iOS okruženje za testiranje

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Apple Developer Program

A provisioning identity je skup javnih i privatnih ključeva povezanih sa Apple developer nalogom. Da biste potpisali aplikacije morate platiti 99$/year da se registrujete u Apple Developer Program i dobijete svoj provisioning identity. Bez toga nećete moći da pokrećete aplikacije iz izvornog koda na fizičkom uređaju. Druga opcija je korišćenje jailbroken device.

Starting in Xcode 7.2 Apple has provided an option to create a free iOS development provisioning profile that allows to write and test your application on a real iPhone. Go to Xcode –> Preferences –> Accounts –> + (Add new Appli ID you your credentials) –> Click on the Apple ID created –> Manage Certificates –> + (Apple Development) –> Done
__Then, in order to run your application in your iPhone you need first to indicate the iPhone to trust the computer. Then, you can try to run the application in the mobile from Xcode, but and error will appear. So go to Settings –> General –> Profiles and Device Management –> Select the untrusted profile and click “Trust”.

On iOS 16+, Developer Mode must also be enabled on the device before locally installed development-signed applications (or apps re-signed with get-task-allow) will run. This option only appears after pairing the device with Xcode or after installing a development-signed app once. The flow is: pair the device, trigger an install from Xcode, then enable Settings –> Privacy & Security –> Developer Mode, reboot, and confirm the prompt after unlock.

Note that applications signed by the same signing certificate can share resources on a secure manner, like keychain items.

The provisioning profiles are stored inside the phone in /Library/MobileDevice/ProvisioningProfiles

Modern host-side device tooling

For current iOS testing, the host tooling is increasingly split between:

  • xcrun simctl for simulator management
  • xcrun xctrace list devices to enumerate simulators and physical devices
  • xcrun devicectl (Xcode 15+) to interact with paired physical devices from the command line

Useful examples:

# List booted simulators
xcrun simctl list | grep Booted

# List all visible devices/simulators
xcrun xctrace list devices

# List paired physical devices (Xcode 15+)
xcrun devicectl list devices

devicectl je posebno koristan u automatizovanim pipeline-ima kada trebate da instalirate ili pokrenete test verziju bez otvaranja Xcode-a:

xcrun devicectl device install app --device <udid> <path_to_app_or_ipa>
xcrun devicectl device launch app --terminate-existing --device <udid> <bundle_id>

Keep Xcode updated when testing iOS 17+ devices. Apple moved developer services to the CoreDevice stack and also changed how Developer Disk Images are handled, so outdated host tooling frequently fails with pairing, image-mounting, or app-launch errors.

Simulator

Tip

Note that a simulator isn’t the same as en emulator. The simulator just simulates the behaviour of the device and functions but don’t actually use them.

Simulator

Prva stvar koju treba da znate je da je performing a pentest inside a simulator will much more limited than doing it in a jailbroken device.

Svi alati potrebni za build i podršku iOS aplikacije su only officially supported on Mac OS.
Apple-ov de facto alat za creating/debugging/instrumenting iOS applications je Xcode. Može se koristiti za preuzimanje drugih komponenti kao što su simulators i različite SDK versions potrebne za build i test vaše aplikacije.
Preporučuje se da download Xcode iz official app store. Druge verzije mogu sadržati malware.

The simulator files can be found in /Users//Library/Developer/CoreSimulator/Devices

Simulator je i dalje vrlo koristan za brzo testiranje filesystem artifacts, NSUserDefaults, plist parsing, custom URL schemes, i basic runtime instrumentation. Međutim, imajte na umu da on ne emulira nekoliko sigurnosnih svojstava fizičkog uređaja koja su često relevantna tokom pentest-a, kao što su Secure Enclave, baseband, određena keychain access-control behaviours, realistično biometric flows, i uslovi izvršavanja specifični za jailbreak.

To open the simulator, run Xcode, then press in the Xcode tab –> Open Developer tools –> Simulator
__U sledećoj slici klikom na “iPod touch […]” možete izabrati drugi uređaj za testiranje:

Applications in the Simulator

Inside /Users//Library/Developer/CoreSimulator/Devices you may find all the installed simulators. If you want to access the files of an application created inside one of the emulators it might be difficult to know in which one the app is installed. A quick way to find the correct UID is to execute the app in the simulator and execute:

xcrun simctl list | grep Booted
iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)

Once you know the UID the apps installed within it can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application

However, surprisingly you won’t find the application here. You need to access /Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/

And in this folder you can find the package of the application.

Emulator

Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per user license model and does not offer any trial license.

Nije potreban Jailbreak

Pročitajte ovu objavu na blogu o tome kako pentestirati iOS aplikaciju na non jailbroken device:

iOS Pentesting withuot Jailbreak

Jailbreaking

Apple strictly requires that the code running on the iPhone must be signed by a certificate issued by Apple. Jailbreaking is the process of actively circumventing such restrictions and other security controls put in places by the OS. Therefore, once the device is jailbroken, the integrity check which is responsible for checking apps being installed is patched so it is bypassed.

Tip

Unlike Android, you cannot switch to “Developer Mode” in iOS to run unsigned/untrusted code on the device.

Android Rooting vs. iOS Jailbreaking

While often compared, rooting on Android and jailbreaking on iOS are fundamentally different processes. Rooting Android devices might involve installing the su binary or replacing the system with a rooted custom ROM, which doesn’t necessarily require exploits if the bootloader is unlocked. Flashing custom ROMs replaces the device’s OS after unlocking the bootloader, sometimes requiring an exploit.

In contrast, iOS devices cannot flash custom ROMs due to the bootloader’s restriction to only boot Apple-signed images. Jailbreaking iOS aims to bypass Apple’s code signing protections to run unsigned code, a process complicated by Apple’s continuous security enhancements.

Jailbreaking Challenges

Jailbreaking iOS is increasingly difficult as Apple patches vulnerabilities quickly. Downgrading iOS is only possible for a limited time after a release, making jailbreaking a time-sensitive matter. Devices used for security testing should not be updated unless re-jailbreaking is guaranteed.

iOS updates are controlled by a challenge-response mechanism (SHSH blobs), allowing installation only for Apple-signed responses. This mechanism, known as a “signing window”, limits the ability to store and later use OTA firmware packages. The IPSW Downloads website is a resource for checking current signing windows.

Jailbreak Varieties

  • Tethered jailbreaks require a computer connection for each reboot.
  • Semi-tethered jailbreaks allow booting into non-jailbroken mode without a computer.
  • Semi-untethered jailbreaks require manual re-jailbreaking without needing a computer.
  • Untethered jailbreaks offer a permanent jailbreak solution without the need for re-application.

Jailbreaking Tools and Resources

Jailbreaking tools vary by iOS version and device. Resources such as Can I Jailbreak?, The iPhone Wiki, and Reddit Jailbreak provide up-to-date information. Examples include:

  • Checkra1n for older A7-A11/iOS 12-14 era research devices.
  • Palera1n for checkm8-compatible devices (A8-A11) on iOS/iPadOS 15+.
  • Dopamine for many arm64/arm64e devices on iOS 15/16 using a modern rootless jailbreak.
  • Unc0ver remains relevant mainly for older iOS versions up to 14.8.

Modifying your device carries risks, and jailbreaking should be approached with caution.

Rootless jailbreaks

Modern iOS 15+ jailbreaks are commonly rootless instead of rootful. From a tester perspective, this matters because a lot of older guides still assume that jailbreak files live directly under / or /Library/..., which is no longer true on many current setups.

  • Rootless jailbreaks avoid modifying the sealed system volume directly.
  • On palera1n, jailbreak files are typically stored under a randomized path in /private/preboot/... and exposed through the stable symlink /var/jb.
  • Tweaks, launch daemons, and helper binaries might therefore exist under /var/jb instead of the legacy rootful locations.

This has a direct impact on environment validation, Frida setup, and jailbreak detection bypass:

  • When checking whether your tooling installed correctly, inspect both legacy paths and /var/jb.
  • When reviewing jailbreak detection logic in an app, remember that modern checks often look for rootless artifacts and symlinks in addition to classic indicators like Cydia.app.
  • If a third-party script or tweak assumes a rootful filesystem layout, it may fail silently on a rootless device.

Jailbreaking Benefits and Risks

Jailbreaking removes OS-imposed sandboxing, allowing apps to access the entire filesystem. This freedom enables the installation of unapproved apps and access to more APIs. However, for regular users, jailbreaking is not recommended due to potential security risks and device instability.

After Jailbreaking

iOS Basic Testing Operations

Jailbreak Detection

Several applications will try to detect if the mobile is jailbroken and in that case the application won’t run

  • After jailbreaking an iOS files and folders are usually installed, these can be searched to determine if the device is jailbroken.
  • In modern rootless jailbreaks, those files may appear under /var/jb or resolve through symlinks into /private/preboot/... instead of only in classic rootful locations.
  • In a jailbroken device applications get read/write access to new files outside the sandbox
  • Some API calls will behave differently
  • The presence of the OpenSSH service
  • Calling /bin/sh will return 1 instead of 0

More information about how to detect jailbreaking here.

You can try to avoid this detections using objection’s ios jailbreak disable

Jailbreak Detection Bypass

  • You can try to avoid this detections using objection’s ios jailbreak disable
  • You could also install the tool Liberty Lite (https://ryleyangus.com/repo/). Once the repo is added, the app should appear in the ‘Search’ tab

References

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks