Greetings to all from Porta Petrion,
In this article, I would like to tell you how I determined the username from a file I encountered during mobile security tests and then took over the developer’s account.
1. I received the necessary information from our project manager that the security tests of the mobile application belonging to the “private” company will be carried out by me.
2. First, I verified the scope form and provided the necessary application files.
3. By installing the application files on my device, I started to perform the steps of the security test, as the first step, I started the discovery steps.
4. In the light of the information I obtained during the exploration phase, I continued the security test by focusing on dynamic tests. After the dynamic tests were finished, I started to apply static-sided operations. After detecting various vulnerabilities, I started my iOS device to check the physical files of the relevant application.
5. While I was doing the necessary security steps on the physical files, I logged into the “/private/var/containers/Bundle/Application/<id>/SC_Info/” directory where the details of the IPA file are stored and in the directory “.sinf/.supf/etc…” I started to examine the files in detail.
6. So what is *.sinf file?
Data file used by iOS apps; Contains DRM data about iTunes authorization such as username. — Ref : https://fileinfo.com/extension/sinf
7. In the light of this information, I started to examine the relevant file more carefully, but I preferred to use the “hex editor” to analyze this format better.
8. So what is the output we expect to get after the analysis?
We hope to obtain the “Username” information from the relevant file.
9. After analyzing the required file with the Hex editor, it has been determined that the username information of the developer of the relevant application is stored.
10. With the detected information, I switched to the dynamic side again and created a password list for the relevant “username” on the login screen and started to perform a brute force attack by taking advantage of the rate limiting deficiency, and I was able to successfully detect the password information of the relevant user.
11. And after the password information was determined, it was possible to switch to the user account belonging to the developer.
12. The vulnerability has been recorded in the security report, along with the necessary evidence and explanations.
By investigating what the files you come across do and what information they contain, you can analyze how the relevant file can be abused in security tests, and at the end of the day, you can detect critical vulnerabilities.