hacktricks/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md
Carlos Polop dc1a2bea04 b
2024-07-19 01:16:27 +02:00

12 KiB

iOS Basic Testing Operations

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Summary of iOS Device Identification and Access

Identifying the UDID of an iOS Device

To identify an iOS device uniquely, a 40-digit sequence known as the UDID is used. On macOS Catalina or newer, this can be found in the Finder app, as iTunes is no longer present. The device, once connected via USB and selected in Finder, reveals its UDID among other information when the details under its name are clicked through.

For versions of macOS prior to Catalina, iTunes facilitates the discovery of the UDID. Detailed instructions can be found here.

Command-line tools offer alternative methods for retrieving the UDID:

  • Using I/O Registry Explorer tool ioreg:
$ ioreg -p IOUSB -l | grep "USB Serial"
  • Using ideviceinstaller for macOS (and Linux):
$ brew install ideviceinstaller
$ idevice_id -l
  • Utilizing system_profiler:
$ system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:"
  • Employing instruments to list devices:
$ instruments -s devices

Accessing the Device Shell

SSH access is enabled by installing the OpenSSH package post-jailbreak, allowing connections via ssh root@<device_ip_address>. It's crucial to change the default passwords (alpine) for users root and mobile to secure the device.

SSH over USB becomes necessary in the absence of Wi-Fi, using iproxy to map device ports for SSH connections. This setup enables SSH access through USB by running:

$ iproxy 2222 22
$ ssh -p 2222 root@localhost

On-device shell applications, like NewTerm 2, facilitate direct device interaction, especially useful for troubleshooting. Reverse SSH shells can also be established for remote access from the host computer.

Resetting Forgotten Passwords

To reset a forgotten password back to the default (alpine), editing the /private/etc/master.passwd file is necessary. This involves replacing the existing hash with the hash for alpine next to the root and mobile user entries.

Data Transfer Techniques

Transferring App Data Files

Archiving and Retrieval via SSH and SCP: It's straightforward to archive the application's Data directory using tar and then transfer it using scp. The command below archives the Data directory into a .tgz file, which is then pulled from the device:

tar czvf /tmp/data.tgz /private/var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693
exit
scp -P 2222 root@localhost:/tmp/data.tgz .

Graphical User Interface Tools

Using iFunbox and iExplorer: These GUI tools are useful for managing files on iOS devices. However, starting with iOS 8.4, Apple restricted these tools' access to the application sandbox unless the device is jailbroken.

Using Objection for File Management

Interactive Shell with Objection: Launching objection provides access to the Bundle directory of an app. From here, you can navigate to the app's Documents directory and manage files, including downloading and uploading them to and from the iOS device.

objection --gadget com.apple.mobilesafari explorer
cd /var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/Documents
file download <filename>

Obtaining and Extracting Apps

Acquiring the IPA File

Over-The-Air (OTA) Distribution Link: Apps distributed for testing via OTA can be downloaded using the ITMS services asset downloader tool, which is installed via npm and used to save the IPA file locally.

npm install -g itms-services
itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa

Extracting the App Binary

  1. From an IPA: Unzip the IPA to access the decrypted app binary.
  2. From a Jailbroken Device: Install the app and extract the decrypted binary from memory.

Decryption Process

Manual Decryption Overview: iOS app binaries are encrypted by Apple using FairPlay. To reverse-engineer, one must dump the decrypted binary from memory. The decryption process involves checking for the PIE flag, adjusting memory flags, identifying the encrypted section, and then dumping and replacing this section with its decrypted form.

Checking and Modifying PIE Flag:

otool -Vh Original_App
python change_macho_flags.py --no-pie Original_App
otool -Vh Hello_World

Identifying Encrypted Section and Dumping Memory:

Determine the encrypted section's start and end addresses using otool and dump the memory from the jailbroken device using gdb.

otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO
dump memory dump.bin 0x8000 0x10a4000

Overwriting the Encrypted Section:

Replace the encrypted section in the original app binary with the decrypted dump.

dd bs=1 seek=<starting_address> conv=notrunc if=dump.bin of=Original_App

Finalizing Decryption: Modify the binary's metadata to indicate the absence of encryption using tools like MachOView, setting the cryptid to 0.

Decryption (Automatically)

frida-ios-dump

The frida-ios-dump tool is employed for automatically decrypting and extracting apps from iOS devices. Initially, one must configure dump.py to connect to the iOS device, which can be done through localhost on port 2222 via iproxy or directly via the device's IP address and port.

Applications installed on the device can be listed with the command:

$ python dump.py -l

To dump a specific app, such as Telegram, the following command is used:

$ python3 dump.py -u "root" -p "<PASSWORD>" ph.telegra.Telegraph

This command initiates the app dump, resulting in the creation of a Telegram.ipa file in the current directory. This process is suitable for jailbroken devices, as unsigned or fake-signed apps can be reinstalled using tools like ios-deploy.

flexdecrypt

The flexdecrypt tool, along with its wrapper flexdump, allows for the extraction of IPA files from installed applications. Installation commands for flexdecrypt on the device include downloading and installing the .deb package. flexdump can be used to list and dump apps, as shown in the commands below:

apt install zip unzip
wget https://gist.githubusercontent.com/defparam/71d67ee738341559c35c684d659d40ac/raw/30c7612262f1faf7871ba8e32fbe29c0f3ef9e27/flexdump -P /usr/local/bin; chmod +x /usr/local/bin/flexdump
flexdump list
flexdump dump Twitter.app

bagbak

bagbak, another Frida-based tool, requires a jailbroken device for app decryption:

bagbak --raw Chrome

r2flutch

r2flutch, utilizing both radare and frida, serves for app decryption and dumping. More information can be found on its GitHub page.

Installing Apps

Sideloading refers to installing applications outside the official App Store. This process is handled by the installd daemon and requires apps to be signed with an Apple-issued certificate. Jailbroken devices can bypass this through AppSync, enabling the installation of fake-signed IPA packages.

Sideloading Tools

  • Cydia Impactor: A tool for signing and installing IPA files on iOS and APK files on Android. Guides and troubleshooting can be found on yalujailbreak.net.

  • libimobiledevice: A library for Linux and macOS to communicate with iOS devices. Installation commands and usage examples for ideviceinstaller are provided for installing apps over USB.

  • ipainstaller: This command-line tool allows direct app installation on iOS devices.

  • ios-deploy: For macOS users, ios-deploy installs iOS apps from the command line. Unzipping the IPA and using the -m flag for direct app launch are part of the process.

  • Xcode: Utilize Xcode to install apps by navigating to Window/Devices and Simulators and adding the app to Installed Apps.

Allow Application Installation on Non-iPad Devices

To install iPad-specific applications on iPhone or iPod touch devices, the UIDeviceFamily value in the Info.plist file needs to be changed to 1. This modification, however, requires re-signing the IPA file due to signature validation checks.

Note: This method might fail if the application demands capabilities exclusive to newer iPad models while using an older iPhone or iPod touch.

References

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}