We were on June 17 at Hack In Paris for our presentation:

• Pentesting iPhone & iPad Applications

With live demonstrations of actual iPhone applications, we show some elements of this kind of penetration testing. Of course, due to time constrains, we talk only about some aspects. In particular, we talk only supercially about extracting and decrypting applications because it was already the subject of other presentations.

Our presentation was focused on the following points:

• How to prepare the penetration testing of an iPhone/iPad application
• Quick overview on previous papers on this suject or similar ones
• Our methodology
• Live demonstrations
• Illustrate with some concrete examples security vulnerabilities often found in iPad and iPhone applications

During our demonstations, we have used some of our own tools. There are not specific to iPhone and iPad but can be used in several situations:

• ADVsock2pipe, a Windows command line tool (.NET 4.0) used to connect a TCP socket to a named Windows pipe. ADVsock2pipe can be used for example to make a tcpdump capture on an iPhone (or a Linux, BSD, ...) and see in real-time the capture in Wireshark on a Windows station.
• ADVinteceptor, a Windows command line tool (.NET 4.0) used to intercept communications such as HTTP or HTTPS. ADVinterceptor does not replace tools such as Burp or Webscarab but is complementary. It happends (too often) that applications do not take into account proxy settings. In this situation, how to use your favorite tools like Burp? ADVinterceptor replaces the DNS server and redirects the communications onto itself. Then it makes a request to the actual server and return back the result to the application. Optionnally, it can use a proxy like Burp.

These tools will be published in the next weeks under GPLv3 licence.