Lab for pentesting iOS applications. Part 2
In this part of the guide, we'll walk through setting up the environment and interacting with iOS applications.
Target application: DVIA-v2
Preparation
At this point, your iPhone should already be jailbroken, and Frida should be installed. You can easily verify this by connecting your phone to your MacBook via USB and running the following command: frida-ps -Uia (this will display a list of available applications on your iPhone).
Preparing iPhone and BurpSuite:
- Download DVIA-v2-swift.ipa from the repository
Install the application on your jailbroken iPhone.
Installation using Sideloadly is detailed in the first part of the article, using the example of installing Taurine.
Make sure to specify in the "VPN & Device Management" section that you trust the developer with your Apple ID. As of November 2023, this is the only known working method for IPA installation that I'm aware of. Ideviceinstaller, iOS-deploy, and installation through Apple Configurator end in failure.
- Set up the Burp Proxy listener and add the Burp Suite certificate to trusted certificates following this guide
- Verify the correctness of the installation and configuration: launch the DVIA-v2 app on your iPhone, go to the sections list, activate the "Network Layer Security" section, fill in the data, and send a request through "SEND OVER HTTP." In the Burp Suite request history, you should see the request that passed through the proxy.
Bypassing Certificate Pinning
SSL pinning (or SSL certificate pinning) is a security mechanism used in applications to establish trust relationships with specific SSL/TLS certificates, aiming to counteract MITM attacks.
From a pentesting perspective, it's precious to have the ability to "listen" to the traffic between the application and the backend service for request analysis (implementing MITM). Since we have control over a jailbroken iPhone, we can influence the mobile application and bypass SSL pinning mechanisms, for example, using Frida – a tool for dynamic analysis and interaction with applications on Android and iOS platforms.
There are numerous ways to bypass certificate verification, but within the scope of this article, I'll describe two of the simplest methods: using a script from the Frida repository and the Objection tool. However, first, we need to find out the name/ID of the application we will be interacting with. To do this, launch DVIA-v2 on your phone, and in the terminal, execute the following command: frida-ps -Ua
| PID | Name | Identifier |
|---|---|---|
| 825 | Calendar | com.apple.mobilecal |
| 2937 | DVIA-v2 | com.highaltitudehacks.DVIAswiftv2.UG25CAXF7Z |
| 2916 | Telegram | ph.telegra.Telegraph |
Bypass SSL Pinning with Frida CodeShare
Frida CodeShare is a hub of ready-to-use scripts for running with Frida: https://codeshare.frida.re/browse
Projects posted on CodeShare can be executed directly by specifying the name when launching Frida. For example, to run DVIA-v2 through Frida with a script to bypass SSL pinning, simply execute the following command in the terminal:
frida --codeshare <project name> -U -f '<app ID>'
Example for the DVIA-v2 application:
frida --codeshare federicodotta/ios13-pinning-bypass -U -f 'com.highaltitudehacks.DVIAswiftv2.UG25CAXF7Z'
Although the script is labeled IOS13, it effectively works on IOS 16.7.2 as well. From the moment the script is launched, it will dynamically replace certificate check requests, and in the Burp Suite history, you will see requests from the application over HTTPS connections.
Bypassing SSL Pinning with Objection
Objection is a dynamic mobile device analysis tool built on the Frida framework.
Project on Github.
I highly recommend exploring this tool independently. It's a valuable asset in penetration testing scenarios involving mobile applications.
Installation:
pip3 install -U objection
SSL pinning bypass is already integrated into the utility, eliminating the need to search for additional projects/scripts as in the previous example. There are two ways to launch an application through Objection and activate the SSL pinning bypass. The first option:
objection -g 'com.highaltitudehacks.DVIAswiftv2.UG25CAXF7Z' explore -s '
After launching the application, enter the command:
ios sslpinning disable
The second option is to pass the command as an argument during launch:
objection -g 'com.highaltitudehacks.DVIAswiftv2.UG25CAXF7Z' explore -s 'ios sslpinning disable'
Each time "Send over HTTPS" or "Send using certificate/public key pinning" is activated, the terminal will display the intercepted function name and its return value. Intercepted requests will appear in the BurpSuite request history.
Obtaining IPA from the App Store
Currently, there is no direct way to retrieve an iOS App Store Package (IPA) file directly from the App Store. However, if you have a jailbroken iPhone with Frida, you can install the app from the App Store on your phone and use Frida to generate an IPA file for the installed application. The tool frida-ios-dump is well-suited for this purpose.
- Due to the nature of IPA file create, SSH access to the iPhone is required. In a separate terminal, run the command: iproxy 2222 22
Note: iproxy will redirect requests on port 2222 over USB to the sshd daemon on the iPhone;
a. Installation of frida-ios-dump:
git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
sudo pip install -r requirements.txt --upgrade
b. Check the list of installed and running applications and copy the name of the application whose IPA you want to obtain: frida-ps -Uia
c. Initiate the IPA file extraction by running the utility and specifying the application: python3 dump.py <name>
Now, you can perform static analysis of the application, for example, by analyzing the file using MobSF.
Author: @resource_not_found
,