iOS Application Testing

Jailbreaking iOS Device:

7MB

After iOS Device is Jailbroken, Cydia is installed on the device. This can be used to install multiple testing tools like:

MTerminal
IPA Installer
Frida Server

Installing SSL Kill Switch 2:

Sequrus-iPad:~ root# wget <https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.debSequrus-iPad:~> root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb

Sequrus-iPad:~ root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb

Sequrus-iPad:~ root# killall -HUP SpringBoard

Now SSL Kill Switch 2 will appear in Settings, you just need to toggle it on!

Pulling IPA from iOS Device:

Sequrus-iPad:~ root# ipainstaller -l

Sequrus-iPad:~ root# ipainstaller -b <package-name>
The application has been backed up as /private/var/mobile/Documents/Package-Name.ipa.

Now Connect to the iOS Device IP address using FileZilla to download the IPA from the above Location. This IPA can be used on tools like MobSF for static analysis

Frida on iOS:

If Frida Server doesn't start through Cydia, Start is manually:

Sequrus-iPad:/usr/bin root# frida-server -l 192.168.0.135

List devices:

C:\\Users\\sequr>frida-ls-devices

List Installed Applications:

frida-ps -Uai

Connect to the iOS Device Using USB:

C:\\Users\\sequr>frida-ps -Ua
Waiting for USB device to appear...

Connect to the iOS Device Remotely Using its IP Address:

C:\\Users\\sequr>frida-ps -H 192.168.0.135

Using a Codeshare Script via USB Connection:

C:\\Users\\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -Ua

using Codeshare Script via Remote IP Connection:

C:\\Users\\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -H 192.168.0.135

Troubleshooting:

Unable to connect to remote frida-server / Waiting for USB device to appear...

Server Side - On iOS Device by SSH-ing to the device

/usr/bin/frida-server -l <iOS Device IP Address>

Client side - on Testing Machine with Frida:

frida-ps -H <iOS Device IP Address>

Dumping Decrypted IPA using Frida IOS Dumper:

Make sure Frida is installed and running and usable before using this repo. This repo uses Frida so will need that setup and installed.

First clone the repo:

Reference Video here:

https://www.youtube.com/watch?v=m0FF8xcyGew

Clone the repo:

git clone https://github.com/AloneMonkey/frida-ios-dump

cd frida-ios-dump

sudo pip install -r requirements.txt --upgrade

In another Terminal open a ssh proxy and run the following:

iproxy 2222 22

Make sure the credentials in the dump.py file are root:alpine (unless you have changed them on your iOS jailbroken device):

Now list all the application packages using the -l flag:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py -l
PID  Name           Identifier                     
-  -------------  -------------------------------
-  App Store      com.apple.AppStore             
-  Camera         com.apple.camera               
-  Chrome         com.google.chrome.ios

Now without the -l flag dump the package of your choice as decrypted IPA. I'm using -o to output a different file name but can also just dump without changing the name:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py com.my.sample.app
Start the target app com.my.sample.app
Dumping Incode Omni to /tmp
start dump /private/var/containers/Bundle/Application/0000-00000-00000-00000/my.sample.app/
myapp.fid: 100%|██████████████████████████████████████████████████████████████| 16.8M/16.8M [00:00<00:00, 33.9MB/s]
[email protected]: 26.1MB [00:04, 5.89MB/s]                                                                     
0.00B [00:00, ?B/s]
Generating "My App.ipa"

The File saves on your machine.

Specify output file name:

python3 dump.py -o MyDecryped-App com.my.sample.app

──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py                            
usage: dump.py [-h] [-l] [-o OUTPUT_IPA] [-H SSH_HOST] [-p SSH_PORT] [-u SSH_USER] [-P SSH_PASSWORD]
               [-K SSH_KEY_FILENAME]
               [target]

frida-ios-dump (by AloneMonkey v2.0)

positional arguments:
  target                Bundle identifier or display name of the target app

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            List the installed apps
  -o OUTPUT_IPA, --output OUTPUT_IPA
                        Specify name of the decrypted IPA
  -H SSH_HOST, --host SSH_HOST
                        Specify SSH hostname
  -p SSH_PORT, --port SSH_PORT
                        Specify SSH port
  -u SSH_USER, --user SSH_USER
                        Specify SSH username
  -P SSH_PASSWORD, --password SSH_PASSWORD
                        Specify SSH password
  -K SSH_KEY_FILENAME, --key_filename SSH_KEY_FILENAME
                        Specify SSH private key file path

Multiple Frida Bypasses in Conjunction:

┌──(kali㉿kali)-[~]
└─$ frida -f my.package.com -U -l /home/kali/Downloads/root.js -l /home/kali/Downloads/pinning.js

PreviousMagisk on GenyMotion NextiOS Testing Using Objection

Last updated 1 year ago

hashtagJailbreaking iOS Device:

hashtagInstalling SSL Kill Switch 2:

hashtagPulling IPA from iOS Device:

hashtagFrida on iOS:

hashtagList devices:

hashtagList Installed Applications:

hashtagConnect to the iOS Device Using USB:

hashtagConnect to the iOS Device Remotely Using its IP Address:

hashtagUsing a Codeshare Script via USB Connection:

hashtagusing Codeshare Script via Remote IP Connection:

hashtagTroubleshooting:

hashtagUnable to connect to remote frida-server / Waiting for USB device to appear...

hashtagServer Side - On iOS Device by SSH-ing to the device

hashtagClient side - on Testing Machine with Frida:

hashtagDumping Decrypted IPA using Frida IOS Dumper:

hashtagMultiple Frida Bypasses in Conjunction: