
Decrypting iOS Apps


Last updated 3 years ago


This writeup belongs to: Decrypt iOS Applications: 3 Methods, Alexander Fadeev's Blog (it's just pasted here for my quick reference, I don't own this writeup)

Scenario

jailbreak -> select tool -> dump

Instruments

You have 3 options:

  • frida-ios-decrypt (jump to the section How to Use "frida-ios-decrypt")
  • Clutch (jump to the section How to Use "Clutch")
  • dumpdecrypted.dylib (jump to the section How to Use "dumpdecrypted.dylib")

Additionally, you need SSH (OpenSSH) installed on a jailbroken iPhone to be able to copy dumped files.

Overview

An application from the Apple App Store is encrypted with a hardware-backed cryptographic scheme. More precisely, the executable section of the Mach-O binary inside the IPA package is encrypted, and the decryption key is accessible only on a particular device at the hardware level (Secure Enclave). But if you wonder whether it is possible to decipher an application downloaded from the Apple App Store in order to carry out static analysis: yes, it is possible.

How Tools Work

All tools leverage a simple principle: they dump the decrypted binary from the memory of the running process. This works because the binary MUST be decrypted before it can run at all; the tool then writes that in-memory image to a file.

You MUST jailbreak the iPhone to dump the decrypted executable region to the filesystem. There is no magic tool that decrypts an application on a personal computer.

There are 2 approaches to dump the deciphered executable region from memory to the filesystem. Both require superuser privileges, either to trace a process or to inject a dynamic library.

Approach #1: attach to a process

  1. The tool (tracer) attaches to a running process (tracee).

  2. The deciphered executable is dumped from the memory into a file.

Step 1 (tracing the process) needs superuser privileges, which is why the iPhone must be jailbroken. Clutch and frida-ios-decrypt work this way.

Approach #2: library injection

  1. An application starts with a dynamic library linked into it.

  2. The dynamic library dumps decrypted executable right from the application user space memory.

Superuser privilege is needed to inject a custom dynamic library into the process memory. dumpdecrypted.dylib works this way (through DYLD_INSERT_LIBRARIES).

How to Use "frida-ios-decrypt"

Follow the frida-ios-dump installation guide.

Prepare USB and SSH

The main script of "frida-ios-decrypt", dump.py, uses the frida package, which communicates with the device via USB. When the application has been dumped, the files are copied from the device via SSH (scp) to a temporary folder. In short, your iPhone must be reachable over both USB and SSH.

The official guide suggests setting up SSH over USB, but that way seems a bit complicated. I found an easier way: connect the iPhone to your local network (the same WiFi network as your computer) and modify dump.py as follows, so that the script connects to the phone directly over the local network:

User = 'root'
Password = 'alpine'
Host = '192.168.88.102' # Fix the Host IP to a real iPhone IP
Port = 22

Steps

  1. frida-ios-dump looks for the device over SSH. Either use the "SSH over USB" approach, or connect your device to the local network and fix dump.py (see "Prepare USB and SSH" above).

  2. List running processes:

    python2 ./frida-ios-dump-master/dump.py -l
  3. Dump the target process:

    python2 ./frida-ios-dump-master/dump.py "TargetApp"

    or

    python2 ./frida-ios-dump-master/dump.py <pid>

Successful log

Start the target app TargetApp
Dumping TargetApp to /some/temp/path
[frida-ios-dump]: libswiftUIKit.dylib has been dlopen.
[frida-ios-dump]: libswiftIntents.dylib has been dlopen.
[frida-ios-dump]: libswiftCoreImage.dylib has been dlopen.
...
...A lot of noisy log may follow here
...
Generating "TargetApp.ipa"
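The log above ends with a generated IPA, but the log alone does not prove the dump worked. The "encrypted executable section" from the Overview is described inside the Mach-O load commands by LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64: its cryptid field is non-zero in a store binary and 0 in a correctly dumped one. The following parser reads that field for a thin image, for every slice of a fat binary, and for every Mach-O inside an IPA, so you can check a dump before spending time on static analysis. This is an added example written for this page, not code from the original writeup or from frida-ios-dump; the Mach-O headers, fat wrapper and IPA it builds are constructed test inputs, not real applications.

```python
"""Read the cryptid field of LC_ENCRYPTION_INFO(_64) from a Mach-O image, a fat
binary or every Mach-O inside an IPA, to tell encrypted from dumped binaries.
Standalone example; the inputs built below are constructed, not real apps."""
import io
import struct
import zipfile

MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE        # fat/universal wrapper, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def _parse_thin(data, base=0):
    """Walk the load commands of one thin image; return its encryption info.
    cryptid stays None when the image carries no encryption command at all."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        hdr_len = 32
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off, end = base + hdr_len, base + hdr_len + sizeofcmds
    info = {"offset": base, "cryptid": None, "cryptoff": None, "cryptsize": None}
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize 0x%x at 0x%x" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
        off += cmdsize
    return info


def encryption_info(data):
    """One info dict per architecture slice (a fat binary has several)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        return [_parse_thin(data, struct.unpack_from(">5I", data, 8 + 20 * i)[2])
                for i in range(nfat)]
    return [_parse_thin(data, 0)]


def is_encrypted(data):
    """True if any slice still has cryptid != 0; a correct dump resets it to 0."""
    return any(s["cryptid"] for s in encryption_info(data))


def ipa_encryption_report(ipa_bytes):
    """Map every Mach-O under Payload/<name>.app/ in the IPA to its encrypted state."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) < 3 or parts[0] != "Payload" or not parts[1].endswith(".app"):
                continue
            blob = z.read(name)
            if len(blob) < 32:
                continue  # too small for any Mach-O header (Info.plist, assets...)
            le, be = struct.unpack_from("<I", blob)[0], struct.unpack_from(">I", blob)[0]
            if le in (MH_MAGIC, MH_MAGIC_64) or be == FAT_MAGIC:
                report[name] = is_encrypted(blob)
    return report


# --- constructed sample inputs: minimal headers only, not runnable apps ---
def build_sample_macho64(cryptid, cryptoff=0x4000, cryptsize=0x8000):
    cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
    # magic, cputype arm64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0) + cmd


def build_sample_fat(images):
    out = bytearray(0x1000 * (len(images) + 1))
    struct.pack_into(">II", out, 0, FAT_MAGIC, len(images))
    for i, img in enumerate(images):
        off = 0x1000 * (i + 1)
        cputype, cpusubtype = struct.unpack_from("<II", img, 4)
        struct.pack_into(">5I", out, 8 + 20 * i, cputype, cpusubtype, off, len(img), 12)
        out[off:off + len(img)] = img
    return bytes(out)


def build_sample_ipa(main_binary, framework_binary):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/TargetApp.app/TargetApp", main_binary)
        z.writestr("Payload/TargetApp.app/Info.plist", b"<plist/>")
        z.writestr("Payload/TargetApp.app/Frameworks/Helper.dylib", framework_binary)
    return buf.getvalue()
```

On a real dump, pass the IPA bytes to ipa_encryption_report (for example `ipa_encryption_report(open("TargetApp.ipa", "rb").read())`): a file reported as encrypted means the dumper never reached that image, which is typical for frameworks that were not loaded before the dump was taken. The same check is what `otool -l` shows under LC_ENCRYPTION_INFO_64 when run on the extracted binary.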

Troubleshooting

Device is not found via USB

Waiting for USB device...

Ensure that you installed USB drivers for iPhone.

Also, if you're on Windows Subsystem for Linux (WSL), you will be unable to run "frida-ios-dump", because there are no USB drivers for iPhone under WSL, so the iPhone cannot be enumerated (not sure about WSL 2 though).

Device is not found via SSH

Either way, if dump.py cannot connect to the device, you will see one of the following errors:

*** Caught exception: <class 'socket.error'>: [Errno 11] Resource temporarily unavailable

or

*** Caught exception: <class 'socket.error'>: [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

Check that you are using the correct IP address for your iPhone in dump.py.

  1. On iPhone: go to Settings -> WiFi -> (i) -> read the IP address.

  2. Verify the connection: ssh root@192.168.88.101

  3. Password: alpine

How to Use "Clutch"

IMPORTANT: On iPhone 12.x you need to fix entitlements first (see "How to Fix Entitlements" below).

  1. List the processes:

    Clutch -i
  2. Dump the process obtaining decrypted binaries:

    Clutch -d 3

    "3" is the number of the application from the Clutch -i output.

How to Use "dumpdecrypted.dylib"

Build and install the tool.

IMPORTANT: On iPhone 12.x you need to fix entitlements first (see "How to Fix Entitlements" below).

  1. Copy dumpdecrypted.dylib to a system path on the phone via SSH using the scp tool:

    scp dumpdecrypted.dylib root@192.168.88.101:/usr/lib/dumpdecrypted.dylib

    Choose a system path such as /usr/lib, not $HOME, to avoid problems with kernel sandboxing.

  2. Run the application with dumpdecrypted.dylib:

    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/BFED82A3-3238-4F41-B797-C1CB584CBE05/targetapp/targetapp

How to Jailbreak iPhone 12.x

  1. Download the Chimera IPA package to a computer.

  2. Download Cydia Impactor.

  3. Deploy the Chimera package to the iPhone using the Cydia tool (it will ask for your Apple ID; it can be ANY free Apple ID).

  4. On the iPhone: open Chimera and press the "Jailbreak" button.

  5. The Sileo marketplace app appears after the jailbreak is installed. Go to the Sileo application.

  6. Find and install Frida and OpenSSH (sshd).

How to Fix Entitlements

The big advantage of "frida-ios-dump" over "Clutch" and "dumpdecrypted.dylib" is that it doesn't need to fix the entitlements of the target app.

Entitlements are special properties assigned to each application in iOS. Entitlements are signed, so basically it is not possible to change them without a jailbreak.

In iOS 12.x the default entitlements of an application don't allow tracing. In the case of Clutch you are going to see the following error:

Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Steps to fix entitlements:

  1. Dump the current entitlements of the target application:

    ldid -e /var/containers/Bundle/Application/F8809B92-7794-4540-A4E2-0F541D78CF5A/TargetApp.app/TargetApp > ~/targetapp-ent.xml

  2. Fix the entitlements by adding the following keys to targetapp-ent.xml:

    <key>platform-application</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>com.apple.private.skip-library-validation</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>

  3. Assign the new entitlements:

    ldid -S~/targetapp-ent.xml /var/containers/Bundle/Applicati
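Step 2 above is a hand edit of an XML plist. The same work can be done with Python's standard plistlib, which also gives you the more useful check first: which of these tracing-related keys an application already carries (a store build normally has none of them set to true, and get-task-allow true on a shipped binary is a finding in its own right). This is an added example written for this page, not part of the original writeup or of ldid; the key list is the one from step 2, and the sample entitlements plist below is constructed, not dumped from a real app.

```python
"""Audit and amend an iOS entitlements plist in the XML form that `ldid -e` prints.
Standalone example; SAMPLE_ENTITLEMENTS is constructed, not from a real app."""
import plistlib

# The five keys the writeup adds so that a tracer may attach on iOS 12.x.
TRACING_ENTITLEMENTS = (
    "platform-application",
    "get-task-allow",
    "run-unsigned-code",
    "com.apple.private.skip-library-validation",
    "com.apple.private.security.no-container",
)


def missing_entitlements(xml_bytes, keys=TRACING_ENTITLEMENTS):
    """Return the keys that are absent, or present but not boolean true."""
    ents = plistlib.loads(xml_bytes)
    return [k for k in keys if ents.get(k) is not True]


def present_entitlements(xml_bytes, keys=TRACING_ENTITLEMENTS):
    """Audit helper: the keys already set to true (unexpected in a store build)."""
    ents = plistlib.loads(xml_bytes)
    return [k for k in keys if ents.get(k) is True]


def merge_entitlements(xml_bytes, keys=TRACING_ENTITLEMENTS):
    """Return a new XML plist with every key in `keys` set to true; all other
    entries (application-identifier, keychain groups, ...) are kept as they are."""
    ents = plistlib.loads(xml_bytes)
    for k in keys:
        ents[k] = True
    return plistlib.dumps(ents)


# Constructed sample of what `ldid -e` might print for a store app: tracing is off.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID0000.com.example.targetapp</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>TEAMID0000.com.example.targetapp</string>
    </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENTITLEMENTS
    print("already set:", present_entitlements(src))
    print("missing:    ", missing_entitlements(src))
    sys.stdout.buffer.write(merge_entitlements(src))
```

Run it with the file from step 1 (`python3 entitlements.py ~/targetapp-ent.xml > ~/targetapp-ent-fixed.xml`) and feed the result to `ldid -S` as in step 3; the audit lines go to stdout before the plist, so redirect only if you drop the two print calls or send them to stderr.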
