Logging – Mobile Application Penetration Testing #6


Welcome back to the long-awaited next entry in Brackish Security’s Mobile Application Penetration Testing series. When conducting mobile application penetration testing, inspecting logs on iOS and Android is a crucial step in understanding how an app behaves, particularly in how it handles sensitive data, error handling, and debugging information. Log files can provide insight into how the app interacts with the operating system, communicates with external services, and manages user data. Sometimes you’ll find new endpoints, sensitive information getting logged, or other errors indicating vulnerabilities in the application, and you know what that means: some Critical or High findings and/or some of that sweet bug bounty money!

iOS Mobile Application Logs

There are several ways to view iOS logs on macOS. To start, attach your iOS device to your Mac.

Then, press Command + Space, search for Console, and open the Console app. You should see your attached iOS device on the left-hand side. Select your device, and then select Start Streaming.

[Image: Mobile Application Penetration Testing]

The device logs should now stream in the console app. You can search on the top right to filter for whatever application you need to see the logs for.

In the image above, we are filtering for logs related to the Safari web browser.

Also, on macOS or Linux you can install libimobiledevice to view the logs in a terminal.

In the above image, after installing libimobiledevice, we run the command

idevicesyslog --process Maps

which gives us the Maps application logs.

Android Mobile Application Logs

Viewing Android application logs is very simple. First you need to install ADB, if you haven’t already.

adb logcat | grep 'com.example.yourapp'

And that is all you have to do. Your logs should stream on the command line and be filtered as needed.
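Once the logs are streaming, the real work is triage: filtering to the app under test and spotting the things this post says to look for (secrets in log messages, new endpoints). The script below is an added example, not code from the original post or from Brackish Security. It runs over a constructed sample of `adb logcat -v threadtime` output embedded in the script (the PIDs, package name, URL and token are all made up), filters by process id instead of grepping for the package name, and then flags lines that look like leaked credentials and lists any URLs so you can enumerate endpoints. The same functions can be run over a saved capture by replacing the sample with `adb logcat -v threadtime -d`.

```shell
#!/bin/sh
# Added example (not from the original post): triage a logcat capture for
# sensitive-looking values and endpoints. All input below is constructed.

# Constructed sample in `adb logcat -v threadtime` layout:
#   date time PID TID level TAG: message
# PID 4321 is the hypothetical app under test; 1234 and 5555 are other processes.
SAMPLE_LOG='01-01 12:00:01.000  1234  1234 I ActivityManager: Start proc 4321:com.example.yourapp/u0a123
01-01 12:00:02.100  4321  4321 D LoginActivity: Logging in user alice
01-01 12:00:02.300  4321  4350 D OkHttp: Authorization: Bearer SAMPLE_TOKEN_NOT_REAL
01-01 12:00:02.500  4321  4350 D OkHttp: --> POST https://api.example.invalid/v2/internal/reset
01-01 12:00:03.000  4321  4321 E LoginActivity: password=hunter2 rejected by server
01-01 12:00:03.200  5555  5555 I SystemUI: battery level 87'

# pid_lines PID: keep only lines emitted by the given process id.
# Filtering on the PID column catches every line the app writes, including
# those whose tag (OkHttp, LoginActivity) never mentions the package name,
# which a plain `grep com.example.yourapp` would miss.
pid_lines() {
    awk -v pid="$1" '$3 == pid'
}

# flag_sensitive: keep lines whose message contains patterns that usually
# mean a secret is being written to the log (tokens, passwords, cookies).
flag_sensitive() {
    grep -Ei 'authorization:|bearer |password=|passwd|secret|set-cookie|api[_-]?key'
}

# endpoints: pull every URL out of the log so new API endpoints can be listed.
endpoints() {
    grep -Eo 'https?://[^[:space:]"]+' | sort -u
}

# count_sensitive PID: number of sensitive-looking lines for that process.
count_sensitive() {
    printf '%s\n' "$SAMPLE_LOG" | pid_lines "$1" | flag_sensitive | wc -l | tr -d ' '
}

# count_endpoints PID: number of distinct URLs logged by that process.
count_endpoints() {
    printf '%s\n' "$SAMPLE_LOG" | pid_lines "$1" | endpoints | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
echo "Sensitive-looking lines from PID 4321:"
printf '%s\n' "$SAMPLE_LOG" | pid_lines 4321 | flag_sensitive
echo "Endpoints logged by PID 4321:"
printf '%s\n' "$SAMPLE_LOG" | pid_lines 4321 | endpoints
```

On a live device the PID filter can be done by logcat itself: `adb logcat -v threadtime --pid="$(adb shell pidof -s com.example.yourapp)"` (the `--pid` option exists on Android 7.0 and later). Every hit from `flag_sensitive` is a candidate finding to confirm by hand, since the patterns are deliberately broad.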

Links

Check out the links below for more information on what you should actually be logging in an application and some OWASP Mobile Application Security Testing Guide techniques.

https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

https://mas.owasp.org/MASTG/tests/android/MASVS-STORAGE/MASTG-TEST-0003

https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0060

The following links are some HackerOne reports of real world bugs found in mobile applications.

https://hackerone.com/reports/56002

https://hackerone.com/reports/462416