11. iOS Bug Bounty

iOS Bug Bounty Hunt

โ— Always refer to a HackerOne Bug Bounty program to find valid targets

๐Ÿ”— HackerOne iOS programs

Static Analysis

Install the app on the iPhone via the App Store

Pull the .ipa from the App Store with AnyTrans or iMazing (Apple ID login required)

Import the .ipa into MobSF and analyze it

Rename the .ipa file to .zip, unzip it and look at the content

  • iTunesMetadata.plist - general information, app name, etc

  • Open the .app and look for the application content

    • Info.plist - look for URLs, API keys, IDs, strings, etc

    • .plist, .json, config files

    • Manifest.plist
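
The unzip-and-inspect step above can be scripted. This is an added example, not part of the original page: it opens an .ipa as a zip archive, parses the main Info.plist and reports the items worth a manual look. The function names, the in-memory sample .ipa and every value in it are constructed for illustration.

```python
import io, plistlib, re, zipfile

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
INFO_RE = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")
SECRET_RE = re.compile(r"(?i)key|secret|token")

def walk(value, path=""):
    """Yield (key_path, leaf) for every leaf in a nested plist structure."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, value

def review_ipa(ipa):
    """ipa: path or file-like object. Returns review notes from the app's Info.plist."""
    with zipfile.ZipFile(ipa) as z:
        name = next((n for n in z.namelist() if INFO_RE.match(n)), None)
        if name is None:
            raise ValueError("no Payload/*.app/Info.plist in archive")
        info = plistlib.loads(z.read(name))  # auto-detects XML or binary plist
    strings = [(p, v) for p, v in walk(info) if isinstance(v, str)]
    ats = info.get("NSAppTransportSecurity", {})
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "url_schemes": [s for t in info.get("CFBundleURLTypes", [])
                        for s in t.get("CFBundleURLSchemes", [])],
        "urls": sorted({u for _, v in strings for u in URL_RE.findall(v)}),
        "ats_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "secret_like_keys": sorted(p for p, _ in strings if SECRET_RE.search(p)),
    }

def build_sample_ipa():
    """Constructed sample .ipa, built in memory so the example runs offline."""
    info = {"CFBundleIdentifier": "com.example.demo",
            "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp"]}],
            "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
            "ApiBaseURL": "https://api.example.com/v1",
            "AnalyticsApiKey": "CONSTRUCTED-PLACEHOLDER"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(review_ipa(build_sample_ipa()))
```

Pass `review_ipa` the path of a pulled .ipa to review a real app; entries under `secret_like_keys` are name matches only and still need manual confirmation.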

Dynamic Analysis

Jailbreak the iPhone, run the app and try to intercept its traffic using a proxy (Burp Suite, Proxyman for macOS, Zaproxy, etc)

Proceed with SSL Unpinning using Objection if necessary

Dynamically test the app by creating an account, signing in and navigating the entire app

  • Using two accounts is suggested, to test auth tokens, access to the other account, and different parts of the app

