Threat actor simulation scope included reviewing by installing the IPA binary supplied by the client. The application was successfully installed and launched on a jailbroken device indicating the first weakness during this assessment. By allowing an application to be used on a jailbroken device would allow a threat actor to gain insights into internal workings of an application. Further this provides reverse engineering opportunities to gain inside knowledge of the application code. This includes analysing network traffic between the device and the server.
Additionally, it was possible to route the iPad traffic from the consultants laptop. This allowed replaying and fuzzing the API parameters to identify additional vulnerabilities including lack of API throttling on API end-points.
Binary analysis of the iPad app revealed a backdoor password used by internal support team to reset locked user accounts. This password was hard-coded within the binary of the application provided for analysis.
Upon communication this issue, we were made aware that in-house support team had decided not to develop 'forgotten password' module due to going live deadline pressure.