Awesome

Awesome Apple Security List

Curated list of tools, techniques and resources related to Apple Security (macOS, iOS, iPadOS, tvOS, watchOS) aimed to help people with an interest in Apple related cyber security topics to gain a foothold in this field.

Contents

• Awesome Apple Security List
  • Contents
  • Forensics
    • Acquisition and Evidence Collection
  • Apple Guidance
  • Attack Vectors and Adversary Techniques
  • Blogs
  • Articles
  • Books and Magazines
  • People
  • Software Collections
  • Malware
  • Hardware Information
  • Log Analysis
  • Processes
  • Persistence
  • Tools
    • Process Viewer
    • File System
    • Offensive Tools
    • Reverse Engineering Tools
    • Dynamic Analysis Tools
    • Static Analysis Tools
    • Frida
  • Conferences
  • Trainings
  • Videos
  • Contributing

Forensics

Acquisition and Evidence Collection

• Cellebrite Digital Collector (Former Macquisition) - Commercial Tooling for Acquisition of macOS Forensic Images.
• mac_apt - Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files.
• Auditor - Deprecated macOS DFIR tool for older systems.
• Collector - macOS offshoot for live response.
• The ESF Playground - A tool to view the events in Apple Endpoint Security Framework (ESF) in real time.

Apple Guidance

• Developers Documentation - Developer Documentation for reference.
• Security Documentation - Security Documentation of Apple Products.
• Report Vulnerabilities - In case you want to submit a vulnerability to Apple.
• Apple Security Bounty - Apple's Bug Bounty Program information.
• Apple Platform Security - Apple Information on Platform Security.
• Apple File System - Documentation on the filesystem.

Attack Vectors and Adversary Techniques

• MITRE ATT&CK - macOS Matrix - Tools, Techniques and Attack Vectors used by adversaries to target macOS devices.
• Sandbox Evasion Macros - How to evade the sandbox with MS Office Macros.

Blogs

• Mac Security Blog - Generic Blog on macOS Security.
• Wojciech Regula's Blog - Wojciech's macOS Related blog.
• Cedric Owens Medium Blog - Cedric Owens Blog on macOS Security.
• Objective-See by Patrick Wardle - Patrick Wardle's Website.
• Mac4n6 - Mac Forensics.
• Mandiant - Mandiant macOS Articles.

Articles

• RE Cocoa Applications -
• Office365 Sanbox Escape - Sandbox Escape macOS for Office365.

Books and Magazines

• The Art of Mac Malware - Primer on malware on macOS by Patrick Wardle.
• macOS Incident Response - macOS Incident Response primer (2017).
• Kernel Book - Book in three parts about the macOS Kernel.
• macOS Internals - Internals of macOS (2007).
• Kernel Programming - Kernel Programming reference for macOS / iOS.
• eForensics Magazine - Magazine for (macOS) Forensics.
• iOS Forensics for Investigators - iOS Forensics Book.
• iOS Hacking Guide - By Security Innovation.
• iOS Application Security: The Definitive Guide for Hackers and Developers - By David Thiel.
• iOS Penetration Testing: A Definitive Guide to iOS Security - By Kunal Relan.
• Learning iOS Penetration Testing - By Swaroop Yermalkar.
• Hacking and Securing iOS Applications - By Jonathan Zdziarski.
• iOS Hacker's Handbook - By Charlie Miller.

People

• Cedric Owens - X - macOS Security Researcher and Purple Teamer.
• Csaba Fitzl - X - Hungarian Researcher specialized on macOS Security.
• Patrick Wardle - X - Founder of Objective-see, and Security Researcher.
• Sarah Edwards - X - Security Researcher and Trainer of SANS 518 Course.
• Cody Thomas - GitHub - Developer of Mythic C2.
• Regula Wojciech - X - macOS Security Researcher.
• Alexis Brignoni - X - DFIR Researcher, iLEAPP Developer.

Software Collections

• Macintosh Repository - Repository of old macOS Software.

Malware

• The Safe Mac - Older macOS Malware Catalogue.
• VX-Underground - Malware Collection (various OS).
• VX-Underground Malware Source Code - Malware Sourcecode collection (various OS).
• Objective-See Malware - Malware Collection by Patrick Wardle.

Hardware Information

• Hardware Database - Lookup hardware specifications of every mac model.
• M1 Chip Safe Mode - Blogpost on M1 Chipset Safe Mode.

Log Analysis

• Unified Log - A primer on macOS Unified Log.
• Unified Log in Incident Response - Using the Unified Log for Incident Response.

Processes

• True Tree - Improved process tree.
• Process and File Monitor - Command Line Utilit(ies) to monitor processes and files.

Persistence

• Persistence Samples - Collection of persistence methods and samples used.
• Knockknock - Displays persistence items in macOS.
• PersistentJXA - Collection of macOS persistence methods in JXA.
• Apple Persistence Mechanisms - Persistence Mechanisms.

Tools

Process Viewer

• Process Tree - Process tree Repository.

File System

• iOS FS Event Parser - Parsing filesystem events.
• FS Monitor - FS Monitor to view live file system changes.
• macOS FS Events Parser - FS Events Parser.

Offensive Tools

• Mythic C2 - Mythic C2 Framework Documentation.
• VOODOO - Browser Attack Framework for macOS.
• SwiftSpy - macOS Keyloger written in Swift.

Reverse Engineering Tools

• Hopper - A reverse engineering tool that will assist you in your static analysis of executable files.
• Ghidra - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
• Radare2 - UNIX-like reverse engineering framework and command-line toolset.
• Cutter - Free and Open Source Reverse Engineering Platform powered by rizin.
• frida-ios-dump - A tool to pull a decrypted IPA from a jailbroken device.
• bagbak - Yet another frida based App decryptor. Requires jailbroken iOS device and frida.re.
• flexdecrypt - An iOS App & Mach-O binary decryptor.
• bfdecrypt - Utility to decrypt App Store apps on jailbroken iOS 11.x.
• bfinject - Easy dylib injection for jailbroken 64-bit iOS 11.0 - 11.1.2. Compatible with Electra and LiberiOS jailbreaks.
• r2flutch - Yet another tool to decrypt iOS apps using r2frida.
• Clutch - A high-speed iOS decryption tool.
• dsdump - An improved nm + objc/swift class-dump tool.
• class-dump - A command-line utility for examining the Objective-C segment of Mach-O files.
• SwiftDump - A command-line tool for retriving the Swift Object info from Mach-O file.
• jtool - An app inspector, disassembler, and signing utility for the macOS, iOS.
• Sideloadly - An app to sideload your favorite games and apps to Jailbroken & Non-Jailbroken iOS devices.
• Cydia Impactor - A GUI tool for sideloading iOS application.
• AltStore - Allows to sideload other apps (.ipa files) onto iOS device.
• iOS App Signer - An app for macOS that can (re)sign apps and bundle them into ipa files that are ready to be installed on an iOS device.

Dynamic Analysis Tools

• Corellium - The only platform offering ARM-based mobile device virtualization using a custom-built hypervisor for real-world accuracy and high performance.
• Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
• frida-gum - Cross-platform instrumentation and introspection library written in C.
• Fridax - Fridax enables you to read variables and intercept/hook functions in Xamarin/Mono JIT and AOT compiled iOS/Android applications.
• r2frida - Radare2 and Frida better together.
• r2ghidra - An integration of the Ghidra decompiler for radare2.
• iproxy - A utility allows binding local TCP ports so that a connection to one (or more) of the local ports will be forwarded to the specified port (or ports) on a usbmux device.
• itunnel - Use to forward SSH via USB.
• objection - A runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.
• Grapefruit - Runtime Application Instruments for iOS.
• Passionfruit - Simple iOS app blackbox assessment tool, powered by frida 12.x and vuejs.
• Runtime Mobile Security (RMS) - Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime.
• membuddy - Dynamic memory analysis & visualisation tool for security researchers.
• unidbg - Allows you to emulate an Android ARM32 and/or ARM64 native library, and an experimental iOS emulation.
• Qiling - An advanced binary emulation framework.
• fishhook - A library that enables dynamically rebinding symbols in Mach-O binaries running on iOS.
• Dwarf - Full featured multi arch/os debugger built on top of PyQt5 and frida.
• FridaHookSwiftAlamofire - A frida tool that capture GET/POST HTTP requests of iOS Swift library 'Alamofire' and disable SSL Pinning.
• ios-deploy - Install and debug iOS apps from the command line. Designed to work on un-jailbroken devices.
• aah - Run iOS arm64 binaries on x86_64 macOS, with varying degrees of success.
• LLDB - A next generation, high-performance debugger.
• mitmproxy - A free and open source interactive HTTPS proxy.
• Burp Suite - An advanced HTTPS proxy software.

Static Analysis Tools

• iLEAPP - An iOS Logs, Events, And Plist Parser.
• Keychain Dumper - A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.
• BinaryCookieReader - A tool to read the binarycookie format of Cookies on iOS applications.
• PList Viewer - Gtk application to view property list files.
• XMachOViewer - A Mach-O viewer for Windows, Linux and macOS.
• MachO-Explorer - A graphical Mach-O viewer for macOS. Powered by Mach-O Kit.
• iFunbox - A general file management software for iPhone and other Apple products.
• 3uTools - An All-in-One management software for iOS devices.
• iTools - An All-in-One solution for iOS devices management.

Frida

• FridaSwiftDump - A Frida script for retriving the Swift Object info from an running app.
• iOS 13 SSL Bypass - SSL Pinning Bypass for iOS 13.
• iOS 12 SSL Bypass - SSL Pinning Bypass for iOS 12.
• iOS Jailbreak Detection Bypass - A Frida script used for bypass iOS jailbreak detection by hooking some methods and functions.
• iOS App Static Analysis - Script for iOS app's static analysis.
• Touch ID Bypass - A Frida script for iOS Touch/Face ID Bypass.

Conferences

• MacDevOps YVR
• OBTS

Trainings

• OffSec EXP-312 - Advanced macOS Control Bypass Trainin by OffSec's @theevilbit.
• Sumuri - Forensics Training in two parts for macOS, to gain Certified Forensic Mac Examiner Certification.
• SANS 518 - Course at SANS for macOS and iOS Forensics.
• Objective-by-the-sea - Security Conference (macOS) organized by Patrick Wardle.
• SpecterOPS - SPECTEROPS macOS Adversary Tactics.
• Pentesting iOS Applications - By PentesterAcademy.
• iOS Pentesting - By Mantis.
• iOS Application Pentesting Series - By Sateesh Verma.
• IOS: Penetration Testing - By Noisy Hacker.

Videos

• Curated YouTube Playlist - Curated YouTube playlist with macOS/iOS Security Topics.

Contributing

Your contributions are always welcome! Please read the contribution guidelines first.