Basic iOS Testing Operations
Last updated
Last updated
Perform this actions having connected the device to the computer via USB and having the device unlocked.
The UDID is a 40-digit unique sequence of letters and numbers to identify an iOS device. You can find the UDID of your iOS device on macOS Catalina onwards in the Finder app, as iTunes is not available anymore in Catalina. Just select the connected iOS device in Finder and click on the information under the name of the iOS device to iterate through it. Besides the UDID, you can find the serial number, IMEI and other useful information.
If you are using a macOS version before Catalina, you can find the UDID of your iOS device via iTunes, by selecting your device and clicking on "Serial Number" in the summary tab. When clicking on this you will iterate through different metadata of the iOS device including its UDID.
It is also possible to get the UDID via various command line tools on macOS while the device is attached via USB:
By using the I/O Registry Explorer tool ioreg
:
By using ideviceinstaller (also available on Linux):
By using the system_profiler:
By using instruments:
After jailbreaking the device you should have installed some new app manager like Cydia.
In order to enable SSH access to your iOS device you can install the OpenSSH package. Once installed, you can access your device via ssh running ssh root@<device_ip_address>
, which will log you in as the root user:
When accessing your iOS device via SSH consider the following:
The default users are root
and mobile
.
The default password for both is alpine
.
Remember to change the default password for both users
root
andmobile
as anyone on the same network can find the IP address of your device and connect via the well-known default password, which will give them root access to your device.
****
During a real black box test, a reliable Wi-Fi connection may not be available. In this situation, you can use usbmuxd to connect to your device's SSH server via USB.
Connect macOS to an iOS device by installing and starting iproxy:
The above command maps port 22
on the iOS device to port 2222
on localhost. You can also make iproxy run automatically in the background if you don't want to run the binary every time you want to SSH over USB.
With the following command in a new terminal window, you can connect to the device:
Small note on USB of an iDevice: on an iOS device you cannot make data connections anymore after 1 hour of being in a locked state, unless you unlock it again due to the USB Restricted Mode, which was introduced with iOS 11.4.1
While usually using an on-device shell (terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install NewTerm 2 via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing).
In addition, there are a few jailbreaks that explicitly disable incoming SSH for security reasons. In those cases, it is very convenient to have an on-device shell app, which you can use to first SSH out of the device with a reverse shell, and then connect from your host computer to it.
Opening a reverse shell over SSH can be done by running the command ssh -R <remote_port>:localhost:22 <username>@<host_computer_ip>
.
On the on-device shell app run the following command and, when asked, enter the password of the mstg
user of the host computer:
On your host computer run the following command and, when asked, enter the password of the root
user of the iOS device:
If you forget your password and want to reset it to the default alpine
:
Edit the file /private/etc/master.password
on your jailbroken iOS device (using an on-device shell as shown below)
Find the lines:
Change xxxxxxxxx
to /smx7MYTQIi2M
(which is the hashed password alpine
)
Save and exit
As we know now, files from our app are stored in the Data directory. You can now simply archive the Data directory with tar
and pull it from the device with scp
:
****iFunbox is a GUI application that can be used for several things (uploading/downloading files among them). Another GUI tool for this purpose is iExplorer.
Starting in iOS version 8.4, Apple has restricted the third-party managers to access to the application sandbox, so tools like iFunbox and iExplorer no longer display/retrieve files from apps installed on the device if the device isn't jailbroken.
When you are starting objection (objection --gadget com.apple.mobilesafari explorer
) you will find the prompt within the Bundle directory.
Use the env
command to get the directories of the app and navigate to the Documents directory.
With the command file download <filename>
you can download a file from the iOS device to your host computer and can analyze it afterwards.
You can also upload files to the iOS device with file upload <local_file_path>
.
During development, apps are sometimes provided to testers via over-the-air (OTA) distribution. In that situation, you'll receive an itms-services link, such as the following:
You can use the ITMS services asset downloader tool to download the IPA from an OTA distribution URL. Install it via npm:
Save the IPA file locally with the following command:
From an IPA:
If you have the IPA (probably including an already decrypted app binary), unzip it and you are ready to go. The app binary is located in the main bundle directory (.app), e.g. Payload/Telegram X.app/Telegram X
. See the following subsection for details on the extraction of the property lists.
On macOS's Finder, .app directories are opened by right-clicking them and selecting "Show Package Content". On the terminal you can just
cd
into them.
From a Jailbroken device:
If you don't have the original IPA, then you need a jailbroken device where you will install the app (e.g. via App Store). Once installed, you need to extract the app binary from memory and rebuild the IPA file. Because of DRM, the app binary file is encrypted when it is stored on the iOS device, so simply pulling it from the Bundle (either through SSH or Objection) will not be sufficient to reverse engineer it (read next section).
Unlike an Android Application, the binary of an iOS app can only be disassembled and not decompiled. When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, Apple encrypts the binary using FairPlay. So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks.
However, note that there are other third party software that can be used to obfuscate the resulting binaries.
In order to run the encrypted binary, the device needs to decrypt it in memory. Then, it's possible to dump the decrypted binary from the memory.
First, check if the binary is compiled with the PIE (Position Independent Code) flag:
If it's set you can use the script change_macho_flags.py
to remove it with python2:
Now that the PIE flag isn't set, the OS will load the program at a fixed starting location every-time. In order to find this location you can use:
Then, it's necessary to extract the the memory range that needs to be dumped:
The value of cryptoff
indicated the starting address of the encrypted content and the cryptsize
indicates the size of the encrypted content.
So, the start address
to dump will be vmaddr + cryptoff
and the end address
will be the start address + cryptsize
In this case: start_address = 0x4000 + 0x4000 = 0x8000
__and end_address = 0x8000 + 0x109c000 = 0x10a4000
With this information it's just necessary to run the application in the jailbroken device, attach to the process with gdb (gdb -p <pid>
) and dump the memory:
Congrats! You have decrypted the encrypted section in dump.bin. Now transfer this dump to your computer and overwrite the encrypted section with the decrypted one:
There is one more step to complete. The application is still indicating in its metadata that it's encrypted, but it isn't. Then, when executed, the device will try to decrypt the already decrypted section and it's going to fail. However, you can use tools like MachOView to change this info. Just open the binary and set the cryptid to 0:
You can use tools like frida-ios-dump to automatically remove the encryption and an app.
First, make sure that the configuration in Frida-ios-dump dump.py
is set to either localhost with port 2222 when using iproxy, or to the actual IP address and port of the device from which you want to dump the binary.
Now you can safely use the tool to enumerate the apps installed:
and you can dump one of the listed binaries:
After this, the Telegram.ipa
file will be created in your current directory. You can validate the success of the dump by removing the app and reinstalling it (e.g. using ios-deploy ios-deploy -b Telegram.ipa
). Note that this will only work on jailbroken devices, as otherwise the signature won't be valid.
When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can circumvent this security feature with AppSync, a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. AppSync is a tweak that patches installd, allowing the installation of fake-signed IPA packages.
Different methods exist for installing an IPA package onto an iOS device, which are described in detail below.
Please note that iTunes is no longer available in macOS Catalina. If you are using an older version of macOS, iTunes is still available but since iTunes 12.7 it is not possible to install apps.
Cydia Impactor was originally created to jailbreak iPhones, but has been rewritten to sign and install IPA packages to iOS devices via sideloading (and even APK files to Android devices). Cydia Impactor is available for Windows, macOS and Linux. A step by step guide and troubleshooting steps are available on yalujailbreak.net.
On Linux and also macOS, you can alternatively use libimobiledevice, a cross-platform software protocol library and a set of tools for native communication with iOS devices. This allows you to install apps over a USB connection by executing ideviceinstaller. The connection is implemented with the USB multiplexing daemon usbmuxd, which provides a TCP tunnel over USB.
The package for libimobiledevice will be available in your Linux package manager. On macOS you can install libimobiledevice via brew:
After the installation you have several new command line tools available, such as ideviceinfo
, ideviceinstaller
or idevicedebug
.
The IPA can also be directly installed on the iOS device via the command line with ipainstaller. After copying the file over to the device, for example via scp, you can execute ipainstaller with the IPA's filename:
On macOS you can also use the ios-deploy tool to install iOS apps from the command line. You'll need to unzip your IPA since ios-deploy uses the app bundles to install apps.
After the app is installed on the iOS device, you can simply start it by adding the -m
flag which will directly start debugging without installing the app again.
It is also possible to use the Xcode IDE to install iOS apps by doing the following steps:
Start Xcode
Select Window/Devices and Simulators
Select the connected iOS device and click on the + sign in Installed Apps.
Sometimes an application can require to be used on an iPad device. If you only have iPhone or iPod touch devices then you can force the application to accept to be installed and used on these kinds of devices. You can do this by changing the value of the property UIDeviceFamily to the value 1 in the Info.plist file.
It is important to note that changing this value will break the original signature of the IPA file so you need to re-sign the IPA, after the update, in order to install it on a device on which the signature validation has not been disabled.
This bypass might not work if the application requires capabilities that are specific to modern iPads while your iPhone or iPod is a bit older.
Possible values for the property UIDeviceFamily can be found in the Apple Developer documentation.