I really wanted to jot this down as a brain dump before I go to sleep and my volatile memory wipes forever.
iOS testing is not the same beast as Android. It’s a very complex procedure that requires a very careful and thought out process. I’m not really sure how I even want to show this stuff, so for now it’s just a mad brain dump as I recall my notes and memory.
Things you need
- Windows, Linux, MacOS – not kidding
- IPA file (iOS app install file, much like an APK for Android)
- Jailbroken device (can’t route traffic without one)
- Calm manner
Installing IPA files to the phone
iTunes 12.6.3 – The last version of iTunes that allowed you to install apps directly to the phone.
Cydia Impactor – A pain in the ass bit of software used to install jailbreak apps, or any app really, to the phone without a jailbreak. Be warned, it’s not without its issues, as I’ve experienced.
Static Code Analysis
You need a Mac or a MacOS VM (another post) and Xcode installed. MobSF doesn’t run in Docker, even on a Mac, and will warn you that it cannot analyse IPA files without being run directly on the Mac.
iOS Versions and Jailbreaks
OK THEE most annoying part of the process.
Don’t buy a 32-bit device. That I can be sure of. Don’t get any device that hasn’t got support for iOS 11 at least. iOS 11.2 – 11.3.1 use the Electra (https://coolstar.org/electra/) jailbreak, so I’d advise going for a device with that specific range on it. Don’t think you can just get any one and downgrade it, because Apple only sign the latest OS version, so you can’t downgrade in iTunes. You have been warned. If you really need to get an iOS 10 device, do not get iOS 10.2.1. Go for 10.3.3 if you can, because that used the G0blin jailbreak and has more support for tools.
You’re going to need a lot of tools to get the job done. Cydia can help with a lot of the installs, but make sure you verify that a package runs on 64-bit before you install it.
OpenSSH (on the device) – Most important one of the lot (install via Cydia)
IDB (On a Mac) – Older but useful in MacOS VM
Frida (on the device) – Add repository https://build.frida.re/ – add frida
Tools NOT to install
apt7-lib – DO NOT INSTALL this, or let it update if it is installed. It will break Cydia and you’ll be in a world of pain because you can’t just remove the app.
Manually uninstalling Cydia – Using SSH
If you’re like me and you broke your Cydia install, you’ll need to remove it manually. THIS MIGHT NOT WORK FOR YOU!! – It worked for me on my device so I give clear warning to google this process and test it yourself before blindly running it on your own device.
DPKG throws errors if you try and uninstall it directly, so here’s a wee tip.
dpkg -l | grep cydia
Should throw up the packages that are called cydia. Launching the command below will give you the next hint
dpkg -r --force-remove-essential cydia
The package installer will throw an error about package dependencies. Just run the above command on each package until they are all gone, then remove cydia. Run the command below to remove the app icon
killall -HUP SpringBoard
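The removal loop above, scripted, as an added example that is not part of the original post. It assumes you run it on the device over SSH; it defaults to DRY_RUN=1 and only prints the dpkg commands until you set DRY_RUN=0 and RUN_CLEANUP=1 yourself.

```shell
#!/bin/sh
# Added example (not from the original post): the dpkg removal loop described above,
# scripted. Defaults to DRY_RUN=1, which only prints the commands; set DRY_RUN=0 once
# you have checked the package list it shows. RUN_CLEANUP=1 actually starts the loop.
DRY_RUN="${DRY_RUN:-1}"

# Pull package names (column 2) out of `dpkg -l` output for rows whose name matches
# a pattern. The listing is passed in as $1 so the parser can be exercised offline.
matching_packages() {
    printf '%s\n' "$1" | awk -v pat="$2" '/^[a-z][a-z] / && $2 ~ pat { print $2 }'
}

remove_pkg() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] dpkg -r --force-remove-essential $1"
    else
        dpkg -r --force-remove-essential "$1"
    fi
}

# dpkg refuses a package while others still depend on it, so keep sweeping: each pass
# removes whatever is now removable, and cydia itself goes on the last pass.
cleanup_cydia() {
    pass=0
    while :; do
        pkgs=$(matching_packages "$(dpkg -l 2>/dev/null)" cydia)
        [ -z "$pkgs" ] && break
        pass=$((pass + 1))
        if [ "$pass" -gt 10 ]; then echo "still stuck after 10 passes, stopping" >&2; return 1; fi
        for p in $pkgs; do remove_pkg "$p" || true; done
        [ "$DRY_RUN" = 1 ] && break    # nothing changed, so a second pass would loop forever
    done
    # Respawn SpringBoard so the orphaned Cydia icon disappears from the home screen
    [ "$DRY_RUN" = 1 ] || killall -HUP SpringBoard
}

if [ -n "${RUN_CLEANUP:-}" ]; then cleanup_cydia; fi
```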
Routing traffic from the phone to Burp
So you have SSH on the phone, so what can you do? You can route the HTTP traffic from the phone to Burpsuite, that’s what!
In Burp set the proxy to listen on AllInterfaces:8080
In your computer terminal type:
ssh -R 8080:127.0.0.1:8080 root@iphone-ipaddress
On the iPhone, set a manual proxy to point to 127.0.0.1:8080
Go to http://burp on your phone and install the Burp certificate (don’t forget that bit).
If you are getting SSL errors in the Alerts tab, then the app could be cert pinning. Investigate, or use SSL passthrough if it’s not important so you can get it working.
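The tunnel setup above with a check that it actually works, as an added example that is not from the original post. It assumes root SSH to the device at DEVICE, Burp listening on port 8080 on this computer, and curl present on the device; the device-side fetch of http://burp/cert both proves the proxy is reachable and leaves the CA on the device for you to install.

```shell
#!/bin/sh
# Added example (not from the original post): bring up the reverse tunnel described
# above, then confirm from the device side that the proxy answers by pulling Burp's
# CA through it. Assumes: root SSH on the device, DEVICE=<iphone-ipaddress>, Burp
# listening on port 8080 on this computer, curl present on the device.
DEVICE="${DEVICE:-iphone-ipaddress}"
PORT="${PORT:-8080}"
CTRL="/tmp/burp-tunnel.sock"   # ssh control socket so the tunnel can be stopped later

# Build the -R argument; fail on a non-numeric port rather than handing ssh garbage.
forward_spec() {
    case "$1" in
        ''|*[!0-9]*) echo "port must be numeric: $1" >&2; return 1 ;;
    esac
    # device 127.0.0.1:$1 -> this computer 127.0.0.1:$1. ssh -R binds loopback on the
    # remote side, which is why the phone's manual proxy setting is 127.0.0.1:$1.
    echo "$1:127.0.0.1:$1"
}

start_tunnel() {
    spec=$(forward_spec "$PORT") || return 1
    # -N: no shell, -f: background, keepalives so a sleeping phone doesn't silently drop it,
    # ExitOnForwardFailure so a port already in use on the device is reported, not ignored
    ssh -f -N -M -S "$CTRL" -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes \
        -R "$spec" "root@$DEVICE"
}

# From the device, fetch Burp's CA via the proxy. HTTP 200 means tunnel and proxy work;
# the cert lands in /tmp on the device for installation via Settings.
check_from_device() {
    ssh -S "$CTRL" "root@$DEVICE" \
        "curl -s -x http://127.0.0.1:$PORT -o /tmp/burp-ca.der -w '%{http_code}' http://burp/cert"
}

stop_tunnel() { ssh -S "$CTRL" -O exit "root@$DEVICE"; }

if [ "${1:-}" = up ]; then
    start_tunnel && code=$(check_from_device) && echo "proxy check from device: HTTP $code"
elif [ "${1:-}" = down ]; then
    stop_tunnel
fi
```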
Ooft, Objection by SensePost is amazing. Worth downloading in my opinion. I’ll let you have fun doing that lol.
To run it though, it’s easy to just follow this. Make sure Frida is installed and the same versions on both the phone and the client.
Run this command client side:
This will print out the running apps installed on the device. You need the name value for Objection.
Launch objection with this command:
objection --gadget name_of_app_process explore
The terminal will change to just a terminal prompt. Tab completion is enabled so have a play.
It does jailbreak bypass and cert unpinning. Easy as one command:
ios sslpinning disable
It submits the hook as a job, and you can test away.
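The Objection launch steps above, with the frida version check done first, as an added example that is not from the original post. It assumes frida tools on this machine, root SSH to the device at DEVICE, frida-server installed from the Cydia repo as package re.frida.server, the app's bundle identifier in APP_ID, and that your objection version has the --startup-command option of explore.

```shell
#!/bin/sh
# Added example (not from the original post): the Objection launch steps above with
# the version check the post insists on done first. Assumes: frida tools on this
# machine, root SSH to the device at DEVICE, frida-server installed from the Cydia
# repo as package re.frida.server, and the app's bundle identifier in APP_ID.
DEVICE="${DEVICE:-iphone-ipaddress}"

# Exact match only: a patch-level mismatch between client and frida-server is enough
# for objection to fail to attach.
versions_match() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# From `frida-ps -Uai` style output (PID, Name, Identifier columns), return the Name
# for a bundle identifier. Name may contain spaces, so drop the first and last fields
# rather than taking a single column. The listing is passed in as $1.
pick_process() {
    printf '%s\n' "$1" | awk -v id="$2" \
        '$NF == id { $1 = ""; $NF = ""; sub(/^ +/, ""); sub(/ +$/, ""); print }'
}

check_frida_versions() {
    client=$(frida --version 2>/dev/null)
    device=$(ssh "root@$DEVICE" "dpkg -s re.frida.server 2>/dev/null | awk '/^Version:/ {print \$2}'")
    if versions_match "$client" "$device"; then
        echo "frida $client on both sides"
    else
        echo "frida version mismatch: client='$client' device='$device'" >&2; return 1
    fi
}

# Find the app by bundle id over USB (-U), including installed-but-not-running apps
# (-a -i), then launch objection with pinning disabled from the first request.
run_objection() {
    name=$(pick_process "$(frida-ps -U -a -i 2>/dev/null)" "$1")
    [ -n "$name" ] || { echo "no app with identifier $1" >&2; return 1; }
    objection --gadget "$name" explore --startup-command "ios sslpinning disable"
}

if [ -n "${APP_ID:-}" ]; then
    check_frida_versions && run_objection "$APP_ID"
fi
```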
So there are a few ways to bypass jailbreak protection
- Flex3 (didn’t like it)
- Objection (uses SSLKillSwitch)
- Manually debugging the app
Each has its own way of doing it, but it’s worth reading up on them. The manual way gives you more control of the process (DUH!) but takes more time.
You need an Apple developer account. Don’t listen to the people who say that the free account is fine. You’ll hit your 3-app limit really quickly in a day, and the Immortal Cydia tweak doesn’t work (did for me). I just bit the bullet and paid the fee because I needed to work fast.
Testing iOS is a pain. It’s a constant battle with Apple, the device and the developers of tools just dropping things and not finishing them. Bad updates by old developers mess things up too. Having a solid platform to test on is increasingly difficult the more Apple dig their claws in. The Electra JB for iOS 11 seems to be popular, so I’d focus on that. By the time you read this post, it’s probably all going to have changed.
Clients need their apps tested, and there doesn’t seem to be a solid dependable platform to test on. It’s a joke, because our job is hard enough.