iOSVulnLab
Jun 15, 2023

Intentionally Vulnerable Training App
A break-me-on-purpose playground that bundles the “greatest hits” of iOS security mistakes so engineers and pentesters can sharpen their claws—without risking a real production app.
The project is open source on GitHub and is used in my mobile-security workshops and university courses, which follow the OWASP MASVS and MASTG curricula.
Overview
iOSVulnLab is a full-featured, but deliberately flawed, Swift app that mimics a real app. Every major layer (storage, networking, UI, auth, crypto) contains at least one exploitable weakness, giving learners a realistic, end-to-end target for:
Static analysis (code review, config inspection, secure-storage checks)
Dynamic analysis (runtime hooking, proxy interception, tampering)
MASVS mapping—each flaw is tagged to its corresponding control for easy reporting
Features & Built-In Vulnerabilities (spoiler alert)
| Functional Area | Vulnerability Highlights |
|---|---|
| Secure Storage | • Unprotected Keychain items • Secrets and feature flags in clear-text UserDefaults |
| App Configuration | • API keys and endpoints exposed in Info.plist • Hard-coded credentials in source |
| Networking | • ATS disabled • No certificate pinning on HTTPS calls |
| Web Views | • Unrestricted SFSafariViewController redirects • Injectable JS in WKWebView |
| Logging & Debug | • Verbose logs leaking PII • Hidden debug menus and back-door API endpoints |
| Access Control | • Role checks bypassable via parameter tampering |
| Easter Eggs | • Undocumented features and "flag" endpoints for CTF-style challenges |
Suggested Testing Scenarios
Static Analysis – grep the source and Info.plist for hard-coded secrets and endpoints; inspect crypto usage for misuse.
HTTP Interception – proxy the traffic and confirm that ATS is disabled and no certificate pinning is enforced.
Local Storage – dump UserDefaults, the Keychain and SQLite databases and look for sensitive data stored in clear text.
Auth Bypass – tamper with request payloads and in-app parameters to reach admin-only views.
Runtime Instrumentation – hook methods with Frida/Objection to expose hidden menus and flags.
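As an added example of the static-analysis and local-storage scenarios above (not code from iOSVulnLab), the script below audits an Info.plist for disabled ATS, cleartext endpoints and shipped API keys, and scans a UserDefaults dump for secret-looking keys and values, tagging each finding with the MASVS control it maps to. The plists are constructed inline to mirror the misconfigurations in the table; on a real target you would point it at the Info.plist from the unpacked .ipa and the app's preferences plist from Library/Preferences in its container. The regexes and the MASVS tags are my own choices for the example.

```python
"""Static checks for an iOS bundle's Info.plist and a UserDefaults dump.

Added example for this page, not code from iOSVulnLab. The plists below are
constructed samples; pass real file paths on the command line to audit a target.
"""
import plistlib
import re
import sys

# Constructed Info.plist with the table's misconfigurations: ATS disabled
# globally, an API key and a cleartext endpoint shipped in the plist.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.vulnlab</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
  <key>APIKey</key><string>sk_live_0123456789abcdef</string>
  <key>APIEndpoint</key><string>http://api.example.com/v1</string>
</dict>
</plist>
"""

# Same bundle hardened: ATS left at its enforced default, HTTPS endpoint,
# no secret in the plist (the key belongs in the Keychain or on the server).
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.vulnlab</string>
  <key>APIEndpoint</key><string>https://api.example.com/v1</string>
</dict>
</plist>
"""

# Constructed UserDefaults dump: a session token and a password in clear
# text next to harmless preferences.
USER_DEFAULTS_DUMP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>isAdmin</key><false/>
  <key>sessionToken</key><string>eyJhbGciOiJIUzI1NiJ9.e30.sig</string>
  <key>lastLogin</key><string>2023-06-15</string>
  <key>password</key><string>hunter2</string>
</dict>
</plist>
"""

# Key names that usually hold credentials, and value prefixes of well-known
# credential formats (Stripe live keys, AWS access key IDs, JWTs).
SECRET_KEY_RE = re.compile(r"api[_-]?key|secret|token|password|passwd|credential", re.I)
SECRET_VALUE_RE = re.compile(r"^(sk_live_|AKIA[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]+\.)")


def find_secrets(node: dict, path: str = "") -> list[str]:
    """Return key paths whose name or string value looks like a secret."""
    hits = []
    for key, value in node.items():
        full = f"{path}/{key}" if path else key
        if isinstance(value, dict):
            hits.extend(find_secrets(value, full))
        elif isinstance(value, str) and (SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(value)):
            hits.append(full)
    return hits


def audit_ats(info: dict) -> list[tuple[str, str]]:
    """Flag App Transport Security settings and endpoints that allow cleartext HTTP."""
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("MASVS-NETWORK-1", "NSAllowsArbitraryLoads disables ATS for every host"))
    for host, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("MASVS-NETWORK-1", f"insecure HTTP allowed for {host}"))
    for key, value in info.items():
        if isinstance(value, str) and value.startswith("http://"):
            findings.append(("MASVS-NETWORK-1", f"cleartext endpoint in key {key}"))
    return findings


def audit_info_plist(raw: bytes) -> list[tuple[str, str]]:
    info = plistlib.loads(raw)
    return audit_ats(info) + [("MASVS-STORAGE-1", f"secret-like value in Info.plist key {k}")
                              for k in find_secrets(info)]


def audit_user_defaults(raw: bytes) -> list[tuple[str, str]]:
    return [("MASVS-STORAGE-1", f"sensitive value in UserDefaults key {k}")
            for k in find_secrets(plistlib.loads(raw))]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python audit.py Info.plist <bundle-id>.plist
        info_raw, prefs_raw = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        info_raw, prefs_raw = WEAK_INFO_PLIST, USER_DEFAULTS_DUMP
    for control, detail in audit_info_plist(info_raw) + audit_user_defaults(prefs_raw):
        print(f"{control}: {detail}")
```

Run with no arguments to see the three Info.plist findings and the two UserDefaults findings from the samples; the hardened plist produces none. The same `find_secrets` walk works on a Keychain dump converted to a plist or dict, but note that it only spots secrets by name or format, so a review of the remaining string values is still needed.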