Setting Up an iOS Pentesting Lab on a Non-Jailbroken iDevice
2024-2-8 18:27:18

1. Apple Developer Account

  1. Open Xcode.
  2. Navigate to Xcode > Settings (called Preferences in older Xcode versions).
  3. In the “Accounts” section, click the ‘+’ icon at the bottom left and sign in with the Apple ID of your developer account (a free account is enough for development signing).

2. Create a Sample Application

  1. Open Xcode and go to File > New > Project.
  2. Select the “App” template.
  3. Once the project is created, select the app target and open the Signing & Capabilities tab.
  4. Verify that your team is selected and that Xcode shows a signing certificate for it; Xcode creates the Apple Development certificate and a development provisioning profile for the project's bundle ID automatically.

3. Check Provisioning Profile

  1. Click on the information icon next to the developer account in Signing & Capabilities.
  2. Review the properties of the provisioning profile.

4. Provisioning Profile Path

Xcode stores the provisioning profiles it downloads in ~/Library/MobileDevice/Provisioning Profiles. Each file is named by its UUID with a .mobileprovision extension; it is a CMS-signed plist, so the bundle ID it covers and the entitlements it grants can be read once it is decoded.

5. Check Signing Identity

List the code-signing identities installed on your Mac (the hash printed next to the “Apple Development” identity is the value you will pass to objection) with the command:

applesign -L

6. Patch the App

With all dependencies in place, patching an actual IPA is a single command. Use the identity hash from step 5 and the provisioning profile from step 4; the profile must cover the bundle ID of the app you are patching, otherwise the device will refuse to install the result:

objection patchipa --source my-app.ipa --codesign-signature AD18F146xxxx -P e0456ee9-XX.mobileprovision

This command extracts the IPA, locates the app binary, patches it to load FridaGadget.dylib, codesigns the dylib and the application binary with the given identity and profile, and repackages everything for you.

Objection writes the patched and signed result as a new IPA named XXX-frida-codesigned.ipa.

7. Rename and Execute

  1. The IPA is an ordinary zip archive: either rename it to .zip and unzip it, or unzip it directly.
  2. Inside the extracted content, open the Payload directory.
  3. Payload contains a single [app-name].app directory, which is the application bundle (named after the app's product name, for example MyApp.app, not after its reverse-DNS bundle identifier).

Now, we will deploy this bundle onto the device using a utility called ios-deploy:

  1. Connect your iPhone to your Mac with a cable and unlock it.
  2. Execute the following command in the terminal from the directory that contains Payload:
ios-deploy --bundle Payload/[app-name].app --debug -W

Note: If ios-deploy stops with “error: process launch failed,” the iPhone has installed the app but does not yet trust the developer certificate that signed it. To resolve this:

  1. On the iPhone, go to Settings > General > VPN & Device Management (called Device Management or Profiles & Device Management on older iOS versions).
  2. Tap the “Apple Development” entry and choose Trust.
  3. On iOS 16 and later, also enable Developer Mode under Settings > Privacy & Security; development-signed apps do not run without it.
  4. Reinstall the app using ios-deploy, and it should now launch without any issues.
  5. You should see the lldb debugger attach and ios-deploy print a success message.

Before the certificate is trusted, the run ends with:
error: process launch failed

After trusting it:
App Successfully deployed & launched
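Steps 5 to 7 as one script, added here as an example; it is not code from the original post or from the objection project. It assumes objection, ios-deploy and the macOS security tool are installed and that the IPA, bundle ID and profile path are passed as arguments. It adds two checks the post does not spell out: the signing identity is taken from `security find-identity -v -p codesigning` (Apple's built-in equivalent of applesign -L) and the profile is decoded with `security cms -D -i` to confirm that it covers the target bundle ID and grants get-task-allow, which a debugger needs in order to attach. The identity hashes, team ID and bundle ID in the embedded samples are constructed for the self-checks.

```shell
#!/bin/sh
# Added example (not from the original post): pick a signing identity and a
# matching development profile, then patch the IPA and push it to the device.
# Assumes objection, ios-deploy and the macOS `security` tool are installed;
# IPA name, bundle ID and profile path are hypothetical arguments.
set -eu

# Constructed sample of `security find-identity -v -p codesigning` output.
# Hashes, names and team ID are made up for the self-checks, not real identities.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Distribution: Jane Doe (ABCDE12345)"
     2 valid identities found'

# Constructed fragment of a decoded profile (`security cms -D -i x.mobileprovision`).
SAMPLE_PROFILE='<key>Entitlements</key>
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.app</string>
    <key>get-task-allow</key>
    <true/>
</dict>'

# Print the SHA-1 of the first "Apple Development" identity on stdin.
# Distribution identities are skipped: they do not pair with a development
# profile, and only a development profile grants get-task-allow.
pick_identity() {
    awk '/"Apple Development:/ { print $2; exit }'
}

# Print the application-identifier entitlement of a decoded profile on stdin
# (TEAMID.bundle.id, or a wildcard such as TEAMID.* or TEAMID.com.example.*).
profile_app_id() {
    awk '/<key>application-identifier<\/key>/ {
             getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }'
}

# Succeed only if the decoded profile on stdin carries get-task-allow = true,
# which ios-deploy --debug (lldb) and Frida need in order to attach.
profile_allows_debug() {
    awk '/<key>get-task-allow<\/key>/ { getline; if ($0 ~ /<true\/>/) ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Succeed if application-identifier $1 covers bundle ID $2, honouring wildcards.
app_id_covers() {
    pattern=${1#*.}                       # strip the TEAMID. prefix
    case "$pattern" in
        '*')   return 0 ;;
        *'*')  prefix=${pattern%\*}
               case "$2" in "$prefix"*) return 0 ;; esac
               return 1 ;;
        *)     [ "$pattern" = "$2" ] ;;
    esac
}

# Patch IPA $1 for bundle ID $2 with profile $3, unzip it and deploy with lldb.
deploy_patched_ipa() {
    ipa=$1; bundle=$2; profile=$3
    sig=$(security find-identity -v -p codesigning | pick_identity)
    [ -n "$sig" ] || { echo "no Apple Development identity on this Mac" >&2; return 1; }
    decoded=$(security cms -D -i "$profile")
    app_id=$(printf '%s\n' "$decoded" | profile_app_id)
    app_id_covers "$app_id" "$bundle" || { echo "profile $app_id does not cover $bundle" >&2; return 1; }
    printf '%s\n' "$decoded" | profile_allows_debug || { echo "profile lacks get-task-allow" >&2; return 1; }
    objection patchipa --source "$ipa" --codesign-signature "$sig" --provision-file "$profile"
    rm -rf Payload
    unzip -q "${ipa%.ipa}-frida-codesigned.ipa"      # an IPA is a zip; no rename needed
    app=$(ls -d Payload/*.app | head -n 1)
    ios-deploy --bundle "$app" --debug -W
}

# Run the driver only when called with the three arguments.
if [ "$#" -eq 3 ]; then deploy_patched_ipa "$@"; fi
```

Run it with the IPA, the app's bundle ID and the profile path as its three arguments. ios-deploy --debug keeps lldb attached in the foreground, so attach Frida or Objection from a second terminal; the embedded gadget pauses the app at launch until a client connects, and it appears to Frida under the process name Gadget.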

Now that the app runs with FridaGadget.dylib loaded, the gadget listens for a client on the device and shows up under the process name Gadget, so tools like Frida or Objection can connect to this app without a jailbreak.

Objection in Action

Congratulations! You’ve set up a non-jailbroken iOS pentesting lab. Make sure to follow ethical guidelines and legal considerations during your testing. Happy testing!