Some notes for my mobile pentest guidance for both Android and iOS. Read below:
- Mobile forensics and data recovery
- Network, web services and API testing
- Server-side penetration testing
- Reverse engineering and code analysis
a) Where sensitive data can be found:
- Private application folder - the folder created for an app when it is installed
- SD card - additional (external) storage on Android
- System log files - logs written by applications and by the device itself, including debug output
- Keychain - the iOS store for sensitive data such as credentials and keys
- RAM - data held temporarily in memory while the app runs
- Source code (hardcoded) - passwords and other sensitive values embedded in the code itself
- Web cache/history (hybrid/web-wrapper apps) - data stored by the embedded browser component
b) Tools for data recovery and analysis:
File system:
Android -- Android Debug Bridge ("adb pull" command)
iOS -- libimobiledevice
System log files:
Android -- logcat command-line tool
iOS -- syslog (instructions exist for non-developers)
iOS Keychain:
iOS Keychain analyzer
RAM:
Android -- Android Debug Bridge ("adb shell dumpsys meminfo")
iOS -- heapdump-ios
a) Locate your app (Android, adb)
adb shell //open a shell on the device
cd /data/data //the directory holding each app's private data
ls //find the app's private directory (named after its package)
b) Pull the app data off the phone
adb pull /data/data/com.anydo AnyDo //adb pull <source-path-on-device> <local-destination>; /data/data is readable only with root
c) Analyze the app data
sqliteman - browse the SQLite databases for stored data
a) Locate your app (iOS, shell on the device)
#App bundle data location:
cd /private/var/mobile/Containers/
ls
#App bundle location:
cd Application/
ls
#App data locations:
cd Application/
ls
#Sort by most recently installed:
ls -lat
#Change into the newest app directory (the one you just installed for testing):
cd 983FCV4-........./
cd Library/Preferences/
ls
#Make a note of the full path from the previous step, for example:
/private/var/mobile/Containers/Application/983FCV4-........./
#From your machine (here in ~/Desktop), scp the app folder off the device:
scp -r root@192.168.xx.xx:/private/var/mobile/Containers/Application/983FCV4-......... App-Files/
b) Analyze the files
- SQLite databases
- plist files
- XML files
- Look for data stored as common hashes or encodings (base64, md5, sha256, etc.)
- When searching for data in large files, command-line tools are best: try grep
- Don't limit yourself to the common storage locations: explore the others too
- iOS apps use a "Cache.db" file (the URL cache), which often holds a large amount of data
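As an added example (not part of the original notes), a small Python triage script that applies the checks above to a pulled app directory, both the Android data pulled with adb and the iOS container copied with scp: it walks SQLite databases, plist files and Android shared_prefs-style XML, and flags values shaped like md5/sha256 hex digests or base64, plus plaintext stored under sensitive-looking keys. The sample files it builds (notes.db, com.example.app.plist, prefs.xml) and the key/value patterns are constructed for illustration; the matching is heuristic, so every hit still needs manual review.

```python
import os, re, sqlite3, plistlib, tempfile
import xml.etree.ElementTree as ET
# Value shapes the notes say to look for: md5/sha256-length hex and base64 blobs (heuristic).
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}")
BASE64 = re.compile(r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
SENSITIVE_KEY = re.compile(r"pass|secret|token|api.?key|session|auth", re.I)

def classify(key, value):  # label a (key, value) pair worth a closer look, else None
    if not isinstance(value, str) or not value:
        return None
    if HEX_DIGEST.fullmatch(value):
        return "md5-length hex" if len(value) == 32 else "sha256-length hex"
    if BASE64.fullmatch(value):
        return "base64-like"
    return "plaintext under sensitive key" if SENSITIVE_KEY.search(str(key)) else None
def extract(path):  # yield (location, key, value) from SQLite, plist or XML; skip other files
    if path.endswith((".db", ".sqlite")):
        con = sqlite3.connect(path)
        for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            cur = con.execute(f'SELECT * FROM "{t}"')
            for row in cur:
                yield from ((t, d[0], v) for d, v in zip(cur.description, row))
        con.close()
    elif path.endswith(".plist"):  # NSUserDefaults-style dictionary in Library/Preferences
        with open(path, "rb") as f:
            yield from (("plist", k, v) for k, v in plistlib.load(f).items())
    elif path.endswith(".xml"):  # Android shared_prefs style: <string name="k">v</string>
        for el in ET.parse(path).getroot():
            yield ("xml", el.get("name", el.tag), el.text)
def scan_app_data(root):  # walk a pulled app directory -> sorted (file, location, key, label)
    return sorted((name, where, str(key), label)
                  for dirpath, _, files in os.walk(root) for name in files
                  for where, key, val in extract(os.path.join(dirpath, name))
                  if (label := classify(key, val)))
def build_sample(root):  # constructed sample files (not real app data) in the three formats
    con = sqlite3.connect(os.path.join(root, "notes.db"))
    con.executescript("CREATE TABLE users(name TEXT, pw_hash TEXT);"
                      "INSERT INTO users VALUES ('alice', '5f4dcc3b5aa765d61d8327deb882cf99');")  # md5("password")
    con.commit(); con.close()
    with open(os.path.join(root, "com.example.app.plist"), "wb") as f:
        plistlib.dump({"api_token": "dGhpcy1pcy1hLXNhbXBsZS10b2tlbg==", "theme": "dark"}, f)
    with open(os.path.join(root, "prefs.xml"), "w") as f:
        f.write('<map><string name="session">abc</string><string name="lang">en</string></map>')
def demo():  # build the sample in a temp dir and scan it
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_app_data(root)
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real pulled directory, wrap the extract() call in a try/except so one file whose extension lies about its format does not abort the whole scan.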