f

Author: carlospolop

src/mobile-pentesting/ios-pentesting/README.md

@@ -136,6 +136,26 @@ Identification of **protections are present in the binary**:
   grep -iER "_vsprintf"
   ```
 
+#### Common Jailbreak detection methods
+
+- **File System Checks**: Look for the presence of common jailbreak files and directories, such as `/Applications/Cydia.app` or `/Library/MobileSubstrate/MobileSubstrate.dylib`.
+- **Sandbox Violations**: Attempt to access restricted areas of the file system, which should be blocked on non-jailbroken devices.
+- **API Checks**: Check if it's possible to use forbidden calls like `fork()` to create a child process or `system()` to see if /bin/sh exists.
+- **Process Checks**: Monitor for the presence of known jailbreak-related processes, such as `Cydia`, `Substrate`, or `ssh`.
+- **Kernel Exploits**: Check for the presence of kernel exploits that are commonly used in jailbreaks.
+- **Environment Variables**: Inspect environment variables for signs of a jailbreak, such as `DYLD_INSERT_LIBRARIES`.
+- **Libraries Check**: Check the libs that are loaded into the app process.
+- **Check schemes**: Like `canOpenURL(URL(string: "cydia://"))`.
+
+#### Common Anti-Debugging detection methods
+
+- **Check for Debugger Presence**: Use `sysctl` or other methods to check if a debugger is attached.
+- **Anti-Debugging APIs**: Look for calls to anti-debugging APIs like `ptrace` or `SIGSTOP` like `ptrace(PT_DENY_ATTACH, 0, 0, 0)`.
+- **Timing Checks**: Measure the time taken for certain operations and look for discrepancies that may indicate debugging.
+- **Memory Checks**: Inspect memory for known debugger artifacts or modifications.
+- **Environment Variables**: Check for environment variables that may indicate a debugging session.
+- **Mach Ports**: Detect if mach exception ports are being used by debuggers.
+
 ### Basic Dynamic Analysis
 
 Check out the dynamic analysis that [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) perform. You will need to navigate through the different views and interact with them but it will be hooking several classes on doing other things and will prepare a report once you are done.

src/mobile-pentesting/ios-pentesting/ios-basics.md

@@ -2,6 +2,30 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
+## Filesystem Folders
+
+- `/Applications`: Contains all the installed native applications on the device (e.g. `/Applications/Calculator.app`)
+- `/var/containers/Bundle/application/[uuid]`: Contains the application bundles for installed apps.
+- `/var/mobile/Containers/Data/Application/[uuid]`: Contains the data for the installed applications.
+- `/System`: Contains the core system files and libraries.
+- `/Library`: Contains system-wide resources and settings.
+- `/User`: Contains user-specific data and settings.
+- `/Development`: Empty unless you press the "Use for development" button
+- `/dev`: Contains device files.
+- `/Core`: Contains OS core dumps.
+- `/private/var/mobile/Library/Logs/CrashReporter/<appname-date>*`: Contains crash logs for the specified application.
+- Many other common unix folders...
+
+### SQLite DBs
+
+SQLite DBs are widely used in iOS and Android applications for local data storage. They provide a lightweight, serverless database solution that is easy to integrate and use within mobile apps.
+
+A SQLite DB usually generates 3 files:
+- `<name>.db`: The main database file.
+- `<name>.db-shm`: The journal file which stores data before a transaction change (for DB restoration if needed).
+- `<name>.db-wal`: The write-ahead log file which stores the new data until it's ready to commit to the DB for faster processing.
+
+
 ## Privilege Separation and Sandbox
 
 In iOS, a distinction in privilege exists between the user-accessible applications and the system's core processes. Applications run under the **`mobile`** user identity, while the crucial system processes operate as **`root`**. This separation is enhanced by a sandbox mechanism, which imposes strict limitations on what actions applications can undertake. For instance, even if applications share the same user identity, they are prohibited from accessing or modifying each other's data.