iOS Testing Environment

Apple Developer Program

A provisioning identity is a collection of public and private keys associated with an Apple developer account. To sign apps you need to pay 99$/year to register in the Apple Developer Program and obtain your provisioning identity. Without it you won't be able to run applications from source code on a physical device. The other option is to use a jailbroken device.

Since Xcode 7.2 Apple has offered the option to create a free iOS development provisioning profile that lets you write and test your application on a real iPhone. Go to Xcode –> Preferences –> Accounts –> + (Add new Apple ID with your credentials) –> Click on the Apple ID created –> Manage Certificates –> + (Apple Development) –> Done
Then, to run your application on your iPhone you first need to tell the iPhone to trust the computer. After that you can try to run the application on the phone from Xcode, but an error will appear. So go to Settings –> General –> Profiles and Device Management –> Select the untrusted profile and press "Trust".

On iOS 16+, Developer Mode must also be enabled on the device before development-signed applications (or apps re-signed with get-task-allow) can be launched. The option only appears after pairing the device with Xcode or after a development-signed app has been installed once. The flow is: pair the device, trigger an install from Xcode, then enable Settings –> Privacy & Security –> Developer Mode, reboot, and confirm the prompt after unlocking the device.

Note that applications signed by the same signing certificate can share resources in a secure manner, like keychain items.

Provisioning profiles are stored on the phone in /Library/MobileDevice/ProvisioningProfiles

Modern host-side device tooling

For current iOS testing, host-side tooling is mostly split between:

  • xcrun simctl for simulator management
  • xcrun xctrace list devices to enumerate simulators and physical devices
  • xcrun devicectl (Xcode 15+) to interact with paired physical devices from the command line

Useful examples:

# List booted simulators
xcrun simctl list | grep Booted

# List all visible devices/simulators
xcrun xctrace list devices

# List paired physical devices (Xcode 15+)
xcrun devicectl list devices

devicectl is mainly useful in automation pipelines where you need to install or launch a test build without opening Xcode:

xcrun devicectl device install app --device <udid> <path_to_app_or_ipa>
xcrun devicectl device launch app --terminate-existing --device <udid> <bundle_id>

Keep Xcode updated when testing iOS 17+ devices. Apple moved developer services to the CoreDevice stack and also changed how Developer Disk Images are handled, so outdated host tooling frequently fails with pairing, image-mounting, or app-launch errors.

Simulator

Tip

Note that a simulator is not the same as an emulator. The simulator only simulates the behaviour and functions of the device but doesn't actually use that hardware.

Simulator

The first thing you need to know is that performing a pentest inside a simulator will be far more limited than doing it on a jailbroken device.

All the tools required to build and support an iOS app are only officially supported on macOS.
Apple's de facto tool for creating/debugging/instrumenting iOS applications is Xcode. It can be used to download other components such as simulators and the different SDK versions required to build and test your app.
It's highly recommended to download Xcode from the official App Store. Other versions may be carrying malware.

The simulator files can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices

The simulator is still very useful for quickly testing filesystem artifacts, NSUserDefaults, plist parsing, custom URL schemes, and basic runtime instrumentation. However, keep in mind that it doesn’t emulate several physical-device security properties that are often relevant during a pentest, such as the Secure Enclave, baseband, certain keychain access-control behaviours, realistic biometric flows, and jailbreak-specific execution conditions.

To open the simulator, run Xcode, then go to the Xcode menu –> Open Developer Tools –> Simulator
In the following image, clicking on "iPod touch […]" lets you select another device to test on:

Applications in the Simulator

Inside /Users/<username>/Library/Developer/CoreSimulator/Devices you can find all the installed simulators. If you want to access the files of an application created inside one of the simulators, it can be hard to know in which one the app is installed. A quick way to find the correct UID is to run the app in the simulator and execute:

xcrun simctl list | grep Booted
iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)

Once you know the UID, the data of the apps installed inside it can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application

However, surprisingly, you won't find the application itself here. You need to go to /Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/

And in this folder you can find the application bundle.
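The following added example (not part of the original page) wraps the lookup above in a small POSIX shell script: it extracts the booted simulator's UDID from `xcrun simctl list` output, builds the data container root from it, and shows the `xcrun simctl get_app_container` shortcut that lets CoreSimulator resolve a bundle's containers directly. The sample listing and the bundle id are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find the booted simulator's UDID
# from `xcrun simctl list` output and derive where an app's files live.
# The sample listing below is constructed; it mimics real simctl output.

# Print the UDID of every simulator marked "(Booted)" in listing text read
# from stdin, one per line. Prints nothing when no simulator is booted.
booted_udids() {
  grep '(Booted)' | sed -n 's/.*(\([0-9A-F-]\{36\}\)).*/\1/p'
}

# Build the per-device application data container root for a UDID.
# $1 = UDID, $2 = home directory (defaults to $HOME).
sim_data_container_root() {
  printf '%s/Library/Developer/CoreSimulator/Devices/%s/data/Containers/Data/Application\n' \
    "${2:-$HOME}" "$1"
}

# Live shortcut: let CoreSimulator resolve a bundle's containers on the booted
# device instead of guessing the directory. Needs Xcode; not exercised offline.
sim_app_containers() {
  bundle_id="$1"
  echo "app bundle : $(xcrun simctl get_app_container booted "$bundle_id" app)"
  echo "data       : $(xcrun simctl get_app_container booted "$bundle_id" data)"
}

# Constructed sample mimicking `xcrun simctl list` output (not real devices).
SAMPLE_LISTING='== Devices ==
-- iOS 16.4 --
    iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)
    iPhone 14 (1A2B3C4D-0000-4000-8000-000000000001) (Shutdown)'

main() {
  udid=$(printf '%s\n' "$SAMPLE_LISTING" | booted_udids)
  if [ -z "$udid" ]; then echo "no booted simulator" >&2; return 1; fi
  echo "booted UDID: $udid"
  echo "data containers under: $(sim_data_container_root "$udid")"
}

main
```

On a real host replace SAMPLE_LISTING with `xcrun simctl list` and call `sim_app_containers com.example.app` (constructed bundle id) to get the exact container paths.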

Emulator

Corellium is the only publicly available iOS emulator. It's an enterprise SaaS solution with a per-user licence model and it doesn't offer any trial licence.

No Jailbreak needed

Check this blog post about how to pentest an iOS application on a non-jailbroken device:

iOS Pentesting without Jailbreak

Jailbreaking

Apple strictly requires that the code running on an iPhone be signed by a certificate issued by Apple. Jailbreaking is the process of deliberately bypassing those restrictions and other security controls put in place by the OS. Therefore, once the device is jailbroken, the integrity check responsible for verifying the installed apps is patched so it can be bypassed.

Tip

Unlike Android, you cannot simply switch to "Developer Mode" on iOS to run unsigned/untrusted code on the device (the Developer Mode of iOS 16+ only allows development-signed apps to run).

Android Rooting vs. iOS Jailbreaking

While they are often compared, rooting on Android and jailbreaking on iOS are fundamentally different processes. Rooting Android devices may involve installing the su binary or replacing the system with a custom ROM that is already rooted, which doesn't necessarily require exploits if the bootloader is unlocked. Flashing a custom ROM replaces the OS after unlocking the bootloader, which sometimes requires an exploit.

In contrast, iOS devices cannot flash custom ROMs because the bootloader restricts booting to images signed by Apple. Jailbreaking iOS aims to bypass Apple's code signing protections in order to run unsigned code, a process that keeps getting harder because of Apple's continuous security improvements.

Jailbreaking Challenges

Jailbreaking iOS is becoming increasingly difficult as Apple patches vulnerabilities quickly. Downgrading iOS is only possible for a short time after a release, which makes jailbreaking a time-sensitive matter. Devices used for security testing should not be updated unless re-jailbreaking is guaranteed to be possible.

iOS updates are controlled by a challenge-response mechanism (SHSH blobs) that only allows installation for responses signed by Apple. This process, known as the "signing window", limits the ability to store OTA firmware packages and use them later. The IPSW Downloads website is a resource for checking the current signing windows.

Jailbreak Varieties

  • Tethered jailbreaks require a computer connection every time the device is rebooted.
  • Semi-tethered jailbreaks allow booting into a non-jailbroken state without a computer.
  • Semi-untethered jailbreaks require manual re-jailbreaking but don't need a computer.
  • Untethered jailbreaks offer a permanent solution that doesn't need to be re-applied.

Jailbreaking Tools and Resources

Jailbreaking tools vary by iOS version and device. Resources such as Can I Jailbreak?, The iPhone Wiki, and Reddit Jailbreak provide up-to-date information. Examples include:

  • Checkra1n for older A7-A11 / iOS 12-14 research devices.
  • Palera1n for checkm8-capable devices (A8-A11) on iOS/iPadOS 15+.
  • Dopamine for many arm64/arm64e devices on iOS 15/16, using a modern rootless jailbreak.
  • Unc0ver, still needed mainly for older iOS versions up to 14.8.

Modifying your device carries risks, and jailbreaking should be approached with caution.

Rootless jailbreaks

Modern iOS 15+ jailbreaks are usually rootless rather than rootful. From a tester's point of view this matters because many older guides still assume that jailbreak files live directly under / or /Library/..., which is no longer true on most current setups.

  • Rootless jailbreaks avoid modifying the sealed system volume directly.
  • On palera1n, jailbreak files normally live under a changing path in /private/preboot/... and are exposed through the stable symlink /var/jb.
  • Tweaks, launch daemons and helper binaries may therefore exist under /var/jb instead of the classic rootful locations.

This has a direct impact on environment validation, Frida setup and jailbreak detection bypass:

  • When checking whether your tooling is installed correctly, look at both the legacy paths and /var/jb.
  • When assessing an app's jailbreak detection logic, keep in mind that modern checks often look for rootless indicators and symlinks as well as traditional ones like Cydia.app.
  • If a third-party script or tweak assumes a rootful filesystem layout, it may fail silently on a rootless device.

Jailbreaking Benefits and Risks

Jailbreaking removes the OS-imposed sandboxing, allowing apps to access the whole filesystem. This freedom enables installing unauthorised apps and accessing more APIs. However, for regular users jailbreaking is not recommended because of the security risks and device instability it brings.

After Jailbreaking

iOS Basic Testing Operations

Jailbreak Detection

Several applications will try to detect whether the phone is jailbroken and, if it is, the application won't run

  • After jailbreaking iOS, certain files and folders are usually installed; these can be searched for to determine whether the device is jailbroken.
  • On modern rootless jailbreaks those files may appear under /var/jb or be reached through symlinks into /private/preboot/... rather than only in the traditional rootful locations.
  • On a jailbroken device, applications get read/write access to new files outside the sandbox
  • Some API calls will behave differently
  • Presence of the OpenSSH service
  • Calling /bin/sh will return 1 instead of 0
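The following added example (not part of the original page) turns the file-based indicators listed above, together with the "check both the legacy paths and /var/jb" advice from the rootless section, into a POSIX shell check that classifies a filesystem root as rootless, rootful or clean. It takes a root prefix so the same function can be pointed at / over SSH on a device or at a constructed directory tree; Cydia.app and sshd come from the page, the other indicator paths are assumed common package-manager/tweak locations.

```shell
#!/bin/sh
# Added example (not from the original page): classify a filesystem root as
# "rootless", "rootful" or "clean" using jailbreak indicator paths. $1 is a
# root prefix ("" = the live root when run over SSH on a device), so the same
# function can be exercised against a constructed directory tree offline.

# Classic indicator paths from rootful-era checks. Cydia.app and sshd come
# from the page; the rest are assumed common package-manager/tweak locations.
JB_INDICATORS="/Applications/Cydia.app
/Applications/Sileo.app
/Library/MobileSubstrate/MobileSubstrate.dylib
/usr/sbin/sshd
/etc/apt
/private/var/lib/apt"

# Print every indicator that exists, prefixed with the layout it belongs to.
# Each path is checked at its legacy location and at its /var/jb location.
jb_indicators() {
  root="${1:-}"
  printf '%s\n' "$JB_INDICATORS" | while IFS= read -r p; do
    if [ -e "$root$p" ]; then echo "rootful  $p"; fi
    if [ -e "$root/var/jb$p" ]; then echo "rootless /var/jb$p"; fi
  done
  # Rootless bootstraps expose themselves through the /var/jb symlink, which
  # on palera1n points into the volatile /private/preboot/... tree.
  if [ -L "$root/var/jb" ]; then
    echo "rootless /var/jb -> $(readlink "$root/var/jb")"
  fi
}

# Reduce the indicator list to a single verdict. Rootless wins over rootful
# because a /var/jb bootstrap may also leave a few legacy paths in place.
jb_layout() {
  hits=$(jb_indicators "$1")
  case "$hits" in
    *rootless*) echo "rootless" ;;
    *rootful*)  echo "rootful" ;;
    *)          echo "clean" ;;
  esac
}

# Run directly with a root prefix, e.g. `sh jb_layout.sh /` over SSH on the device.
if [ $# -gt 0 ]; then jb_layout "$1"; fi
```

Running `jb_indicators /` on the device also doubles as the tooling sanity check from the rootless section, since it lists which of the expected paths actually exist and where.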

More information about how to detect jailbreaking here.

Jailbreak Detection Bypass

  • You can try to avoid these detections using objection's ios jailbreak disable
  • You can also install the Liberty Lite tool (https://ryleyangus.com/repo/). Once the repo is added, the app should appear in the 'Search' tab

References
