Using iGoat to Explore Mobile Application Security Weaknesses

Monday, December 16, 2013

Michael Smith


iGoat v2.0 ( is a program that demonstrates common iOS mobile application security weaknesses and their remediation.  There are other resources that show the use of this tool. One example,, is the OWASP Top 10 entry for Insecure Data Storage (which is the exercise we are going to do).
The purpose of this post is to walk through all the steps needed to get iGoat setup “Soup to Nuts”. There is nothing here that is too difficult, but there are a few pitfalls in making this work, so I thought it might be nice to provide some simple steps that take you from having nothing setup to being able to test the iGoat application for Local Data Storage weaknesses (and then be setup to work through the rest of the exercises included in iGoat).
OK, here we go!
Install and Setup Software

  • Download and install xcode from the app store.  Note that you need to be sure to install the command line tools (you will need these in order to be able to install the ruby gems needed to run the iGoat web server). To make sure that you have command line tools installed, open xcode and navigate xcode-> preferences, select the downloads tab if not selected by default, and make sure that Command Line Tools has been installed.
  • Install necessary ruby gems with the following command: sudo gem install sinatra json

Run the Local Data Storage Application

  • Run the web server with the following command: ./igoat_server.rb. Please note that you do not need this for the exercise we are going to do, but you will need it for later exercises; so let’s make sure that it works.
  • Run the iGoat iOS application on a simulated device.   You should be able to open the project file,iGoat.xcodeproj, with xcode.   If you are new to xcode, remember to set your scheme to the appropriate simulator.  Once the application is running, you should be presented with a welcome screen.  Dismiss this and select Data Protection (Rest) and then Local Data Storage


View the Insecure Data
Enter any user name and password of your choice into the application and click the login button.
Now all we have to do is view the insecure local storage.  Finding the virtual file system of the simulated device is not quite as straightforward as we might hope.  My virtual device is located here:
/Users/mike/Library/Application Support/iPhone Simulator/6/1/Applications/A02E4E0C-AA84-4408-9006-7B85D25374C6
Yours should be in a similar location (/Users/your_name/etc).
From here,  /Documents/credenitals.sqlite is where the file in question is located. 
Below I use strings to see that there is an issue (in this example I used the fantastic username/password combo of mike/test):


strings is nice, but in a larger application, this might be difficult to read.  Here is a screen shot using SQLite Manager (a super cool Firefox Add-on).  Just open SQLite Manager and use it to open the credentials.sqlite file.

SQLite Manager.png

So there you have it.  You now have iGoat setup and have worked through an exercise!  There are a number of additional exercises you can try in order to better understand mobile application security weaknesses and their remediation.
Bonus: Understand the Code behind the  ‘Remember Me’ Slider
If you take a look at LocalDataStorageExcerciseController.m in xcode you will see this code:
    if (credentialStorageSwitch.on) {
        [self storeCredentialsForUsername:username withPassword:password];

This does exactly what you think it might, if the application has the ‘Remember Me’ slider set to ON then the credentials are written to the SQLite database.  If the slider is set to OFF then the credentials are not written to local storage.  Test it out, it works!  Additionally, once you are examining the source code of iGoat, you can scroll down in the relevant file to see comments that explain a possible solution approach. 

Wrap Up
iGoat is a great tool to help developers understand basic security concerns in iOS applications.  The exercise that we used to demonstrate iGoat and make sure that it was setup maps to the OWASP Mobile Top Ten Mobile Risks M1 - Insecure Data Storage.  I strongly encourage you to check out the rest of the OWASP Top Ten and also to try out the rest of the exercises in iGoat! 

Cross Posted from the Symantec Cyber Readiness and Response Blog

Possibly Related Articles:
Security mobile iGoat
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.