igoat: A Deliberately Insecure Application to learn iOS App Pentesting and Defense
OWASP iGoat – A Learning Tool for iOS App Pentesting and Security
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project and has a similar conceptual flow to it.
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
The lessons are laid out in the following steps:
- Brief introduction to the problem.
- Verify the problem by exploiting it.
- Brief description of available remediations to the problem.
- Fix the problem by correcting and rebuilding the iGoat program.
Step 4 is optional but highly recommended for all iOS developers. Assistance is available within iGoat if you don’t know how to fix a specific problem.
Vulnerabilities Covered (version 3.0):
- Key Management
- Hardcoded Encryption Keys
- Key Storage Server Side
- Random Key Generation
- URL Scheme Attack
- Social Engineering
- Reverse Engineering
- String Analysis
- Data Protection (Rest)
- Local Data Storage (SQLite)
- Plist Storage
- Keychain Usage
- NSUserDefaults Storage
- Data Protection (Transit)
- Server Communication
- Public Key Pinning
- Authentication
- Remote Authentication
- Side Channel Data Leaks
- Device Logs
- Cut-and-Paste
- Backgrounding
- Keystroke Logging
- Tampering
- Method Swizzling
- Injection Flaws
- SQL Injection
- Cross Site Scripting
- Broken Cryptography
Download
Setup
Copyright (C) 2016 Swaroop Yermalkar
Source: https://github.com/OWASP/
