Środowisko testowe iOS

Tip

Ucz się i ćwicz Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Ucz się i ćwicz Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Ucz się i ćwicz Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Wsparcie dla HackTricks

Apple Developer Program

A provisioning identity to zbiór kluczy publicznych i prywatnych powiązanych z kontem dewelopera Apple. Aby sign apps musisz zapłacić 99$/year i zarejestrować się w Apple Developer Program, aby uzyskać swoją provisioning identity. Bez tego nie będziesz w stanie uruchomić aplikacji ze źródła na fizycznym urządzeniu. Inną opcją jest użycie jailbroken device.

Od Xcode 7.2 Apple udostępniło opcję tworzenia free iOS development provisioning profile, która pozwala pisać i testować aplikację na prawdziwym iPhone. Przejdź do Xcode –> Preferences –> Accounts –> + (Add new Appli ID you your credentials) –> Click on the Apple ID created –> Manage Certificates –> + (Apple Development) –> Done
__Then, in order to run your application in your iPhone you need first to indicate the iPhone to trust the computer. Then, you can try to run the application in the mobile from Xcode, but and error will appear. So go to Settings –> General –> Profiles and Device Management –> Select the untrusted profile and click “Trust”.

On iOS 16+, Developer Mode musi być również włączony na urządzeniu zanim lokalnie zainstalowane aplikacje podpisane rozwojowo (lub aplikacje przepisane z get-task-allow) będą działać. Ta opcja pojawia się tylko po sparowaniu urządzenia z Xcode lub po jednokrotnym zainstalowaniu aplikacji podpisanej rozwojowo. Przebieg: sparuj urządzenie, wywołaj instalację z Xcode, potem włącz Settings –> Privacy & Security –> Developer Mode, zrestartuj urządzenie i potwierdź monit po odblokowaniu.

Zauważ, że aplikacje podpisane tym samym certyfikatem mogą bezpiecznie współdzielić zasoby, np. elementy keychain.

Pliki provisioning profiles są przechowywane na telefonie w /Library/MobileDevice/ProvisioningProfiles

Modern host-side device tooling

Dla współczesnych testów iOS, narzędzia po stronie hosta są coraz bardziej podzielone na:

  • xcrun simctl do zarządzania simulatorami
  • xcrun xctrace list devices do enumeracji simulatorów i urządzeń fizycznych
  • xcrun devicectl (Xcode 15+) do interakcji z sparowanymi urządzeniami fizycznymi z linii poleceń

Przydatne przykłady:

# List booted simulators
xcrun simctl list | grep Booted

# List all visible devices/simulators
xcrun xctrace list devices

# List paired physical devices (Xcode 15+)
xcrun devicectl list devices

devicectl jest szczególnie przydatne w pipeline’ach automatyzacji, gdy trzeba zainstalować lub uruchomić test build bez otwierania Xcode:

xcrun devicectl device install app --device <udid> <path_to_app_or_ipa>
xcrun devicectl device launch app --terminate-existing --device <udid> <bundle_id>

Keep Xcode updated when testing iOS 17+ devices. Apple moved developer services to the CoreDevice stack and also changed how Developer Disk Images are handled, so outdated host tooling frequently fails with pairing, image-mounting, or app-launch errors.

Simulator

Tip

Zwróć uwagę, że simulator nie jest tym samym co emulator. Simulator jedynie symuluje zachowanie urządzenia i funkcji, ale faktycznie z nich nie korzysta.

Simulator

Pierwsza rzecz, którą musisz wiedzieć, to że przeprowadzanie pentestu w simulatorze jest znacznie bardziej ograniczone niż na urządzeniu z jailbreakiem.

Wszystkie narzędzia potrzebne do budowy i wsparcia aplikacji iOS są oficjalnie wspierane tylko na Mac OS.
De facto narzędziem Apple do tworzenia/debugowania/instrumentacji aplikacji iOS jest Xcode. Może być używane do pobierania innych komponentów, takich jak simulators i różne SDK versions wymagane do zbudowania i testowania aplikacji.
Zdecydowanie zaleca się pobieranie Xcode z oficjalnego App Store. Inne wersje mogą zawierać malware.

The simulator files can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices

Simulator jest nadal bardzo przydatny do szybkiego testowania artefaktów systemu plików, NSUserDefaults, parsowania plist, własnych schematów URL oraz podstawowej instrumentacji w czasie wykonania. Jednak pamiętaj, że nie emuluje kilku właściwości bezpieczeństwa urządzenia fizycznego, które są często istotne podczas pentestu, takich jak Secure Enclave, baseband, niektóre zachowania kontroli dostępu keychain, realistyczne przepływy biometryczne, oraz warunki wykonania specyficzne dla jailbreak.

To open the simulator, run Xcode, then press in the Xcode tab –> Open Developer tools –> Simulator
__W poniższym obrazie klikając w “iPod touch […]” możesz wybrać inne urządzenie do testów:

Aplikacje w Simulatorze

Inside /Users/<username>/Library/Developer/CoreSimulator/Devices you may find all the installed simulators. If you want to access the files of an application created inside one of the emulators it might be difficult to know in which one the app is installed. A quick way to find the correct UID is to execute the app in the simulator and execute:

xcrun simctl list | grep Booted
iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)

Once you know the UID the apps installed within it can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application

However, surprisingly you won’t find the application here. You need to access /Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/

And in this folder you can find the package of the application.

Emulator

Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per user license model and does not offer any trial license.

Jailbreak nie jest wymagany

Sprawdź ten wpis na blogu o tym, jak pentestować aplikację iOS na urządzeniu bez Jailbreak:

iOS Pentesting withuot Jailbreak

Jailbreaking

Apple strictly requires that the code running on the iPhone must be signed by a certificate issued by Apple. Jailbreaking is the process of actively circumventing such restrictions and other security controls put in places by the OS. Therefore, once the device is jailbroken, the integrity check which is responsible for checking apps being installed is patched so it is bypassed.

Tip

Unlike Android, you cannot switch to “Developer Mode” in iOS to run unsigned/untrusted code on the device.

Android Rooting vs. iOS Jailbreaking

While often compared, rooting on Android and jailbreaking on iOS are fundamentally different processes. Rooting Android devices might involve installing the su binary or replacing the system with a rooted custom ROM, which doesn’t necessarily require exploits if the bootloader is unlocked. Flashing custom ROMs replaces the device’s OS after unlocking the bootloader, sometimes requiring an exploit.

In contrast, iOS devices cannot flash custom ROMs due to the bootloader’s restriction to only boot Apple-signed images. Jailbreaking iOS aims to bypass Apple’s code signing protections to run unsigned code, a process complicated by Apple’s continuous security enhancements.

Jailbreaking Challenges

Jailbreaking iOS is increasingly difficult as Apple patches vulnerabilities quickly. Downgrading iOS is only possible for a limited time after a release, making jailbreaking a time-sensitive matter. Devices used for security testing should not be updated unless re-jailbreaking is guaranteed.

iOS updates are controlled by a challenge-response mechanism (SHSH blobs), allowing installation only for Apple-signed responses. This mechanism, known as a “signing window”, limits the ability to store and later use OTA firmware packages. The IPSW Downloads website is a resource for checking current signing windows.

Jailbreak Varieties

  • Tethered jailbreaks require a computer connection for each reboot.
  • Semi-tethered jailbreaks allow booting into non-jailbroken mode without a computer.
  • Semi-untethered jailbreaks require manual re-jailbreaking without needing a computer.
  • Untethered jailbreaks offer a permanent jailbreak solution without the need for re-application.

Jailbreaking Tools and Resources

Jailbreaking tools vary by iOS version and device. Resources such as Can I Jailbreak?, The iPhone Wiki, and Reddit Jailbreak provide up-to-date information. Examples include:

  • Checkra1n for older A7-A11/iOS 12-14 era research devices.
  • Palera1n for checkm8-compatible devices (A8-A11) on iOS/iPadOS 15+.
  • Dopamine for many arm64/arm64e devices on iOS 15/16 using a modern rootless jailbreak.
  • Unc0ver remains relevant mainly for older iOS versions up to 14.8.

Modyfikowanie urządzenia wiąże się z ryzykiem i do jailbreaking należy podchodzić ostrożnie.

Rootless jailbreaks

Modern iOS 15+ jailbreaks are commonly rootless instead of rootful. From a tester perspective, this matters because a lot of older guides still assume that jailbreak files live directly under / or /Library/..., which is no longer true on many current setups.

  • Rootless jailbreaks avoid modifying the sealed system volume directly.
  • On palera1n, jailbreak files are typically stored under a randomized path in /private/preboot/... and exposed through the stable symlink /var/jb.
  • Tweaks, launch daemons, and helper binaries might therefore exist under /var/jb instead of the legacy rootful locations.

This has a direct impact on environment validation, Frida setup, and jailbreak detection bypass:

  • When checking whether your tooling installed correctly, inspect both legacy paths and /var/jb.
  • When reviewing jailbreak detection logic in an app, remember that modern checks often look for rootless artifacts and symlinks in addition to classic indicators like Cydia.app.
  • If a third-party script or tweak assumes a rootful filesystem layout, it may fail silently on a rootless device.

Jailbreaking Benefits and Risks

Jailbreaking removes OS-imposed sandboxing, allowing apps to access the entire filesystem. This freedom enables the installation of unapproved apps and access to more APIs. However, for regular users, jailbreaking is not recommended due to potential security risks and device instability.

After Jailbreaking

iOS Basic Testing Operations

Jailbreak Detection

Several applications will try to detect if the mobile is jailbroken and in that case the application won’t run

  • After jailbreaking an iOS files and folders are usually installed, these can be searched to determine if the device is jailbroken.
  • In modern rootless jailbreaks, those files may appear under /var/jb or resolve through symlinks into /private/preboot/... instead of only in classic rootful locations.
  • In a jailbroken device applications get read/write access to new files outside the sandbox
  • Some API calls will behave differently
  • The presence of the OpenSSH service
  • Calling /bin/sh will return 1 instead of 0

More information about how to detect jailbreaking here.

You can try to avoid this detections using objection’s ios jailbreak disable

Jailbreak Detection Bypass

  • You can try to avoid this detections using objection’s ios jailbreak disable
  • You could also install the tool Liberty Lite (https://ryleyangus.com/repo/). Once the repo is added, the app should appear in the ‘Search’ tab

References

Tip

Ucz się i ćwicz Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Ucz się i ćwicz Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Ucz się i ćwicz Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Wsparcie dla HackTricks