iOS Application Testing

Jailbreaking iOS Device:

After the iOS device is jailbroken, Cydia is installed on it. Cydia can then be used to install testing tools such as:

  • MTerminal

  • IPA Installer

  • Frida Server

Installing SSL Kill Switch 2:

Sequrus-iPad:~ root# wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
Sequrus-iPad:~ root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb
Sequrus-iPad:~ root# killall -HUP SpringBoard

SSL Kill Switch 2 will now appear in Settings; you just need to toggle it on.

Pulling IPA from iOS Device:

Sequrus-iPad:~ root# ipainstaller -l
Sequrus-iPad:~ root# ipainstaller -b <package-name>
The application has been backed up as /private/var/mobile/Documents/Package-Name.ipa.

Now connect to the iOS device's IP address using FileZilla and download the IPA from the location above. This IPA can be loaded into tools like MobSF for static analysis.

Frida on iOS:

If Frida Server doesn't start through Cydia, start it manually:

Sequrus-iPad:/usr/bin root# frida-server -l 192.168.0.135

List devices:

C:\Users\sequr>frida-ls-devices

List Installed Applications:

frida-ps -Uai

Connect to the iOS Device Using USB:

C:\Users\sequr>frida-ps -Ua
Waiting for USB device to appear...

Connect to the iOS Device Remotely Using its IP Address:

C:\Users\sequr>frida-ps -H 192.168.0.135

Using a Codeshare Script via USB Connection:

C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -Ua

Using a Codeshare Script via Remote IP Connection:

C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -H 192.168.0.135

Troubleshooting:

Unable to connect to remote frida-server / Waiting for USB device to appear...

Server side - on the iOS device, after SSH-ing into it:

/usr/bin/frida-server -l <iOS Device IP Address>

Client side - on Testing Machine with Frida:

frida-ps -H <iOS Device IP Address>

Dumping Decrypted IPA using frida-ios-dump:

This tool is built on Frida, so make sure Frida is installed, running and reachable (see the section above) before using it.

Reference Video here:

First, clone the repo and install its Python dependencies:

git clone https://github.com/AloneMonkey/frida-ios-dump
cd frida-ios-dump
sudo pip install -r requirements.txt --upgrade

In another terminal, open an SSH proxy over USB so the tool can reach the device on local port 2222:

iproxy 2222 22

Make sure the SSH credentials in the dump.py file are root:alpine (unless you have changed them on your jailbroken iOS device, which you should).

Now list all the application packages using the -l flag:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py -l
PID  Name           Identifier
-  -------------  -------------------------------
-  App Store      com.apple.AppStore
-  Camera         com.apple.camera
-  Chrome         com.google.chrome.ios

Now, without the -l flag, dump the package of your choice as a decrypted IPA. You can also pass -o to write the output under a different file name, or just dump without changing the name:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py com.my.sample.app
Start the target app com.my.sample.app
Dumping Incode Omni to /tmp
start dump /private/var/containers/Bundle/Application/0000-00000-00000-00000/my.sample.app/
myapp.fid: 100%|████████████████████████████████| 16.8M/16.8M [00:00<00:00, 33.9MB/s]
AppIcon60x60@2x.png: 26.1MB [00:04, 5.89MB/s]
0.00B [00:00, ?B/s]
Generating "My App.ipa"

The decrypted IPA is saved on your testing machine.
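An IPA pulled with ipainstaller -b still carries the App Store's FairPlay encryption, while the frida-ios-dump output should not. Before loading either into MobSF, it is worth checking which one you have. The check below is an added example (not part of these notes or of frida-ios-dump): it parses the LC_ENCRYPTION_INFO(_64) load command of the app's main Mach-O executable (found under Payload/<App>.app/ inside the IPA) and reports the cryptid flag; it assumes a thin little-endian Mach-O (fat binaries are out of scope) and the sample binary it builds is constructed test data.

```python
"""Report whether a Mach-O from an IPA is still FairPlay-encrypted (cryptid == 1)
or has been dumped decrypted (cryptid == 0)."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def encryption_state(data: bytes) -> dict:
    """Walk the load commands of a thin little-endian Mach-O and return the
    encryption-info fields. Raises on non-Mach-O input or a malformed command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 has an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"not a thin little-endian Mach-O (magic {magic:#x})")
    ncmds = struct.unpack_from("<I", data, 16)[0]   # ncmds sits after filetype
    offset = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return {"present": True, "cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "encrypted": cryptid != 0}
        offset += cmdsize
    # No encryption command at all (e.g. a developer-signed build): nothing to decrypt.
    return {"present": False, "encrypted": False}


def build_sample(cryptid: int) -> bytes:
    """Constructed minimal arm64 Mach-O with one LC_ENCRYPTION_INFO_64 command
    (test data only, not a real application binary)."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    # magic, cputype (ARM64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


if __name__ == "__main__":
    # Usage: python3 check_cryptid.py Payload/MyApp.app/MyApp  (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    print(encryption_state(data))
```

Unzip the IPA first and point the script at the executable named in the app's Info.plist CFBundleExecutable; a result with encrypted == True means the dump did not succeed and static analysis of the binary will be meaningless.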

Specify output file name:

python3 dump.py -o MyDecrypted-App com.my.sample.app

Running dump.py with no arguments prints its usage:

┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py
usage: dump.py [-h] [-l] [-o OUTPUT_IPA] [-H SSH_HOST] [-p SSH_PORT] [-u SSH_USER] [-P SSH_PASSWORD]
               [-K SSH_KEY_FILENAME]
               [target]

frida-ios-dump (by AloneMonkey v2.0)

positional arguments:
  target                Bundle identifier or display name of the target app

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            List the installed apps
  -o OUTPUT_IPA, --output OUTPUT_IPA
                        Specify name of the decrypted IPA
  -H SSH_HOST, --host SSH_HOST
                        Specify SSH hostname
  -p SSH_PORT, --port SSH_PORT
                        Specify SSH port
  -u SSH_USER, --user SSH_USER
                        Specify SSH username
  -P SSH_PASSWORD, --password SSH_PASSWORD
                        Specify SSH password
  -K SSH_KEY_FILENAME, --key_filename SSH_KEY_FILENAME
                        Specify SSH private key file path

Multiple Frida Bypasses in Conjunction:

┌──(kali㉿kali)-[~]
└─$ frida -f my.package.com -U -l /home/kali/Downloads/root.js -l /home/kali/Downloads/pinning.js
