iOS Basic Testing Operations
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
To identify an iOS device uniquely, a 40-digit sequence known as the UDID is used. On macOS Catalina or newer, this can be found in the Finder app, as iTunes is no longer present. The device, once connected via USB and selected in Finder, reveals its UDID among other information when the details under its name are clicked through.
For versions of macOS prior to Catalina, iTunes facilitates the discovery of the UDID. Detailed instructions can be found here.
Command-line tools offer alternative methods for retrieving the UDID:
Using I/O Registry Explorer tool ioreg:
Using ideviceinstaller for macOS (and Linux):
Utilizing system_profiler:
Employing instruments to list devices:
SSH access is enabled by installing the OpenSSH package post-jailbreak, allowing connections via ssh root@<device_ip_address>. It's crucial to change the default passwords (alpine) for users root and mobile to secure the device.
SSH over USB becomes necessary in the absence of Wi-Fi, using iproxy to map device ports for SSH connections. This setup enables SSH access through USB by running:
On-device shell applications, like NewTerm 2, facilitate direct device interaction, especially useful for troubleshooting. Reverse SSH shells can also be established for remote access from the host computer.
To reset a forgotten password back to the default (alpine), editing the /private/etc/master.passwd file is necessary. This involves replacing the existing hash with the hash for alpine next to the root and mobile user entries.
Archiving and Retrieval via SSH and SCP: It's straightforward to archive the application's Data directory using tar and then transfer it using scp. The command below archives the Data directory into a .tgz file, which is then pulled from the device:
Using iFunbox and iExplorer: These GUI tools are useful for managing files on iOS devices. However, starting with iOS 8.4, Apple restricted these tools' access to the application sandbox unless the device is jailbroken.
Interactive Shell with Objection: Launching objection provides access to the Bundle directory of an app. From here, you can navigate to the app's Documents directory and manage files, including downloading and uploading them to and from the iOS device.
Over-The-Air (OTA) Distribution Link: Apps distributed for testing via OTA can be downloaded using the ITMS services asset downloader tool, which is installed via npm and used to save the IPA file locally.
From an IPA: Unzip the IPA to access the decrypted app binary.
From a Jailbroken Device: Install the app and extract the decrypted binary from memory.
Manual Decryption Overview: iOS app binaries are encrypted by Apple using FairPlay. To reverse-engineer, one must dump the decrypted binary from memory. The decryption process involves checking for the PIE flag, adjusting memory flags, identifying the encrypted section, and then dumping and replacing this section with its decrypted form.
Checking and Modifying PIE Flag:
Identifying Encrypted Section and Dumping Memory:
Determine the encrypted section's start and end addresses using otool and dump the memory from the jailbroken device using gdb.
Overwriting the Encrypted Section:
Replace the encrypted section in the original app binary with the decrypted dump.
Finalizing Decryption: Modify the binary's metadata to indicate the absence of encryption using tools like MachOView, setting the cryptid to 0.
The frida-ios-dump tool is employed for automatically decrypting and extracting apps from iOS devices. Initially, one must configure dump.py to connect to the iOS device, which can be done through localhost on port 2222 via iproxy or directly via the device's IP address and port.
Applications installed on the device can be listed with the command:
To dump a specific app, such as Telegram, the following command is used:
This command initiates the app dump, resulting in the creation of a Telegram.ipa file in the current directory. This process is suitable for jailbroken devices, as unsigned or fake-signed apps can be reinstalled using tools like ios-deploy.
The flexdecrypt tool, along with its wrapper flexdump, allows for the extraction of IPA files from installed applications. Installation commands for flexdecrypt on the device include downloading and installing the .deb package. flexdump can be used to list and dump apps, as shown in the commands below:
bagbak, another Frida-based tool, requires a jailbroken device for app decryption:
r2flutch, utilizing both radare and frida, serves for app decryption and dumping. More information can be found on its GitHub page.
Sideloading refers to installing applications outside the official App Store. This process is handled by the installd daemon and requires apps to be signed with an Apple-issued certificate. Jailbroken devices can bypass this through AppSync, enabling the installation of fake-signed IPA packages.
Cydia Impactor: A tool for signing and installing IPA files on iOS and APK files on Android. Guides and troubleshooting can be found on yalujailbreak.net.
libimobiledevice: A library for Linux and macOS to communicate with iOS devices. Installation commands and usage examples for ideviceinstaller are provided for installing apps over USB.
ipainstaller: This command-line tool allows direct app installation on iOS devices.
ios-deploy: For macOS users, ios-deploy installs iOS apps from the command line. Unzipping the IPA and using the -m flag for direct app launch are part of the process.
Xcode: Utilize Xcode to install apps by navigating to Window/Devices and Simulators and adding the app to Installed Apps.
To install iPad-specific applications on iPhone or iPod touch devices, the UIDeviceFamily value in the Info.plist file needs to be changed to 1. This modification, however, requires re-signing the IPA file due to signature validation checks.
Note: This method might fail if the application demands capabilities exclusive to newer iPad models while using an older iPhone or iPod touch.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
