Paul De Baldo V
Technical Engagement Manager

Pentesting for iOS Mobile Applications

Pentesting for iOS Mobile Applications

From private messaging to mobile banking, billions of people around the world rely on iOS applications to provide real-time access to services while protecting their most sensitive data — data highly sought after by attackers. To safeguard these applications, HackerOne offers a methodology-driven penetration testing (pentesting) solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with a heavily vetted cohort of a global ethical hacker community for comprehensive, end-to-end pentesting. Frequently performing dedicated pentesting, using a community-driven PTaaS is crucial to finding vulnerabilities in your mobile applications and quickly remediating them to reduce risk.

Pentest reports are a requirement for many security compliance certifications (such as GDPR and HIPAA), and having regular pentest reports on hand can also signal to high-value customers that you care about the security of your mobile applications, boosting customer trust and brand loyalty.

In this blog, we’ll cover some of the most important aspects of pentesting for iOS mobile applications. Jump to a topic using the links below:

iOS Testing Methodologies

HackerOne's iOS testing methodologies are informed by established standards such as the PTESOWASP Mobile Top 10, and the OWASP Mobile Application Security Testing Guide (MASTG). Additionally, our testing processes adhere to the standards required for CREST certification/accreditation, ensuring comprehensive and reliable assessments across various application types, including mobile applications.

Our methodology is continuously evolving to ensure comprehensive coverage for each pentesting engagement. This approach stems from:

  • Consultations with both internal and external industry experts.
  • Leveraging and adhering to recognized industry standards.
  • Incorporating feedback and insights from our pentesters, who bring valuable experience from their full-time roles outside of HackerOne, enabling us to deliver highly technical, in-depth testing.
  • Gleaning insights from a vast array of global customer programs, spanning both time-bound and ongoing engagements.
  • Detailed analysis of millions of vulnerability reports we receive through our platform (see the Hacktivity page for details).

Threats are constantly evolving, so our methodology can't remain stagnant. HackerOne’s Delivery team, including experienced Technical Engagement Managers (TEMs), constantly refine and adapt based on feedback and real-world experiences, delivering unparalleled security assurance.

Common iOS Vulnerabilities

Improper Credential Usage

Improper credential usage is very common in mobile applications, particularly those with backend APIs or databases that require authentication. This often results in credentials being hardcoded within the application. Improper credential usage also includes the insecure transmission of authentication materials, such as the lack of TLS encryption during transit, and the insecure storage of user credentials, such as failing to use the iOS sandbox model to secure data access against other apps.

For example, hardcoded API keys like AWS access keys or Google Maps API keys can be easily extracted from the application package. An attacker who obtains these keys could interact with backend services, potentially exposing sensitive data about other users, initiating unauthorized transactions, or even compromising the organization’s cloud infrastructure. If an AWS key is exposed, the attacker could gain access to cloud resources, modify configurations, or extract critical data, leading to significant financial and reputational damage.

Additionally, some applications store sensitive information, like OAuth tokens or user credentials, in insecure storage areas such as plain text files or unprotected databases. Mobile malware can exploit these weaknesses to harvest credentials, allowing attackers to impersonate users or gain unauthorized access to private information, leading to data breaches or identity theft.

Testing for improper credential usage is straightforward and typically involves scanning extracted application files for secrets, analyzing the source code for where credentials are transmitted or stored, and checking for the use of secure channels like TLS. This vulnerability is particularly prevalent in untested applications, where significant credential misuse is often uncovered during the first test. The discovery of hardcoded credentials, insecure storage practices, and unencrypted transmission underscores the critical importance of regular pentesting for mobile applications.

Insecure Authentication or Authorization

Mobile applications often serve as a front end for APIs and web services, making insecure authentication or authorization issues prevalent. If a mobile app acts as an authorized agent to query backend data without proper security, an attacker could mimic this interaction to access sensitive data or execute actions anonymously. This risk increases when the associated API is also in scope, as vulnerabilities in the API can directly affect the mobile app's security.

Third-party authentication mechanisms, like signing in with Apple ID or social media accounts, introduce additional attack surfaces, particularly in account creation and recovery flows. For example, flaws in OAuth implementation or token validation could allow unauthorized access.

Mobile apps may also include local authentication methods, such as user-specified PINs or passwords. Vulnerabilities in-app logic or misuse of iOS native APIs could lead to bypassing these protections. Ensuring both local and remote access controls are tested and secured is crucial.

Inadequate Privacy Controls

Getting privacy rights is important, but even more so on mobile applications, as mobile devices contain a lot of Personally Identifiable Information (PII). Operating systems like iOS place a strong emphasis on privacy, constantly updating their controls to ensure that data access is granted only with explicit user consent. If your application isn’t tested for compliance with legal privacy regulations like GDPR, CCPA, or emerging laws such as India’s Digital Personal Data Protection Act (DPDPA), it could face regulatory penalties or struggle to access the data necessary for its functionality.

Inadequate privacy controls can also intersect with other vulnerabilities, such as insecure authentication or authorization, or improper storage of credentials. For example, if broken access controls in the backend API allow a user to access another user’s sensitive data, or if sensitive data is improperly cached on the device, it could lead to a serious data breach. Such incidents not only violate privacy regulations but can also severely damage an organization’s reputation.

We've seen reports of specific privacy-impacting vulnerabilities, including improper handling of OAuth tokens, lack of encryption for sensitive data stored on devices, and insufficient user consent mechanisms for accessing personal data. Addressing privacy control issues requires expert knowledge of mobile operating systems, application data handling, privacy policies, and relevant regulatory frameworks. Testing for these issues is crucial to ensure compliance and protect user data.

iOS Best Practices

Careful Scoping

Having the right scope is crucial to a successful pentest—what is being tested can be just as important as how it is done. Modern iOS applications can be complex, with various features, frameworks, APIs, and integrations.

With limited time and resources for each pentest, selecting critical targets within the iOS application can make the difference between a low-value report and a successful pentest with high-impact findings. For instance, focusing on testing complex authentication mechanisms, data storage, inter-app communication, and the APIs that the iOS app interfaces with can yield more significant results than testing superficial UI elements. HackerOne evaluates your assets to accurately determine the needed pentest size and provides a customized quote tailored to your specific pentest requirements.

Read the Pre-Pentest Checklist Series Part 1 and Part 2 to address crucial questions before your next pentest.

Skills-Based Tester Matching

Traditional consultancies often rely on in-house pentesters with general skills. However, iOS pentesting requires specialized knowledge of iOS architecture, Swift/Objective-C coding, and mobile security practices, which many firms lack.

With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience. The HackerOne platform keeps track of each researcher's skill set based on their track record and matches the most suitable researchers for each engagement. The community-driven PTaaS approach delivers comprehensive coverage, versatility, and the highest-quality results tailored to the types of assets and technology stacks of your mobile applications.  

Case Study: Doorbell Camera App Leaks User Location

Amazon's Ring Neighbours app allows users to publicly share Ring camera feeds online. In 2021, the organization had a data breach that leaked the precise location and home address of its users. Although the precise location was not visible in the application, the underlying API responses of the users' posts leaked the longitude, latitude and home addresses of users who posted through the app. Even though not all posts were displayed to the user, the ID number of each post was incremental — meaning that an attacker could query the same API for all existing posts by changing the post number, and get more sensitive data. At the time, there were about 4 million posts in total - that's a lot of home addresses.

Ring Neighbors app code

Inspecting and manipulating API requests is often the first or second step taken in a mobile application pentest, meaning that given a thorough pentest of this mobile application, the vulnerability would've easily been found and the data breach avoided. Privacy issues like these have been found and disclosed on HackerOne's programs, such as when Nextcloud's mobile application leaked file search records to the server during a local search, or the lack of anonymization of analytics data on the Nord VPN app. 

Both of those reports demonstrated that the researcher had an in-depth understanding of the application's data and privacy model, and hackers like them will be pentesting iOS applications for your organization.

Why HackerOne is the Best Option for iOS Pentests

By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the community-driven PTaaS model. The HackerOne Platform simplifies pentest requests, asset onboarding, and researcher enlistment, making the process swift and efficient. 

Our community of iOS experts brings deep knowledge of Apple's ecosystem, Swift, Objective-C, and the iOS platform, providing comprehensive coverage of OWASP Mobile Top 10 risks and additional concerns like app extension vulnerabilities and iCloud data syncing issues. Utilizing advanced tools such as Frida and Objection, manual testing techniques, and custom scripts, HackerOne Pentests simulate real-world attack scenarios going beyond automated scans. 

HackerOne's pentest reports help executives and cybersecurity engineers harden iOS apps against breaches that could lead to fines or penalties under GDPR and CCPA. Our iOS pentests offer critical protection in an evolving threat landscape by providing guidance on implementing Apple's latest security features. With the rapid setup, effective assessments, and prompt retesting, HackerOne supports organizations in reducing breach risks and helping fulfill compliance.

With the right blend of crowdsourced security, technical expertise, and technology, HackerOne is the ideal choice for your iOS mobile application pentests. To learn more or get started on your first pentest with HackerOne, contact our team of experts today.

The 8th Annual Hacker-Powered Security Report

HPSR blog ad image