DEV Community: Jr Carreiro

Deep Dive into Info.plist Security Flags for Penetration Testing

Jr Carreiro — Sun, 22 Jun 2025 23:28:15 +0000

When performing penetration tests or static analysis on iOS/macOS applications, one of the most overlooked but critical files is Info.plist. This file contains configuration keys that control behavior, privacy permissions, app transport security, input handling, and much more.

Many of these settings can unintentionally expose sensitive data, allow insecure communications, or increase the attack surface of an app. This article provides a detailed analysis of common Info.plist keys, explains their technical behavior, illustrates real-world abuse cases, and offers security best practices for each.

🔧 Debugging & Security Flags

Key	Technical Description	Usage in Development	Security Risk	Real-World Example	Best Practice
`UIFileSharingEnabled`	Boolean (`false` by default). If `true`, exposes the app’s `Documents/` directory to iTunes/Finder file sharing.	Apps that allow file import/export (e.g. document editors).	Attackers with physical access can extract SQLite databases, tokens, and logs stored in `Documents/`.	Productivity apps exposed sensitive files via this flag in earlier iOS versions.	Set to `false` for production; move sensitive data to `Library/Private`.
`LSSupportsOpeningDocumentsInPlace`	Allows editing files from external sources like iCloud without copying into the sandbox.	Used by code editors, drawing tools.	Malicious apps can overwrite or tamper with files through symbolic links or sandbox escapes.	Exploits have overwritten "in-place" Realm DB files to cause corruption or injection.	Use security-scoped bookmarks and validate file access repeatedly.
`UIApplicationExitsOnSuspend`	When `true`, the app terminates when backgrounded. Prevents lingering memory data.	Used by banking or password vaults to increase memory security.	If `false`, sensitive keys/tokens may stay in memory until system purges the app.	Trading apps leaked access tokens in suspended state.	Enable if the UX permits and wipe memory on background transition.
`UIBackgroundModes`	Allows specific background capabilities: `audio`, `fetch`, `location`, etc.	Messaging, music, or GPS apps.	Overused modes (like `location`) enable data exfiltration and power analysis attacks.	Citizen Lab reported spyware using `location` + `bluetooth-central` for passive surveillance.	Declare only necessary modes and monitor task lifetimes.
`ITSAppUsesNonExemptEncryption`	Indicates use of strong encryption (for export compliance).	Games or simple apps might set `false`.	Setting `false` while using TLS violates compliance (e.g. GDPR, PCI).	US lottery apps were delisted after audit revealed encrypted traffic but `false` flag.	Always set to `true` when using TLS, AES, or RSA.
`UIApplicationSupportsIndirectInputEvents`	Enables input from external devices like braille or USB keyboards.	Accessibility or point-of-sale apps.	Allows injection or keylogging via HID spoofing.	Black Hat 2021 showed USB devices injecting malicious sequences.	Only enable if needed and whitelist HID inputs.

🌐 Network & Data Security Flags

Key	Technical Description	Usage in Development	Security Risk	Real-World Example	Best Practice
`NSAllowsArbitraryLoads`	Disables ATS (App Transport Security) and allows insecure HTTP.	Used during HTTP-to-HTTPS migration.	Enables MITM attacks, downgrades, and data leakage.	Banking apps leaked analytics data over HTTP due to this setting.	Always `false`; use `NSExceptionDomains` for granular exceptions.
`NSExceptionDomains`	Specifies per-domain ATS exceptions like cipher suite or TLS version.	Whitelist legacy servers.	Wildcards (`NSIncludesSubdomains=true`) expose QA/staging to attack.	QA environments exposed via CDN wildcard subdomains.	Define exact hostnames and monitor for abuse.
`NSAllowsLocalNetworking`	Allows connections to `.local` or Bonjour services without TLS.	IoT configuration apps (e.g. smart devices).	App can scan internal network, pivot, or exploit devices.	PoC app extracted default credentials from IP cams on LAN.	Validate Bonjour targets and restrict protocols.
`NSAppTransportSecurity`	Master dictionary that controls ATS settings.	Required for modern iOS apps.	Weak or incomplete settings (e.g. RC4 cipher allowed) reduce security posture.	MOBIX identified apps allowing insecure TLS versions.	Enforce TLS 1.2+, perfect forward secrecy, and CT.
`NSContactsUsageDescription`	Custom prompt when accessing user contacts.	Social apps or calendars.	Poor justification leads to over-permission; can aid phishing or spam.	Casual games uploaded contact lists to ad brokers.	Use clear messages and encrypt data at rest.

🔒 Privacy & Data Exposure Risks

Key	Technical Description	Usage in Development	Security Risk	Real-World Example	Best Practice
`NSCameraUsageDescription`	Prompt shown when using the camera.	Document scanners, AR apps.	Can enable covert surveillance without feedback.	Zoom macOS bug kept camera active post-call.	Show visual indicators and pause when backgrounded.
`NSMicrophoneUsageDescription`	Prompt for microphone access.	VoIP or recording apps.	Eavesdropping or background recording.	Pegasus malware used microphone access post-jailbreak.	Disable session when inactive.
`NSPhotoLibraryUsageDescription`	Allows access to the user’s photo library.	Editors, uploaders, social media.	EXIF GPS metadata can reveal sensitive locations.	Ad SDKs used image hashes for fingerprinting.	Use `PHPickerViewController` to limit scope.
`NSLocationAlwaysUsageDescription`	Enables tracking even when the app is closed.	Navigation, delivery apps.	Tracking across time and space violates user expectations.	Data brokers bought GPS data from health-related apps.	Prefer `WhenInUse`; provide toggles for users.
`NSUserTrackingUsageDescription`	Required by AppTrackingTransparency (ATT) to access IDFA.	Ad monetization.	Apps that fingerprint users after denial violate ATT/GDPR.	Adjust SDK was rejected by Apple for ATT circumvention.	Only use when critical for ad revenue.

⚙️ App Execution & IPC Risks

Key	Technical Description	Usage in Development	Security Risk	Real-World Example	Best Practice
`CFBundleURLTypes` (Deep Linking)	Registers custom URL schemes (`myapp://`).	Password reset flows, login deep links.	Other apps can hijack and invoke these URLs with malicious input.	Health apps vulnerable to OAuth token theft via deep link hijacking.	Use `Universal Links` with HTTPS and signed association.
`CFBundleExecutable`	Defines the binary name.	Apps using multiple binaries.	Tampering attacks can replace the binary post-install.	Masque Attack (2014) exploited bundle executable swaps.	Validate executable hash in runtime.
`CFBundleIdentifier`	App’s unique reverse-DNS ID.	Build separation (prod, QA).	Identifier collisions allow data theft via malicious apps.	Masque Attack cloned bundle ID to extract Keychain data.	Only install from trusted sources; enforce code signing.
`UIRequiresFullScreen`	Forces full-screen mode.	Games and immersive apps.	Hides status bar or security indicators like mic/camera usage.	Lottery apps hid indicators using fullscreen overlays.	Allow multitasking unless UX absolutely requires fullscreen.
`LSApplicationQueriesSchemes`	Allows checking if other apps are installed.	Deep link logic or conditional flows.	Overuse creates fingerprinting vectors.	Some apps queried 50+ schemes for tracking.	Limit to critical schemes only.

✅ Final Thoughts

These Info.plist keys, while often viewed as just metadata, can have a massive impact on an app’s security posture. Static analysis of the Info.plist is a key part of mobile pentesting, jailbreak bypass detection, and compliance validation.

📫 About the Author

[Júnior Carreiro]
🔐 Mobile AppSec | iOS Security | Reverse Engineering
📍 Let's connect: [GitHub] · [Linkedin]

🔵 Chapter 02 – Ruby Language Fundamentals (Line by Line for Absolute Beginners)

Jr Carreiro — Thu, 08 May 2025 14:57:07 +0000

Welcome to Chapter 02 of my learning journey through scripting and offensive security.

I’m not just learning to code — I’m learning to build, document, and explain.
This series is based on Hacking with Go, but reimagined in Ruby and Swift, with step-by-step examples and real-world analogies to help anyone understand — even if you’ve never written a single line of code.

🧱 What we’ll cover in this chapter:

📦 Variables (how to store information)
🔁 Loops (how to repeat actions)
🔀 Conditionals (how to make decisions)
🧠 Functions (how to reuse logic)
💬 Input/Output (how to talk to the user)

💡 Variables – Giving names to values

name = "Alice"age = 30

🧠 Explanation

We’re storing data in memory using variables.

name holds the string "Alice"
age holds the number 30

Think of variables like stickers you put on boxes — the name tells you what’s inside.

🔁 Loops – Repeating things automatically

3.times do  puts "Knock knock!"end

🧠 Explanation

3.times runs the block three times
puts prints the message

This is like telling a kid: “Say ‘knock knock!’ three times” — and they’ll do it without question.

🔀 Conditionals – Making decisions

password = "swordfish"if password == "swordfish"  puts "Access granted!"else  puts "Access denied!"end

🧠 Explanation

We check a condition:
If the password matches, we let the person in. Otherwise, we block them.

It’s like checking someone’s ID before opening the door.

🧠 Methods – Reusable blocks of logic

def greet(name)
  "Hello, #{name}!"endputs greet("Alice")

🧠 Explanation

We’re defining a method (like a mini-program) that:

Takes one input: name
Returns a message using string interpolation

Calling greet("Alice") is like pushing a button labeled “Say hello to Alice.”

💬 User Input – Interacting with people

print "What's your name? "name = gets.chompputs "Welcome, #{name}!"

🧠 Explanation

print shows a prompt without a newline
gets waits for input from the user
chomp removes the trailing newline

This is how Ruby talks to the user — and listens back.

🧠 Final Recap

📦 Variables → Store information with names
🔁 Loops → Repeat things automatically
🔀 Conditionals → Make decisions
🧠 Methods → Reuse blocks of logic
💬 Input/Output → Talk to the user

✅ You’ve learned the building blocks

This chapter gave you everything you need to start writing real scripts.

Next up: we’ll dive into useful packages and Ruby gems to do powerful things like parsing files, automating tasks, and working with the web.

📫 About the Author

[Júnior Carreiro]
🔐 Mobile AppSec | iOS Security | Reverse Engineering
📍 Let's connect: [GitHub] · [Linkedin]

🧠 iOS Reverse Engineering: iOS SQL Injection Challenge

Jr Carreiro — Wed, 30 Apr 2025 12:34:05 +0000

A Technical Walkthrough from Binary Analysis to Runtime Query Manipulation

Welcome to this detailed walkthrough of the Flipcoin Wallet iOS challenge, part of the Mobile Hacking Lab training platform.

Our mission?

✅ Unpack and reverse the application.
✅ Identify insecure SQL query construction.
✅ Confirm the presence of a SQL Injection vulnerability.
✅ Bypass UI limitations using Frida instrumentation.
✅ Inject a custom SQL payload and extract the hidden flag — documenting every step with clarity.

🎯 Objective

This project aims to identify and exploit a SQL Injection vulnerability in the Flipcoin Wallet iOS application. We will demonstrate how a poorly constructed SQL query can be manipulated to extract sensitive data, even when there is no visible input from the user.

🛠 Tools Used

Tool	Purpose
Frida	Dynamic instrumentation and runtime memory manipulation
Radare2 / rabin2	Static analysis of the binary
TrollStore	Installing unsigned apps on a jailbroken iPhone
iPhone SE (jailbroken)	Target device used for dynamic testing
Terminal	Execution of analysis commands and scripts

🧩 Analysis Steps (In Detail)

1. IPA Extraction and Binary Inspection

We started by extracting the .ipa file:

unzip com.mobilehackinglab.Flipcoin-Wallet6.ipa -d flipcoin_wallet_lab

Inside the Payload/Flipcoin Wallet.app folder, we located the app binary. We used rabin2 to inspect embedded strings:

rabin2 -zqq Payload/Flipcoin\ Wallet.app/Flipcoin\ Wallet | grep -iE 'select|insert|update|delete|sqlite'

Key findings:

A SQLite file: your_database_name.sqlite
Table: wallet
SQL strings including INSERT OR IGNORE INTO wallet and SELECT * FROM wallet
The recovery key column contains the flag: FLAG{fl1p_d4_c01nz}}

This confirmed that the app interacts with a local SQLite database.

2. Function Discovery via Imports and Cross-references

We searched for imported SQLite functions:

rabin2 -i Payload/Flipcoin\ Wallet.app/Flipcoin\ Wallet | grep sqlite3

We found the app uses functions like sqlite3_prepare, sqlite3_exec, and sqlite3_column_text.

To locate where these were used in the binary:

r2 -A Payload/Flipcoin\ Wallet.app/Flipcoin\ Wallet
> axt sym.imp.sqlite3_prepare

Two key functions were identified: createWallets and getWallets. We disassembled getWallets:

s 0x10000f98c
pdf

We confirmed that it performs:

SELECT * FROM wallet

without using parameter binding — indicating potential for SQL Injection.

🔧 Why We Switched to Frida Instead of Manual Input

After installing the app using TrollStore on a jailbroken iPhone SE, the interface was completely broken: the layout was oversized and unusable.

We attempted several UI fix strategies:

Applying view scaling using Frida scripts
Iterating subviews to locate the root UIView

All failed due to the app likely being developed in Flutter or SwiftUI, where traditional UIKit methods no longer apply.

As we could not interact via the UI, we used Frida to simulate SQL Injection directly at the memory level.

⚔️ Simulating SQL Injection with Frida

We built a script to intercept and replace the vulnerable query at runtime.

Script: `extract_flag_sqlite.js`

// Intercept and replace vulnerable query
Interceptor.attach(Module.getExportByName(null, "sqlite3_prepare"), {
  onEnter: function (args) {
    const originalQuery = args[1].readUtf8String();
    if (originalQuery.includes("SELECT * FROM wallet")) {
      const newQuery = "SELECT 1, 2, 3, 4, recovery_key FROM wallet";
      Memory.writeUtf8String(args[1], newQuery);
      console.log("[+] SQL query replaced:", newQuery);
    }
  }
});

// Monitor data extraction from each column
Interceptor.attach(Module.getExportByName(null, "sqlite3_column_text"), {
  onEnter: function (args) {
    this.columnIndex = args[1].toInt32();
  },
  onLeave: function (retval) {
    const value = Memory.readUtf8String(retval);
    if (value && value.includes("FLAG{")) {
      console.warn("🚩 FLAG FOUND:", value);
    }
  }
});

How This Works (Line by Line)

sqlite3_prepare is called when SQL queries are constructed.
We check if the query contains SELECT * FROM wallet
If so, we replace the query string in memory with a malicious one that extracts the recovery_key column
When sqlite3_column_text is called, we read each column's content
If the result contains FLAG{, we print it

Note: The app must still execute the original function. We manually triggered it by interacting with whatever broken UI was visible, until getWallets was called.

Execution:

frida -U -n "Flipcoin Wallet" -l extract_flag_sqlite.js

Output:

[+] SQL query replaced: SELECT 1, 2, 3, 4, recovery_key FROM wallet
🚩 FLAG FOUND: FLAG{fl1p_d4_c01nz}}

🧠 Why This is SQL Injection

SQL Injection is not defined by typing a payload — it’s about injecting or modifying a SQL query due to poor query construction.

In this case:

The query is built as a static string without input sanitization
No parameter binding is used
Although we couldn’t inject via UI, we demonstrated the flaw by changing the query directly, proving it is vulnerable and exploitable

This is a valid example of SQL Injection — only the delivery method changed (from input field to in-memory injection).

📫 About the Author

[Júnior Carreiro]
🔐 Mobile AppSec | iOS Security | Reverse Engineering
📍 Let's connect: [GitHub] · [Linkedin]
🏷️ Tags: #ios #reverseengineering #frida #infosec #mobile

🧠 iOS Reverse Engineering: Defeating Anti-Debug

Jr Carreiro — Fri, 25 Apr 2025 17:50:23 +0000

A Technical Walkthrough from Static Reversing to Dynamic Hooking

Welcome to this advanced walkthrough of the Captain Nohook iOS challenge, part of the Mobile Hacking Lab training platform.

Our mission?

✅ Analyze the binary.
✅ Identify anti-debug and anti-Frida mechanisms.
✅ Patch them.
✅ Instrument the app dynamically.
✅ Retrieve the hidden flag — and document every single step.

🧭 Objective

Bypass anti-debug and anti-Frida protections, inject FridaGadget, hook runtime components, and dynamically retrieve a hidden flag from the binary.

🛠 Tools & Environment

Frida 16.6.6
Radare2
Rabin2 (from r2 toolset)
insert_dylib
TrollStore (for installing the patched .ipa)
Jailbroken iPhone
FridaGadget.dylib

📦 Step 1: Extracting the .IPA

We began by unzipping the provided .ipa file:

unzip com.mobilehackinglab.Captain-Nohook.ipa -d captain_nohook_dev-io

Result:

The app is extracted to:

captain_nohook_dev-io/Payload/Captain Nohook.app/

We now have access to the application bundle, which includes the binary Captain Nohook.

🔍 Step 2: Static String Inspection with Rabin2

We used the following command to find strings related to jailbreak, Frida, ptrace, and debug protection:

rabin2 -zq captain_nohook_dev-io/Payload/Captain\ Nohook.app/Captain\ Nohook | grep -iE 'frida|ptrace|sysctl|debug|jail|hook|flag'

Output (excerpt):

0x1001563a0 34 33 Arrr, find yerr hidden flag here!
0x10015641f 5 4 flag
0x100156450 22 21 T@"UILabel",N,W,Vflag
...
0x100157380 23 22 /usr/sbin/frida-server
0x1001573b8 12 11 FridaGadget
...

We found an interesting string at address 0x1001563a0 which is a candidate for the hidden flag.

🧠 Step 3: Analyzing the Binary with Radare2

We opened the binary with:

r2 -AAA captain_nohook_dev-io/Payload/Captain\ Nohook.app/Captain\ Nohook

To find references to the interesting string:

axt 0x1001563a0

Output:

sub.Captain_Nohook.ViewController.whereIsflag.allocator...ySo8UIButtonCF_100009e70 0x10000a284 [STRN:r--] add x0, x0, str.Arrr__find_yerr_hidden_flag_here_

This confirms that the string is used in a function associated with a button action. We now know what to hook dynamically.

📦 Step 4: Injecting FridaGadget (Dynamic Instrumentation)

After identifying anti-Frida protections and patching static binary checks, we instrumented the app with FridaGadget, a dynamic and injectable version of the Frida runtime.

FridaGadget is used to instrument iOS apps that cannot be easily hooked with frida-server, especially in non-jailbroken environments or when runtime detection is active. It works by being embedded into the app’s binary as a .dylib, which is automatically loaded on app launch and communicates with Frida via USB. This setup lets us inject scripts and hook into runtime behavior without triggering traditional detection.

🧩 Step-by-Step: Embedding FridaGadget

1. Copy the FridaGadget.dylib

We used the FridaGadget.dylib already available in our system (through Objection or manual download).

cp ~/.objection/ios/FridaGadget.dylib Captain\ Nohook.app

2. Insert the Gadget into the binary

insert_dylib --weak --all-yes @executable_path/FridaGadget.dylib Captain\ Nohook.app/Captain\ Nohook Captain\ Nohook.app/Captain\ Nohook_patched
mv Captain\ Nohook.app/Captain\ Nohook_patched Captain\ Nohook.app/Captain\ Nohook

📝 Why? This embeds the FridaGadget using a weak LC_LOAD_DYLIB command so it won’t crash if not present. It allows Frida to auto-attach once the app is started.

3. Repack the IPA

cd ..
zip -r CaptainNohook-Frida.ipa Payload

📲 4. Install the IPA on the iPhone via TrollStore

This step assumes a TrollStore-enabled device, allowing unsigned IPA installation.

scp CaptainNohook-Frida.ipa mobile@<iphone-ip>:/path/to/TrollStore/appgroup/

Once installed, the app can be launched, and Frida will auto-attach.

🧵 Frida Script: monitor_flag.js

We developed the following script to watch for UILabels and capture the real flag.

// monitor_flag.js
// This script is used to monitor a UILabel inside the Captain Nohook app and print whenever its text is updated.
// It relies on dynamic instrumentation using FridaGadget, allowing us to observe runtime behavior.

console.log("🛡️ Monitoring UILabels and checking for flag updates...");

// The Objective-C class we want to analyze is the ViewController defined in the Captain Nohook app.
const vcClass = "Captain_Nohook.ViewController";

// Schedule the script to run on the main thread, where UI updates occur.
ObjC.schedule(ObjC.mainQueue, function () {
    // Find all live instances of the ViewController class in memory.
    const instances = ObjC.chooseSync(ObjC.classes[vcClass]);
    if (instances.length === 0) {
        // If no instances were found, display an error and stop.
        console.error("❌ No ViewController instance found.");
        return;
    }

    // Use the first found instance of the ViewController.
    const viewController = instances[0];
    console.log("✅ ViewController found:", viewController);

    // Use Key-Value Coding (KVC) to access the UILabel that holds the flag text.
    // The property name "flag" was discovered through static analysis of the binary.
    // Specifically, we used the command:
    //    `axt 0x1001563a0`
    // which showed that the string "Arrr, find yerr hidden flag here!" was referenced inside the function:
    //    `sub.Captain_Nohook.ViewController.whereIsflag.allocator...ySo8UIButtonCF`
    // From there, we reverse engineered the relationship between the ViewController and the flag UILabel.

    const flagLabel = viewController.valueForKey_("flag");

    // Print the current UILabel state
    console.log("🏴‍☠️ UILabel da flag:");
    console.log("   ▪️ Text:", flagLabel.text().toString());
    console.log("   ▪️ Hidden?:", flagLabel.isHidden());

    // Intercept all calls to UILabel.setText to observe when any UILabel text is changed at runtime.
    Interceptor.attach(ObjC.classes.UILabel["- setText:"].implementation, {
        onEnter: function (args) {
            // `args[2]` contains the new NSString being set on the UILabel.
            const newText = new ObjC.Object(args[2]).toString();

            // Log the modification
            console.log("📢 UILabel modified:");
            console.log("   ▪️ Class: UILabel");
            console.log("   ▪️ New text:", newText);
        }
    });
});

🧪 Real-Time Output After Button Press

Once the user interacts with the app, we observed the following real output:

📢 UILabel modified:
   ▪️ Class: UILabel
   ▪️ New text: Noncompliant device detected!
📢 UILabel modified:
   ▪️ Class: UILabel
   ▪️ New text: Yerr hook won't work!
📢 UILabel modified:
   ▪️ Class: UILabel
   ▪️ New text: MHL{H00k_1n_Y0ur_D3bUgg3r}

The final line contains the hidden flag, dynamically generated and not statically embedded.

✅ Final Thoughts

This challenge tested binary analysis, anti-debug bypass, and live instrumentation — all essential skills for mobile offensive security professionals.

FridaGadget made it possible to bypass runtime checks and extract the hidden flag, even in a protected app.

📫 About the Author

[Júnior Carreiro]
🔐 Mobile AppSec | iOS Security | Reverse Engineering
📍 Let's connect: [GitHub] · [Linkedin]
🏷️ Tags: #ios #reverseengineering #frida #infosec #mobile

🔴 Chapter 01 – Setting Up a Ruby Environment (Line by Line for Beginners

Jr Carreiro — Mon, 14 Apr 2025 12:11:10 +0000

Before we write any code, we need a place to work.
Think of this like setting up your workshop before you build a robot.

Let’s organize our tools and build the simplest thing we can:
a script that says "Hello, Hacker!"

🧰 What are we building?

We’re creating a Ruby project with:

🗂️ Folders to keep things organized
🔁 Logic we can reuse later
🖥️ Scripts we can run from the terminal

🧃 Think of this like a kitchen:
You’ll have drawers (code) and buttons (scripts) that do things.

📦 Project Structure

ruby/
└── Chapter 01 – Setting Up a Ruby Environment/
    ├── bin/
    │   └── hello_world.rb
    └── lib/
        └── hacking/
            └── core.rb

💻 Installing Ruby

Choose the method for your OS:

✅ Option 1 – Using `rbenv` (Linux/macOS)

sudo apt update && sudo apt install -y git curl build-essential libssl-dev libreadline-dev zlib1g-dev
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
cd ~/.rbenv && src/configure && make -C src
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init - bash)"' >> ~/.bashrc
source ~/.bashrc
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
rbenv install 3.3.5
rbenv global 3.3.5
ruby -v

✅ Option 2 – Using `rvm` (macOS or Linux)

sudo apt install curl gpg
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
\curl -sSL https://get.rvm.io | bash -s stable --ruby
source ~/.rvm/scripts/rvm
rvm install 3.3.5
rvm use 3.3.5 --default
ruby -v

✅ Option 3 – Windows (RubyInstaller)

Download from https://rubyinstaller.org
Run installer (check "add to PATH")
Open PowerShell or CMD:

ruby -v

📄 lib/hacking/core.rb

module Hacking
  module Core
    def self.greet
      "Hello, Hacker! Ready to break things? 💥"
    end
  end
end

📄 bin/hello_world.rb

#!/usr/bin/env ruby
# frozen_string_literal: true

require_relative '../lib/hacking/core'

puts Hacking::Core.greet

▶️ Run it!

cd ruby/Chapter\ 01\ –\ Setting\ Up\ a\ Ruby\ Environment
ruby bin/hello_world.rb

✅ Output:

Hello, Hacker! Ready to break things? 💥

🧠 Final Recap

Concept	What it means
`rbenv` / `rvm` / RubyInstaller	Install Ruby safely
`bin/`	Where your scripts live
`lib/`	Where your logic lives
`module`	Group of code
`self.method`	Call a method directly
`require_relative`	Load local file
`puts`	Print message

✅ You now have:

Ruby installed (on any OS)
A clean project structure
Your first script up and running
The foundation for your Ruby offensive tools!

DEV Community: Jr Carreiro

Deep Dive into Info.plist Security Flags for Penetration Testing

🔧 Debugging & Security Flags

🌐 Network & Data Security Flags

🔒 Privacy & Data Exposure Risks

⚙️ App Execution & IPC Risks

✅ Final Thoughts

📫 About the Author

🔵 Chapter 02 – Ruby Language Fundamentals (Line by Line for Absolute Beginners)

🧱 What we’ll cover in this chapter:

💡 Variables – Giving names to values

🧠 Explanation

🔁 Loops – Repeating things automatically

🧠 Explanation

🔀 Conditionals – Making decisions

🧠 Explanation

🧠 Methods – Reusable blocks of logic

🧠 Explanation

💬 User Input – Interacting with people

🧠 Explanation

🧠 Final Recap

✅ You’ve learned the building blocks

Next up: we’ll dive into useful packages and Ruby gems to do powerful things like parsing files, automating tasks, and working with the web.

📫 About the Author

🧠 iOS Reverse Engineering: iOS SQL Injection Challenge

🎯 Objective

🛠 Tools Used

🧩 Analysis Steps (In Detail)

1. IPA Extraction and Binary Inspection

2. Function Discovery via Imports and Cross-references

🔧 Why We Switched to Frida Instead of Manual Input

⚔️ Simulating SQL Injection with Frida

Script: extract_flag_sqlite.js

How This Works (Line by Line)

Execution:

Output:

🧠 Why This is SQL Injection

📫 About the Author

🧠 iOS Reverse Engineering: Defeating Anti-Debug

🧭 Objective

🛠 Tools & Environment

📦 Step 1: Extracting the .IPA

🔍 Step 2: Static String Inspection with Rabin2

🧠 Step 3: Analyzing the Binary with Radare2

📦 Step 4: Injecting FridaGadget (Dynamic Instrumentation)

🧩 Step-by-Step: Embedding FridaGadget

1. Copy the FridaGadget.dylib

2. Insert the Gadget into the binary

3. Repack the IPA

📲 4. Install the IPA on the iPhone via TrollStore

🧵 Frida Script: monitor_flag.js

🧪 Real-Time Output After Button Press

✅ Final Thoughts

📫 About the Author

🔴 Chapter 01 – Setting Up a Ruby Environment (Line by Line for Beginners

🧰 What are we building?

📦 Project Structure

💻 Installing Ruby

✅ Option 1 – Using rbenv (Linux/macOS)

✅ Option 2 – Using rvm (macOS or Linux)

✅ Option 3 – Windows (RubyInstaller)

📄 lib/hacking/core.rb

📄 bin/hello_world.rb

▶️ Run it!

🧠 Final Recap

✅ You now have:

Script: `extract_flag_sqlite.js`

✅ Option 1 – Using `rbenv` (Linux/macOS)

✅ Option 2 – Using `rvm` (macOS or Linux)