hacktricks/mobile-pentesting/ios-pentesting/ios-testing-environment.md
2024-12-12 11:39:29 +01:00

11 KiB
Raw Blame History

iOS Testing Environment

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Apple Developer Program

A provisioning identity is a collection of public and private keys that are associated an Apple developer account. In order to sign apps you need to pay 99$/year to register in the Apple Developer Program to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a jailbroken device.

Starting in Xcode 7.2 Apple has provided an option to create a free iOS development provisioning profile that allows to write and test your application on a real iPhone. Go to Xcode --> Preferences --> Accounts --> + (Add new Appli ID you your credentials) --> Click on the Apple ID created --> Manage Certificates --> + (Apple Development) --> Done
__Then, in order to run your application in your iPhone you need first to indicate the iPhone to trust the computer. Then, you can try to run the application in the mobile from Xcode, but and error will appear. So go to Settings --> General --> Profiles and Device Management --> Select the untrusted profile and click "Trust".

Note that applications signed by the same signing certificate can share resources on a secure manner, like keychain items.

The provisioning profiles are stored inside the phone in /Library/MobileDevice/ProvisioningProfiles

Simulator

{% hint style="info" %} Note that a simulator isn't the same as en emulator. The simulator just simulates the behaviour of the device and functions but don't actually use them. {% endhint %}

Simulator

The first thing you need to know is that performing a pentest inside a simulator will much more limited than doing it in a jailbroken device.

All the tools required to build and support an iOS app are only officially supported on Mac OS.
Apple's de facto tool for creating/debugging/instrumenting iOS applications is Xcode. It can be used to download other components such as simulators and different SDK versions required to build and test your app.
It's highly recommended to download Xcode from the official app store. Other versions may be carrying malware.

The simulator files can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices

To open the simulator, run Xcode, then press in the Xcode tab --> Open Developer tools --> Simulator
__In the following image clicking in "iPod touch [...]" you can select other device to test in:

Applications in the Simulator

Inside /Users/<username>/Library/Developer/CoreSimulator/Devices you may find all the installed simulators. If you want to access the files of an application created inside one of the emulators it might be difficult to know in which one the app is installed. A quick way to find the correct UID is to execute the app in the simulator and execute:

xcrun simctl list | grep Booted
    iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)

Once you know the UID the apps installed within it can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application

However, surprisingly you won't find the application here. You need to access /Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/

And in this folder you can find the package of the application.

Emulator

Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per user license model and does not offer any trial license.

No Jailbreak needed

Check this blog post about how to pentest an iOS application in a non jailbroken device: https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed

Jailbreaking

Apple strictly requires that the code running on the iPhone must be signed by a certificate issued by Apple. Jailbreaking is the process of actively circumventing such restrictions and other security controls put in places by the OS. Therefore, once the device is jailbroken, the integrity check which is responsible for checking apps being installed is patched so it is bypassed.

{% hint style="info" %} Unlike Android, you cannot switch to "Developer Mode" in iOS to run unsigned/untrusted code on the device. {% endhint %}

Android Rooting vs. iOS Jailbreaking

While often compared, rooting on Android and jailbreaking on iOS are fundamentally different processes. Rooting Android devices might involve installing the su binary or replacing the system with a rooted custom ROM, which doesn't necessarily require exploits if the bootloader is unlocked. Flashing custom ROMs replaces the device's OS after unlocking the bootloader, sometimes requiring an exploit.

In contrast, iOS devices cannot flash custom ROMs due to the bootloader's restriction to only boot Apple-signed images. Jailbreaking iOS aims to bypass Apple's code signing protections to run unsigned code, a process complicated by Apple's continuous security enhancements.

Jailbreaking Challenges

Jailbreaking iOS is increasingly difficult as Apple patches vulnerabilities quickly. Downgrading iOS is only possible for a limited time after a release, making jailbreaking a time-sensitive matter. Devices used for security testing should not be updated unless re-jailbreaking is guaranteed.

iOS updates are controlled by a challenge-response mechanism (SHSH blobs), allowing installation only for Apple-signed responses. This mechanism, known as a "signing window", limits the ability to store and later use OTA firmware packages. The IPSW Downloads website is a resource for checking current signing windows.

Jailbreak Varieties

  • Tethered jailbreaks require a computer connection for each reboot.
  • Semi-tethered jailbreaks allow booting into non-jailbroken mode without a computer.
  • Semi-untethered jailbreaks require manual re-jailbreaking without needing a computer.
  • Untethered jailbreaks offer a permanent jailbreak solution without the need for re-application.

Jailbreaking Tools and Resources

Jailbreaking tools vary by iOS version and device. Resources such as Can I Jailbreak?, The iPhone Wiki, and Reddit Jailbreak provide up-to-date information. Examples include:

  • Checkra1n for A7-A11 chip devices.
  • Palera1n for Checkm8 devices (A8-A11) on iOS 15.0-16.5.
  • Unc0ver for iOS versions up to 14.8.

Modifying your device carries risks, and jailbreaking should be approached with caution.

Jailbreaking Benefits and Risks

Jailbreaking removes OS-imposed sandboxing, allowing apps to access the entire filesystem. This freedom enables the installation of unapproved apps and access to more APIs. However, for regular users, jailbreaking is not recommended due to potential security risks and device instability.

After Jailbreaking

{% content-ref url="basic-ios-testing-operations.md" %} basic-ios-testing-operations.md {% endcontent-ref %}

Jailbreak Detection

Several applications will try to detect if the mobile is jailbroken and in that case the application won't run

  • After jailbreaking an iOS files and folders are usually installed, these can be searched to determine if the device is jailbroken.
  • In a jailbroken device applications get read/write access to new files outside the sandbox
  • Some API calls will behave differently
  • The presence of the OpenSSH service
  • Calling /bin/sh will return 1 instead of 0

More information about how to detect jailbreaking here.

You can try to avoid this detections using objection's ios jailbreak disable

Jailbreak Detection Bypass

  • You can try to avoid this detections using objection's ios jailbreak disable
  • You could also install the tool Liberty Lite (https://ryleyangus.com/repo/). Once the repo is added, the app should appear in the Search tab

References

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}