Jailbreak and stuff!! Kickstart tools and techniques for iOS application pentesting
What’s up ninjas,
In this article, I have covered most of the tools and techniques required for kickstarting your iOS applications pentesting. This article will focus on iOS from version 12.1–12.4. Suggestions and feedback will be much appreciated.
This article will cover:
- Awesome starter tools.
- Jailbreaking iOS 12.4 device
- Jailbreak detection bypass using Liberty Lite
- SSL pinning bypass for iOS 12.4
- Install the terminal app (M-Terminal)
- Connect the iOS device via SSH
- Browse application files in iOS device with iMazing
- Extract .ipa file from iOS device with iMazing
- Pentesting with Objection
- Files to be looked into for extracting sensitive information
- Awesome Frida Scripts
1. Awesome starter tools.
These are some awesome tools useful for performing different tasks during iOS pentesting. Have a look:
- LonelyScreen: LonelyScreen is a screen mirroring application can be used to mirror the iOS device’s screen on the computer system. You can download LonelyScreen from below:
2. iMazing: iMazing tool is an amazing tool can be used for multiple purposes which includes browsing file systems of iOS devices in much better GUI. Also, you can take the backup of any application including their file system. iMazing lets the user download all application data into the computer’s local storage. We see the application of iMazing in later part of this blog. Find iMazing here.
iMazing | iPhone, iPad & iPod Manager for Mac & PC
Get a trusted software to transfer and save your music, messages, files and data. Safely back up any iPhone, iPad or…
3. plist viewer/editor: Plist editor pro is a tool to view and edit .plist files extracted from the application’s local storage e.g. info.plist, nsuserdefaults.plist, etc. You can browse and view .plist file in a well-structured format.
plist Editor - reading and edit plist files for Windows
In the Mac OS X and iPhone OS, property list files are files that store serialized objects. Property list files use the…
4. DBBrowser: With DBBrowser we can open and view .sqlite files in extracted from iOS application’s local filesystem. The application has better GUI to browse tables and columns to find sneaky information application is storing in iOS device’s local filesystem
DB Browser for SQLite
DB Browser for SQLite (DB4S) is a high quality, visual, open source tool to create, design, and edit database files…
5. Cydia Impactor: Cydia Impactor can be used to install .ipa files into an iOS device directly from the computer. You can directly drag and drop install patched .ipa into Cydia impactor which will further push and install file in iOS device. I have described how to install apps using Cydia impactor in this article below.
Cydia Impactor is a GUI tool for working with mobile devices. It has features already, but is still very much a…
6. M-terminal: M-terminal from BigBoss repo of Cydia is a command-line tool can be used to run commands on iOS device. M-terminal can be installed directly by adding bigboss repo in Cydia. Find how to install M-terminal in this article below.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Version: v3.0 beta Mobile Security Framework (MobSF) is an automated, all-in-one mobile application…
npm install -g passionfruit
WIP] Crappy iOS app analyzer. Contribute to chaitin/passionfruit development by creating an account on GitHub.
Make sure you have installed Node.js and npm on the system.
SSH is one of the first things you should install and set up on your jailbroken iOS device because it makes securely transferring files to and from your device very easy. I have explained how to connect via ssh in the later part of the blog.
10. Binary Cookie reader:
BinaryCookieReader is used to dump all the cookies from the binary Cookies.binarycookies file.
2. Jailbreaking iOS 12.1–12.4 device:
1. Open “ https://iosninja.io/ipa-library/download-unc0ver-jailbreak-ios-12-iphone-ipad-ipod" from your iOS device
2. Click on “ Tap to install on the device (v4.0.2)” and install the application.
3. Open Unc0ver application
4. If the error “Untrusted Enterprise Developer” occurs, goto system settings
5. Goto “General”
6. Scroll down to “Profile and Device Management”
7. In Enterprise apps click on “TOYOTA MOTOR FINANCE (CHINA) CO. LTD.”
8. Click on Trust “TOYOTA MOTOR FINANCE (CHINA) CO. LTD.”
9. Now open Unc0ver application and click on “Jailbreak”.
10. This may take some time and your device will respring several times. If jailbreak fails, try the same process again.
11. Once all things go well, the device will jailbreak and Cydia will get sideloaded on the device.
3. Jailbreak detection bypass using Liberty Lite
1. Open Cydia on your iOS device.
2. Tap on “Sources >Edit>Add”
3. Type “http://ryleyangus.com/repo/" in the URL input box
4. It will add a repo in sources. Now open the source and open search.
5. Search and install “Liberty Lite”, make sure to delete any earlier versions from your device first if installed.
6. Open “Settings>Liberty Lite” to apply the patches and configure the tweak. 7. Tap on “Block Jailbreak Detection” toggle for your target iOS application.
4. SSL pinning bypass for iOS 12.4
1. Open Cydia in your iOS device and goto “Search”
2. Search for “Filza” and install Filza
3. Now goto “https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.13/com.nablac0d3.sslkillswitch2_0.13.deb" from your iOS device and download debian script.
4. Open filza and navigate to .deb file downloaded in step 3.
5. Click on .deb file and the script will get installed in the device.
6. Configure device with burpsuite to intercept iOS device HTTP traffic.
7. Now open System settings and scroll down to “SSL Kill Switch 2” and turn on “Disable Certificate Validation” toggle.
8. Open target application and you can intercept HTTP traffic in BurpSuite
5. Install the terminal app (M-Terminal)
1. Open “Cydia” and goto Search
2. Type “Mterminal”
3. Click on install on top right-hand side.
4. MTerminal will get installed on iOS device.
5. You can open MTerminal directly from the device.
6. Connect the iOS device via SSH:
1. Open Cydia from jailbroken iOS device and goto search tab
2. Search for “OpenSSH” and click on the first result.
3. Click on Install and “OpenSSH” Cydia repo will get install into the device.
4. Now from the system, open an SSH connection client and add wifi IP address of iOS device
5. The default username is “root” and password is “alpine”
6. Your iOS device will get connected to the system via ssh.
7. Browse application files in iOS device with iMazing
1. Install iMazing application in pc from here “https://imazing.com/”
2. Connect iOS device to pc with cable and open iMazing application.
3. Click on Backup now if prompted.
4. Goto device name and Navigate to “File System”
5. Browse any root folder along with all application’s root files and data files.
8. Extract .ipa file from iOS device with iMazing:
1. Install iMazing application in pc from here “https://imazing.com/"
2. Connect iOS device to pc with cable and open iMazing application.
3. Click on Backup now if prompted.
4. Right-click on the device name and select “Manage Apps”
5. Click on the “Device” tab
6. Now right click and select “Install .IPA file”
7. Select .ipa file and click open.
8. Application from .ipa will get installed into iOS device.
9. Pentesting with Objection:
I have covered “how to setup objection into system” in this article:
A run-time approach for penetration testing of iOS apps Part-I
Hello everybody, This article will cover dynamic run-time penetration testing of iOS applications using objection…
We will see explore some good test cases with objection. After configuring objection, connect iOS device to system via usb cable and run following command to list out all running processes on iOS device:
Now find your application’s package name and run following command:
objection -g YOUR-APPLICATION-NAME explore
i. SSL pinning bypass:
ii. Browse application files stored on local device:
iii. Memory dump:
We will download and save memory dump into json file:
memory list modules --json memory.json
It will list memory modules and store in “memory.json” To read memory.json
iv. Dump Keychain data:
ios keychain dump
10. Files to be looked into for extracting sensitive information:
NSUserDefaults uses no encryption and is part of your app's sandbox. Thus will be removed once the app is removed. Other application. Everyone with access to a device can open or copy the file and read the information without encryption.
ii .sqlite files:
SQLite library that comes with iOS is a lightweight and powerful relational database engine that can be easily embedded into an application. The library provides fast access to database records. Unencrypted sensitive information stored in an SQLite file can be stolen easily by gaining physical access to the device or from the device backup. In addition, if an entry is deleted, SQLite tags the records as deleted but not purge them. Therefore, in case an application temporarily stores and removes the sensitive data from an SQLite file, deleted data can be recovered easily by reading the SQLite Write Ahead Log
iii .plist files:
.plist Files is another method of storing information onto the device unencrypted. That data is easily accessible, so it should not be used to store sensitive data like Access tokens, Usernames or passwords. Also, check if the application’s local authentication password/pin getting stored in these files.
iv. Server-related sensitive information in client-side files:
Application some times stores server-specific information in files which are not intended for user. This information includes Oauth tokens, api keys, encryption keys, unencrypted access credentials, error logs, admin panel credentials, etc.
11. Awesome frida scripts:
i. dump-ios-url-scheme.js: Dump iOS url scheme when “openURL” is called.
ii. ios-app-static-analysis.js: iOS app static analysis
iii. read-nsuserdefaults.js: Show contents fo NSUserDefaults
iv. show-all-methods-of-specific-class.js: Dump all methods of a particular class
v. show_binarycookies.js: Show contents of Cookies.binarycookies file
Find these and more at https://github.com/interference-security/frida-scripts/tree/master/iOS