mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
159 lines
11 KiB
Markdown
159 lines
11 KiB
Markdown
|
# iOS Testing Environment
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
## Apple Developer Program
|
|||
|
|
|||
|
A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**.
|
|||
|
|
|||
|
Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ (Add new Appli ID you your credentials) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ (Apple Development) --> _Done_\
|
|||
|
\_\_Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**".
|
|||
|
|
|||
|
Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**.
|
|||
|
|
|||
|
The provisioning profiles are stored inside the phone in **`/Library/MobileDevice/ProvisioningProfiles`**
|
|||
|
|
|||
|
## **Simulator**
|
|||
|
|
|||
|
{% hint style="info" %}
|
|||
|
Note that a **simulator isn't the same as en emulator**. The simulator just simulates the behaviour of the device and functions but don't actually use them.
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
### **Simulator**
|
|||
|
|
|||
|
The first thing you need to know is that **performing a pentest inside a simulator will much more limited than doing it in a jailbroken device**.
|
|||
|
|
|||
|
All the tools required to build and support an iOS app are **only officially supported on Mac OS**.\
|
|||
|
Apple's de facto tool for creating/debugging/instrumenting iOS applications is **Xcode**. It can be used to download other components such as **simulators** and different **SDK** **versions** required to build and **test** your app.\
|
|||
|
It's highly recommended to **download** Xcode from the **official app store**. Other versions may be carrying malware.
|
|||
|
|
|||
|
The simulator files can be found in `/Users/<username>/Library/Developer/CoreSimulator/Devices`
|
|||
|
|
|||
|
To open the simulator, run Xcode, then press in the _Xcode tab_ --> _Open Developer tools_ --> _Simulator_\
|
|||
|
\_\_In the following image clicking in "iPod touch \[...]" you can select other device to test in:
|
|||
|
|
|||
|
![](<../../.gitbook/assets/image (270).png>)
|
|||
|
|
|||
|
![](<../../.gitbook/assets/image (520).png>)
|
|||
|
|
|||
|
### Applications in the Simulator
|
|||
|
|
|||
|
Inside `/Users/<username>/Library/Developer/CoreSimulator/Devices` you may find all the **installed simulators**. If you want to access the files of an application created inside one of the emulators it might be difficult to know **in which one the app is installed**. A quick way to **find the correct UID** is to execute the app in the simulator and execute:
|
|||
|
|
|||
|
```bash
|
|||
|
xcrun simctl list | grep Booted
|
|||
|
iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)
|
|||
|
```
|
|||
|
|
|||
|
Once you know the UID the apps installed within it can be found in `/Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application`
|
|||
|
|
|||
|
However, surprisingly you won't find the application here. You need to access `/Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/`
|
|||
|
|
|||
|
And in this folder you can **find the package of the application.**
|
|||
|
|
|||
|
## Emulator
|
|||
|
|
|||
|
Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per user license model and does not offer any trial license.
|
|||
|
|
|||
|
## No Jailbreak needed
|
|||
|
|
|||
|
Check this blog post about how to pentest an iOS application in a **non jailbroken device**: [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
|
|||
|
|
|||
|
## Jailbreaking
|
|||
|
|
|||
|
Apple strictly requires that the code running on the iPhone must be **signed by a certificate issued by Apple**. **Jailbreaking** is the process of actively **circumventing such restrictions** and other security controls put in places by the OS. Therefore, once the device is jailbroken, the **integrity check** which is responsible for checking apps being installed is patched so it is **bypassed**.
|
|||
|
|
|||
|
{% hint style="info" %}
|
|||
|
Unlike Android, **you cannot switch to "Developer Mode"** in iOS to run unsigned/untrusted code on the device.
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
### Android Rooting vs. iOS Jailbreaking
|
|||
|
|
|||
|
While often compared, **rooting** on Android and **jailbreaking** on iOS are fundamentally different processes. Rooting Android devices might involve **installing the `su` binary** or **replacing the system with a rooted custom ROM**, which doesn't necessarily require exploits if the bootloader is unlocked. **Flashing custom ROMs** replaces the device's OS after unlocking the bootloader, sometimes requiring an exploit.
|
|||
|
|
|||
|
In contrast, iOS devices cannot flash custom ROMs due to the bootloader's restriction to only boot Apple-signed images. **Jailbreaking iOS** aims to bypass Apple's code signing protections to run unsigned code, a process complicated by Apple's continuous security enhancements.
|
|||
|
|
|||
|
### Jailbreaking Challenges
|
|||
|
|
|||
|
Jailbreaking iOS is increasingly difficult as Apple patches vulnerabilities quickly. **Downgrading iOS** is only possible for a limited time after a release, making jailbreaking a time-sensitive matter. Devices used for security testing should not be updated unless re-jailbreaking is guaranteed.
|
|||
|
|
|||
|
iOS updates are controlled by a **challenge-response mechanism** (SHSH blobs), allowing installation only for Apple-signed responses. This mechanism, known as a "signing window", limits the ability to store and later use OTA firmware packages. The [IPSW Downloads website](https://ipsw.me) is a resource for checking current signing windows.
|
|||
|
|
|||
|
### Jailbreak Varieties
|
|||
|
|
|||
|
* **Tethered jailbreaks** require a computer connection for each reboot.
|
|||
|
* **Semi-tethered jailbreaks** allow booting into non-jailbroken mode without a computer.
|
|||
|
* **Semi-untethered jailbreaks** require manual re-jailbreaking without needing a computer.
|
|||
|
* **Untethered jailbreaks** offer a permanent jailbreak solution without the need for re-application.
|
|||
|
|
|||
|
### Jailbreaking Tools and Resources
|
|||
|
|
|||
|
Jailbreaking tools vary by iOS version and device. Resources such as [Can I Jailbreak?](https://canijailbreak.com), [The iPhone Wiki](https://www.theiphonewiki.com), and [Reddit Jailbreak](https://www.reddit.com/r/jailbreak/) provide up-to-date information. Examples include:
|
|||
|
|
|||
|
* [Checkra1n](https://checkra.in/) for A7-A11 chip devices.
|
|||
|
* [Palera1n](https://palera.in/) for Checkm8 devices (A8-A11) on iOS 15.0-16.5.
|
|||
|
* [Unc0ver](https://unc0ver.dev/) for iOS versions up to 14.8.
|
|||
|
|
|||
|
Modifying your device carries risks, and jailbreaking should be approached with caution.
|
|||
|
|
|||
|
### Jailbreaking Benefits and Risks
|
|||
|
|
|||
|
Jailbreaking **removes OS-imposed sandboxing**, allowing apps to access the entire filesystem. This freedom enables the installation of unapproved apps and access to more APIs. However, for regular users, jailbreaking is **not recommended** due to potential security risks and device instability.
|
|||
|
|
|||
|
### **After Jailbreaking**
|
|||
|
|
|||
|
{% content-ref url="basic-ios-testing-operations.md" %}
|
|||
|
[basic-ios-testing-operations.md](basic-ios-testing-operations.md)
|
|||
|
{% endcontent-ref %}
|
|||
|
|
|||
|
### **Jailbreak Detection**
|
|||
|
|
|||
|
**Several applications will try to detect if the mobile is jailbroken and in that case the application won't run**
|
|||
|
|
|||
|
* After jailbreaking an iOS **files and folders are usually installed**, these can be searched to determine if the device is jailbroken.
|
|||
|
* In a jailbroken device applications get **read/write access to new files** outside the sandbox
|
|||
|
* Some **API** **calls** will **behave differently**
|
|||
|
* The presence of the **OpenSSH** service
|
|||
|
* Calling `/bin/sh` will **return 1** instead of 0
|
|||
|
|
|||
|
**More information about how to detect jailbreaking** [**here**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.**
|
|||
|
|
|||
|
You can try to avoid this detections using **objection's** `ios jailbreak disable`
|
|||
|
|
|||
|
## **Jailbreak Detection Bypass**
|
|||
|
|
|||
|
* You can try to avoid this detections using **objection's** `ios jailbreak disable`
|
|||
|
* You could also install the tool **Liberty Lite** (https://ryleyangus.com/repo/). Once the repo is added, the app should appear in the ‘Search’ tab
|
|||
|
|
|||
|
## References
|
|||
|
|
|||
|
* [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/)
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|