diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 7a87f8fb003..004d7bf0e0e 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md @@ -2,7 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - ## Main idea Applications signed with the **entitlement `get_task_allow`** allow third party applications to run a function called **`task_for_pid()`** with the process ID of the initial application as argument in order to get the task port over it (be able to control it and access it's memory). 
@@ -56,32 +55,78 @@ Note that you might need **AppSync Unified tweak** from Cydia to prevent any `in Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA. -### Patch entitlements & re-sign +### Patch entitlements & re-sign In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that allows to very easily resing an IPA file indicating the IPA to re-sign, to **put it `get-taks-allow`** and the certificate and provisioning profile to use. Regarding the certificate and signing profiles, Apple offers **free developer signing profiles** for all accounts through Xcode. Just create an app and configure one. Then, configure the **iPhone to trust the developer apps** by navigating to `Settings` → `Privacy & Security`, and click on `Developer Mode`. - With the re-signed IPA, it's time to install it in the device to pentest it: ```bash ideviceinstaller -i resigned.ipa -w ``` -### Hook +--- + +### Enable Developer Mode (iOS 16+) + +Since iOS 16 Apple introduced **Developer Mode**: any binary that carries `get_task_allow` *or* is signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also not be able to attach Frida/LLDB unless this flag is on. + +1. Install or push **any** developer-signed IPA to the phone. +2. Navigate to **Settings → Privacy & Security → Developer Mode** and toggle it on. +3. The device will reboot; after entering the passcode you will be asked to **Turn On** Developer Mode. + +Developer Mode remains active until you disable it or wipe the phone, so this step only needs to be performed once per device. [Apple documentation](https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device) explains the security implications. 
+ +### Modern sideloading options + +There are now several mature ways to sideload and keep re-signed IPAs up-to-date without a jailbreak: + +| Tool | Requirements | Strengths | Limitations | +|------|--------------|-----------|-------------| +| **AltStore 2 / SideStore** | macOS/Windows/Linux companion that re-signs the IPA every 7 days with a free dev profile | Automatic reload over Wi-Fi, works up to iOS 17 | Needs computer on the same network, 3-app limit imposed by Apple | +| **TrollStore 1/2** | Device on iOS 14 – 15.4.1 vulnerable to the CoreTrust bug | *Permanent* signing (no 7-day limit); no computer required once installed | Not supported on iOS 15.5+ (bug patched) | + +For routine pentests on current iOS versions Alt/Side-Store are usually the most practical choice. -You could easily hook your app using common tools like frida an objection: +### Hooking / dynamic instrumentation + +You can hook your app exactly as on a jailbroken device once it is signed with `get_task_allow` **and** Developer Mode is on: ```bash -objection -g [your app bundle ID] explore +# Spawn & attach with objection +objection -g "com.example.target" explore + +# Or plain Frida +frida -U -f com.example.target -l my_script.js --no-pause +``` + +Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box. + +### Automated dynamic analysis with MobSF (no jailbreak) +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. 
The quickest way is to run MobSF in Docker and then plug your iPhone via USB: + +```bash +docker pull opensecurity/mobile-security-framework-mobsf:latest +docker run -p 8000:8000 --privileged \ + -v /var/run/usbmuxd:/var/run/usbmuxd \ + opensecurity/mobile-security-framework-mobsf:latest +# Browse to http://127.0.0.1:8000 and upload your resigned IPA ``` +MobSF will automatically deploy the binary, enable a Frida server inside the app sandbox and generate an interactive report. + +### iOS 17 & Lockdown Mode caveats + +* **Lockdown Mode** (Settings → Privacy & Security) blocks the dynamic linker from loading unsigned or externally signed dynamic libraries. When testing devices that might have this mode enabled make sure it is **disabled** or your Frida/objection sessions will terminate immediately. +* Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 transparently handles PAC stripping — just keep both *frida-server* and the Python/CLI toolchain up-to-date when a new major iOS version ships. ## References - [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) - +- Apple developer documentation – Enabling Developer Mode on a device: +- Mobile Security Framework (MobSF): {{#include ../../banners/hacktricks-training.md}}
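Review bot: the MobSF paragraph in this hunk still carries a leftover citation marker, `【turn6view0†L2-L3】`, right after "Frida console", and the two new reference entries are left without URLs (`- Apple developer documentation – Enabling Developer Mode on a device:` and `- Mobile Security Framework (MobSF):`); drop the marker and fill in the links, which already appear earlier in the hunk (the developer.apple.com Developer Mode page and the mobsf.github.io URL). Two consistency points: the added text spells the entitlement `get_task_allow` in the Developer Mode and hooking sections while the existing section around it (and the actual entitlement key) uses `get-task-allow`, so the hyphenated form should be used throughout; and the re-issued heading line `+### Patch entitlements & re-sign ` only adds trailing whitespace and should be reverted. The statements that Frida >=16 transparently handles PAC and that Lockdown Mode will terminate Frida/objection sessions cite nothing, unlike the Developer Mode paragraph, and readers will act on them, so add a source or soften them. Lastly, the sideloading table lists TrollStore 1 and 2 under a single "iOS 14 – 15.4.1" range, but the two releases rely on different CoreTrust bugs and cover different iOS ranges, so the row should give the range per version.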