iOS Testing Environment
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Apple Developer Program
A provisioning identity is the public/private key pair (with its matching Apple-issued certificate) associated with an Apple developer account. To obtain a provisioning identity for signing apps you must enrol in the Apple Developer Program and pay $99/year. Without it you cannot run apps compiled from source on a physical device. The alternative is to use a jailbroken device.
Since Xcode 7.2 Apple has offered the option to create a free iOS development provisioning profile that lets you write and test your app on a real iPhone. Go to Xcode –> Preferences –> Accounts –> + (add a new Apple ID using your credentials) –> click on the Apple ID you created –> Manage Certificates –> + (Apple Development) –> Done
To run the app on your iPhone you first need to make the iPhone trust the computer. Then try to run the app on the device from Xcode; an error may appear. In that case go to Settings –> General –> Profiles and Device Management, select the untrusted profile and tap "Trust".
On iOS 16+ Developer Mode must additionally be enabled on the device before locally installed development-signed apps (or apps re-signed with the get-task-allow entitlement) will run. The option only appears after pairing the device with Xcode or after a development-signed app has been installed once. Flow: pair the device, trigger an install from Xcode, then enable Settings –> Privacy & Security –> Developer Mode, reboot the device and confirm the prompt that appears after unlocking.
Note that apps signed with the same signing certificate (same team ID) can securely share resources such as keychain items, because keychain access groups are prefixed with the team identifier.
On the phone, provisioning profiles are stored under /Library/MobileDevice/ProvisioningProfiles.
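Before fighting with "could not launch" errors on the device it is worth checking what the provisioning profile Xcode generated actually grants: which team it belongs to, whether it carries get-task-allow (needed for debugging and for Developer Mode installs), when it expires, and whether your phone's UDID is in its device list. The following script is an added example, not code from the page: `decode_profile` uses the macOS `security cms -D` command to strip the CMS signature, and `profile_summary` / `profile_covers_device` are plain text processing on the decoded XML plist, exercised here on a constructed sample profile (the team ID, bundle ID and UDIDs are made-up values).

```bash
#!/bin/sh
# Added example (not from the page): summarise a development provisioning
# profile to verify it will actually let a build run on the target iPhone.
# Assumption: a macOS host with the `security` tool for decode_profile; the
# parsing helpers run anywhere.

# Decode the CMS-signed .mobileprovision into its XML plist (macOS only).
# Xcode stores them under ~/Library/MobileDevice/Provisioning Profiles/.
decode_profile() {
    security cms -D -i "$1"
}

# Summarise an already-decoded plist read from stdin. Emits key=value lines:
# team, app_id, expires, devices (count) and get_task_allow (true/false/absent).
profile_summary() {
    awk '
        /<key>TeamIdentifier<\/key>/          { want="team";    next }
        /<key>application-identifier<\/key>/  { want="app_id";  next }
        /<key>ExpirationDate<\/key>/          { want="expires"; next }
        /<key>get-task-allow<\/key>/          { want="gta";     next }
        /<key>ProvisionedDevices<\/key>/      { indev=1;        next }
        indev && /<string>/  { ndev++ }
        indev && /<\/array>/ { indev=0 }
        want=="gta" && /<true\/>/  { gta="true";  want="" }
        want=="gta" && /<false\/>/ { gta="false"; want="" }
        want!="" && want!="gta" && /<string>|<date>/ {
            line=$0
            sub(/^[ \t]*<(string|date)>/, "", line)
            sub(/<\/(string|date)>.*$/, "", line)
            val[want]=line; want=""
        }
        END {
            printf "team=%s\napp_id=%s\nexpires=%s\ndevices=%d\nget_task_allow=%s\n",
                val["team"], val["app_id"], val["expires"], ndev+0,
                (gta=="" ? "absent" : gta)
        }'
}

# Return 0 if the decoded plist on stdin lists the given device UDID.
profile_covers_device() {
    grep -q "<string>$1</string>"
}

# Constructed sample of a decoded development profile (values are made up).
SAMPLE_PROFILE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>Entitlements</key>
	<dict>
		<key>application-identifier</key>
		<string>ABCDE12345.com.example.testapp</string>
		<key>keychain-access-groups</key>
		<array>
			<string>ABCDE12345.*</string>
		</array>
		<key>get-task-allow</key>
		<true/>
	</dict>
	<key>ExpirationDate</key>
	<date>2025-01-01T00:00:00Z</date>
	<key>ProvisionedDevices</key>
	<array>
		<string>00008030-000000000000001E</string>
		<string>00008030-000000000000002E</string>
	</array>
	<key>TeamIdentifier</key>
	<array>
		<string>ABCDE12345</string>
	</array>
</dict>
</plist>'

# Run the summary over the constructed sample (works without a Mac).
demo_summary() {
    printf '%s\n' "$SAMPLE_PROFILE" | profile_summary
}

# Real usage on macOS: decode_profile path/to/profile.mobileprovision | profile_summary
if [ -n "${1:-}" ]; then
    decode_profile "$1" | profile_summary
fi
```

If `get_task_allow` is absent the profile is a distribution profile and Xcode/lldb will not attach; if your UDID is not listed, regenerate the profile after registering the device in the Apple ID's account in Xcode.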
Modern host-side device tooling
In current iOS testing, host-side tooling is increasingly split between:
- xcrun simctl for simulator management
- xcrun xctrace list devices to list simulators and physical devices
- xcrun devicectl (Xcode 15+) for command-line interaction with paired physical devices
Useful examples:
```bash
# List booted simulators
xcrun simctl list | grep Booted
# List all visible devices/simulators
xcrun xctrace list devices
# List paired physical devices (Xcode 15+)
xcrun devicectl list devices
```
devicectl is especially useful in automation pipelines where you need to install or launch a test build without opening Xcode:
```bash
xcrun devicectl device install app --device <udid> <path_to_app_or_ipa>
xcrun devicectl device launch app --terminate-existing --device <udid> <bundle_id>
```
Keep Xcode updated when testing iOS 17+ devices. Apple moved developer services to the CoreDevice stack and also changed how Developer Disk Images are handled, so outdated host tooling frequently fails with pairing, image-mounting, or app-launch errors.
Simulator
Tip
Keep in mind that a simulator is not the same thing as an emulator. The simulator mimics the behaviour of the device and its functions but does not actually run them: simulator builds are compiled for the host and run on top of macOS, not on iOS.
Simulator
The first thing to know is that performing a pentest inside a simulator is far more limited than doing it on a jailbroken device.
All the tools required to build and support an iOS app are only officially supported on Mac OS.
The tool Apple actually provides to build/debug/instrument iOS apps is Xcode. Xcode can also be used to download other components such as simulators and the different SDK versions needed to build and test your app.
It is strongly recommended to download Xcode from the official App Store. Other sources may ship versions that contain malware.
The simulator files can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices
The simulator is still very useful for quickly testing things like filesystem artifacts, NSUserDefaults, plist parsing, custom URL schemes and basic runtime instrumentation. However, keep in mind that it does not emulate several physical-device security features that usually matter during a pentest, such as the Secure Enclave, the baseband, some keychain access-control behaviour, realistic biometric flows and jailbreak-specific execution conditions.
To open the simulator, run Xcode, then press in the Xcode tab –> Open Developer tools –> Simulator
In the Simulator, clicking on the device name in the window title (e.g. "iPod touch […]") lets you select another device to test on.
Applications in the Simulator
Inside /Users/<username>/Library/Developer/CoreSimulator/Devices you can find all the installed simulators. If you want to access the files of an application created inside one of the simulators it might be difficult to know in which one the app is installed. A quick way to find the correct UDID is to run the app in the simulator and execute:
```bash
xcrun simctl list | grep Booted
iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)
```
Once you know the UDID, the data containers of the apps installed in that simulator can be found in /Users/<username>/Library/Developer/CoreSimulator/Devices/{UDID}/data/Containers/Data/Application
Note that this is only the app's data container (Documents, Library, tmp); the application bundle itself is not there. The installed .app bundle lives under /Users/<username>/Library/Developer/CoreSimulator/Devices/{UDID}/data/Containers/Bundle/Application/, and the freshly built package is also available in Xcode's build output at /Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/
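The simulator and device commands above (xcrun simctl, xcrun devicectl) and the container-hunting in this section can be combined into one small host script. The following is an added example, not code from the page: `booted_sim_udid` parses `xcrun simctl list` output (the same line format shown above), `sim_app_paths` uses `xcrun simctl get_app_container` to resolve both the bundle and data container instead of guessing the directory under CoreSimulator/Devices, and `deploy_to_device` wraps the two devicectl commands. The simctl listing embedded in the block is a constructed sample so the parser can be exercised on any machine; the bundle identifier com.example.testapp is hypothetical.

```bash
#!/bin/sh
# Added example (not from the page): locate the booted simulator, resolve an
# app's containers, and install/launch a build on a paired physical device
# without opening Xcode. The xcrun calls assume macOS with Xcode 15+; the
# parsing helper runs anywhere.

# Print the UDID of the first booted simulator from `xcrun simctl list`
# output read on stdin; return 1 if nothing is booted.
booted_sim_udid() {
    _u=$(sed -n 's/^.*(\([0-9A-F-]\{36\}\)) (Booted).*$/\1/p' | head -n 1)
    [ -n "$_u" ] && printf '%s\n' "$_u"
}

# Ask CoreSimulator where the .app bundle and the data container of a given
# bundle id live in a simulator (avoids walking Devices/<UDID>/data by hand).
sim_app_paths() {
    _udid="$1"; _bundle="$2"
    printf 'bundle: %s\n' "$(xcrun simctl get_app_container "$_udid" "$_bundle" app)"
    printf 'data:   %s\n' "$(xcrun simctl get_app_container "$_udid" "$_bundle" data)"
}

# Install and (re)launch a build on a paired physical device via devicectl.
deploy_to_device() {
    _udid="$1"; _app="$2"; _bundle="$3"
    xcrun devicectl device install app --device "$_udid" "$_app"
    xcrun devicectl device launch app --terminate-existing --device "$_udid" "$_bundle"
}

# Constructed sample of `xcrun simctl list` output (one booted device).
SAMPLE_SIMCTL='== Devices ==
-- iOS 17.4 --
    iPhone 15 (5D3C5E0E-5F1B-4D3B-9C2E-1234567890AB) (Shutdown)
    iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)
    iPad Air (11th generation) (0B5F2A11-22CC-4DDE-8EFF-ABCDEF012345) (Shutdown)'

# Exercise the parser on the constructed sample (works without a Mac).
demo_booted_udid() {
    printf '%s\n' "$SAMPLE_SIMCTL" | booted_sim_udid
}

# Real run on macOS: find the booted simulator and show where the app lives.
# com.example.testapp is a hypothetical bundle id; replace with the target's.
demo_live() {
    _u=$(xcrun simctl list | booted_sim_udid) || { echo "no booted simulator" >&2; return 1; }
    sim_app_paths "$_u" "com.example.testapp"
}
```

`get_app_container` also accepts `groups` or an app-group identifier as the third argument, which is the quickest way to reach shared containers when reviewing data an app exchanges with its extensions.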
Emulator
Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per-user licence model and does not offer any trial licence.
No jailbreak required
Check this blog post about how to pentest an iOS application on a non-jailbroken device:
iOS Pentesting without Jailbreak
Jailbreaking
Apple strictly requires that the code running on the iPhone be signed by a certificate issued by Apple. Jailbreaking is the process of actively circumventing that restriction and the other security controls put in place by the OS. Once the device is jailbroken, the integrity check responsible for verifying apps being installed is patched so that it is bypassed.
Tip
Unlike Android, iOS has no "Developer Mode" that lets you run unsigned/untrusted code on the device: the iOS 16+ Developer Mode only permits development-signed apps backed by a trusted provisioning profile to run.
Android Rooting vs. iOS Jailbreaking
While often compared, rooting on Android and jailbreaking on iOS are fundamentally different processes. Rooting Android devices might involve installing the su binary or replacing the system with a rooted custom ROM, which doesn’t necessarily require exploits if the bootloader is unlocked. Flashing custom ROMs replaces the device’s OS after unlocking the bootloader, sometimes requiring an exploit.
In contrast, iOS devices cannot flash custom ROMs due to the bootloader’s restriction to only boot Apple-signed images. Jailbreaking iOS aims to bypass Apple’s code signing protections to run unsigned code, a process complicated by Apple’s continuous security enhancements.
Jailbreaking Challenges
Jailbreaking iOS is increasingly difficult as Apple patches vulnerabilities quickly. Downgrading iOS is only possible for a limited time after a release, making jailbreaking a time-sensitive matter. Devices used for security testing should not be updated unless re-jailbreaking is guaranteed.
iOS updates are controlled by a challenge-response mechanism (SHSH blobs), allowing installation only for Apple-signed responses. This mechanism, known as a “signing window”, limits the ability to store and later use OTA firmware packages. The IPSW Downloads website is a resource for checking current signing windows.
Jailbreak Varieties
- Tethered jailbreaks require a computer connection for each reboot.
- Semi-tethered jailbreaks allow booting into non-jailbroken mode without a computer.
- Semi-untethered jailbreaks require manual re-jailbreaking without needing a computer.
- Untethered jailbreaks offer a permanent jailbreak solution without the need for re-application.
Jailbreaking Tools and Resources
Jailbreaking tools vary by iOS version and device. Resources such as Can I Jailbreak?, The iPhone Wiki, and Reddit Jailbreak provide up-to-date information. Examples include:
- Checkra1n for older A7-A11/iOS 12-14 era research devices.
- Palera1n for checkm8-compatible devices (A8-A11) on iOS/iPadOS 15+.
- Dopamine for many arm64/arm64e devices on iOS 15/16 using a modern rootless jailbreak.
- Unc0ver remains relevant mainly for older iOS versions up to 14.8.
Modifying your device carries risks, and jailbreaking should be approached with caution.
Rootless jailbreaks
Modern iOS 15+ jailbreaks are commonly rootless instead of rootful. From a tester perspective, this matters because a lot of older guides still assume that jailbreak files live directly under / or /Library/..., which is no longer true on many current setups.
- Rootless jailbreaks avoid modifying the sealed system volume directly.
- On palera1n, jailbreak files are typically stored under a randomized path in /private/preboot/... and exposed through the stable symlink /var/jb.
- Tweaks, launch daemons and helper binaries might therefore live under /var/jb instead of the legacy rootful locations.
This has a direct impact on environment validation, Frida setup, and jailbreak detection bypass:
- When checking whether your tooling installed correctly, inspect both the legacy paths and /var/jb.
- When reviewing jailbreak detection logic in an app, remember that modern checks often look for rootless artifacts and symlinks in addition to classic indicators like Cydia.app.
- If a third-party script or tweak assumes a rootful filesystem layout, it may fail silently on a rootless device.
Jailbreaking Benefits and Risks
Jailbreaking removes OS-imposed sandboxing, allowing apps to access the entire filesystem. This freedom enables the installation of unapproved apps and access to more APIs. However, for regular users, jailbreaking is not recommended due to potential security risks and device instability.
After Jailbreaking
Jailbreak Detection
Several applications will try to detect whether the device is jailbroken and refuse to run if it is. Common indicators:
- After jailbreaking, a known set of files and folders is usually installed; these can be searched for to determine whether the device is jailbroken.
- In modern rootless jailbreaks those files may appear under /var/jb or resolve through symlinks into /private/preboot/... instead of only in the classic rootful locations.
- On a jailbroken device applications get read/write access to files outside their sandbox.
- Some API calls behave differently.
- The OpenSSH service is present.
- Calling /bin/sh (for example via system()) succeeds and returns 1 instead of 0.
More information about how to detect jailbreaking here.
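The rootless layout described earlier and the detection indicators listed above are best checked from a shell on the device (over SSH) before trusting any tooling or judging an app's jailbreak checks. The script below is an added example, not from the page: `jb_indicators` walks the classic rootful paths and their /var/jb counterparts, reports symlinks together with their resolved target (so a /var/jb -> /private/preboot/... mapping is visible), and `sandbox_write_check` performs the classic "can I write outside my container?" probe. The function takes a root directory argument so it can also be pointed at an extracted filesystem or, as in the test, at a constructed directory tree that imitates a palera1n rootless install; the preboot hash and jb- suffix in that tree are made up.

```bash
#!/bin/sh
# Added example (not from the page): enumerate rootful and rootless jailbreak
# artifacts under a given root ("/" on the device itself). Assumes a POSIX sh
# with readlink; the path list is a common subset, extend it for your target.

# Paths left behind by classic (rootful) jailbreaks and by rootless ones
# (palera1n/Dopamine style under /var/jb). Relative to the inspected root.
JB_PATHS="
Applications/Cydia.app
Applications/Sileo.app
Library/MobileSubstrate/MobileSubstrate.dylib
usr/sbin/sshd
etc/apt
bin/bash
var/jb
var/jb/Applications/Sileo.app
var/jb/usr/sbin/sshd
var/jb/Library/MobileSubstrate/DynamicLibraries
"

# Print every indicator that exists under $1; symlinks show their target so
# the /var/jb -> /private/preboot/... indirection is visible. Ends with a count.
jb_indicators() {
    _root="${1%/}"
    _n=0
    for _p in $JB_PATHS; do
        _full="$_root/$_p"
        if [ -L "$_full" ]; then
            printf '[+] /%s -> %s\n' "$_p" "$(readlink "$_full")"
            _n=$((_n + 1))
        elif [ -e "$_full" ]; then
            printf '[+] /%s\n' "$_p"
            _n=$((_n + 1))
        fi
    done
    printf '%d indicator(s)\n' "$_n"
}

# Just the number of indicators found under $1.
jb_indicator_count() {
    jb_indicators "$1" | tail -n 1 | cut -d' ' -f1
}

# Classic sandbox probe: a stock app container cannot create /private/<file>;
# on a jailbroken device (or when run as mobile over SSH) the write succeeds.
sandbox_write_check() {
    _f="${1%/}/private/jb_probe.$$"
    if ( : > "$_f" ) 2>/dev/null; then
        rm -f "$_f"
        echo "writable"
    else
        echo "denied"
    fi
}

# Run against the live filesystem when executed directly with no argument
# (e.g. `ssh mobile@<device-ip> sh -s < jbcheck.sh`).
if [ -n "${JB_LIVE:-}" ]; then
    jb_indicators /
    sandbox_write_check /
fi
```

Run it with `JB_LIVE=1` on the device; on a palera1n rootless install expect the `/var/jb` line to resolve into `/private/preboot/...`, which is exactly the indirection that app-side checks looking only for `/Applications/Cydia.app` miss.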
Jailbreak Detection Bypass
- You can try to avoid these detections using objection's ios jailbreak disable
- You could also install the tool Liberty Lite (https://ryleyangus.com/repo/). Once the repo is added, the app should appear in the 'Search' tab
References
- https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/
- https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device
- https://docs.palera.in/docs/reference/environment-types/