iOS UIActivity Sharing

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

From iOS 6 onwards, third-party applications have been enabled to share data such as text, URLs, or images using mechanisms like AirDrop, as outlined in Apple's Inter-App Communication guide. This feature manifests through a system-wide share activity sheet that surfaces upon interacting with the "Share" button.

A comprehensive enumeration of all the built-in sharing options is available at UIActivity.ActivityType. Developers may opt to exclude specific sharing options if they deem them unsuitable for their application.

Attention should be directed towards:

The nature of the data being shared.
The inclusion of custom activities.
The exclusion of certain activity types.

Sharing is facilitated through the instantiation of a UIActivityViewController, to which the items intended for sharing are passed. This is achieved by calling:

bash

$ rabin2 -zq Telegram\ X.app/Telegram\ X | grep -i activityItems
0x1000df034 45 44 initWithActivityItems:applicationActivities:

Developers should scrutinize the UIActivityViewController for the activities and custom activities it's initialized with, as well as any specified excludedActivityTypes.

How to Receive Data

The following aspects are crucial when receiving data:

The declaration of custom document types.
The specification of document types the app can open.
The verification of the integrity of the received data.

Without access to the source code, one can still inspect the Info.plist for keys like UTExportedTypeDeclarations, UTImportedTypeDeclarations, and CFBundleDocumentTypes to understand the types of documents an app can handle and declare.

A succinct guide on these keys is available on Stackoverflow, highlighting the importance of defining and importing UTIs for system-wide recognition and associating document types with your app for integration in the "Open With" dialogue.

Dynamic Testing Approach

To test sending activities, one could:

Hook into the init(activityItems:applicationActivities:) method to capture the items and activities being shared.
Identify excluded activities by intercepting the excludedActivityTypes property.

For receiving items, it involves:

Sharing a file with the app from another source (e.g., AirDrop, email) that prompts the "Open with..." dialogue.
Hooking application:openURL:options: among other methods identified during static analysis to observe the app's response.
Employing malformed files or fuzzing techniques to evaluate the app's robustness.

References

https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Memory dump analysis

Partitions/File Systems/Carving

Pcap Inspection

Specific Software/File-Type Tricks

Windows Artifacts

Python Sandbox Escape & Pyscript

Bypass Python sandboxes

Shells (Linux, Windows, MSFVenom)

Linux Privilege Escalation

Docker Security

Docker Breakout / Privilege Escalation

Namespaces

Interesting Groups - Linux Privesc

Bypass Linux Restrictions

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

macOS Security & Privilege Escalation

macOS Apps - Inspecting, debugging and Fuzzing

macOS Kernel & System Extensions

macOS Files, Folders, Binaries & Memory

macOS Process Abuse

macOS IPC - Inter Process Communication

macOS Library Injection

macOS Security Protections

macOS Sandbox

macOS TCC

macOS FS Tricks

macOS Red Teaming

macOS MDM

Windows Local Privilege Escalation

Dll Hijacking

Active Directory Methodology

Abusing Active Directory ACLs/ACEs

AD Certificates

Windows Security Controls

NTLM

Lateral Movement

Stealing Windows Credentials

Basic PowerShell for Pentesters

Android Applications Pentesting

Drozer Tutorial

Frida Tutorial

iOS Pentesting

Pentesting VoIP

Basic VoIP Protocols

21 - Pentesting FTP

25,465,587 - Pentesting SMTP/s

80,443 - Pentesting Web Methodology

Buckets

Drupal

Electron Desktop Apps

PHP Tricks

PHP - Useful Functions & disable_functions/open_basedir bypass

Tomcat

88tcp/udp - Pentesting Kerberos

139,445 - Pentesting SMB

161,162,10161,10162/udp - Pentesting SNMP

1433 - Pentesting MSSQL - Microsoft SQL Server

11211 - Pentesting Memcache

Reflecting Techniques - PoCs and Polygloths CheatSheet

Browser Extension Pentesting Methodology

Cache Poisoning and Cache Deception

Content Security Policy (CSP) Bypass

Cookies Hacking

Dangling Markup - HTML scriptless injection

Deserialization

NodeJS - __proto__ & prototype Pollution

File Inclusion/Path traversal

File Upload

HTTP Request Smuggling / HTTP Desync Attack

Login Bypass

PostMessage Vulnerabilities

SAML Attacks

SQL Injection

MySQL injection

NodeJS - proto & prototype Pollution

UIActivity Sharing Simplified

How to Share Data

How to Receive Data

Dynamic Testing Approach

References