diff --git a/Document/0x06b-iOS-Security-Testing.md b/Document/0x06b-iOS-Security-Testing.md index c97ebdc861..7fe9e7032a 100644 --- a/Document/0x06b-iOS-Security-Testing.md +++ b/Document/0x06b-iOS-Security-Testing.md @@ -37,10 +37,9 @@ It is also possible to get the UDID via various command line tools on macOS whil | "USB Serial Number" = "9e8ada44246cee813e2f8c1407520bf2f84849ec" ``` -- By using [ideviceinstaller](https://github.com/libimobiledevice/ideviceinstaller) (also available on Linux): +- By using @MASTG-TOOL-0126: ```sh - $ brew install ideviceinstaller $ idevice_id -l 316f01bd160932d2bf2f95f1f142bc29b1c62dbc ``` diff --git a/Document/Images/Techniques/0056-Sideloadly.png b/Document/Images/Techniques/0056-Sideloadly.png new file mode 100644 index 0000000000..373c7363ff Binary files /dev/null and b/Document/Images/Techniques/0056-Sideloadly.png differ diff --git a/techniques/ios/MASTG-TECH-0052.md b/techniques/ios/MASTG-TECH-0052.md index 204ecce363..42ae34f4af 100644 --- a/techniques/ios/MASTG-TECH-0052.md +++ b/techniques/ios/MASTG-TECH-0052.md @@ -50,7 +50,6 @@ During a real black box test, a reliable Wi-Fi connection may not be available. Connect macOS to an iOS device by installing and starting @MASTG-TOOL-0055: ```bash -$ brew install libimobiledevice $ iproxy 2222 22 waiting for connection ``` 
@@ -60,13 +59,11 @@ The above command maps port `22` on the iOS device to port `2222` on localhost. With the following command in a new terminal window, you can connect to the device: ```bash -$ ssh -p 2222 root@localhost -root@localhost's password: -iPhone:~ root# +$ ssh -p 2222 mobile@localhost +mobile@localhost's password: +iPhone:~ mobile% ``` -> Small note on USB of an iDevice: on an iOS device you cannot make data connections anymore after 1 hour of being in a locked state, unless you unlock it again due to the USB Restricted Mode, which was introduced with iOS 11.4.1 - ## On-device Shell App While usually using an on-device shell (terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install [NewTerm 2](https://chariz.com/get/newterm "NewTerm 2") via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing). diff --git a/techniques/ios/MASTG-TECH-0055.md b/techniques/ios/MASTG-TECH-0055.md index 2fef60e060..d8d64f384d 100644 --- a/techniques/ios/MASTG-TECH-0055.md +++ b/techniques/ios/MASTG-TECH-0055.md 
@@ -3,19 +3,194 @@ title: Launching a Repackaged App in Debug Mode platform: ios --- -After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`: +If you've repackaged an application with a Frida Gadget, or if you want to attach @MASTG-TOOL-0057 to the application, you have to launch the application in debug mode. When you launch the application via SpringBoard, it will not launch in debug mode and the application will crash. + +After the application has been installed using @MASTG-TECH-TOOL-0056, you can launch it in debug mode using the following commands: + +## iOS17 and newer + +First, make sure you know the correct Bundle Identifier. Depending on how you signed the application, the actual Bundle Identifier might be different from the original Bundle Identifier. To get an overview of the installed applications, use the `ideviceinstaller` tool (see @MASTG-TOOL-0126): ```bash -idevicedebug -d run sg.vp.UnCrackable1 +$ ideviceinstaller list +CFBundleIdentifier, CFBundleShortVersionString, CFBundleDisplayName +sg.vp.UnCrackable1.QH868V5764, "1.0", "UnCrackable1" +org.owasp.mastestapp.MASTestApp, "3.0.0", "Adyen3DS2Demo" +com.apple.TestFlight, "3.5.2", "TestFlight" +``` + +In this example, @MASTG-TOOL-0118 appended the team identifier (`QH868V5764`) to the original Bundle Identifier. 
+ +Next, we need to get the correct device identifier, which we can get using `idevice_id` (see @MASTG-TOOL-0126): + +```bash +$ idevice_id +00008101-1234567890123456 (USB) +00008101-1234567890123456 (Network) +``` + +Now that we have the correct Bundle Identifier and device ID, we can launch the app using `xrun` (see @MASTG-TOOL-0071): + +```bash +xcrun devicectl device process launch --device 00008101-1234567890123456 --start-stopped sg.vp.UnCrackable1.QH868V5764 +13:00:43 Enabling developer disk image services. +13:00:43 Acquired usage assertion. +Launched application with sg.vp.UnCrackable1.QH868V5764 bundle identifier. +``` -# In a new terminal +Finally, you can attach `lldb` using the following commands: + +```bash +$ lldb +(lldb) device select 00008101-1234567890123456 +(lldb) device process list +PID PARENT USER TRIPLE NAME +====== ====== ========== ============================== ============================ +1 0 launchd +... +771 0 +774 0 +781 0 ReportCrash +783 0 UnCrackable Level 1 +(lldb) device process attach --pid 783 +Process 783 stopped +* thread #1, stop reason = signal SIGSTOP + frame #0: 0x0000000104312920 dyld`_dyld_start +dyld`_dyld_start: +-> 0x104312920 <+0>: mov x0, sp + 0x104312924 <+4>: and sp, x0, #0xfffffffffffffff0 + 0x104312928 <+8>: mov x29, #0x0 ; =0 + 0x10431292c <+12>: mov x30, #0x0 ; =0 +Target 0: (UnCrackable Level 1) stopped. +(lldb) c +Process 783 resuming +(lldb) +``` + +If you manually injected a Frida Gadget, Frida will now be waiting for you to attach to it. Until you do so, the application will appear frozen. 
+ +```bash +rida-ps -Ua +PID Name Identifier +--- ------------- ------------------------------- +389 Calendar com.apple.mobilecal +783 Gadget re.frida.Gadget +336 TestFlight com.apple.TestFlight +783 UnCrackable1 sg.vp.UnCrackable1.QH868V5764 +339 Weather com.apple.weather +``` + +The `783` process has launched a new thread called Gadget to which you can attach: + +```bash frida -U -n Gadget + ____ + / _ | Frida 16.5.9 - A world-class dynamic instrumentation toolkit + | (_| | + > _ | Commands: + /_/ |_| help -> Displays the help system + . . . . object? -> Display information about 'object' + . . . . exit/quit -> Exit + . . . . + . . . . More info at https://frida.re/docs/home/ + . . . . + . . . . Connected to iPhone (id=00008101-000628803A69001E) + +[iPhone::Gadget ]-> ObjC.available +true +``` + +After attaching, the application will continue executing as normal. + +## iOS16 and older + +On older versions of iOS, you can use either `idevicedebug` (see @MASTG-TOOL-0126) or @MASTG-TOOL-0054 to launch the app in debug mode. + +### Using idevicedebug + +```bash +# Get the package name +$ ideviceinstaller list +CFBundleIdentifier, CFBundleShortVersionString, CFBundleDisplayName +org.sec575.CoinGame, "1.0", "CoinGame" +sg.vp.UnCrackable1.QH868V5764, "1.0", "UnCrackable1" +com.apple.TestFlight, "3.7.0", "TestFlight" +com.google.Maps, "24.50.0", "Google Maps" + +# Run in debug mode +$ idevicedebug -d run sg.vp.UnCrackable1.QH868V5764 +working_directory: /private/var/mobile/Containers/Data/Application/438DE865-2714-4BD9-B1EE-881AD4E54AD1 + +Setting logging bitmask... +Setting maximum packet size... +Setting working directory... +Setting argv... +app_argv[0] = /private/var/containers/Bundle/Application/E21B5B13-DD85-4C83-9A0E-03FCEBF95CF5/UnCrackable Level 1.app/UnCrackable Level 1 +Checking if launch succeeded... +Setting thread... +Continue running process... 
+``` + +### Using ios-deploy + +To use @MASTG-TOOL-0054, you first have to unzip the IPA file: + +```bash +$ unzip Uncrackable1-frida-codesigned.ipa -d unzipped +``` + +Next, use ios-deploy with the path of the app folder inside of the unzipped IPA: + +```bash +$ ios-deploy --bundle 'unzipped/Payload/UnCrackable Level 1.app' -W -d -v +ios-deploy --bundle 'pram/Payload/UnCrackable Level 1.app' -W -d -v +[....] Waiting for iOS device to be connected +Handling device type: 1 +Already found device? 0 +Hardware Model: D211AP +Device Name: NVISO’s iPhone JBE +Model Name: iPhone 8 Plus +SDK Name: iphoneos +Architecture Name: arm64 +Product Version: 16.6.1 +Build Version: 20G81 +[....] Using 593ad60af30ad045b9cb99d2901031226c1b8c84 (D211AP, iPhone 8 Plus, iphoneos, arm64, 16.6.1, 20G81) a.k.a. '**NVISO**’s iPhone JBE'. +------ Install phase ------ +[ 0%] Found 593ad60af30ad045b9cb99d2901031226c1b8c84 (D211AP, iPhone 8 Plus, iphoneos, arm64, 16.6.1, 20G81) a.k.a. 'NVISO’s iPhone JBE' connected through USB, beginning install +[ 5%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/ to device +[ 5%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/com.apple.ZipMetadata.plist to device +[ 6%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/com.apple.ZipMetadata.plist to device ... -[iPhone::Gadget ]-> ``` -## Starting with iOS 17 and Xcode 15 +### Attaching Frida + +If your application was repackaged with a Frida Gadget, the application will wait for you to attach to it before it continues launching. -Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588). 
+In a new terminal window, connect to the Frida gadget, just like in the iOS17 scenario: -A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430). +```bash +$ frida-ps -Ua +PID Name Identifier +--- ------------- ----------------------------- +... +468 Gadget re.frida.Gadget +... +468 UnCrackable1 sg.vp.UnCrackable1.QH868V5764 + + +$ frida -U -n Gadget + ____ + / _ | Frida 16.5.9 - A world-class dynamic instrumentation toolkit + | (_| | + > _ | Commands: + /_/ |_| help -> Displays the help system + . . . . object? -> Display information about 'object' + . . . . exit/quit -> Exit + . . . . + . . . . More info at https://frida.re/docs/home/ + . . . . + . . . . Connected to iPhone (id=593ad60af30ad045b9cb99d2901031226c1b8c84) +[iPhone::Gadget ]-> ObjC.available +true +``` diff --git a/techniques/ios/MASTG-TECH-0056.md b/techniques/ios/MASTG-TECH-0056.md index 6ea4104a83..935f4eea58 100644 --- a/techniques/ios/MASTG-TECH-0056.md +++ b/techniques/ios/MASTG-TECH-0056.md 
@@ -3,51 +3,38 @@ title: Installing Apps platform: ios --- -When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can circumvent this security feature with [AppSync](https://github.com/akemin-dayo/AppSync "AppSync"), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. AppSync is a tweak that patches installd, allowing the installation of fake-signed IPA packages. +When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification, which is explained in @MASTG-TECH-0092. -Different methods exist for installing an IPA package onto an iOS device, which are described in detail below. +On a jailbroken device, you can circumvent this requirement using @MASTG-TOOL-0127, allowing you to install IPA files without obtaining a valid signature. -> Please note that iTunes is no longer available in macOS Catalina. 
If you are using an older version of macOS, iTunes is still available but since iTunes 12.7 it is not possible to install apps. +Different methods exist for installing an IPA package onto an iOS device, which are described in detail below. ## Sideloadly @MASTG-TOOL-0118 is a GUI tool that can automate all required steps for you. It requires valid Apple developer credentials, as it will obtain a valid signature from Apple servers. -!!! warning "Do not use your personal Apple account" - To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. - -## libimobiledevice - -On Linux and also macOS, you can alternatively use [libimobiledevice](https://www.libimobiledevice.org/ "libimobiledevice"), a cross-platform software protocol library and a set of tools for native communication with iOS devices. This allows you to install apps over a USB connection by executing ideviceinstaller. The connection is implemented with the USB multiplexing daemon [usbmuxd](https://www.theiphonewiki.com/wiki/Usbmux "Usbmux"), which provides a TCP tunnel over USB. +Simply connect your device via USB, enter your Apple ID and drag-and-drop the IPA file onto SideLoadly. Click start to automatically sign and install the given IPA. -The package for libimobiledevice will be available in your Linux package manager. On macOS you can install libimobiledevice via brew: + -```bash -brew install libimobiledevice -brew install ideviceinstaller -``` +## libimobiledevice -If you have any issues, try installing the libraries from source, as the precompiled version may be outdated. +On Linux and also macOS, you can alternatively use @MASTG-TOOL-0126. This allows you to install apps over a USB connection by executing ideviceinstaller. 
The connection is implemented with the USB multiplexing daemon [usbmuxd](https://www.theiphonewiki.com/wiki/Usbmux "Usbmux"), which provides a TCP tunnel over USB. -After the installation you have several new command line tools available, such as `ideviceinfo`, `ideviceinstaller` or `idevicedebug`. Let's install and debug the @MASTG-APP-0028 app with the following commands: +Let's install and debug the @MASTG-APP-0028 app with the following commands: ```bash -# The following command will show detailed information about the iOS device connected via USB. -$ ideviceinfo -# The following command will install the IPA to your iOS device. -$ ideviceinstaller -i iGoat-Swift_v1.0-frida-codesigned.ipa +$ ideviceinstaller -i Uncrackable.ipa ... Install: Complete -# The following command will start the app in debug mode, by providing the bundle name. The bundle name can be found in the previous command after "Installing". -$ idevicedebug -d run OWASP.iGoat-Swift ``` ## ipainstaller -The IPA can also be directly installed on the iOS device via the command line with [ipainstaller](https://github.com/autopear/ipainstaller "IPA Installer"). After copying the file over to the device, for example via scp, you can execute ipainstaller with the IPA's filename: +The IPA can also be directly installed on the iOS device via the command line with [ipainstaller](https://github.com/autopear/ipainstaller "IPA Installer"). Naturally, this requires a jailbroken device, as otherwise you cannot SSH into the device. After copying the file over to the device, for example via scp, you can execute ipainstaller with the IPA's filename: ```bash -ipainstaller App_name.ipa +ipainstaller Uncrackable.ipa ``` ## ios-deploy 
@@ -56,18 +43,35 @@ On macOS you can also use the @MASTG-TOOL-0054 tool to install iOS apps from the ```bash unzip Name.ipa -ios-deploy --bundle 'Payload/Name.app' -W -d -v +ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v ``` -After the app is installed on the iOS device, you can simply start it by adding the `-m` flag which will directly start debugging without installing the app again. +## xcrun + +After installing @MASTG-TOOL-0071, you can execute the following command to install a signed IPA: ```bash -ios-deploy --bundle 'Payload/Name.app' -W -d -v -m +# Get the correct device id +$ idevice_id +00008101-00FF28803FF9001E (USB) + +$ xcrun devicectl device install app --device 00008101-00FF28803FF9001E ~/signed.ipa +11:59:04 Acquired tunnel connection to device. +11:59:04 Enabling developer disk image services. +11:59:04 Acquired usage assertion. +4%... 12%... 28%... 30%... 31%... 32%... 33%... 35%... 36%... 37%... 39%... 40%... 42%... 43%... 45%... 49%... 51%... 52%... 54%... 55%... 57%... 59%... 60%... 62%... 66%... 68%... 72%... 76%... 80%... 84%... 88%... 92%... 96%... Complete! +App installed: +• bundleID: org.mas.myapp +• installationURL: file:///private/var/containers/Bundle/Application/DFC99D25-FC36-462E-91D2-18CDE717ED21/UnCrackable%20Level%201.app/ +• launchServicesIdentifier: unknown +• databaseUUID: DA52A5EB-5D39-4628-810E-8F42A5561CDF +• databaseSequenceNumber: 1516 +• options: ``` ## Xcode -It is also possible to use the Xcode IDE to install iOS apps by doing the following steps: +It is also possible to use the Xcode IDE to install iOS apps by executing the following steps: 1. Start Xcode 2. Select **Window/Devices and Simulators** 
@@ -89,7 +93,7 @@ Sometimes an application can require to be used on an iPad device. If you only h - + ``` It is important to note that changing this value will break the original signature of the IPA file so you need to re-sign the IPA, after the update, in order to install it on a device on which the signature validation has not been disabled. @@ -97,12 +101,3 @@ It is important to note that changing this value will break the original signatu This bypass might not work if the application requires capabilities that are specific to modern iPads while your iPhone or iPod is a bit older. Possible values for the property [UIDeviceFamily](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html#//apple_ref/doc/uid/TP40009252-SW11 "UIDeviceFamily property") can be found in the Apple Developer documentation. - -One fundamental step when analyzing apps is information gathering. This can be done by inspecting the app package on your host computer or remotely by accessing the app data on the device. You'll find more advance techniques in the subsequent chapters but, for now, we will focus on the basics: getting a list of all installed apps, exploring the app package and accessing the app data directories on the device itself. This should give you a bit of context about what the app is all about without even having to reverse engineer it or perform more advanced analysis. We will be answering questions such as: - -- Which files are included in the package? -- Which Frameworks does the app use? -- Which capabilities does the app require? -- Which permissions does the app request to the user and for what reason? -- Does the app allow any unsecured connections? -- Does the app create any new files when being installed? diff --git a/techniques/ios/MASTG-TECH-0063.md b/techniques/ios/MASTG-TECH-0063.md index 2c7c511c66..5e29735cb9 100644 --- a/techniques/ios/MASTG-TECH-0063.md 
+++ b/techniques/ios/MASTG-TECH-0063.md @@ -23,7 +23,7 @@ waiting for connection The next step is to make a remote port forwarding of port 8080 on the iOS device to the localhost interface on our computer to port 8080. ```bash -ssh -R 8080:localhost:8080 root@localhost -p 2222 +ssh -R 8080:localhost:8080 mobile@localhost -p 2222 ``` You should now be able to reach Burp on your iOS device. Open Safari on iOS and go to 127.0.0.1:8080 and you should see the Burp Suite Page. This would also be a good time to [install the CA certificate](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device "Installing Burp\'s CA Certificate in an iOS Device") of Burp on your iOS device. diff --git a/techniques/ios/MASTG-TECH-0079.md b/techniques/ios/MASTG-TECH-0079.md index 51cfbde2a5..2febb2fa8a 100644 --- a/techniques/ios/MASTG-TECH-0079.md +++ b/techniques/ios/MASTG-TECH-0079.md 
@@ -1,54 +1,125 @@ --- -title: Getting a Developer Provisioning Profile +title: Obtaining a Developer Provisioning Profile platform: ios --- The _provisioning profile_ is a plist file signed by Apple, which adds your code-signing certificate to its list of accepted certificates on one or more devices. In other words, this represents Apple explicitly allowing your app to run for certain reasons, such as debugging on selected devices (development profile). The provisioning profile also includes the _entitlements_ granted to your app. The _certificate_ contains the private key you'll use to sign. -Depending on whether you're registered as an iOS developer, you can obtain a certificate and provisioning profile in one of the following ways: +A valid provisioning profile can only be obtained from Apple. This means that you need a valid Apple account. -## With an iOS developer account +!!! info -If you've developed and deployed iOS apps with Xcode before, you already have your own code-signing certificate installed. Use the @MASTG-TOOL-0063 command (macOS only) to list your signing identities: + You can obtain a valid provisioning profile for both normal Apple accounts, and for Apple Developer accounts. There are two important differences between the two types: + + **Certificate expiration** + + - Apple account: Certificates expire 7 days after creation + - Developer account: Certificates expire 1 year after creation + + **Wildcard certificates** + + - Apple account: Certificates are only valid for one Bundle Identifier. This Bundle Identifier has to be unique. + - Developer account: Certificates can be wildcards, allowing you to keep the original Bundle Identifier + + An Apple Developer account costs $99 per year and is a nice-to-have due to the longer expiration, but not a requirement. + +The steps below work for both a normal Apple account and an Apple Developer account, but do require a macOS host. 
+ +## Creating a signing identity + +Install @MASTG-TOOL-0070 and create a new iOS application with any language and configuration. Set up the project to use automatic signing and deploy the application to your iOS device. During this flow, you will have to accept your Developer certificate on the device, as well as enable Developer mode. + +After these steps, you can use the @MASTG-TOOL-0063 command to list your signing identities: ```bash -$ security find-identity -v - 1) 61FA3547E0AF42A11E233F6A2B255E6B6AF262CE "iPhone Distribution: Company Name Ltd." - 2) 8004380F331DCA22CC1B47FB1A805890AE41C938 "iPhone Developer: Bernhard Müller (RV852WND79)" +$ security find-identity -v -p codesigning + 1) 50034388646913B117AF1D6E51D9E045B77EA916 "Apple Development: MAS@owasp.org (LVGBSLUQB4)" + 1 valid identities found ``` -Log into the Apple Developer portal to issue a new App ID, then issue and download the profile. An App ID is a two-part string: a Team ID supplied by Apple and a bundle ID search string that you can set to an arbitrary value, such as `com.example.myapp`. Note that you can use a single App ID to re-sign multiple apps. Make sure you create a _development_ profile and not a _distribution_ profile so that you can debug the app. +Additionally, the provisioning profile is stored on your host in the `~/Library/Developer/Xcode/DerivedData` folder: -In the examples below, I use my signing identity, which is associated with my company's development team. I created the App ID "sg.vp.repackaged" and the provisioning profile "AwesomeRepackaging" for these examples. I ended up with the file `AwesomeRepackaging.mobileprovision`-replace this with your own filename in the shell commands below. 
+```bash +$ find ~/Library/Developer/Xcode/DerivedData | grep embedded +/Users/MAS/Library/Developer/Xcode/DerivedData/apptest-aijwmhfiximgzkhcmnluxrscflyc/Build/Products/Debug-iphoneos/apptest.app/embedded.mobileprovision +``` -## With a Regular Apple ID +This file can be copied to your local directory and can be used to sign any IPA file, even those with a different identifier. -Apple will issue a free development provisioning profile even if you're not a paying developer. You can obtain the profile via Xcode and your regular Apple account: simply create an empty iOS project and extract `embedded.mobileprovision` from the app container, which is in the Xcode subdirectory of your home directory: `~/Library/Developer/Xcode/DerivedData//Build/Products/Debug-iphoneos/.app/`. The [NCC blog post "iOS instrumentation without jailbreak"](https://research.nccgroup.com/2016/10/12/ios-instrumentation-without-jailbreak/ "iOS instrumentation without jailbreak") explains this process in great detail. +```bash +cp /Users/MAS/Library/Developer/Xcode/DerivedData/apptest-aijwmhfiximgzkhcmnluxrscflyc/Build/Products/Debug-iphoneos/apptest.app/embedded.mobileprovision ./embedded.mobileprovision +``` ## Inspecting the Provisioning Profile Once you've obtained the provisioning profile, you can inspect its contents with the @MASTG-TOOL-0063 command. You'll find the entitlements granted to the app in the profile, along with the allowed certificates and devices. You'll need these for code-signing, so extract them to a separate plist file as shown below. Have a look at the file contents to make sure everything is as expected. 
```bash -$ security cms -D -i AwesomeRepackaging.mobileprovision > profile.plist -$ /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' profile.plist > entitlements.plist -$ cat entitlements.plist +$ security cms -D -i embedded.mobileprovision +``` + +```xml - - application-identifier - LRUD9L355Y.sg.vantagepoint.repackage - com.apple.developer.team-identifier - LRUD9L355Y - get-task-allow - - keychain-access-groups - - LRUD9L355Y.* - - + + AppIDName + XC org mas testapp + ApplicationIdentifierPrefix + + QH868V5764 + + CreationDate + 2024-12-26T07:22:22Z + Platform + + iOS + xrOS + visionOS + + IsXcodeManaged + + DeveloperCertificates + + ...SNIP... + + DER-Encoded-Profile + ...SNIP... + Entitlements + + application-identifier + QH868V5764.org.mas.apptest + keychain-access-groups + + QH868V5764.* + + get-task-allow + + com.apple.developer.team-identifier + QH868V5764 + + ExpirationDate + 2025-01-02T07:22:22Z + Name + iOS Team Provisioning Profile: org.mas.testapp + ProvisionedDevices + + ...SNIP... + + LocalProvision + + TeamIdentifier + + QH868V5764 + + TeamName + OWASP MAS + TimeToLive + 7 + UUID + ...SNIP... + Version + 1 + ``` - -Note the application identifier, which is a combination of the Team ID (LRUD9L355Y) and Bundle ID (sg.vantagepoint.repackage). This provisioning profile is only valid for the app that has this App ID. The `get-task-allow` key is also important: when set to `true`, other processes, such as the debugging server, are allowed to attach to the app (consequently, this would be set to `false` in a distribution profile). diff --git a/techniques/ios/MASTG-TECH-0090.md b/techniques/ios/MASTG-TECH-0090.md index cd1512308a..ad286b123b 100644 --- a/techniques/ios/MASTG-TECH-0090.md +++ b/techniques/ios/MASTG-TECH-0090.md 
@@ -5,17 +5,55 @@ platform: ios If you want to enable dynamic testing with Frida but don't have access to a jailbroken device, you can patch and repackage the target app to load the [Frida gadget](https://www.frida.re/docs/gadget/). This way, you can instrument the app and do everything you need to do for dynamic analysis (of course, you can't break out of the sandbox this way). However, this technique only works if the app binary isn't FairPlay-encrypted (i.e., obtained from the App Store). -The easiest way to inject Frida into an installed application is by using frida-server. However, if this is not possible, the Frida Gadget can be injected into a decrypted IPA file. +On a jailbroken device, you can run `frida-server` which will take care of the injection for you, even in encrypted apps. However, on a non-jailbroken device we have to manually prepare the application. There are two approaches we can take: + +- Install a debug version of the application and inject during application launch +- Repackage the application to already include the Frida Gadget As an alternative to this automated approach, see @MASTG-TECH-0091. -## @MASTG-TOOL-0118 +You can inject Frida into an application using @MASTG-TOOL-0039, @MASTG-TOOL-0118 or @MASTG-TOOL-0038 + +## Frida + +After following any of the techniques of @MASTG-TECH-0057, your application will be running with the `get-task-allow` entitlement, which means it can be debugged. This means that the `frida` CLI tool can spawn the application and inject the Frida Gadget automatically, even on non-jailbroken devices. 
+ +First, download the latest version of the Frida Gadget and move it to `/Users//.cache/frida/gadget-ios.dylib`: + +```bash +wget https://github.com/frida/frida/releases/download/16.5.9/frida-gadget-16.5.9-ios-universal.dylib.gz +gzip -d frida-gadget-16.5.9-ios-universal.dylib.gz +mv frida-gadget-16.5.9-ios-universal.dylib /Users/MAS/.cache/frida/gadget-ios.dylib +``` + +Next, simply run `frida` as you would normally: + +```bash +$ frida -U -f org.mas.myapp + ____ + / _ | Frida 16.5.9 - A world-class dynamic instrumentation toolkit + | (_| | + > _ | Commands: + /_/ |_| help -> Displays the help system + . . . . object? -> Display information about 'object' + . . . . exit/quit -> Exit + . . . . + . . . . More info at https://frida.re/docs/home/ + . . . . + . . . . Connected to iPhone (id=123456789) +Spawned `org.mas.myapp`. Resuming main thread! +[iPhone::org.mas.myapp]-> +``` + +## Sideloadly Sideloadly can be used to automatically inject libraries while repackaging and signing the app. To do so, click the `Advanced Options`, followed by `Inject dylibs/frameworks` and `+dylib/deb/bundle`: -## @MASTG-TOOL-0038 +After installation, you will not be able to launch the application from SpringBoard. However, you can launch the application in debug mode and attach Frida as explained in @MASTG-TECH-0055. + +## Objection Objection can inject the Frida Gadget into a given IPA file. Use a computer with macOS to perform all the steps indicated in the article ["Patching iOS Applications"](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications) from the objection Wiki. Once you're done you'll be able to patch an IPA by calling the objection command: diff --git a/techniques/ios/MASTG-TECH-0091.md b/techniques/ios/MASTG-TECH-0091.md index 3d3d99bcdc..2f94ead922 100644 --- a/techniques/ios/MASTG-TECH-0091.md +++ b/techniques/ios/MASTG-TECH-0091.md 
@@ -3,9 +3,9 @@ title: Injecting Libraries into an IPA Manually platform: ios --- -This technique allows you to inject arbitrary libraries into an IPA file. +This technique allows you to inject arbitrary libraries into an IPA file. After injecting the library, you'll have to install the modified IPA onto your device using @MASTG-TECH-0056. -This is useful when you want to add additional functionality or testing capabilities to an application. For example, you can inject the Frida Gadget into an IPA file to enable dynamic instrumentation of the application. +This technique is useful when you want to add additional functionality or testing capabilities to an application. For example, you can inject the Frida Gadget into an IPA file to enable dynamic instrumentation of the application. We'll use the Frida Gadget (`FridaGadget.dylib`) as an example but you can use this technique to inject any `.dylib` library you want. diff --git a/techniques/ios/MASTG-TECH-0092.md b/techniques/ios/MASTG-TECH-0092.md index 541a9c2664..225953a647 100644 --- a/techniques/ios/MASTG-TECH-0092.md +++ b/techniques/ios/MASTG-TECH-0092.md 
@@ -1,26 +1,30 @@ --- -title: Repackaging and Re-Signing +title: Signing IPA files platform: ios --- -Tampering with an app invalidates the code signature of the main executable, so it won't run on a non-jailbroken device. +To install an IPA file on a non-jailbroken device, it needs to have a valid signature. On a jailbroken device, this is not required after installing @MASTG-TOOL-0127. -Before re-signing and IPA you need to obtain a developer provisioning profile and certificate, see @MASTG-TECH-0079. +First, you need to obtain a developer provisioning profile and certificate, as explained in @MASTG-TECH-0079. -The re-signing process can be done manually using @MASTG-TOOL-0102, or by using automated tools like @MASTG-TOOL-0117 or @MASTG-TOOL-0114. +!!! Warning -## @MASTG-TOOL-0117 + If you have a normal Apple account, you will only be able to sign the IPA with a modified (unique) Bundle identifier. If you have a Developer account, you can sign with the original Bundle identifier. -Create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/). +The signing process can be done using @MASTG-TOOL-0102, @MASTG-TOOL-0117, @MASTG-TOOL-0118 or @MASTG-TOOL-0114. + +## Using fastlane + +Create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/). Put both the `Fastfile` and your IPA in the `fastlane` directory. Example: ```yaml lane :resignipa do resign( - ipa: ".mobileprovision", + ipa: "./filename.ipa", + signing_identity: "Apple Development: MAS@owasp.org (LVGBSLUQB4)", + provisioning_profile: "./embedded.mobileprovision", ) end ``` 
@@ -50,6 +54,37 @@ $ fastlane resignipa [15:22:03]: fastlane.tools finished successfully 🎉 ``` -After having this set up once, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. +After setting this set up, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. More information can be found in the official documentation: ["Codesign an existing ipa file with fastlane resign"](https://docs.fastlane.tools/actions/resign/) + +!!! warning + + By default, fastlane will always use the Bundle identifier from the given provisioning profile, both for normal Apple accounts and Developer accounts. If you have a Developer account, you can specify the desired Bundle identifier by directly using the `resign.sh` script bundled with Fastlane and specifying the `--bundle-id` property: + + ```bash + $ /opt/homebrew/Cellar/fastlane/2.226.0/libexec/gems/fastlane-2.226.0/sigh/lib/assets/resign.sh /Users/MAS/uncrackable1.ipa -p /Users/MAS/embedded.mobileprovision /Users/MAS/signed.ipa -v --bundle-id "org.mas.myapp" + + Specified provisioning profile: '/Users/MAS/embedded.mobileprovision' + Original file: '/Users/MAS/uncrackable1.ipa' + Certificate: '' + Specified bundle identifier: 'org.mas.myapp' + Output file name: '/Users/MAS/signed.ipa' + Current bundle identifier is: 'org.mas.testapp' + New bundle identifier will be: 'org.mas.myapp' + Validating the new provisioning profile: /Users/MAS/embedded.mobileprovision + Profile app identifier prefix is '6FZT6QZ6X3' + Profile team identifier is '6FZT6QZ6X3' + Updating the bundle identifier from 'org.mas.testapp' to 'org.mas.myapp' + Fixing nested app and extension references + Extracting entitlements from provisioning profile + Resigning application using certificate: '' + and entitlements from provisioning profile: /Users/MAS/embedded.mobileprovision + _floatsignTemp/Payload/UnCrackable Level 1.app: replacing existing 
signature + _floatsignTemp/Payload/UnCrackable Level 1.app: signed app bundle with Mach-O universal (armv7 arm64) [org.mas.myapp] + Repackaging as /Users/MAS/signed.ipa + ``` + +## Using Sideloadly + +Sideloadly can take care of obtaining a valid certificate for your app, but it is not possible to simply sign an existing IPA file in-place. Sideloadly will sign the given IPA file and directly install it on the connected device. When using a normal Apple account, Sideloadly will modify the original package name by appending your team identifier (e.g. `sg.vp.UnCrackable1` becomes `sg.vp.UnCrackable1.QH868V5764`) diff --git a/techniques/ios/MASTG-TECH-0096.md b/techniques/ios/MASTG-TECH-0096.md index 6039b34128..c993c425bf 100644 --- a/techniques/ios/MASTG-TECH-0096.md +++ b/techniques/ios/MASTG-TECH-0096.md @@ -60,7 +60,7 @@ If you're only interested into the modules (binaries and libraries) that the app As you might expect you can correlate the addresses of the libraries with the memory maps: e.g. the main app from @MASTG-APP-0028 is called "iGoat-Swift" and is located at `0x0000000100b7c000` and the Realm Framework at `0x0000000100f60000`. -You can also use objection to display the same information. +You can also use @MASTG-TOOL-0074 to display the same information. ```bash $ objection --gadget OWASP.iGoat-Swift explore diff --git a/techniques/ios/MASTG-TECH-0118.md b/techniques/ios/MASTG-TECH-0118.md index a0d3055494..415f8995f0 100644 --- a/techniques/ios/MASTG-TECH-0118.md +++ b/techniques/ios/MASTG-TECH-0118.md @@ -12,7 +12,7 @@ In radare2, the presence of these compiler-provided security features can be che **Check for PIC and Canaries:** Using the `i` command, you can check if the binary has Position Independent Code (PIC) enabled (`pic`) and if it has stack canaries (`canary`). ```sh -r2 MASTestApp +r2 MASTestApp [0x100007408]> i~canary,pic canary true pic true 
diff --git a/tools/ios/MASTG-TOOL-0055.md b/tools/ios/MASTG-TOOL-0055.md index f6ae769520..5dd9bf6982 100644 --- a/tools/ios/MASTG-TOOL-0055.md +++ b/tools/ios/MASTG-TOOL-0055.md @@ -1,7 +1,15 @@ --- -title: iProxy +title: iproxy platform: ios -source: https://github.com/tcurdt/iProxy +host: +- macOS +- windows +- linux +source: https://github.com/libimobiledevice/libusbmuxd --- -A tool used to connect via SSH to a jailbroken iPhone via USB - +`iproxy` allows you to forward a port from a connected iOS device to a port on the host machine. This can be useful for interacting with jailbroken devices, as some jailbreaks do not expose the SSH port on the public interface. With `iproxy`, the SSH port can be forwarded over USB to the host, allowing you to still connect to it. + +!!! warning + + While many package repositories (apt, brew, cargo, ...) have versions of libimobiledevice tools, they are often outdated. We recommend compiling the different tools from source for the best results. diff --git a/tools/ios/MASTG-TOOL-0118.md b/tools/ios/MASTG-TOOL-0118.md index 8963f71746..819ac41ecf 100644 --- a/tools/ios/MASTG-TOOL-0118.md +++ b/tools/ios/MASTG-TOOL-0118.md @@ -8,3 +8,6 @@ source: https://sideloadly.io/ --- [Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. + +!!! warning "Do not use your personal Apple account" + To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. 
diff --git a/tools/ios/MASTG-TOOL-0126.md b/tools/ios/MASTG-TOOL-0126.md new file mode 100644 index 0000000000..97e6dbe040 --- /dev/null +++ b/tools/ios/MASTG-TOOL-0126.md 
@@ -0,0 +1,42 @@ +--- +title: libimobiledevice suite +platform: ios +host: +- macOS +- windows +- linux +source: https://libimobiledevice.org/ +--- + +The libimobiledevice suite is cross-platform protocol library for interacting with iOS devices. The different libraries can be compiled into binaries for direct interaction with iOS devices from the command line. + +!!! warning + + While many package repositories (apt, brew, cargo, ...) have versions of libimobiledevice tools, they are often outdated. We recommend compiling the different tools from source for the best results. Note that even if your package manager has the latest version based on `-v`, the source code will still be more up-to-date. + +The following tools are part of the libimobiledevice suite: + +| Tool | Purpose | +|------------------|---------------------| +| idevice_id | List attached devices or print device name of given device. | +| idevicebackup | Create or restore backup from the current or specified directory (= iOS 4). | +| idevicecrashreport | Move crash reports from device to a local DIRECTORY. | +| idevicedate | Display the current date or set it on a device. | +| idevicedebug | Interact with the debugserver service of a device. | +| idevicedebugserverproxy | Proxy debugserver connection from device to a local socket at PORT. | +| idevicediagnostics | Use diagnostics interface of a device running iOS 4 or later. | +| ideviceenterrecovery | Makes a device with the supplied UDID enter recovery mode immediately. | +| ideviceimagemounter | Mounts the specified disk image on the device. | +| ideviceinfo | Show information about a connected device. | +| ideviceinstaller | Manage apps on iOS devices. | +| idevicename | Display the device name or set it to NAME if specified. | +| idevicenotificationproxy | Post or observe notifications on a device. | +| idevicepair | Manage host pairings with devices and usbmuxd. | +| ideviceprovision | Manage provisioning profiles on a device. 
| +| idevicescreenshot | Gets a screenshot from a device. | +| idevicesetlocation | Sets the location on a device. | +| idevicesyslog | Relay syslog of a connected device. | +| inetcat | Opens a read/write interface via STDIN/STDOUT to a TCP port on a usbmux device. | +| iproxy | Proxy that binds local TCP ports to be forwarded to the specified ports on a usbmux device. | +| plistutil | Convert a plist FILE between binary, XML, JSON, and OpenStep format. | diff --git a/tools/ios/MASTG-TOOL-0127.md b/tools/ios/MASTG-TOOL-0127.md new file mode 100644 index 0000000000..0f48cca1cd --- /dev/null +++ b/tools/ios/MASTG-TOOL-0127.md @@ -0,0 +1,13 @@ +--- +title: AppSync Unified +platform: ios +host: +- ios +source: https://github.com/akemin-dayo/AppSync +--- + +AppSync Unified disables various IPA signature verifications on jailbroken iOS devices, allowing you to install IPA files with missing or incorrect signatures. AppSync Unified does not require any configuration after installation. + +!!! warning + + You can normally install AppSync Unified from the `https://cydia.akemi.ai/` repository by adding it to the package manager on your iOS device. However, as this repository is not always available, we recommend building it from source and installing the created .deb file using `dpkg -i` on your device.
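Review bot: In the MASTG-TECH-0055 hunk the target path in the prose, `/Users//.cache/frida/gadget-ios.dylib`, has an empty user component, while the `mv` command below it uses `/Users/MAS/.cache/frida/gadget-ios.dylib`; use `~/.cache/frida/gadget-ios.dylib` in both places so the instruction is not tied to one username. The same hunk says to "download the latest version of the Frida Gadget" but then pins `16.5.9`; state instead that the Gadget version has to match the installed `frida` CLI (the transcript shows `Frida 16.5.9`), otherwise the reader will pick a newer Gadget and the injection will fail. The new Sideloadly paragraph ("you will not be able to launch the application from SpringBoard") gives no reason; say that this is expected because the injected Gadget blocks in its default configuration until a Frida client attaches, otherwise readers will assume the install is broken. Finally, `## @MASTG-TOOL-0038` becomes `## Objection` and `## Sideloadly` is plain text, dropping the cross-references, while the MASTG-TECH-0096 hunk in this same patch replaces plain "objection" with `@MASTG-TOOL-0074`; pick one convention for headings.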
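Review bot: The MASTG-TECH-0091 hunk now points to @MASTG-TECH-0056 for installing the modified IPA, but injecting a `.dylib` invalidates the app's signature, so on a non-jailbroken device the IPA has to be re-signed first; add a pointer to @MASTG-TECH-0092 (whose new intro in this patch states exactly that requirement) next to the install reference, e.g. "re-sign it as described in @MASTG-TECH-0092 and install it using @MASTG-TECH-0056".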
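Review bot: The first MASTG-TECH-0092 hunk removes the only sentence explaining why signing is needed at all ("Tampering with an app invalidates the code signature ... so it won't run on a non-jailbroken device"); since this technique is reached from the injection techniques, keep that motivation in the new intro alongside the AppSync Unified remark. The admonition is written as `!!! Warning`, while every other admonition in this patch uses lowercase `!!! warning`; make it consistent. In the Fastfile example, consider a short comment that `signing_identity` is the common name of the certificate as listed by `security find-identity -v -p codesigning`, since the reader has to substitute their own value there.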
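Review bot: "After setting this set up, you only need to change the path" in the second MASTG-TECH-0092 hunk is a typo; it should read "After setting this up, you only need to change the path". The `resign.sh` invocation in the new warning omits the signing identity, which is why the transcript prints `Certificate: ''` and `Resigning application using certificate: ''`; either pass the identity explicitly or state which certificate the script ends up using, otherwise the reader cannot tell whether the empty value is a bug. The hardcoded `/opt/homebrew/Cellar/fastlane/2.226.0/libexec/gems/fastlane-2.226.0/...` path will be wrong for any other fastlane version; suggest locating the script with `find "$(brew --prefix fastlane)" -name resign.sh` instead. In the Sideloadly paragraph, "package name" is Android terminology; use "bundle identifier" as the rest of the file does, and the last sentence is missing its terminating period.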
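Review bot: In the MASTG-TECH-0118 hunk the removed and added lines both read `r2 MASTestApp`, so the change is invisible in review; if this only strips trailing whitespace that is fine, but please confirm it is intentional and not a lost edit (for example a missing `$ ` prompt, which the other shell transcripts in this patch use).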
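Review bot: The MASTG-TOOL-0055 hunk repeats the "package repositories ... are often outdated" warning verbatim from the new MASTG-TOOL-0126 page; replace the copy here with a one-line reference to @MASTG-TOOL-0126 so the advice is maintained in one place. The list "apt, brew, cargo, ..." also names cargo, the Rust package manager, which does not distribute the libimobiledevice C tools; drop it or name the package source actually meant. The `source:` change from `tcurdt/iProxy` to `libimobiledevice/libusbmuxd` is correct and worth a note in the body, since `iproxy` ships with libusbmuxd rather than with libimobiledevice itself.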
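Review bot: The MASTG-TOOL-0118 hunk says signing requires "a valid iOS developer account, either free or paid", while the MASTG-TECH-0092 hunk in this patch distinguishes a "normal Apple account" from a "Developer account" and attaches different bundle identifier rules to each; use the same two terms here so the reader can map the restrictions between the pages.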
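Review bot: In the MASTG-TOOL-0126 table the `idevicebackup` entry reads "(= iOS 4)", which looks like a garbled comparison; `idevicebackup` is the legacy tool and the table does not list `idevicebackup2`, which is the one to use on any current device, so add that row and fix the version qualifier. `idevicedevmodectl` is also missing, and it is needed to enable Developer Mode before `idevicedebug`/`idevicedebugserverproxy` work on recent iOS versions. In the intro, "is cross-platform protocol library" is missing the article ("is a cross-platform protocol library"). The warning's last sentence ("even if your package manager has the latest version based on `-v`, the source code will still be more up-to-date") is vague; say what is meant, i.e. that the last tagged release is old and that fixes for newer iOS versions exist only on the git main branch.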
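Review bot: The MASTG-TOOL-0127 hunk tells the reader to install the built `.deb` with `dpkg -i` on the device but does not say this must be run as root; since AppSync Unified changes signature checks system-wide, note that the command needs a root shell (or `sudo`) on the jailbroken device, and mention that the app must be relaunched or the device respring after installation if that is required, otherwise state explicitly that it takes effect immediately as the "does not require any configuration" sentence suggests.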