Repository tree:

├── Pentesting iOS apps without jailbreak - SecuRing - Medium.pdf
├── README.md
└── iOS instrumentation without jailbreak.pdf

/Pentesting iOS apps without jailbreak - SecuRing - Medium.pdf:
https://raw.githubusercontent.com/psychsecurity/iOS-Pentesting/f2a78d6c1cc4c2095523b95db1f9494aebfadf6f/Pentesting iOS apps without jailbreak - SecuRing - Medium.pdf

/README.md:

Welcome to the iOS-Pentesting wiki!

# JB Testing

## Re-sign using applesign

List identities

`./applesign.js -L`

Re-sign with one of them (the `-i` value is the identity hash printed by `-L`)

`./applesign.js -i ABCDEFGHIJKLMNOPQRST /blah/blah.ipa`

## Re-sign using ios-app-signer

https://github.com/DanTheMan827/ios-app-signer/releases/tag/1.14

## Deploy using Xcode

https://slashedm.gitbook.io/xcode-app-signing/where-do-we-go-now/newer-versions

Xcode + iOS App Signer (these steps are copied from the unc0ver install instructions, hence the reference to unc0ver; substitute whatever IPA you want to sideload)

1. Install Xcode, open it, and agree to the license agreement.
2. Plug in your iOS device and select it as the build target.
3. In Xcode, create a new iOS Application.
4. Type a name and identifier.
5. Xcode will complain about the lack of a provisioning profile. Click "Fix Issue".
6. Sign in to an Apple ID when prompted.
7. Download iOS App Signer.
8. Download the latest version of unc0ver (or the IPA you actually want to install).
9. Open iOS App Signer.
10. Select the IPA you just downloaded as the input file.
11. Click Start.
12. Return to Xcode and open Window → Devices.
13. Find your device, click the plus, and select the file created by iOS App Signer.

## Objection

List apps over USB (`-U` USB device, `-i` include installed apps, `-a` applications only)

`frida-ps -Uia`

Attach to an app by bundle identifier

`objection --gadget "com.apple.AppStore" explore`

Run an objection command as soon as the session starts, here simulating a jailbroken environment to exercise the app's jailbreak detection

`objection explore --startup-command 'ios jailbreak simulate'`

# Get IPA - frida-ios-dump

Forward local port 2222 to the device's SSH port over USB, then pull the decrypted app through the tunnel

`sudo iproxy 2222 22`

`python3 dump.py com.blah -H 127.0.0.1 -p 2222 -u mobile -P password -o blah.ipa`

# Non-JB Testing

Connect the phone to the Mac, run a test app on it from Xcode and let Xcode fix the signing certificates. This generates a development provisioning profile (under `~/Library/MobileDevice/Provisioning Profiles/`).

Find code-signing identities

`security find-identity -p codesigning -v`

Patch the Frida gadget dylib into the IPA and re-sign it with that identity (the second form also embeds the provisioning profile; note that `~` is not expanded inside single quotes, so pass the profile path via `$HOME` or unquoted)

`objection patchipa --source blah.ipa --codesign-signature 1234BLAH`

`objection patchipa --source blah.ipa --codesign-signature 39AAAAAAAAAAAAAAAAAAAAAAAA29 -P "$HOME/Library/MobileDevice/Provisioning Profiles/blah.mobileprovision"`

Deploy in debugging mode (`-W` ignores Wi-Fi devices and uses the USB connection)

`ios-deploy --bundle blah.app -W -d`

This might take a while; be patient, lldb will load.

Run in debug mode without installing again

`ios-deploy -b blah.app -W -m`

Use objection

`objection explore`

# Reversing/Patching - use Hopper

/iOS instrumentation without jailbreak.pdf:
https://raw.githubusercontent.com/psychsecurity/iOS-Pentesting/f2a78d6c1cc4c2095523b95db1f9494aebfadf6f/iOS instrumentation without jailbreak.pdf
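The "Get IPA - frida-ios-dump" steps above as one script, added here as an example and not code from the psychsecurity/iOS-Pentesting README or from frida-ios-dump: it starts the iproxy tunnel, waits until the local port actually accepts connections before running dump.py, and checks that the resulting IPA contains an app bundle. Assumed, not stated in the README: iproxy, python3 and unzip on PATH; dump.py in the current directory; SSH on the device on port 22 for user mobile with the jailbreak default password alpine (the README's `password` placeholder) unless another is passed; iproxy run without sudo, since 2222 is an unprivileged port.

```shell
#!/usr/bin/env bash
# Added example, not from the psychsecurity/iOS-Pentesting README: pull a
# decrypted IPA from a jailbroken device with frida-ios-dump over a USB SSH
# tunnel, as in the "Get IPA" steps. Assumptions (not stated in the README):
# iproxy, python3 and unzip are on PATH; dump.py (frida-ios-dump) is in the
# current directory; the device runs SSH on port 22 for user "mobile" with
# the jailbreak default password "alpine" unless one is passed in.
set -eu

# Return 0 as soon as something accepts TCP connections on host:port, 1 after
# about $3 seconds (default 10). Uses bash's /dev/tcp so no nc or telnet is
# needed; under a plain POSIX sh the redirection fails, which just reads as
# "not listening yet".
wait_for_port() {
  host=$1; port=$2; timeout=${3:-10}
  i=0
  while [ "$i" -lt "$timeout" ]; do
    if (: </dev/tcp/"$host"/"$port") 2>/dev/null; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# Run frida-ios-dump through the tunnel on 127.0.0.1:2222, then check that
# the result is an IPA with an app bundle inside; an empty or truncated
# archive means the dump did not complete and should not be trusted.
dump_ipa() {
  bundle_id=$1; out=$2; password=${3:-alpine}
  python3 dump.py "$bundle_id" -H 127.0.0.1 -p 2222 -u mobile -P "$password" -o "$out"
  unzip -l "$out" | grep -q 'Payload/[^/]*\.app/Info\.plist$'
}

if [ "${1:-}" = "--dump" ]; then
  # Real run: ./dump.sh --dump com.blah [blah.ipa] [password]
  bundle_id=$2; out=${3:-$bundle_id.ipa}
  # Forward localhost:2222 to the device's port 22 over USB. No sudo needed:
  # 2222 is an unprivileged port.
  iproxy 2222 22 >/dev/null 2>&1 &
  tunnel=$!
  trap 'kill "$tunnel" 2>/dev/null' EXIT
  wait_for_port 127.0.0.1 2222 10 || { echo "iproxy tunnel did not come up" >&2; exit 1; }
  dump_ipa "$bundle_id" "$out" "${4:-alpine}"
  echo "decrypted IPA written to $out"
fi
```

The port check matters because `iproxy ... &` returns immediately; without it dump.py races the tunnel and fails with a connection refused that looks like an SSH problem.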
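The "Non-JB Testing" workflow above as one script, added here as an example and not code from the README or from objection: the identity hash is parsed from `security find-identity` output instead of being copied by hand (when the listing has a "Valid identities only" section, only that section is searched, so an expired certificate under "Matching identities" is never picked), the IPA is patched and re-signed with objection, unpacked, and pushed to the device with ios-deploy. Assumptions not in the README: objection, ios-deploy and unzip on PATH; objection writing its output as `<source>-frida-codesigned.ipa` beside the source IPA; the first `.mobileprovision` under `~/Library/MobileDevice/Provisioning Profiles/` being the one Xcode generated. The identity listing at the bottom is constructed sample output (made-up hashes and team ID) for the stand-alone run.

```shell
#!/usr/bin/env bash
# Added example, not from the psychsecurity/iOS-Pentesting README: the
# Non-JB Testing workflow end to end. Assumptions (not stated in the README):
# objection, ios-deploy and unzip are on PATH; objection writes its patched
# output as <source>-frida-codesigned.ipa next to the source IPA; the first
# .mobileprovision in ~/Library/MobileDevice/Provisioning Profiles/ is the one
# Xcode generated for this Apple ID.
set -eu

# Read `security find-identity -p codesigning -v` output from stdin and print
# the 40-hex-digit SHA-1 of the first identity whose line contains $1
# (e.g. "Apple Development"); with no filter, the first identity.
# When the output has a "Valid identities only" section (the form printed
# without -v), only that section is searched, so an expired or revoked
# certificate listed under "Matching identities" is never chosen.
# Returns 1 when nothing matches, so a mistyped filter fails loudly instead
# of silently signing with some other certificate.
pick_identity() {
  filter=${1:-}
  listing=$(cat)
  case $listing in
    *"Valid identities only"*)
      listing=$(printf '%s\n' "$listing" | sed -n '/Valid identities only/,$p') ;;
  esac
  found=$(printf '%s\n' "$listing" \
    | grep -E '^ *[0-9]+\) [0-9A-F]{40} "' \
    | grep -F -- "$filter" \
    | awk 'NR == 1 { print $2 }') || true
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Path objection will write the patched IPA to (assumed naming, see above).
patched_ipa_path() {
  printf '%s\n' "${1%.ipa}-frida-codesigned.ipa"
}

# Inject FridaGadget.dylib and re-sign with the chosen identity and profile.
# Prints the path of the patched IPA.
patch_ipa() {
  src=$1; identity=$2; profile=$3
  objection patchipa --source "$src" --codesign-signature "$identity" -P "$profile" >&2
  patched_ipa_path "$src"
}

# ios-deploy takes the .app bundle, not the IPA: unpack Payload/ and print it.
unpack_app() {
  ipa=$1; dir=$(mktemp -d)
  unzip -q -o "$ipa" -d "$dir"
  ls -d "$dir"/Payload/*.app
}

# Constructed sample of `security find-identity -p codesigning` output (no -v),
# used for the stand-alone run below; the hashes and team ID are made up.
SAMPLE_IDENTITIES='Policy: Code Signing
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: dev@example.com (ABCDE12345)"
  2) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Distribution: Example Corp (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
     2 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: dev@example.com (ABCDE12345)"
     1 valid identities found'

if [ "${1:-}" = "--run" ]; then
  # Real run: ./nonjb.sh --run blah.ipa
  src=$2
  profile=$(ls "$HOME/Library/MobileDevice/Provisioning Profiles"/*.mobileprovision | head -n 1)
  identity=$(security find-identity -p codesigning -v | pick_identity "Apple Development")
  app=$(unpack_app "$(patch_ipa "$src" "$identity" "$profile")")
  # First launch installs and attaches lldb (slow); re-run with -m to skip the install.
  ios-deploy --bundle "$app" -W -d
  # With the app running under lldb, run `objection explore` in another terminal.
else
  # Stand-alone demo on the constructed listing: prints the dev identity and
  # shows that the expired distribution certificate is rejected.
  printf '%s\n' "$SAMPLE_IDENTITIES" | pick_identity "Apple Development"
  if printf '%s\n' "$SAMPLE_IDENTITIES" | pick_identity "Apple Distribution"; then
    echo "unexpected: expired identity selected" >&2
    exit 1
  fi
fi
```

Passing the profile path through a variable rather than a single-quoted `~/...` string also sidesteps the tilde-expansion problem noted above.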