# iOS Application Testing

#### Jailbreaking iOS Device:

{% embed url="https://checkra.in/" %}

{% file src="https://1450987373-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MPQCk3xB4es-GyiL5_P%2Fuploads%2Fmehx4HVlTnmILhRqmBSv%2Fcheckra1n%20beta%200.12.4.dmg?alt=media&token=2ca3a23d-b7fb-403a-9408-5eb418591554" %}

After the iOS device is jailbroken, Cydia is installed on it. Cydia can then be used to install testing tools such as:

* MTerminal
* IPA Installer
* Frida Server

#### Installing SSL Kill Switch 2:

```
Sequrus-iPad:~ root# wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
```

```
Sequrus-iPad:~ root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb
```

```
Sequrus-iPad:~ root# killall -HUP SpringBoard
```

SSL Kill Switch 2 now appears in Settings; just toggle it on to disable certificate validation (including pinning) for the apps on the device.

### Pulling IPA from iOS Device:

```
Sequrus-iPad:~ root# ipainstaller -l
```

```
Sequrus-iPad:~ root# ipainstaller -b <package-name>
The application has been backed up as /private/var/mobile/Documents/Package-Name.ipa.
```

Now connect to the iOS device's IP address with FileZilla (SFTP, using the device's SSH credentials) to download the IPA from the location above. This IPA can be loaded into tools such as MobSF for static analysis; note that an App Store app backed up this way still has its executable encrypted, so the decrypted dump described later is needed to analyse the code itself.

### Frida on iOS:

If Frida Server doesn't start through Cydia, start it manually, binding it to the device's IP address so remote clients can reach it:

```
Sequrus-iPad:/usr/bin root# frida-server -l 192.168.0.135
```

#### List devices:

```
C:\Users\sequr>frida-ls-devices
```

#### List Installed Applications:

```
frida-ps -Uai
```

#### Connect to the iOS Device Using USB:

```
C:\Users\sequr>frida-ps -Ua
Waiting for USB device to appear...
```

#### Connect to the iOS Device Remotely Using its IP Address:

```
C:\Users\sequr>frida-ps -H 192.168.0.135
```

#### Using a Codeshare Script via USB Connection:

```
C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -Ua
```

#### Using a Codeshare Script via Remote IP Connection:

```
C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -H 192.168.0.135
```

### Troubleshooting:

#### Unable to connect to remote frida-server / Waiting for USB device to appear...

If frida-ps reports either of these, bind frida-server to the device's IP address on the device and point the client at that address:

#### Server side: on the iOS device, after SSH-ing into it

```
/usr/bin/frida-server -l <iOS Device IP Address>
```

#### Client side: on the testing machine with Frida installed:

```
frida-ps -H <iOS Device IP Address>
```

### Dumping a Decrypted IPA using frida-ios-dump:

<mark style="color:red;">**Make sure Frida is installed, running and usable before using this repo; it relies on Frida to perform the dump.**</mark>

**Repository:**

{% embed url="https://github.com/AloneMonkey/frida-ios-dump" %}
frida-ios-dump
{% endembed %}

**Reference video:**

* <https://www.youtube.com/watch?v=m0FF8xcyGew>

**Clone the repo:**

```
git clone https://github.com/AloneMonkey/frida-ios-dump
```

```
cd frida-ios-dump
```

```
sudo pip install -r requirements.txt --upgrade
```

**In another terminal, forward the device's SSH port over USB with iproxy (local port 2222 to device port 22):**

```
iproxy 2222 22
```

Make sure the credentials in **dump.py** are root:alpine (unless you have changed them on your jailbroken iOS device); they can also be overridden with the -u and -P flags listed in the usage output further down.

**Now list all the application packages using the -l flag:**

```
┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py -l
PID  Name           Identifier                     
-  -------------  -------------------------------
-  App Store      com.apple.AppStore             
-  Camera         com.apple.camera               
-  Chrome         com.google.chrome.ios   
```

**Now run dump.py without the -l flag, giving the package of your choice, to dump it as a decrypted IPA. By default the IPA is named after the app; the -o flag (shown further below) sets a different output file name:**

```
┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py com.my.sample.app
Start the target app com.my.sample.app
Dumping Incode Omni to /tmp
start dump /private/var/containers/Bundle/Application/0000-00000-00000-00000/my.sample.app/
myapp.fid: 100%|██████████████████████████████████████████████████████████████| 16.8M/16.8M [00:00<00:00, 33.9MB/s]
AppIcon60x60@2x.png: 26.1MB [00:04, 5.89MB/s]                                                                     
0.00B [00:00, ?B/s]
Generating "My App.ipa"
```

<mark style="color:red;">**The decrypted IPA is saved on your testing machine, in the directory you ran dump.py from, not on the device.**</mark>
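A quick way to confirm which kind of IPA you are holding, as an added example that is not part of this page or of frida-ios-dump: the cryptid field of the LC_ENCRYPTION_INFO(_64) load command in the main executable is 1 for an App Store binary backed up with ipainstaller -b and 0 after a successful frida-ios-dump. The script reads that field from the executable named by CFBundleExecutable in the IPA's Info.plist and also walks fat (multi-architecture) binaries; sample_ipa() is a constructed minimal IPA used only as test input.

```python
import io
import plistlib
import struct
import zipfile

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def cryptids(data: bytes) -> list:
    """cryptid of each Mach-O slice: 1 = FairPlay-encrypted, 0 = clear (also 0 if absent)."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:            # fat header is big-endian
        nfat = struct.unpack(">I", data[4:8])[0]
        ids = []
        for i in range(nfat):                                     # 20-byte fat_arch entries
            off, size = struct.unpack(">II", data[16 + 20 * i:24 + 20 * i])
            ids += cryptids(data[off:off + size])
        return ids
    magic, ncmds = struct.unpack("<I", data[:4])[0], struct.unpack("<I", data[16:20])[0]
    if magic not in (MH_MAGIC_64, MH_MAGIC):
        raise ValueError("not a Mach-O image")
    pos = 32 if magic == MH_MAGIC_64 else 28                      # load commands follow the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return [struct.unpack("<I", data[pos + 16:pos + 20])[0]]   # cryptid field
        pos += cmdsize
    return [0]


def ipa_is_encrypted(ipa) -> bool:
    """True if the app's main executable (CFBundleExecutable) is still encrypted."""
    with zipfile.ZipFile(ipa) as z:
        plist = next(n for n in z.namelist() if n.count("/") == 2 and n.endswith(".app/Info.plist"))
        exe = plistlib.loads(z.read(plist))["CFBundleExecutable"]
        return any(cryptids(z.read(plist.rsplit("/", 1)[0] + "/" + exe)))


def sample_ipa(cryptid: int) -> io.BytesIO:
    """Constructed test input (not a real app): one-file IPA with an arm64 Mach-O of the given cryptid."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)  # ncmds=1, sizeofcmds=24
    enc_cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, cryptid, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps({"CFBundleExecutable": "Sample"}))
        z.writestr("Payload/Sample.app/Sample", header + enc_cmd)
    buf.seek(0)
    return buf
```

Calling ipa_is_encrypted("My App.ipa") on the dump should return False; True means the binary is still ciphertext and MobSF will have nothing meaningful to disassemble.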

**Specify output file name:**

```
python3 dump.py -o MyDecrypted-App com.my.sample.app
```

```
┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py
usage: dump.py [-h] [-l] [-o OUTPUT_IPA] [-H SSH_HOST] [-p SSH_PORT] [-u SSH_USER] [-P SSH_PASSWORD]
               [-K SSH_KEY_FILENAME]
               [target]

frida-ios-dump (by AloneMonkey v2.0)

positional arguments:
  target                Bundle identifier or display name of the target app

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            List the installed apps
  -o OUTPUT_IPA, --output OUTPUT_IPA
                        Specify name of the decrypted IPA
  -H SSH_HOST, --host SSH_HOST
                        Specify SSH hostname
  -p SSH_PORT, --port SSH_PORT
                        Specify SSH port
  -u SSH_USER, --user SSH_USER
                        Specify SSH username
  -P SSH_PASSWORD, --password SSH_PASSWORD
                        Specify SSH password
  -K SSH_KEY_FILENAME, --key_filename SSH_KEY_FILENAME
                        Specify SSH private key file path
```

## Multiple Frida Bypasses in Conjunction:

Repeating -l loads several scripts into the same session, so more than one bypass (here root.js and pinning.js) can be applied at once:

```
┌──(kali㉿kali)-[~]
└─$ frida -f my.package.com -U -l /home/kali/Downloads/root.js -l /home/kali/Downloads/pinning.js
```
