directory when done
  - Data Protection API
    - Check each file in the data directory for information
  - Crash logs should not contain sensitive data
- IPC
  - URL Schemes
    - Sensitive data should not be passed in URL schemes
    - Application should validate the bundle ID of the source
  - The Pasteboard should not be used as an IPC mechanism
- iCloud
  - Push Notifications
    - Check that the device token received in didRegisterForRemoteNotificationsWithDeviceToken is stored encrypted
    - Check that notifications do not contain sensitive information
  - iCloud Backup
    - Data in the /Documents folder will automatically be backed up
      - This can be prevented with NSURLIsExcludedFromBackupKey
    - Keychain *ThisDeviceOnly keys
    - NSUbiquitousKeyValueStore data is automatically backed up to iCloud
- WebView
  - Check for stringByEvaluatingJavaScriptFromString
  - https://inappbrowser.com/
- Keyboard
  - Keyboard caching of sensitive data should be prevented
  - The application should not allow third-party keyboards
- Device Logs
  - Logs should not leak sensitive information
- Screenshot
  - Check whether the screenshot taken when the app is backgrounded contains sensitive data
- Network
  - Connections use SSL/TLS
    - Check NSAppTransportSecurity for exceptions
  - Does the application use certificate pinning?
    - How easy is it to bypass?
  - Can you modify the message?
  - Is the request signed?
  - What is the session token?
  - SSL cipher check on servers
- Authentication Bypass
  - DeviceID should not be used as the only authentication factor
  - How is the PIN verified?
    - Is it stored on the device?
    - How are the secrets encrypted or validated?
    - Does the PIN work if the device is offline?
    - Can it be bypassed?
    - Does the app reset the PIN attempt count when backgrounded or killed?
    - How hard is it to brute-force?
    - If a device fingerprint is added, does the flow change?
- TouchID
  - Do not use the Local Authentication framework
  - Use a secret that has the kSecAccessControlUserPresence flag
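Added example (Swift; not part of the original checklist) showing the defensive side of the iCloud Backup items (Data Protection API, NSURLIsExcludedFromBackupKey, *ThisDeviceOnly keys) and the TouchID item above. The file name and Keychain account name are placeholders chosen here.

```swift
import Foundation
import Security

// Added example, not from the original checklist. "session.bin" and
// "com.example.app.session" are constructed placeholder names.
enum SecureStorageError: Error { case keychain(OSStatus) }

/// Write sensitive data under the Data Protection API (unreadable while the
/// device is locked) and mark it with NSURLIsExcludedFromBackupKey so that
/// iCloud/iTunes backups skip the file.
func writeProtectedAndExcludedFromBackup(_ data: Data, fileName: String) throws -> URL {
    let fm = FileManager.default
    let dir = fm.urls(for: .applicationSupportDirectory, in: .userDomainMask)[0]
    try fm.createDirectory(at: dir, withIntermediateDirectories: true)
    var url = dir.appendingPathComponent(fileName)
    // NSFileProtectionComplete: the file key is discarded when the device locks.
    try data.write(to: url, options: [.completeFileProtection, .atomic])
    var values = URLResourceValues()
    values.isExcludedFromBackup = true   // Swift spelling of NSURLIsExcludedFromBackupKey
    try url.setResourceValues(&values)
    return url
}

/// Store a secret in the Keychain with a *ThisDeviceOnly accessibility class
/// (never synced or restored to another device) and kSecAccessControlUserPresence,
/// so reading it requires Touch ID / Face ID or the device passcode.
func storeDeviceBoundSecret(_ secret: Data, account: String) throws {
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence,
        nil
    ) else { throw SecureStorageError.keychain(errSecParam) }

    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)   // replace any earlier item for this account

    var item = lookup
    item[kSecAttrAccessControl as String] = access
    item[kSecValueData as String] = secret
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw SecureStorageError.keychain(status) }
}
```

During a test, a file written this way should not appear in a device backup, and the Keychain item should not be readable without a user-presence prompt.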
- Lock
  - Application is locked when backgrounded
  - Application is locked when switching applications, or after a maximum of 15 minutes timeout
  - Application is locked when the device is locked
- Device Tokens
  - Are these device tokens revocable by the server?
- IPA
  - Compiled with ARC enabled
  - Compiled with ASLR (PIE) enabled
  - Compiled with stack canaries enabled
- Crypto
  - Look at the block size
  - Look at the key size
  - Look at the cipher
  - Look at API versions
  - Application uses SecRandomCopyBytes for cryptographic random data
  - Key is not stored as a string
- Keychain
  - What is stored in the Keychain?
  - What protection class is used?
  - Fingerprint authentication
  - PIN authentication
  - Application should be logged out after 10 minutes
- Libraries
  - Check third-party libraries for version and known security vulnerabilities
  - Can user input reach a dangerous function?
  - Can user input reach a fixed-size buffer?