iOS Testing Environment

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Apple Developer Program

A provisioning identity is a collection of public and private keys associated with an Apple developer account. To sign apps you need to pay $99/year to enroll in the Apple Developer Program and obtain your provisioning identity. Without it you won't be able to run an app built from source on a physical device. The alternative is to use a jailbroken device.

Starting with Xcode 7.2, Apple offers a free iOS development provisioning profile that lets you write and test your app on a real iPhone. Go to Xcode --> Preferences --> Accounts --> + (add a new Apple ID with your credentials) --> click the newly created Apple ID --> Manage Certificates --> + (Apple Development) --> Done. Then, to run your app on the iPhone, you first need to tell the iPhone to trust the computer. If you now try to run the app on the phone from Xcode, an error will appear: on the device go to Settings --> General --> Profiles & Device Management, select the untrusted developer profile and tap "Trust".

Note that apps signed with the same signing certificate (that is, the same Team ID) can securely share resources such as keychain items, through keychain access groups.

The provisioning profiles installed on the phone are stored in /Library/MobileDevice/ProvisioningProfiles

Simulator

Note that a simulator is not the same thing as an emulator. The simulator only simulates the device's behaviour and APIs: apps are compiled for the Mac's CPU and run on top of macOS, so the simulator neither executes the real ARM iOS binary nor emulates the hardware (a production IPA cannot be installed in it).

Simulator

The first thing to know is that performing a pentest inside a simulator is far more limited than doing it on a jailbroken device.

All the tools required to build and support an iOS app are officially supported only on macOS. Apple's de facto tool for creating, debugging and instrumenting iOS applications is Xcode. It can also download other components such as simulators and the different SDK versions required to build and test your app. It's highly recommended to download Xcode from the official App Store; other copies may contain malware.

The simulator files can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices

To open the simulator, run Xcode, then click the Xcode menu --> Open Developer Tool --> Simulator. In the image below, clicking on "iPod touch [...]" lets you select another device to test on:

Applications in the Simulator

Inside /Users/<username>/Library/Developer/CoreSimulator/Devices you can find all the installed simulators. If you want to find the files of an application built inside one of them, it can be hard to tell in which simulator the app is installed. A quick way to find the right UID is to launch the app in the simulator and execute:

xcrun simctl list | grep Booted
iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)

Once you know the UID, the per-app data containers (Documents, Library, tmp) of the apps installed in that simulator are under /Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application, each in a directory named after a second, per-app UID.

You won't find the application binary there, though: the installed .app bundle lives next to it under /Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Bundle/Application/{app UID}/, and the build product Xcode produced is in /Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/

In that folder you can find the application package (the .app bundle).

Emulator

Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per-user license model and does not offer a trial license.

Jailbreaking

Apple strictly requires that all code running on an iPhone be signed by a certificate issued by Apple. Jailbreaking is the process of actively circumventing that restriction and the other security controls the OS puts in place. Once the device is jailbroken, the code-signing integrity check that validates apps being installed and executed is patched, so it can be bypassed.

Unlike Android, iOS has no "Developer Mode" that lets you run unsigned or untrusted code on the device. (The Developer Mode toggle added in iOS 16 only permits running apps signed with a development certificate; it does not relax code signing for unsigned binaries.)

Android Rooting vs. iOS Jailbreaking

While often compared, rooting on Android and jailbreaking on iOS are fundamentally different processes. Rooting an Android device may mean installing the su binary or flashing a rooted custom ROM, which replaces the device's OS once the bootloader is unlocked; if the vendor allows unlocking the bootloader no exploit is needed, otherwise an exploit may be required.

In contrast, iOS devices cannot be flashed with custom ROMs because the boot chain only boots Apple-signed images. Jailbreaking iOS therefore aims to bypass Apple's code-signing protections in order to run unsigned code, a task made progressively harder by Apple's continuous security enhancements.

Jailbreaking Challenges

Jailbreaking iOS gets harder over time as Apple patches the vulnerabilities quickly. Installing a given iOS version (downgrading, or even restoring the same version) is only possible while Apple still signs it, which makes jailbreaking time-sensitive. Devices used for security testing should not be updated unless a jailbreak for the new version is guaranteed.

iOS installs and restores are gated by a challenge-response with Apple's signing server: the device sends its ECID and the firmware component hashes and only proceeds if it receives an Apple-signed ticket (the SHSH blob / APTicket). Apple signs each version only for a limited time after release, the so-called "signing window", so you cannot simply keep an IPSW or OTA package and restore it later once Apple stops signing it. The IPSW Downloads website is a resource for checking current signing windows.

Jailbreak Varieties

  • Tethered jailbreaks need a computer on every reboot: without it the device won't boot jailbroken at all.

  • Semi-tethered jailbreaks let the device boot on its own into a non-jailbroken state; a computer is needed only to re-apply the jailbreak.

  • Semi-untethered jailbreaks also boot un-jailbroken after a reboot, but the jailbreak can be re-applied from an app on the device itself, with no computer.

  • Untethered jailbreaks persist across reboots with no re-application needed.

Jailbreaking Tools and Resources

Jailbreaking tools vary by iOS version and device. Resources such as Can I Jailbreak?, The iPhone Wiki, and Reddit Jailbreak provide up-to-date information. Examples include:

  • Checkra1n for checkm8-vulnerable A7-A11 devices (iOS 12.0 to 14.8.1). Because checkm8 is a bootrom bug, it cannot be patched by a software update on those chips.

  • Palera1n for checkm8 devices (A8-A11) on iOS 15.0 and later.

  • Unc0ver for iOS versions up to 14.8.

Modifying your device carries risks, and jailbreaking should be approached with caution.

Jailbreaking Benefits and Risks

Jailbreaking lifts the OS-imposed restrictions: tooling installed through the jailbreak runs as root outside the App Store sandbox and can access the entire filesystem, and apps can be installed from outside the App Store and use otherwise unavailable APIs. For regular users, jailbreaking is not recommended because it weakens the platform's security controls and can make the device unstable.

After Jailbreaking

iOS Basic Testing Operations

Jailbreak Detection

Several applications try to detect whether the device is jailbroken and, if it is, refuse to run or disable sensitive functionality. Common indicators they check:

  • After jailbreaking, extra files and folders are usually present (e.g. /Applications/Cydia.app, /usr/sbin/sshd, /bin/bash, /etc/apt); the app can check for them.

  • On a jailbroken device the app gets read/write access to files outside its sandbox, so it can try to create a file under /private and see whether that succeeds.

  • Some API calls behave differently (for example canOpenURL: succeeds for a cydia:// URL when Cydia is installed).

  • The OpenSSH service (sshd) is present.

  • system(NULL) returns 1 instead of 0, because a command processor (/bin/sh) is available.
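As an added example (not code from the original page or from any particular app), here are the checks listed above written out in plain C: existence of well-known jailbreak artifacts, a write probe outside the sandbox, and the system(NULL) shell test. The artifact list and the probe path are assumptions that real apps vary; the underlying calls (stat, fopen, system and their Foundation wrappers) are what a Frida-based bypass hooks, which is why hooking beats maintaining a path blacklist.

```c
/* Added example (not from the original page): jailbreak-detection checks of the
 * kind an iOS app might compile in, written as plain C so it reads and builds
 * anywhere. The artifact paths and the probe path are assumptions. On a stock
 * iOS device every check below returns 0; on a rootful jailbreak most return 1. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Files and directories typically installed by jailbreaks (constructed list). */
static const char *const kJailbreakArtifacts[] = {
    "/Applications/Cydia.app",
    "/Applications/Sileo.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/bin/bash",
    "/etc/apt",
    "/private/var/lib/apt",
    "/var/jb",          /* rootless jailbreaks such as palera1n live here */
};
static const size_t kArtifactCount =
    sizeof(kJailbreakArtifacts) / sizeof(kJailbreakArtifacts[0]);

/* Count how many of the given paths exist. Apps usually stop at the first hit;
 * counting makes the result easier to reason about while testing. */
size_t count_existing_paths(const char *const *paths, size_t n) {
    struct stat st;
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (stat(paths[i], &st) == 0) found++;
    }
    return found;
}

/* Try to create (and then remove) a file outside the app sandbox. A sandboxed
 * app on stock iOS cannot write under /private; a jailbroken one often can. */
int can_write_path(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return 0;
    fputs("jailbreak probe\n", f);
    fclose(f);
    unlink(path);       /* leave no trace behind */
    return 1;
}

/* system(NULL) reports whether a command processor (/bin/sh) is available:
 * 0 on stock iOS, non-zero once a jailbreak has installed a shell. */
int shell_available(void) {
    return system(NULL) != 0;
}

/* Combine the checks the way a detection routine would. */
int looks_jailbroken(void) {
    return count_existing_paths(kJailbreakArtifacts, kArtifactCount) > 0
        || can_write_path("/private/jailbreak_probe.txt")
        || shell_available();
}

int main(void) {
    printf("artifacts found: %zu\n",
           count_existing_paths(kJailbreakArtifacts, kArtifactCount));
    printf("can write outside sandbox: %d\n",
           can_write_path("/private/jailbreak_probe.txt"));
    printf("shell available: %d\n", shell_available());
    printf("looks jailbroken: %d\n", looks_jailbroken());
    return 0;
}
```

When reversing a binary, the same routine shows up as a cluster of artifact path strings next to imports of stat, fopen, system or NSFileManager fileExistsAtPath:, which is where to aim a Frida hook if a generic bypass does not work.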

More information about how to detect jailbreaking here.

Jailbreak Detection Bypass

  • You can try to avoid these detections with objection's ios jailbreak disable, which hooks the Foundation and libc calls the checks rely on (such as fileExistsAtPath:, fopen and canOpenURL:) so they report a clean device.

  • You could also install the tweak Liberty Lite (https://ryleyangus.com/repo/). Once the repo is added to your package manager (Cydia/Sileo), the tweak should appear in its 'Search' tab; it hides jailbreak artifacts from the apps you select.
