Sign in Subscribe

Lab for pentesting iOS applications. Part 1

Lab for pentesting iOS applications. Part 1

Introduction

Goal: prepare a lab for pentesting iOS applications and MiTM traffic using Frida and BurpSuite.


This step-by-step guide consists of two parts. The first part is dedicated to preparing the equipment (installing the requ*ired software and jailbreaking multiple versions of iOS), while the second part covers some basic features of Frida and practical penetration testing of the DVIA-v2 test application as a demonstration.

Required equipment:

  • MacBook Air M1 with MacOS 14.1 (Install Frida with the following command: pip install frida-tools)
  • Adapter OTG USB-C to USB Type-A (mandatory for Checkra1n and Palera1n)

The instructions provide information on jailbreaking three different versions of iOS to demonstrate the differences in the jailbreak process on real devices.

Target Devices:

  • iPhone 6 (model A1586) - iOS 12.4.5
  • iPhone 8 (model A1905) - iOS 14.7.1
  • iPhone 8 (model A1905) - iOS 16.7.2

About iOS jailbreaking

iOS jailbreaking is a process of removing software restrictions imposed by Apple on its iOS operating system, typically to gain root-level access and allow users to install unauthorized third-party applications and make system-level modifications. We aim to gain root access to the system and interact with an application using Frida.

Types of jailbreaks:

  • Untethered: the device remains jailbroken even after a reboot or power-off. Users can freely enjoy the extended capabilities, install third-party apps, modify the operating system, and make other changes without worrying about losing the jailbreak upon device restart;
  • Semi-Untethered: requires executing an exploit each time you reboot or power off your device, and the jailbreak is accomplished by running the exploit using an app or website directly on the device;
  • Semi-Tethered: requires the execution of an exploit whenever you reboot or power off your device, and the jailbreak is achieved by running the exploit using a computer or external tool connected to the device;
  • Tethered: the device must be connected to a computer or an external tool, and an exploit needs to be executed each time the device is rebooted or powered off in order to maintain the jailbreak. This type of jailbreak necessitates a computer-based jailbreak application and a physical cable connection between the device and the computer after each device shutdown.
    The most accessible and popular jailbreaks are Semi-Untethered and Semi-Tethered. Untethered jailbreaks have not been seen for the past few years, and Tethered jailbreaks are both riskier for the device and more complex to apply than others.

Jailbreaking iOS 12.4.5 (iPhone 6)

List of Necessary Devices and Apps:

  • iPhone 6 (model A1586) with iOS 12.4.5
  • Jailbreak using Checkra1n

Checkra1n is a semi-tethered jailbreak, requiring one to re-apply the exploit after a reboot of the iPhone. The tool is compatible with jailbreaking old devices (A7 to A11 SoC) on iOS versions 12.0 to 14.8.1*.

*A11 devices on iOS 14.0 and above require removing the passcode and enabling “Skip A11 BPR check” in the options.

Stage 1: Jailbreak (Checkra1n)

  1. Go to https://checkra.in/#release and install the macOS version;
  2. On the first launch of Checkra1n, you may encounter an error; see the 'Troubleshooting' section;
  3. Connect your iPhone 6 to your MacBook using an OTG adapter and run Checkra1n app;
  1. Click “Start” and follow the instructions in the application;

After launching iOS, a new application, Checkra1n, becomes available, allowing for the installation of Cydia, which serves as a package manager for installing applications on jailbroken iPhones.

Stage 2: Install Frida over Cydia

1. Open Checkra1n app and install Cydia on your iPhone;
2. Run Cydia, go to Sources, tap “Edit” -> “Add” and add a new source: https://build.frida.re/

  1. After updating the list of repositories, use the search function to find the package named "Frida" and proceed to install it.

To check the successful installation of Frida, you can execute the following command on macOS: frida-ls-devices or frida-ps -Uia (the iPhone with Frida must be connected to the MacBook via USB).

Jailbreaking iOS 14.7.1 (iPhone 8)

List of Necessary Devices and Apps:
* iPhone 8 (model A1905) with iOS 14.7.1
* Jailbreak using Taurine and Sideloadly

Taurine is a semi-untethered jailbreak, requiring an app to re-apply the exploit after a reboot. The tool is compatible with jailbreaking all devices on iOS/iPadOS versions 14.0 to 14.8.1. We will use Sideloadly to install the Taurine jailbreak application to your iOS device for use in the next step.

Stage 1: Install Taurine over Sideloadly

1. Disable your passcode on your iPhone;
2. Go to https://sideloadly.io/#download and install the macOS version;
3. On the first launch of Sideloadly, you may encounter an error; see the 'Troubleshooting' section;
4. Go to https://taurine.app/#download and download .ipa (Taurine.1.1.7-3.ipa);
5. Connect your iPhone 8 to your MacBook using an OTG adapter;
6. Launch Sideloadly, select your iPhone, drag and drop the "Taurine.1.1.7-3.ipa" file into the Sideloadly window, and enter the Apple ID associated with your iPhone into the corresponding field:

7. Click “Start” and enter your Apple ID password if prompted. If you encounter error 401 or 500 at this stage, go to “System Settings” -> “Internet Accounts” on MacOS and add a new “iCloud” account, then try the operation again:

8. After installing the application, you must grant it permission to run. To do this, go to your iPhone's settings, navigate to "General" -> "Device Management" -> "" -> Tap "Trust ":

Taurine has been successfully installed, and you can proceed to Stage 2.


Stage 2: Jailbreak with Taurine and install Frida

1. Reboot your iPhone (This is not necessary but recommended);
2. Open the Taurine application, tap “Settings” -> “Exploit” and set “kfd (smith)” as active;

3. Tap "Jailbreak" and wait for reboot;
4. Launch Taurine again, and you will see the button label change to “Jailbroken”:

5. After a successful jailbreak, you should see another application: Sileo. Launch it, go to the “Sources” section, and add a new source (the “+” icon in the upper right corner): https://build.frida.re/

6. In the Sileo app, use the search function to find and install the following packages:
* libiosexec1
* libhooker (common)
* PreferenceLoader
* RocketBootstrap
* Frida
7. Once finished, tap “Restart SpringBoard”

Additionally, because of how semi-untethered jailbreaks work, you'll need to re-sign the app every 7 days. However, you have the option of installing a permanently signed Taurine app after jailbreaking, which allows you to avoid the need to reinstall Taurine using Sideloadly every 7 days. You can achieve this by installing “taurine-permanent” via Sileo.

To check the successful installation of Frida, you can execute the following command on macOS: frida-ls-devices or frida-ps -Uia (the iPhone with Frida must be connected to the MacBook via USB).

Jailbreaking iOS 16.7.2 (iPhone 8)

List of Necessary Devices and Apps:
* iPhone 8 (model A1905) with iOS 16.7.2
* Jailbreak using Palera1n

Checkra1n is a semi-tethered jailbreak, which requires reapplying the exploit after rebooting the iPhone. This tool is compatible with jailbreaking A8-A11 SoC devices running iOS versions 15.0* and later.

If your iPhone is running iOS 16 and you have already set a passcode, you will need to erase all data and settings and NOT SET A PASSCODE in order to jailbreak.

Stage 1: Jailbreak (Palera1n)

1. Erase all data and settings if you have ever installed a passcode;
2. Connect your iPhone to your MacBook using an OTG adapter;
3. Open a terminal window no your MacBook and enter for install Palera1n:

sudo /bin/sh -c "$(curl -fsSL https://static.palera.in/scripts/install.sh)"

4. Run on terminal: /usr/local/bin/palera1n
5. While your iPhone is entering DFU mode, press 'Enter' in the terminal session;
6. In DFU mode, after pressing the 'Enter' button, you will need first to hold the 'volume down + side button,' then release the 'side button' but continue to hold the 'volume down' button. Follow the instructions that will appear in the terminal;
7. Reconnect your iPhone to your MacBook when you see the message: Device should now reconnect in download mode, DFU mode device disconnected…

After launching iOS, a new application, Palera1n, becomes available, allowing for the installation of Sileo, which serves as a package manager for installing applications on jailbroken iPhones.

Stage 2: Install Frida over Sileo

To check the successful installation of Frida, you can execute the following command on macOS: frida-ls-devices or frida-ps -Uia (the iPhone with Frida must be connected to the MacBook via USB).

1. After a successful jailbreak, launch the Palera1n application and install Sileo;

  1. Open Sileo, navigate to the "Sources" section, and add a new source by clicking the "+" icon in the upper right corner: https://build.frida.re/
  1. In the Sileo app, use the search function to find and install Frida package

4. Once finished, tap “Restart SpringBoard”

To check the successful installation of Frida, you can execute the following command on macOS: frida-ls-devices or frida-ps -Uia (the iPhone with Frida must be connected to the MacBook via USB).

Troubleshooting

Error when launching an application on MacOS
Problem: In macOS, when launching the application, you receive the following error: “... cannot be opened because the developer cannot be verified”

Solution:
1. Tap “Cancel”;
2. Go to “System Settings” -> “Privacy & Security” on macOS and confirm the application's launch

Author: @resource_not_found