Mobile Application Analysis: iOS

Forensic data highlights a list of the potential behaviors that might have been observed while interacting with the application. A brief description of each behavior, potential use, and the applicable architecture (MACH–O slice) in which that behavior was detected are included.

Analysis Type: Static
Severity (CVSS): Informational (0)

Debug logs are designed to detect and correct application flaws. Detected Apple System Logger (ASL) messages while performing dynamic analysis are presented as forensic data. These messages were written to specific locations on the disk (such as /etc/system.log) and can leak sensitive information that might allow an attacker to carry out a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Any certificates used by the application are displayed as forensic data, covering the type of key, number of bits, serial number, URL, and common name associated with each certificate.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Confers specific capabilities or security permissions to an iOS application. Forensic data show specific entitlements along with associated values.

Analysis Type: Static
Severity (CVSS): Informational (0)

Network communications are monitored as the application is running to locate where the application is sending its data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Highlights any activity where the app calls the iOS Keychain, indicating when keychain items were created, deleted, or queried.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

CommonCrypto calls are analyzed to determine if any sensitive data is protected using symmetric encryption, hash-based message authentication codes, and digests.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Informational details about the compiled binary that were observed during dynamic analysis of the application. Example metadata includes the supported app versions, various flags set in the application, bundle information, identified behaviors, important libraries, and more. Many of these items are already being analyzed and separated out into their own individual checks and results.

Analysis Type: Static
Severity (CVSS): Informational (0)

CFURLConnection requests are analyzed to determine if any sensitive data is transmitted over the network.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Related to the hostname verification issue, sensitive data that can be intercepted over the network due to improper certificate validation and/or hostname verification is searched. Sensitive data includes usernames, passwords, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), device serial number, and phone number.

Analysis Type: Dynamic
Severity (CVSS): High (7.7)

This test uses methods that proxy all TLS/SSL communications sent by the application. During this process, we search the traffic for sensitive search values, including username, password, GPS coordinates, wi-fi Mac address, International Mobile Equipment Identity (IMEI), serial number, and phone number.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Traffic is analyzed to determine if the advertising ID (AdID) is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if custom terms are insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if device information is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.3)

Traffic is analyzed to determine if any email addresses are insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s first name is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s GPS latitude coordinate is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the user’s GPS longitude coordinate is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the Identifier for Vendors (IDFV) is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s last name is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the local wi-fi MAC address is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the user’s password is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the user’s phone number is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the surrounding wi-fi MAC address is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the username is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the zip code were searched across any intercepted traffic.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

iOS keychain entries are monitored and custom terms are searched.

Analysis Type: Dynamic
Severity (CVSS): Low (3.8)

iOS keychain entries and values related to the instrumented test device (e.g., device ID, GPS coordinates, etc.) are searched.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

iOS Keychain entries are monitored and instances of the password are searched.

Analysis Type: Dynamic
Severity (CVSS): Low (3.8)

iOS keychain entries are monitored and instances of the username are searched.

Analysis Type: Dynamic
Severity (CVSS): Low (1.6)

Detects whether ZIP files are being sent by the application in transit over HTTP. ZIP files can lead to a remote arbitrary file write, which could allow an attacker remote code execution.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Determines if ZIP files are being sent by the application over HTTPS. ZIP files can lead to a remote arbitrary file write, which could allow an attacker to carry out a remote code execution attack.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

ASL messages are analyzed for advertising ID (AdID) exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for sensitive user or application data. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.5)

ASL messages are analyzed for evidence of exposing the user’s email. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for evidence of exposing the user’s first name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for exposure of the GPS latitude. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for exposure of the GPS longitude. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for Identifier for Vendors (IDFV) exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for user last name exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for local wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for exposure of the user’s name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for password exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.5)

ASL messages are analyzed for phone number exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for surrounding wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for username exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. In this test, ASL messages are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

This check examines the compiled binary for libraries that do not have Automatic Reference Counting (ARC) enabled.

Analysis Type: Static
Severity (CVSS): Low (1.6)

This test checks if the individual components inside the compiled binary used stack canaries to prevent buffer overflows.

Analysis Type: Static
Severity (CVSS): Low (1.6)

This check only applies to iOS apps that use Touch ID for authentication. It determines if your application is using an insecure implementation of the Local Authentication framework, which makes it possible to bypass the authentication process through runtime analysis or patching the binary.

Analysis Type: Static
Severity (CVSS): Informational (0)

Any interaction with SQLite databases is monitored as the application is running to determine how the application interacts with its data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Network requests are evaluated for unencrypted (HTTP) connections. Any such detected endpoints are available in the forensic data.

Analysis Type: Static
Severity (CVSS): Informational (0)