diff --git a/src/mobile-pentesting/ios-pentesting/README.md b/src/mobile-pentesting/ios-pentesting/README.md index fc432cd9465..ba30ac2e9a7 100644 --- a/src/mobile-pentesting/ios-pentesting/README.md +++ b/src/mobile-pentesting/ios-pentesting/README.md 
@@ -517,6 +517,41 @@ It's common for applications to create their own sqlite database. They may be ** find ./ -name "*.sqlite" -or -name "*.db" ``` +### Automated extraction and triage of app storage + +When you have **privileged filesystem access** to the test device, it can be useful to automate the repetitive part of the storage review and then spend time on the findings instead of on file conversion and copy/paste work. + +- **iOS**: pull the **bundle** and **data** directories over **SSH** from a **jailbroken** device. +- **Android**: pull the app directories over **ADB** from a **rooted** device. A practical split is: + - **`data/`** for the application's private sandbox + - **`storage/`** for files exposed to other apps / shared storage + +A useful pattern is to stage the extracted files on the workstation and immediately classify them with **`libmagic`**-backed type detection. This lets you generate inventories such as: + +- **`plist_files.txt`** for identified plist files +- **`DB_files.txt`** for identified SQLite databases +- **`db_extracted_plists/`** for plist blobs carved from SQLite databases + +This is specially useful in iOS reviews because many interesting artifacts are **binary plists** or **plists nested inside other containers**. After extraction: + +- Convert every plist to **XML** to make manual review and diffing easier. +- Parse each plist for **embedded / nested plists** and write them next to the parent artifact so hidden configuration or cached tokens aren't missed. +- Treat SQLite databases as containers too and carve plist blobs out of columns/BLOBs before triage. + +The [**Mobile Data Extractor**](https://github.com/Tsynack/Mobile-Data-Extractor) workflow is a good example of this approach. 
It supports interactive extraction from **jailbroken iOS (SSH)** and **rooted Android (ADB)**, classifies files with `python-magic`/`libmagic`, converts extracted plists to XML, and logs the discovered plist / SQLite paths for follow-up: + +```bash +pip install -r requirements.txt +python3 mobile_extractor.py +``` + +After the pull, add deterministic "quick win" searches over the extracted dataset: + +- Search by **extension** to find common secret-bearing artifacts and log the results in **`extension_search.txt`**. +- Search all extracted files for **case-insensitive plaintext strings** such as `password`, tokens, API keys, account identifiers, or test credentials and log matches in **`string_search.txt`**. + +Persisting the search results is useful operationally because it preserves analyst context if the session dies or the review is resumed later. + ### Firebase Real-Time Databases Developers are enabled to **store and sync data** within a **NoSQL cloud-hosted database** through Firebase Real-Time Databases. Stored in JSON format, the data gets synchronized to all connected clients in real time. @@ -1237,6 +1272,8 @@ zero-click-messaging-image-parser-chains.md - OWASP iGoat [_https://github.com/OWASP/igoat_](https://github.com/OWASP/igoat) <<< Objective-C version [_https://github.com/OWASP/iGoat-Swift_](https://github.com/OWASP/iGoat-Swift) <<< Swift version - [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) - [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2) +- [https://trustedsec.com/blog/reduce-repetition-and-free-up-time-with-mobile-file-extractor](https://trustedsec.com/blog/reduce-repetition-and-free-up-time-with-mobile-file-extractor) +- [https://github.com/Tsynack/Mobile-Data-Extractor](https://github.com/Tsynack/Mobile-Data-Extractor) {{#include ../../banners/hacktricks-training.md}}
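Review bot: the `bash` block in the new "Automated extraction and triage of app storage" section (`pip install -r requirements.txt` / `python3 mobile_extractor.py`) cannot be run as written, because the repository is never cloned and the commands assume the working directory is the tool's checkout; add `git clone https://github.com/Tsynack/Mobile-Data-Extractor` and `cd Mobile-Data-Extractor` in front of the `pip install` line, ideally in a venv, so a reader who copies the block gets a working setup instead of a "requirements.txt not found" error. Two smaller points in the same hunk: the inventory names (`plist_files.txt`, `DB_files.txt`, `db_extracted_plists/`, `extension_search.txt`, `string_search.txt`) are presented as generic triage outputs several paragraphs before the Mobile Data Extractor is introduced, so either move the tool reference up or say explicitly that these are the files that tool writes; and the Android split (`data/` for the private sandbox, `storage/` for shared storage) should name the device paths it maps to (`/data/data/<package>` and `/sdcard/Android/data/<package>`, for example) so the reader can verify the pull with `adb shell ls` rather than trusting the labels. Also, "This is specially useful" should read "especially useful", and since the plaintext `password`/token search is meant to run over the dataset after the plist-to-XML conversion, say so, otherwise a reader who greps the raw pull may miss values stored in binary plists.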
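Review bot: in the references hunk the TrustedSec post (https://trustedsec.com/blog/reduce-repetition-and-free-up-time-with-mobile-file-extractor) is only added to the bottom reference list, while the body section it was drawn from links the GitHub repo alone; cite the blog post inline where the "Mobile Data Extractor workflow" is introduced as well, so the section credits the write-up that describes the approach and a reader of that section is not left to find the source in a list of unrelated tools. The list entries themselves follow the existing `- [url](url)` style, so no formatting change is needed there.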