iOS Pentesting without Jailbreak

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Main idea

Applications signed with the get_task_allow entitlement allow third-party applications to call the task_for_pid() function with the process ID of that application as an argument in order to obtain its task port (and with it the ability to control the process and access its memory).

However, it is not as simple as pulling the IPA, re-signing it with the entitlement, and flashing it back onto your device. This is because of FairPlay protection. When the app's signature changes, the DRM (Digital Rights Management) key is invalidated and the app will not run.

With an old jailbroken device it is possible to install the IPA, decrypt it with your preferred tool (such as Iridium or frida-ios-dump), and pull it back from the device. Whenever possible, though, it is recommended to ask the client for a decrypted IPA.

Obtain decrypted IPA

Get it from Apple

  1. Install the app you want to pentest on the iPhone
  2. Install and launch Apple Configurator on your macOS machine
  3. Open Terminal on your Mac, and cd to /Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps. The IPA will appear in this folder later.
  4. You should see your iOS device. Double-click on it, and then click Add + → Apps from the top menu bar.
  5. After clicking Add, Configurator will download the IPA from Apple, and attempt to push it to your device. If you followed my recommendation earlier and installed the IPA already, a prompt asking you to reinstall the app will appear.
  6. The IPA should be downloaded inside /Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps, from where you can grab it

See https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed for more detailed information about this process.

Decrypting the app

To decrypt the IPA we first have to install it. However, if you have an old jailbroken iPhone, its iOS version may not be supported by the application, because apps usually only support recent versions.

So, to be able to install it, just unzip the IPA:

unzip redacted.ipa -d unzipped

Check Info.plist for the minimum supported OS version; if your device is older than that, change the value so your version is accepted.

Zip the IPA again:

cd unzipped
zip -r ../no-min-version.ipa *

Then install the IPA, for example with:

ideviceinstaller -i no-min-version.ipa -w

Note that you may need the AppSync Unified tweak from Cydia to avoid invalid signature errors.

Once installed, you can use the Iridium tweak from Cydia to obtain the decrypted IPA.
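The unzip / edit Info.plist / re-zip steps above, done in one script so the minimum-version change is reproducible. This is an added example, not code from the page or from any tool it names: it assumes the standard Payload/<Name>.app/Info.plist layout and the real MinimumOSVersion key, and the tiny IPA it builds for the demo is constructed here purely so it runs offline.

```python
"""Lower MinimumOSVersion of an IPA so it installs on an older test device.

Every other zip member (encrypted binary, frameworks, resources) is copied
byte-for-byte; only the app bundle's Info.plist is rewritten.
"""
import os
import plistlib
import tempfile
import zipfile


def version_tuple(version: str) -> tuple:
    """'15.0' -> (15, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def patch_minimum_os_version(ipa_path: str, out_path: str, target_version: str) -> dict:
    """Rewrite the IPA with MinimumOSVersion lowered to target_version.

    Returns a small report (which plist was touched, old and new values) so
    the caller can see exactly what changed.
    """
    report = {"changed": False, "old": None, "new": None, "plist": None}
    with zipfile.ZipFile(ipa_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            parts = info.filename.split("/")
            # Match exactly Payload/<Name>.app/Info.plist, not nested framework plists.
            is_app_plist = (
                len(parts) == 3
                and parts[0] == "Payload"
                and parts[1].endswith(".app")
                and parts[2] == "Info.plist"
            )
            if is_app_plist:
                plist = plistlib.loads(data)  # handles XML and binary plists
                old = plist.get("MinimumOSVersion")
                report["plist"] = info.filename
                report["old"] = old
                if old is not None and version_tuple(old) > version_tuple(target_version):
                    plist["MinimumOSVersion"] = target_version
                    report["changed"] = True
                    report["new"] = target_version
                    data = plistlib.dumps(plist)  # XML output; iOS accepts both forms
            dst.writestr(info, data)
    return report


def build_sample_ipa(path: str, min_version: str) -> None:
    """Constructed stand-in for a real IPA: one Info.plist plus a dummy binary."""
    plist = {"CFBundleIdentifier": "com.example.demo", "MinimumOSVersion": min_version}
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(plist))
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe")  # placeholder, not a real Mach-O


def demo(target_version: str = "14.0") -> dict:
    """Build a sample IPA requiring iOS 16.0, patch it, and re-read the result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "redacted.ipa")
        dst = os.path.join(tmp, "no-min-version.ipa")
        build_sample_ipa(src, "16.0")
        report = patch_minimum_os_version(src, dst, target_version)
        with zipfile.ZipFile(dst) as z:
            plist = plistlib.loads(z.read("Payload/Demo.app/Info.plist"))
        report["verified"] = plist["MinimumOSVersion"]
        return report


if __name__ == "__main__":
    print(demo())
```

On a real IPA, call patch_minimum_os_version("redacted.ipa", "no-min-version.ipa", "<your iOS version>") and then install the output with ideviceinstaller as shown above; the version is only lowered, never raised, so an IPA that already supports your device is copied unchanged.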

Patch entitlements & re-sign

To re-sign the application with the get-task-allow entitlement there are several tools available such as app-signer, codesign, and iResign. app-signer has a user-friendly interface that lets you easily re-sign an IPA file by selecting the IPA to re-sign, ticking get-task-allow, and choosing the certificate and provisioning profile to use.

Regarding certificates and signing profiles, Apple provides free developer signing profiles for all accounts through Xcode. Just create an app and configure one. Then set the iPhone to trust developer apps by going to Settings → Privacy & Security and tapping Developer Mode.

With the re-signed IPA, it is time to install it on the device to pentest it.

ideviceinstaller -i resigned.ipa -w
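What the "ticking get-task-allow" step actually produces is an entitlements plist that codesign applies to the binary. The script below builds that file from the app's original entitlements and the free development profile's Entitlements dictionary. It is an added example, not code from the page or from app-signer/iResign; the two entitlement dictionaries are constructed samples, and the rule that every key must be permitted by the profile (with team-scoped values rewritten to the new Team ID) reflects what codesign and the installer enforce, so entitlements the free profile cannot grant are dropped rather than left to break the install. codesign itself still has to run on macOS.

```python
"""Produce the entitlements plist for re-signing an IPA with get-task-allow."""
import plistlib

# Constructed: Entitlements dict as found in a free development profile.
PROFILE_ENTITLEMENTS = {
    "application-identifier": "ABCDE12345.com.example.demo",
    "com.apple.developer.team-identifier": "ABCDE12345",
    "get-task-allow": True,
    "keychain-access-groups": ["ABCDE12345.*"],
}

# Constructed: entitlements of the App Store build, as dumped by
#   codesign -d --entitlements :- Payload/Demo.app
APP_ENTITLEMENTS = {
    "application-identifier": "XYZ9876543.com.example.demo",
    "com.apple.developer.team-identifier": "XYZ9876543",
    "keychain-access-groups": ["XYZ9876543.com.example.demo"],
    "aps-environment": "production",
    "com.apple.developer.associated-domains": ["applinks:example.com"],
}

DEBUG_KEY = "get-task-allow"


def build_resign_entitlements(app: dict, profile: dict) -> tuple:
    """Return (entitlements, dropped_keys) for the re-sign.

    Keys the profile does not grant are dropped, team-prefixed values are
    rewritten to the profile's Team ID, and get-task-allow is set so that
    task_for_pid() succeeds against the re-signed app.
    """
    team = profile["com.apple.developer.team-identifier"]
    bundle_id = app["application-identifier"].split(".", 1)[1]
    out = {}
    dropped = []
    for key, value in app.items():
        if key not in profile:
            dropped.append(key)  # free profile cannot grant it; codesign would reject it
            continue
        if key == "application-identifier":
            value = f"{team}.{bundle_id}"
        elif key == "keychain-access-groups":
            value = [f"{team}.{g.split('.', 1)[1]}" for g in value]
        elif key == "com.apple.developer.team-identifier":
            value = team
        out[key] = value
    out[DEBUG_KEY] = True
    return out, dropped


def entitlements_plist(app: dict, profile: dict) -> bytes:
    """Serialised XML plist to pass to `codesign --entitlements`."""
    ents, _ = build_resign_entitlements(app, profile)
    return plistlib.dumps(ents)


def has_get_task_allow(plist_bytes: bytes) -> bool:
    """Check an entitlements plist (XML or binary) for the debugging entitlement."""
    return plistlib.loads(plist_bytes).get(DEBUG_KEY) is True


if __name__ == "__main__":
    ents, dropped = build_resign_entitlements(APP_ENTITLEMENTS, PROFILE_ENTITLEMENTS)
    print(plistlib.dumps(ents).decode())
    print("dropped (not grantable by a free profile):", dropped)
```

Write the output of entitlements_plist() to entitlements.plist and pass it to codesign with the development identity; the dropped list tells you which app features (push, associated domains in the sample) will not work in the re-signed build, which is worth knowing before you blame the app for misbehaving during the test.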

IPA patching + DYLIB injection + free Apple ID re-sign (CLI)

If you already have a decrypted IPA, you can patch it to load a custom DYLIB, add entitlements (e.g. network), and re-sign it without Xcode using a free Apple ID. This is useful for in-app instrumentation on non-jailbroken devices.

Typical flow:

# Build the implant (macOS for build step)
make

# Patch the IPA to inject the DYLIB
python3 tools/patcher.py patch --ipa MyApp.ipa --dylib libShell.dylib
# -> MyApp_patched.ipa

# Patch + sign + install in one step (free Apple ID)
python3 tools/patcher.py full \
--ipa MyApp.ipa \
--dylib libShell.dylib \
--apple-id user@example.com \
--install \
--udid <device-udid>

Notes:

  • Signing with a free Apple ID normally expires after 7 days and is limited to 3 App IDs/week and 10 sideloaded apps.
  • The tool can re-sign on several platforms by authenticating with Apple via SRP and generating a free dev certificate + provisioning profile. Apple's anisette headers are handled per platform (macOS via AOSKit.framework, Linux via Anisette.py, Windows via an external anisette server).
  • This does not bypass the sandbox. The injected code runs inside the app's process and can only reach the app's own sandbox and keychain access groups.

USB-only access to the injected implant

If the injected DYLIB exposes a local TCP control channel, you can keep the traffic off Wi-Fi/cellular and tunnel it over USB:

# Forward device-local TCP port to host
iproxy 8080 8080

# Example client commands (host side)
python3 client.py "ls"
python3 client.py "pwd"
python3 client.py "scp -r Documents host:./downloads"

If the implant includes keychain helpers, you can dump the items accessible to that app:

python3 client.py "keychain dump"
python3 client.py "keychain dump --filter self"
python3 client.py "keychain dump --class generic"

Enable Developer Mode (iOS 16+)

Since iOS 16 Apple introduced Developer Mode: any binary carrying get_task_allow or signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also be unable to attach Frida/LLDB unless this flag is on.

  1. Install or push any developer-signed IPA to the phone.
  2. Navigate to Settings → Privacy & Security → Developer Mode and toggle it on.
  3. The device will reboot; after entering the passcode you will be prompted to Turn On Developer Mode.

Developer Mode stays enabled until you turn it off or wipe the phone, so this step only needs to be done once per device. Apple's documentation explains the security implications.

Modern sideloading options

There are now several mature ways to sideload re-signed IPAs and keep them installed on modern devices without a jailbreak:

Tool: AltStore 2 / SideStore
  • Requirements: macOS/Windows/Linux companion that re-signs the IPA every 7 days with a free development profile
  • Benefits: automatic refresh over Wi-Fi, works up to iOS 17
  • Limitations: needs a computer on the same network, 3-app limit imposed by Apple

Tool: TrollStore 1/2
  • Requirements: device on iOS 14 – 15.4.1 affected by the CoreTrust bug
  • Benefits: permanent signing (no 7-day limit); no computer needed once installed
  • Limitations: not supported on iOS 15.5+ (bug fixed)

For typical pentests on current iOS versions, AltStore/SideStore is usually the most compatible choice.

Hooking / dynamic instrumentation

You can hook your app exactly as on a jailbroken device once it is signed with get_task_allow and Developer Mode is on:

# Spawn & attach with objection
objection -g "com.example.target" explore

# Or plain Frida
frida -U -f com.example.target -l my_script.js --no-pause

Recent Frida versions (>=16) automatically handle pointer authentication and the other iOS 17 caveats, so most existing scripts work without modification.

Frida Gadget injection in non-jailbroken IPAs (listen mode)

If you can modify and re-sign the IPA, you can inject Frida Gadget and patch the Mach-O so the gadget is loaded via @rpath at launch. This lets you use Frida/Objection without a jailbreak (the device must accept the re-signed IPA).

A practical workflow is to use GadgetInjector (a Python tool) to inject FridaGadget.dylib and generate a listen-mode configuration:

python3 gadget_injector.py MyApp.ipa
# Output: MyApp-frida-listen.ipa

Re-signing constraints (important for non-jailbroken installs):

  • Sign all embedded dylibs with the same Team ID.
  • Do not add extra entitlements to FridaGadget.dylib.

After re-signing and installing the IPA, attach in listen mode:

# (Optional) start the app paused
xcrun devicectl device process launch \
--device <UDID> \
--start-stopped <bundle-id>

# Forward Frida listen port over USB (default 27042)
pymobiledevice3 usbmux forward 27042 27042

# Objection
objection -g <bundle-id> explore

# Or Frida CLI
frida -H 127.0.0.1:27042 -n MyApp
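A quick way to confirm that the injection step above really added the @rpath load command (or, from the defending side, to notice that a shipped binary carries a dylib load command a clean build never had) is to walk the Mach-O load commands. The parser below is an added example, not part of the page or GadgetInjector; it follows the load command layouts from <mach-o/loader.h> for a single arm64 slice (thin a FAT binary with lipo first), and the header-only Mach-O it builds for the demo is a constructed stub with no segments, just enough for the parser to run offline.

```python
"""List LC_LOAD_DYLIB / LC_RPATH load commands of a 64-bit Mach-O slice."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018   # 0x18 | LC_REQ_DYLD
LC_RPATH = 0x8000001C             # 0x1C | LC_REQ_DYLD
GADGET_NAME = "FridaGadget.dylib"


def _cstr(buf: bytes) -> str:
    return buf.split(b"\0", 1)[0].decode()


def _pad8(b: bytes) -> bytes:
    """64-bit load commands must be a multiple of 8 bytes long."""
    return b + b"\0" * (-len(b) % 8)


def parse_load_commands(data: bytes) -> list:
    """Return [(kind, value)] for every dylib and rpath load command."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32                      # sizeof(mach_header_64)
    end = off + sizeofcmds
    found = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("corrupt load command")
        body = data[off:off + cmdsize]
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", body, 8)[0]   # dylib.name offset
            found.append(("LC_LOAD_DYLIB", _cstr(body[name_off:])))
        elif cmd == LC_RPATH:
            path_off = struct.unpack_from("<I", body, 8)[0]   # rpath.path offset
            found.append(("LC_RPATH", _cstr(body[path_off:])))
        off += cmdsize
    return found


def gadget_injected(data: bytes) -> bool:
    """True if a load command pulls FridaGadget.dylib into the process."""
    return any(kind == "LC_LOAD_DYLIB" and GADGET_NAME in val
               for kind, val in parse_load_commands(data))


def _dylib_cmd(cmd: int, name: str) -> bytes:
    # dylib_command: cmd, cmdsize, name offset (24), timestamp, current, compat
    payload = _pad8(name.encode() + b"\0")
    return struct.pack("<6I", cmd, 24 + len(payload), 24, 0, 0x10000, 0x10000) + payload


def _rpath_cmd(path: str) -> bytes:
    # rpath_command: cmd, cmdsize, path offset (12)
    payload = _pad8(path.encode() + b"\0")
    return struct.pack("<3I", LC_RPATH, 12 + len(payload), 12) + payload


def build_sample_macho(injected: bool) -> bytes:
    """Constructed arm64 MH_EXECUTE header carrying only the commands we inspect."""
    cmds = [_dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
            _rpath_cmd("@executable_path/Frameworks")]
    if injected:
        cmds.append(_dylib_cmd(LC_LOAD_DYLIB, "@rpath/" + GADGET_NAME))
    blob = b"".join(cmds)
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(blob), 0, 0)
    return header + blob


if __name__ == "__main__":
    for kind, val in parse_load_commands(build_sample_macho(True)):
        print(f"{kind:14s} {val}")
```

On a real app run parse_load_commands(open("Payload/MyApp.app/MyApp", "rb").read()) and check that an LC_RPATH entry resolves to the directory where FridaGadget.dylib was dropped; if the gadget is listed but the rpath is missing, dyld will abort at launch with a library-not-loaded error before the listen port ever opens.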

Automated dynamic analysis with MobSF (no jailbreak)

MobSF can instrument a dev-signed IPA on a real device using the same technique (get_task_allow) and provides a web UI with a filesystem browser, traffic capture and a Frida console. The quickest way is to run MobSF in Docker and then connect your iPhone over USB:

docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -p 8000:8000 --privileged \
-v /var/run/usbmuxd:/var/run/usbmuxd \
opensecurity/mobile-security-framework-mobsf:latest
# Browse to http://127.0.0.1:8000 and upload your resigned IPA

MobSF will automatically push the binary, start the Frida server inside the app sandbox and generate an interactive report.

iOS 17 & Lockdown Mode considerations

  • Lockdown Mode (Settings → Privacy & Security) prevents the dynamic linker from loading unsigned or externally signed dynamic libraries. When testing devices that may have this mode enabled, make sure it is turned off or your Frida/objection sessions will die immediately.
  • Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 handles PAC stripping transparently; just make sure frida-server and the Python/CLI toolchain are all up to date when a new major iOS release comes out.
