❗ Always refer to a HackerOne Bug Bounty program to find valid targets
- 🧪 e.g.
  - 1.1.1.1 - com.cloudflare.1dot1dot1dot1 Cloudflare iOS is in scope
Static Analysis
- Install the app on the iPhone via the App Store
- Pull the ipa from the App Store via AnyTrans or iMazing tools (Apple ID login necessary)
- Import the .ipa into MobSF and analyze it
- Rename the .ipa file to .zip, unzip it and look at the content
  - iTunesMetadata.plist - general information, app name, etc
  - Open the .app and look for the application content
    - Info.plist - look for URLs, api keys, IDs, strings etc
    - .plist, .json, config files
    - Manifest.plist
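The unzip-and-inspect step above, as an added example that is not part of the original notes: a Python script that opens an .ipa as a zip archive, parses every .plist (XML or binary, which plain text search misses) and .json member, and lists URLs and values stored under key-like names. The key-name pattern and the sample archive (`com.example.demo`, `EXAMPLE-KEY-123`) are constructed assumptions.

```python
import io, json, plistlib, re, zipfile

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Key names that commonly hold credentials or identifiers (heuristic list, an assumption).
KEY_HINT = re.compile(r"(api[_-]?key|secret|token|client[_-]?id|password)", re.I)

def walk(node, path=""):
    """Yield (key_path, string_value) for every string leaf in a plist/JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(node, (list, tuple)):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def triage_ipa(ipa):
    """Return sorted (file, key_path, kind, value) findings from plist/JSON members."""
    findings = set()
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            low = name.lower()
            if not low.endswith((".plist", ".json")):
                continue
            try:
                data = z.read(name)
                tree = plistlib.loads(data) if low.endswith(".plist") else json.loads(data)
            except Exception:
                continue  # malformed or non-standard file: skip rather than abort
            for key_path, value in walk(tree):
                for url in URL_RE.findall(value):
                    findings.add((name, key_path, "url", url))
                if KEY_HINT.search(key_path.rsplit("/", 1)[-1]):
                    findings.add((name, key_path, "key-like", value))
    return sorted(findings)

def build_sample_ipa():
    """Constructed sample .ipa (not a real app) so the example runs offline."""
    buf = io.BytesIO()
    info = {"CFBundleIdentifier": "com.example.demo", "ApiBaseURL": "https://api.example.com/v1"}
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("iTunesMetadata.plist", plistlib.dumps({"itemName": "Demo"}))
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Demo.app/config.json", json.dumps({"analytics": {"api_key": "EXAMPLE-KEY-123"}}))
    return buf

if __name__ == "__main__":
    print(*triage_ipa(build_sample_ipa()), sep="\n")
```

`triage_ipa` also accepts a file path, so the .ipa pulled from an in-scope app can be passed in place of the constructed sample.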
Dynamic Analysis
- Jailbreak the iPhone, run the app and try to intercept its traffic using a proxy (BurpSuite, Proxyman for MacOS, Zaproxy, etc)
- Proceed with SSL Unpinning using Objection if necessary
- Dynamically test the app by joining an account, signing in and navigating the entire app
  - Two accounts to test with are suggested, to test auth tokens, access to the other account, and different parts of the app