Reference:
https://mobexler.com/checklist.htm https://enciphers.com/awesome-ios-application-security/ https://codifiedsecurity.com/mobile-app-security-testing-checklist-ios/ https://developer.apple.com/documentation/webkit/wkwebview https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet https://medium.com/inbughunters/basic-ios-apps-security-testing-lab-1-2bf37c2a7d15
OWASP testing: https://docs.google.com/document/d/1N7zMXlFHtWfc00xa6lRHnVB60U4BZO4SbUrWYMbojVM/edit
http://damnvulnerableiosapp.com/#solutions
https://appsec-labs.com/iot-attacks-tests/
https://appsec-labs.com/portal/kb/
https://github.com/ashishb/osx-and-ios-security-awesome https://github.com/prateek147/DVIA-v2 https://github.com/ansjdnakjdnajkd/iOS https://github.com/ivRodriguezCA/RE-iOS-Apps
https://github.com/felixgr/secure-ios-app-dev https://github.com/kai5263499/osx-security-awesome https://www.theiphonewiki.com/ http://www.securitylearn.net/ https://support.apple.com/en-gb/guide/security/welcome/web https://support.apple.com/en-gb/guide/security/sec35dd877d0/1/web/1 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md https://help.apple.com/xcode/mac/current/#/dev88ff319e7
https://github.com/rustymagnet3000/debugger_challenge#challenge-find-encryption-key
https://github.com/Siguza/ios-resources
Keychain touchid and face id: https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id
http://iphonedevwiki.net/index.php/Main_Page
https://siguza.github.io/psychicpaper/
https://github.com/BishopFox/bfinject
Decrypt IPA: bfinject -P AppName -L decrypt
https://github.com/AloneMonkey/frida-ios-dump
SSL Pinning bypass: SSL kill switcher + mobile assistant Frida
SSL pinning bypass below ios 10 it will work: https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing
open info.plist and modify UIDeviceFamily to 1
install ipad apps on iphone
Memory corruption bugs:
memcpy, strcpy, sprintf etc.
Open info.plist it will contains information on URL schemes registered by application under the CFBundleURLTypes key
Reverse binary online:
SSL checklist for pentester manual testing:
http://www.exploresecurity.com/wp-content/uploads/custom/SSL_manual_cheatsheet.html
Reference:
https://codifiedsecurity.com/resources/
https://appsec-labs.com/iot-attacks-tests/