Assessing Security Risks of Local Storage on Non-Jailbroken iOS Devices
Hello everyone. While doing iOS application penetration testing, you may have come across a situation where you don’t have a jailbroken iDevice. In such cases, the question always arises: how can we check for Local Storage related vulnerabilities on a non-jailbroken iDevice? The solution is FilzaEscaped. In this article, I’ll explain how to access the iDevice’s root filesystem without jailbreaking it and check for Local Storage related vulnerabilities.
What is FilzaEscaped?

- FilzaEscaped is an iOS file manager with root access. With the FilzaEscaped iOS application, you can access the device’s root filesystem without jailbreaking the iDevice. Also, utilizing it does not violate your warranty. Without jailbreaking the iPhone or iPad, you can still make the changes you need to in its root filesystem.
- The FilzaEscaped app is packed with file viewers, including a Media player, Hex editor, Text editor, SQLite Editor, IPA Installer, DEB Installer, Web viewer, Terminal, etc. Use the app to compress files to ZIP format, and decompress ZIP, 7z, RAR, TAR, TAR.GZ, and GZ archives. FilzaEscaped can also extract DEB/IPA files, view DEB/IPA file information, download a normal file, and copy the HTML link to the Pasteboard.
Using FilzaEscaped, we can test for the following vulnerabilities without jailbreaking the iDevice:
- Local Data Storage
- Excessive Permissions
- Binary Protection
- Side Channel Data Leakage
How to install FilzaEscaped on a non-jailbroken device (currently using FilzaEscaped16; working perfectly up to iOS version 16.1.1):
- Download FilzaEscaped from the below-mentioned link:
- https://basvtdevelopments.com/filzaescaped or https://drive.google.com/file/d/1RbyOw9WdARdIggEqL9lG23RhXLviW8wa/view?usp=sharing
- Download Sideloadly using the below-mentioned link:
- https://sideloadly.io/
- Launch Sideloadly and install FilzaEscaped16.ipa on your non-jailbroken iDevice.

- Navigate to Settings -> General -> Device Management and trust the developer of the FILZAESCAPED application.
- Launch the “FilzaEscaped” application.
- Grant Read/Write permission to FilzaEscaped (“REQUEST_ACCESS_SERVICE_com.apple.app-sandbox.read-write”).

- Now you can access the iOS directories required to perform the above-mentioned test cases:

- Visit the following directories and check whether you are able to access them:
- App Store Applications are installed in the below-mentioned directory:
- /var/containers/Bundle/Application/<UID>/
- Data Directory:
- /var/mobile/Containers/Data/Application/<UID>/
- Shared Data Directory:
- /var/mobile/Containers/Shared/AppGroup/<UID>/
For Example:
- Download the “DVIA-v2” application using the below-mentioned link:
- https://github.com/prateek147/DVIA-v2/releases
- Install it using “Sideloadly”.
- Go to Settings -> General -> Device Management and trust the developer of the “DVIA-v2” application.
- Launch the “DVIA-v2” application.
- Tap the “hamburger menu” on the left side and select Local Data Storage to add some data.

- Navigate to /var/mobile/Containers/Data/Application/<UID>/Documents/userInfo.plist

- Tap userInfo.plist and you can see the saved data in the file.

- In this way, we can access any file and check all locally stored information for sensitive data.
Pulling out the application binary using FilzaEscaped, in case the application is installed from the App Store or TestFlight and the client hasn’t provided you with the .ipa file:
- Navigate to the below-mentioned functional Path:
- /var/containers/Bundle/Application/<APP_UUID>/DVIA-v2.app

- Follow the below-mentioned functional path to log in to your OneDrive/Google Drive account:
- Settings -> Accounts -> Add Accounts -> OneDrive
- Log in using your OneDrive/Google Drive account.
- Repeat Step 1, select the binary file, and click on the copy button. If you prefer, you can also zip the entire folder and transfer that instead.

- Repeat Step 2, select the account, and click on the Pasteboard button to upload the binary to OneDrive/Google Drive.

- Observe that the binary file has been uploaded on the drive.
- On your PC, log in to OneDrive or Google Drive and download the uploaded binary.
- Transfer this binary to any path on a jailbroken device (you can recreate the same path as on the non-jailbroken device, as shown below), or use a MacBook to run the otool, nm, and strings related test cases:
- /var/containers/Bundle/Application/<APP_UUID>/DVIA-v2.app
- Follow this page to learn how to install DarwinCC Tools on a jailbroken device and run otool, nm, and strings related commands without a MacBook.
In this way, you can copy all the contents of the Data Directory and check whether any sensitive data is stored unencrypted in User Defaults plist files, WebView cache files, Local Storage, etc. Once the application’s binary is pulled out, you can also check whether the binary-related protections have been enabled, for example:
- Whether the application binary is compiled without stack canaries (stack smashing protection)
- Whether the application binary is compiled without the ARC flag
- Whether the application binary is compiled without the PIE (ASLR) flag
- Use of any weak hashing algorithm in the binary, such as MD5 or SHA1
- Whether banned/deprecated APIs are used
- Whether the application binary is encrypted
- You can run the strings command on the application binary and check for sensitive data in the strings
- You can run the nm command on the application binary and check whether symbol information is available
- You can also check for any unnecessary permissions requested by the application
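Some of the checks in this list read values that sit directly in the Mach-O file. The following Python code is an added example, not part of the original article: for a thin 64-bit binary it reads the PIE flag and the cryptid field and looks for the stack-canary and ARC symbol names. The function names and the sample bytes are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF        # thin 64-bit Mach-O, little-endian on disk
MH_PIE = 0x200000               # header flag set when the binary is built as PIE
LC_ENCRYPTION_INFO_64 = 0x2C    # load command that carries the cryptid field


def check_macho(data):
    """Return protection indicators for a thin 64-bit Mach-O image given as bytes."""
    magic, _, _, _, ncmds, _, flags, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O; fat and 32-bit files are not handled")
    cryptid, offset = None, 32  # load commands start right after the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmdsize < 8:
            raise ValueError("corrupt load command size")
        if cmd == LC_ENCRYPTION_INFO_64:
            # Layout: cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
            cryptid = struct.unpack_from("<I", data, offset + 16)[0]
        offset += cmdsize
    return {
        "pie": bool(flags & MH_PIE),
        "encrypted": None if cryptid is None else cryptid != 0,
        # Heuristics, equivalent to grepping the symbol list: imported symbol
        # names are stored as plain strings in the binary's string table.
        "stack_canary": b"___stack_chk_fail" in data or b"___stack_chk_guard" in data,
        "arc": b"_objc_release" in data,
    }


def build_sample_macho(pie=True, cryptid=1, symbols=(b"___stack_chk_fail", b"_objc_release")):
    """Build a constructed, minimal Mach-O-shaped byte string (not a real app binary)."""
    flags = MH_PIE if pie else 0
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, flags, 0)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return header + enc + b"\0" + b"\0".join(symbols) + b"\0"


if __name__ == "__main__":
    print(check_macho(build_sample_macho()))
    print(check_macho(build_sample_macho(pie=False, cryptid=0, symbols=())))
```

For a real binary, pass the file's bytes to `check_macho`. When `encrypted` is true, the range described by that load command is still encrypted on disk, so strings output taken from that range will not show the application's real string literals.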
You can use disassembler tools such as Ghidra, Hopper, radare2, or IDA Pro to check for vulnerabilities like:
- Whether binary obfuscation is implemented
- Whether a pseudo-random number generator is used
You can also pull out .db, .txt, .pdf, .plist, .js, screenshot, cache, and cookie files, and open them with the respective tools, such as DB Browser for SQLite, Notepad, or a plist editor, to check whether any sensitive data is stored in the application’s Local Storage.
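The manual review of copied plist and database files, as in the userInfo.plist walkthrough and the Data Directory check above, can be given a first automated pass. The following Python script is an added example, not part of the original article: it scans a copied container for plist keys and SQLite columns whose names look sensitive. The name patterns, the function names and the sample files it builds are assumptions made for illustration.

```python
import plistlib
import re
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed key-name patterns; tune them for the application under test.
SENSITIVE = re.compile(r"pass(word|code)?|secret|token|api[_-]?key|session|credential", re.I)

def plist_hits(obj, trail=""):
    """Yield key paths in a parsed plist whose key name looks sensitive."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if SENSITIVE.search(str(key)):
                yield f"{trail}/{key}"
            yield from plist_hits(value, f"{trail}/{key}")
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            yield from plist_hits(item, f"{trail}[{index}]")

def sqlite_hits(path):
    """Return table.column names that look sensitive; the file is opened read-only."""
    sql = "SELECT m.name, p.name FROM sqlite_master m, pragma_table_info(m.name) p"
    with closing(sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)) as con:
        return [f"{table}.{col}" for table, col in con.execute(sql) if SENSITIVE.search(col)]

def scan_container(root):
    """Return sorted (relative file, location) findings for a copied Data container."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        try:
            if path.suffix == ".plist":  # plistlib reads both XML and binary plists
                hits = list(plist_hits(plistlib.loads(path.read_bytes())))
            else:
                hits = sqlite_hits(path) if path.suffix in (".db", ".sqlite") else []
        except (plistlib.InvalidFileException, ExpatError, sqlite3.DatabaseError):
            hits = ["unparsed, inspect manually"]
        findings += [(path.relative_to(root).as_posix(), hit) for hit in hits]
    return sorted(findings)

def build_sample_container():
    """Create a constructed sample folder (not real app data) and return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "userInfo.plist").write_bytes(plistlib.dumps({"username": "demo", "password": "demo"}))
    (root / "broken.plist").write_bytes(b"not a plist")
    with closing(sqlite3.connect(root / "app.db")) as con:
        con.executescript("CREATE TABLE accounts (id INTEGER, auth_token TEXT);")
    return root
```

Call `scan_container` with the folder copied off the device; each finding names the file and the key or column to open in a plist editor or DB Browser for SQLite.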
Linkedin: https://www.linkedin.com/in/akash-katare-382802117
Twitter: https://twitter.com/AkashKatare18