iOS App Pentesting Environment Setup

Apple Developer Program

  • Provisioning Identity: Requires a $99/year Apple Developer Program subscription to obtain a provisioning identity for signing apps. Necessary to run apps from source code on physical devices.

  • Free Provisioning Profile (Xcode 7.2+):

    • Create a free iOS development provisioning profile in Xcode:

      1. Go to Xcode → Preferences → Accounts → Add Apple ID → Manage Certificates → Add Apple Development certificate.

      2. Trust the computer on the iPhone, then trust the untrusted profile in Settings → General → Profiles and Device Management.

    • Allows testing on a real iPhone without jailbreaking.

  • Resource Sharing: Apps signed with the same certificate can securely share resources (e.g., keychain items).

  • Storage Location: Provisioning profiles are stored in /Library/MobileDevice/ProvisioningProfiles on the device.

Simulator

  • Simulator vs. Emulator: Simulators mimic device behavior but do not replicate exact hardware functionality, limiting pentesting capabilities compared to jailbroken devices.

  • Requirements: Xcode is the primary tool for creating, debugging, and instrumenting iOS apps. Only officially supported on macOS.

    • Download Xcode from the official App Store to avoid malware risks.

    • Xcode includes simulators and SDKs for building and testing apps.

  • Simulator Files: Located in /Users/<username>/Library/Developer/CoreSimulator/Devices.

  • Accessing Simulator:

    • Open Xcode → Xcode tab → Open Developer Tools → Simulator.

    • Select different devices (e.g., iPod touch, iPhone) from the simulator interface.

  • Application Files in Simulator:

    • Find installed simulators in /Users/<username>/Library/Developer/CoreSimulator/Devices.

    • Identify the correct simulator UID by running:

      xcrun simctl list | grep Booted

      Example output: iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted).

    • App data is located in /Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application.

    • App package is found in /Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/.
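The steps above (find the booted simulator's UDID, then walk to the app's data container) as a small POSIX shell helper. This is an added example, not code from the original page: the simctl output is a constructed sample so it runs offline, the paths follow the CoreSimulator layout named above, and the bundle-id lookup relies on the hidden .com.apple.mobile_container_manager.metadata.plist that each data container carries (an assumption about the container layout, stated here rather than in the original text).

```shell
#!/bin/sh
# Added example, not from the original page: locate the booted simulator's
# UDID from `xcrun simctl list` output and walk from it to an app's data
# container. SAMPLE_SIMCTL_OUTPUT is constructed so this runs offline; on
# macOS feed the real command instead:  xcrun simctl list | booted_udids

SAMPLE_SIMCTL_OUTPUT='== Devices ==
-- iOS 16.4 --
    iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)
    iPhone 14 (1B2C3D4E-5F60-4718-9A0B-C1D2E3F4A5B6) (Shutdown)'

# Read simctl output on stdin and print the UDID of every booted device.
# Lines look like "<name> (<UDID>) (<state>)"; a UDID is 36 hex/hyphen chars.
# Exits non-zero when no simulator is booted.
booted_udids() {
    sed -n 's/^.*(\([0-9A-F-]\{36\}\)) (Booted).*$/\1/p' | grep .
}

# Device directory for a UDID (the CoreSimulator path named in the text).
sim_device_dir() {
    printf '%s/Library/Developer/CoreSimulator/Devices/%s\n' \
        "${HOME:-/Users/unknown}" "$1"
}

# Directory holding the per-app data containers of that device. Each
# container is a UUID-named folder, distinct from the device UDID.
sim_app_data_root() {
    printf '%s/data/Containers/Data/Application\n' "$(sim_device_dir "$1")"
}

# Map a bundle identifier to its data container (assumed layout: every
# container holds a hidden .com.apple.mobile_container_manager.metadata.plist
# naming the owning bundle id; grep -l also matches inside the binary plist).
# $1 = the Application directory from sim_app_data_root, $2 = bundle id.
find_app_container() {
    plist=$(find "$1" -mindepth 2 -maxdepth 2 \
        -name '.com.apple.mobile_container_manager.metadata.plist' \
        -exec grep -l "$2" {} \; 2>/dev/null | head -n 1)
    [ -n "$plist" ] || return 1
    dirname "$plist"
}

# Demo against the constructed sample: prints the UDID and the derived path.
udid=$(printf '%s\n' "$SAMPLE_SIMCTL_OUTPUT" | booted_udids)
echo "Booted UDID: $udid"
echo "App data root: $(sim_app_data_root "$udid")"
```

On a real Mac the same lookup is also available directly as `xcrun simctl get_app_container booted <bundle-id> data`; the script above is useful when you want to script over several booted devices or inspect a copied CoreSimulator tree offline.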

Emulator

  • Corellium: The only publicly available iOS emulator. Enterprise SaaS solution with per-user licensing; no trial available.

Jailbreaking

  • Overview: Bypasses Apple’s code-signing restrictions to run unsigned code, disabling integrity checks.

  • Android vs. iOS:

    • Android rooting may involve su binary or custom ROMs, sometimes without exploits if the bootloader is unlocked.

    • iOS jailbreaking requires exploits to bypass code-signing protections; custom ROMs are not possible due to bootloader restrictions.

  • Challenges:

    • Apple patches vulnerabilities quickly, making jailbreaking difficult.

    • Downgrading iOS is limited by signing windows (SHSH blobs). Check current signing windows at IPSW Downloads.

    • Avoid updating devices used for testing unless re-jailbreaking is guaranteed.

  • Jailbreak Types:

    • Tethered: Requires a computer for each reboot.

    • Semi-tethered: Can reboot without a computer, but only into a non-jailbroken state; a computer is needed to re-apply the jailbreak.

    • Semi-untethered: Can also reboot without a computer into a non-jailbroken state, but the jailbreak is re-applied manually from an app on the device, with no computer required.

    • Untethered: Permanent jailbreak without re-application.

  • Tools and Resources:

    • Tools: Checkra1n (A7-A11 chips), Palera1n (A8-A11, iOS 15.0-16.5), Unc0ver (up to iOS 14.8).

    • Caution: Jailbreaking carries risks of instability and security vulnerabilities.

Jailbreaking Benefits and Risks

  • Benefits:

    • Removes sandboxing, granting apps full filesystem access.

    • Allows installation of unapproved apps and access to additional APIs.

  • Risks:

    • Not recommended for regular users due to security risks and potential device instability.

Post-Jailbreaking

  • Jailbreak Detection:

    • Apps may detect jailbroken devices and refuse to run.

    • Indicators of jailbreaking:

      • Presence of jailbreak-related files/folders.

      • Read/write access outside the sandbox.

      • Altered API call behavior.

      • OpenSSH service presence.

      • A check for /bin/sh (e.g., system(NULL)) returns 1 instead of 0, because a shell is available on a jailbroken device.
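The indicator list above, turned into a small audit script a tester can run over SSH on the jailbroken test device (root "/") or against a mounted filesystem image, to see exactly which signals an app's jailbreak-detection routine would pick up. This is an added example and not code from the original page; the concrete artefact paths are an assumption (commonly cited ones), since the text only names the categories (files/folders, OpenSSH, writes outside the sandbox, /bin/sh availability).

```shell
#!/bin/sh
# Added example, not from the original page: enumerate the jailbreak
# indicators listed in the text on a filesystem root. The path list is an
# assumption (commonly cited artefacts); the page names only the categories.

JB_PATHS='Applications/Cydia.app
Applications/Sileo.app
Library/MobileSubstrate/MobileSubstrate.dylib
usr/sbin/sshd
bin/bash
etc/apt
private/var/lib/apt'

# Print each known artefact that exists below root $1, one per line.
jb_present_paths() {
    root=${1%/}
    printf '%s\n' "$JB_PATHS" | while IFS= read -r p; do
        if [ -e "$root/$p" ]; then printf '/%s\n' "$p"; fi
    done
    return 0
}

# Number of artefacts found (0 expected on a stock device).
jb_indicator_count() {
    jb_present_paths "$1" | wc -l | tr -d ' '
}

# A sandboxed app cannot create files under /private; on a jailbroken
# device the write succeeds. Prints 1 if writable, else 0.
sandbox_write_check() {
    probe="${1%/}/private/jb_probe.$$"
    if printf 'probe' > "$probe" 2>/dev/null; then
        rm -f "$probe"
        echo 1
    else
        echo 0
    fi
}

# The text's "/bin/sh returns 1 instead of 0" check as a yes/no:
# prints 1 when a shell at <root>/bin/sh can be executed, else 0.
shell_available() {
    if "${1%/}/bin/sh" -c 'exit 0' >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Human-readable summary for one root.
jb_report() {
    root=${1:-/}
    echo "Artefacts found: $(jb_indicator_count "$root")"
    jb_present_paths "$root" | sed 's/^/  /'
    echo "Writable outside sandbox: $(sandbox_write_check "$root")"
    echo "Shell available: $(shell_available "$root")"
}

jb_report "${1:-/}"
```

The report is useful in both directions: it shows which artefacts to expect an app to look for on your device, and, when you are the app's developer, which of these cheap checks are worth combining (no single indicator is reliable, and each one is trivially absent on a stock device).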

  • Bypassing Jailbreak Detection:

    • Use objection command: ios jailbreak disable.

    • Install the Liberty Lite tweak from its repo using the package manager's Search tab.
