iOS Application Testing


Last updated 4 months ago


Jailbreaking iOS Device:

Once the iOS device is jailbroken, Cydia is installed on it. Cydia can then be used to install testing tools such as:

  • MTerminal

  • IPA Installer

  • Frida Server

Installing SSL Kill Switch 2:

Sequrus-iPad:~ root# wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
Sequrus-iPad:~ root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb
Sequrus-iPad:~ root# killall -HUP SpringBoard

SSL Kill Switch 2 now appears in the Settings app; you just need to toggle it on!

Pulling IPA from iOS Device:

Sequrus-iPad:~ root# ipainstaller -l
Sequrus-iPad:~ root# ipainstaller -b <package-name>
The application has been backed up as /private/var/mobile/Documents/Package-Name.ipa.

Now connect to the iOS device's IP address with FileZilla (over SSH/SFTP) and download the IPA from the location shown above. This IPA can be loaded into tools like MobSF for static analysis.

Frida on iOS:

If Frida Server doesn't start through Cydia, start it manually (SSH into the device first), binding it to the device's IP address:

Sequrus-iPad:/usr/bin root# frida-server -l 192.168.0.135

List devices:

C:\Users\sequr>frida-ls-devices

List Installed Applications:

frida-ps -Uai

Connect to the iOS Device Using USB:

C:\Users\sequr>frida-ps -Ua
Waiting for USB device to appear...

Connect to the iOS Device Remotely Using its IP Address:

C:\Users\sequr>frida-ps -H 192.168.0.135

Using a Codeshare Script via USB Connection:

C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -Ua

Using a Codeshare Script via Remote IP Connection:

C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -H 192.168.0.135

Troubleshooting:

Unable to connect to remote frida-server / Waiting for USB device to appear...

Server side - on the iOS device, after SSH-ing into it:

/usr/bin/frida-server -l <iOS Device IP Address>

Client side - on Testing Machine with Frida:

frida-ps -H <iOS Device IP Address>

Dumping Decrypted IPA using Frida IOS Dumper:

frida-ios-dump drives the dump through Frida, so make sure frida-server is installed, running on the device and reachable from the testing machine (see the Frida on iOS section above) before using this repo.

Reference video: https://www.youtube.com/watch?v=m0FF8xcyGew

Clone the repo:

git clone https://github.com/AloneMonkey/frida-ios-dump
cd frida-ios-dump
sudo pip install -r requirements.txt --upgrade

In another terminal, forward the device's SSH port (22) over USB to local port 2222 with iproxy, and leave it running:

iproxy 2222 22

Make sure the SSH credentials in the dump.py file are root:alpine, the defaults on a jailbroken device (unless you have changed them on your iOS device).

Now list all the application packages using the -l flag:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py -l
PID  Name           Identifier                     
-  -------------  -------------------------------
-  App Store      com.apple.AppStore             
-  Camera         com.apple.camera               
-  Chrome         com.google.chrome.ios   

Now, without the -l flag, dump the package of your choice as a decrypted IPA. The -o flag (shown further below) writes the IPA under a different file name, but you can also just dump without changing the name:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py com.my.sample.app
Start the target app com.my.sample.app
Dumping Incode Omni to /tmp
start dump /private/var/containers/Bundle/Application/0000-00000-00000-00000/my.sample.app/
myapp.fid: 100%|████████████████████████████████████████████████████████████████| 16.8M/16.8M [00:00<00:00, 33.9MB/s]
AppIcon60x60@2x.png: 26.1MB [00:04, 5.89MB/s]                                                                     
0.00B [00:00, ?B/s]
Generating "My App.ipa"

The decrypted IPA is saved on your testing machine.

Specify output file name:

python3 dump.py -o MyDecryped-App com.my.sample.app

Run dump.py without arguments to see all options:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py
usage: dump.py [-h] [-l] [-o OUTPUT_IPA] [-H SSH_HOST] [-p SSH_PORT] [-u SSH_USER] [-P SSH_PASSWORD]
               [-K SSH_KEY_FILENAME]
               [target]

frida-ios-dump (by AloneMonkey v2.0)

positional arguments:
  target                Bundle identifier or display name of the target app

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            List the installed apps
  -o OUTPUT_IPA, --output OUTPUT_IPA
                        Specify name of the decrypted IPA
  -H SSH_HOST, --host SSH_HOST
                        Specify SSH hostname
  -p SSH_PORT, --port SSH_PORT
                        Specify SSH port
  -u SSH_USER, --user SSH_USER
                        Specify SSH username
  -P SSH_PASSWORD, --password SSH_PASSWORD
                        Specify SSH password
  -K SSH_KEY_FILENAME, --key_filename SSH_KEY_FILENAME
                        Specify SSH private key file path
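Once the dump finishes it is worth confirming that the binary really is decrypted instead of trusting the tool's progress bar. The script below is an added example; it is not part of the original page or of the frida-ios-dump project. It opens the IPA, finds the main executable through Payload/<App>.app/Info.plist, and reads the cryptid field of the Mach-O LC_ENCRYPTION_INFO(_64) load command for every architecture slice (thin or fat binary): 1 means the slice is still FairPlay-encrypted, 0 means the dump succeeded. The build_sample_* helpers are constructed fixtures (a minimal Mach-O header and a fake IPA named SampleApp / com.my.sample.app) so the check can be exercised offline; they are not real app binaries.

```python
"""Verify that the main executable inside a dumped IPA is decrypted.

Added example, not part of the original page or of frida-ios-dump.
An App Store binary carries an LC_ENCRYPTION_INFO(_64) load command whose
cryptid field is 1 while the slice is FairPlay-encrypted; a successful dump
rewrites it to 0. This reads the field straight from the Mach-O header.
"""
import io
import plistlib
import struct
import sys
import zipfile

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O (little-endian on iOS)
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE       # universal ("fat") wrapper, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def _thin_cryptid(data):
    """Return cryptid of one Mach-O slice, or None if it has no encryption command."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:
        off = 32                     # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                     # sizeof(mach_header)
    else:
        raise ValueError("not a little-endian Mach-O slice: magic=0x%08x" % magic)
    ncmds = struct.unpack("<I", data[16:20])[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmdsize < 8:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # after the 8-byte command header: cryptoff, cryptsize, cryptid
            return struct.unpack("<I", data[off + 16:off + 20])[0]
        off += cmdsize
    return None


def encryption_state(macho):
    """Return [(slice_offset, cryptid), ...] for every architecture in the binary."""
    if struct.unpack(">I", macho[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", macho[4:8])[0]
        result = []
        for i in range(nfat):
            entry = 8 + 20 * i                      # each fat_arch is 20 bytes
            offset, size = struct.unpack(">II", macho[entry + 8:entry + 16])
            result.append((offset, _thin_cryptid(macho[offset:offset + size])))
        return result
    return [(0, _thin_cryptid(macho))]


def main_executable_from_ipa(ipa):
    """Locate Payload/<App>.app/Info.plist and return (CFBundleExecutable, its bytes)."""
    if isinstance(ipa, (bytes, bytearray)):
        ipa = io.BytesIO(ipa)
    with zipfile.ZipFile(ipa) as z:
        info = next(n for n in z.namelist()
                    if n.startswith("Payload/") and n.endswith(".app/Info.plist")
                    and n.count("/") == 2)
        exe = plistlib.loads(z.read(info))["CFBundleExecutable"]
        return exe, z.read(info.rsplit("/", 1)[0] + "/" + exe)


def check_ipa(ipa):
    """Return (executable_name, [(offset, cryptid), ...]) for an IPA path, file object or bytes."""
    exe, data = main_executable_from_ipa(ipa)
    return exe, encryption_state(data)


def is_decrypted(ipa):
    """True when no slice of the main executable still reports cryptid == 1."""
    return all(cryptid in (0, None) for _, cryptid in check_ipa(ipa)[1])


# --- constructed fixtures (not real app binaries) so the check runs offline ---

def build_sample_macho(cryptid, bits=64):
    """Minimal Mach-O header with a single LC_ENCRYPTION_INFO(_64) command."""
    if bits == 64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, 0x0000000C, 0, 2, 1, len(cmd), 0)
    return hdr + cmd


def build_fat(slices):
    """Wrap thin slices in a universal binary (big-endian fat header)."""
    table_end = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        cputype, cpusubtype = struct.unpack("<II", s[4:12])
        archs += struct.pack(">IIIII", cputype, cpusubtype, table_end + len(body), len(s), 0)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


def build_sample_ipa_bytes(macho, app="SampleApp", bundle_id="com.my.sample.app"):
    """Zip a fake Payload/<app>.app holding an Info.plist and the given executable bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/%s.app/Info.plist" % app,
                   plistlib.dumps({"CFBundleExecutable": app, "CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/%s.app/%s" % (app, app), macho)
    return buf.getvalue()


if __name__ == "__main__":
    exe, states = check_ipa(sys.argv[1])
    for offset, cryptid in states:
        verdict = "STILL ENCRYPTED" if cryptid == 1 else "decrypted"
        print("%s slice@0x%x cryptid=%s -> %s" % (exe, offset, cryptid, verdict))
    sys.exit(0 if all(c in (0, None) for _, c in states) else 1)
```

Run it as python3 check_decrypted.py MyDecryped-App.ipa (the script name is assumed); a non-zero exit means at least one slice is still encrypted, which usually means the app was not fully started before the dump or frida-server was not attached, so re-run dump.py before handing the IPA to static analysis.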

Multiple Frida Bypasses in Conjunction:

┌──(kali㉿kali)-[~]
└─$ frida -f my.package.com -U -l /home/kali/Downloads/root.js -l /home/kali/Downloads/pinning.js

References and attachments:

  • Reference video: https://www.youtube.com/watch?v=m0FF8xcyGew

  • checkra1n (jailbreak tool), attached file: checkra1n beta 0.12.4.dmg (7MB)

  • frida-ios-dump: https://github.com/AloneMonkey/frida-ios-dump