In 2013, assessing the security of iOS applications still involves a lot of manual, time-consuming tasks - especially when performing a black-box assessment. Without access to source code, a comprehensive review of these applications currently requires in-depth knowledge of various APIs and the ability to use relatively complex, generic tools such as Cycript or Mobile Substrate - or to jump straight into the debugger.
To simplify this process, we are releasing Introspy - an open-source security profiler for iOS. Introspy is designed to help penetration testers understand what an application does at runtime.
The tool comprises two separate components: an iOS tracer and an analyzer.
The iOS tracer can be installed on a jailbroken iOS device. It hooks security-sensitive APIs called by a given application, including functions related to cryptography, IPCs, data storage / protection, networking, and user privacy. The details of each call are recorded and persisted in a SQLite database on the device.
This database can then be fed to the Introspy analyzer, which generates an HTML report displaying all recorded calls, plus a list of potential vulnerabilities affecting the application.
Once installed, the tracer stores in a SQLite database all calls made by iOS applications to security-sensitive APIs.
The tracer lets the user choose which iOS app should be monitored.
The tracer lets the user choose which APIs should be recorded.
The tracer can be configured to log all profiled calls to the console in real time.
The analyzer is a Python script that can process a SQLite database generated by the tracer and output various information about the traced calls or generate an HTML report.
The analyzer can connect to a device over SSH and recover DB files generated by the tracer:
$ python introspy.py 192.168.1.127 --outdir e-bank
email@example.com's password:
0. ./Applications/94656731-0259-4AE9-9EEE-BADC9244AD82/introspy-com.isecpartners.e-bank.db
1. ./introspy-com.apple.mobilemail.db
2. ./introspy-com.isecpartners.introspytestapp.db
Select the database to analyze: 0
The analyzer can generate HTML reports displaying the list of all traced calls, including arguments and return values.
The analyzer also explicitly flags potentially dangerous or interesting function calls.
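To illustrate the tracer-to-analyzer flow described above (calls persisted in SQLite, then rules flagging risky ones), here is an added Python example that is not part of Introspy itself. The table layout, the sample trace rows and the three rules are constructed assumptions for this example; only the iOS API and constant names (CCCrypt, kCCAlgorithmDES, NSFileProtectionNone, NSURLConnection) are real.

```python
import json
import sqlite3

# Constructed stand-in for the tracer's database layout (an assumption for
# this example, not Introspy's real schema).
SCHEMA = """CREATE TABLE calls (id INTEGER PRIMARY KEY, api_group TEXT,
    api TEXT, arguments TEXT, return_value TEXT)"""

# Constructed sample trace: the kind of calls a tracer run records.
SAMPLE_CALLS = [
    ("crypto", "CCCrypt", '{"alg": "kCCAlgorithmDES", "keyLength": 8}', "0"),
    ("crypto", "CCCrypt", '{"alg": "kCCAlgorithmAES128", "keyLength": 32}', "0"),
    ("storage", "NSFileManager createFileAtPath:contents:attributes:",
     '{"path": "/Documents/creds.plist", "NSFileProtectionKey": "NSFileProtectionNone"}',
     "YES"),
    ("network", "NSURLConnection initWithRequest:delegate:",
     '{"url": "http://api.example.invalid/login"}', "<NSURLConnection>"),
]

# Analyzer rules: (api_group, predicate over decoded arguments, finding text).
RULES = [
    ("crypto", lambda a: a.get("alg") in ("kCCAlgorithmDES", "kCCAlgorithmRC4"),
     "weak cipher"),
    ("storage", lambda a: a.get("NSFileProtectionKey") == "NSFileProtectionNone",
     "file stored without data protection"),
    ("network", lambda a: a.get("url", "").startswith("http://"),
     "cleartext HTTP request"),
]


def build_trace_db(path=":memory:"):
    """Create a trace database and load the constructed sample calls."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO calls (api_group, api, arguments, return_value)"
                     " VALUES (?, ?, ?, ?)", SAMPLE_CALLS)
    conn.commit()
    return conn


def analyze(conn):
    """Return [(call_id, api, finding)] for every traced call matching a rule."""
    findings = []
    for call_id, group, api, args_json in conn.execute(
            "SELECT id, api_group, api, arguments FROM calls"):
        args = json.loads(args_json)
        for rule_group, matches, finding in RULES:
            if group == rule_group and matches(args):
                findings.append((call_id, api, finding))
    return findings
```

Running `analyze(build_trace_db())` flags the DES call, the unprotected file write and the cleartext request, while the AES-128 call passes untouched.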
Instructions are available in the project's README in Introspy's GitHub repository.