hacktricks/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
carlospolop c2b4010079 a
2025-05-11 17:04:20 +02:00

# iOS Pentesting without Jailbreak
{{#include ../../banners/hacktricks-training.md}}
## Main idea
Applications signed with the **entitlement `get-task-allow`** allow third party applications to call **`task_for_pid()`** with the process ID of the target application as argument in order to obtain its task port (and so control it and access its memory).
However, it's not as easy as just pulling the IPA, re-signing it with the entitlement, and flashing it back to your device. This is because of FairPlay protection: when the signature of the app changes, the DRM (Digital Rights Management) key is **invalidated and the app won't work**.
With an old jailbroken device, it's possible to install the IPA, **decrypt it using your favourite tool** (such as Iridium or frida-ios-dump), and pull it back off the device. Although, if possible, it's recommended to just ask the client for the decrypted IPA.
## Obtain decrypted IPA
### Get it from Apple
1. Install the app to pentest on the iPhone
2. Install and launch [Apple Configurator](https://apps.apple.com/au/app/apple-configurator/id1037126344?mt=12) on your macOS machine
3. Open `Terminal` on your Mac, and cd to `/Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`. The IPA will appear in this folder later.
4. You should see your iOS device. Double-click on it, and then click Add + → Apps from the top menu bar.
5. After clicking Add, Configurator will download the IPA from Apple and attempt to push it to your device. If you already installed the app as in step 1, a prompt asking you to reinstall the app will appear.
6. The IPA should be downloaded inside `/Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`, from where you can grab it
Check [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) for more detailed information about this process.
### Decrypting the app
In order to decrypt the IPA we are going to install it. However, if you have an old jailbroken iPhone, its iOS version is potentially not going to be supported by the application, as apps usually only support the latest versions.
So, in order to install it, first unzip the IPA:
```bash
unzip redacted.ipa -d unzipped
```
Check the `Info.plist` for the minimum supported version and, if your device is older than that, change the value so your device is supported.
Zip back the IPA:
```bash
cd unzipped
zip -r ../no-min-version.ipa *
```
Then, install the IPA for example with:
```bash
ideviceinstaller -i no-min-version.ipa -w
```
Note that you might need the **AppSync Unified tweak** from Cydia to prevent any `invalid signature` errors.
Once installed, you can use the **Iridium tweak** from Cydia in order to obtain the decrypted IPA.
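The unzip, edit `Info.plist`, re-zip steps above as an added Python example (not code from the original page or from the dvuln post). It builds a constructed stand-in IPA, rewrites the `MinimumOSVersion` key (the Info.plist key that holds the minimum supported iOS version), keeps `Payload/` at the archive root, and checks that embedded framework plists are left alone; the `Redacted.app` name and `com.example.redacted` bundle id are made up.

```python
import os
import plistlib
import tempfile
import zipfile

APP_PLIST = "Payload/Redacted.app/Info.plist"
FW_PLIST = "Payload/Redacted.app/Frameworks/Foo.framework/Info.plist"

def build_sample_ipa(path, min_version="17.0"):
    """Constructed stand-in for a decrypted IPA (not a real app)."""
    app = {"CFBundleIdentifier": "com.example.redacted", "MinimumOSVersion": min_version}
    with zipfile.ZipFile(path, "w") as z:
        # IPAs normally ship binary plists, so text-based sed edits would not work
        z.writestr(APP_PLIST, plistlib.dumps(app, fmt=plistlib.FMT_BINARY))
        z.writestr(FW_PLIST, plistlib.dumps({"MinimumOSVersion": min_version}))
    return path

def patch_min_os_version(ipa_in, ipa_out, new_min):
    """Rewrite MinimumOSVersion of the main app bundle; returns the old value."""
    old = None
    with zipfile.ZipFile(ipa_in) as src, zipfile.ZipFile(ipa_out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            parts = info.filename.split("/")
            # Only Payload/<Name>.app/Info.plist is the app's own plist; deeper
            # Info.plist files belong to embedded frameworks and stay untouched.
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                plist = plistlib.loads(data)  # handles XML and binary plists
                old = plist.get("MinimumOSVersion")
                plist["MinimumOSVersion"] = new_min
                data = plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)
            # Member names unchanged: Payload/ stays at the root (like `zip -r ../x.ipa *`)
            dst.writestr(info.filename, data)
    if old is None:
        raise ValueError("no Payload/<App>.app/Info.plist found in IPA")
    return old

def read_min_os_version(ipa, member):
    with zipfile.ZipFile(ipa) as z:
        return plistlib.loads(z.read(member))["MinimumOSVersion"]

def demo(new_min="14.0"):
    with tempfile.TemporaryDirectory() as d:
        src = build_sample_ipa(os.path.join(d, "redacted.ipa"))
        dst = os.path.join(d, "no-min-version.ipa")
        old = patch_min_os_version(src, dst, new_min)
        return {"old": old, "app": read_min_os_version(dst, APP_PLIST),
                "framework": read_min_os_version(dst, FW_PLIST)}
```

Running `demo()` on the constructed IPA returns `{'old': '17.0', 'app': '14.0', 'framework': '17.0'}`; on a real IPA, point `patch_min_os_version` at the decrypted file and install the output with `ideviceinstaller` as above.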
### Patch entitlements & re-sign
In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that lets you easily re-sign an IPA file by indicating the IPA to re-sign, that **`get-task-allow` should be added**, and the certificate and provisioning profile to use.
Regarding the certificate and signing profiles, Apple offers **free developer signing profiles** for all accounts through Xcode. Just create an app and configure one. Then, configure the **iPhone to trust the developer apps** by navigating to `Settings` → `Privacy & Security` and clicking on `Developer Mode`.
With the re-signed IPA, it's time to install it on the device to pentest it:
```bash
ideviceinstaller -i resigned.ipa -w
```
### Hook
You can easily hook your app using common tools like Frida and objection:
```bash
objection -g [your app bundle ID] explore
```
## References
- [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
{{#include ../../banners/hacktricks-training.md}}