Merge pull request #1089 from HackTricks-wiki/research_update_src_mobile-pentesting_ios-pentesting_ios-pentesting-without-jailbreak_20250710_083503

Add content: Research Update Enhanced src/mobile-pentesting/ios-pentestin...

Author: carlospolop

src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## Main idea
 
 Applications signed with the **entitlement `get_task_allow`** allow third party applications to run a function called **`task_for_pid()`** with the process ID of the initial application as argument in order to get the task port over it (be able to control it and access it's memory).
@@ -56,32 +55,78 @@ Note that you might need **AppSync Unified tweak** from Cydia to prevent any `in
 Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA.
 
 
-### Patch entitlements & re-sign
+### Patch entitlements & re-sign
 
 In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that allows to very easily resing an IPA file indicating the IPA to re-sign, to **put it `get-taks-allow`** and the certificate and provisioning profile to use.
 
 Regarding the certificate and signing profiles, Apple offers **free developer signing profiles** for all accounts through Xcode. Just create an app and configure one. Then, configure the **iPhone to trust the developer apps** by navigating to `Settings` → `Privacy & Security`, and click on `Developer Mode`.
 
-
 With the re-signed IPA, it's time to install it in the device to pentest it:
 
 ```bash
 ideviceinstaller -i resigned.ipa -w
 ```
 
-### Hook
+---
+
+### Enable Developer Mode (iOS 16+)
+
+Since iOS 16 Apple introduced **Developer Mode**: any binary that carries `get_task_allow` *or* is signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also not be able to attach Frida/LLDB unless this flag is on.
+
+1. Install or push **any** developer-signed IPA to the phone.
+2. Navigate to **Settings → Privacy & Security → Developer Mode** and toggle it on.
+3. The device will reboot; after entering the passcode you will be asked to **Turn On** Developer Mode.
+
+Developer Mode remains active until you disable it or wipe the phone, so this step only needs to be performed once per device. [Apple documentation](https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device) explains the security implications.
+
+### Modern sideloading options
+
+There are now several mature ways to sideload and keep re-signed IPAs up-to-date without a jailbreak:
+
+| Tool | Requirements | Strengths | Limitations |
+|------|--------------|-----------|-------------|
+| **AltStore 2 / SideStore** | macOS/Windows/Linux companion that re-signs the IPA every 7 days with a free dev profile | Automatic reload over Wi-Fi, works up to iOS 17 | Needs computer on the same network, 3-app limit imposed by Apple |
+| **TrollStore 1/2** | Device on iOS 14 – 15.4.1 vulnerable to the CoreTrust bug | *Permanent* signing (no 7-day limit); no computer required once installed | Not supported on iOS 15.5+ (bug patched) |
+
+For routine pentests on current iOS versions Alt/Side-Store are usually the most practical choice.
 
-You could easily hook your app using common tools like frida an objection:
+### Hooking / dynamic instrumentation
+
+You can hook your app exactly as on a jailbroken device once it is signed with `get_task_allow` **and** Developer Mode is on:
 
 ```bash
-objection -g [your app bundle ID] explore
+# Spawn & attach with objection
+objection -g "com.example.target" explore
+
+# Or plain Frida
+frida -U -f com.example.target -l my_script.js --no-pause
+```
+
+Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box.
+
+### Automated dynamic analysis with MobSF (no jailbreak)
 
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+
+```bash
+docker pull opensecurity/mobile-security-framework-mobsf:latest
+docker run -p 8000:8000 --privileged \
+           -v /var/run/usbmuxd:/var/run/usbmuxd \
+           opensecurity/mobile-security-framework-mobsf:latest
+# Browse to http://127.0.0.1:8000 and upload your resigned IPA
 ```
 
+MobSF will automatically deploy the binary, enable a Frida server inside the app sandbox and generate an interactive report.
+
+### iOS 17 & Lockdown Mode caveats
+
+* **Lockdown Mode** (Settings → Privacy & Security) blocks the dynamic linker from loading unsigned or externally signed dynamic libraries. When testing devices that might have this mode enabled make sure it is **disabled** or your Frida/objection sessions will terminate immediately.
+* Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 transparently handles PAC stripping — just keep both *frida-server* and the Python/CLI toolchain up-to-date when a new major iOS version ships.
 
 ## References
 
 - [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
-
+- Apple developer documentation – Enabling Developer Mode on a device: <https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device>
+- Mobile Security Framework (MobSF): <https://mobsf.github.io/Mobile-Security-Framework-MobSF/>
 
 {{#include ../../banners/hacktricks-training.md}}