Sideloading an iOS App on a Jailed Device

The objective of this post is to explain how to install an IPA binary onto a jailed (non-jailbroken) iOS device.  That sounds like a trivial process that shouldn't even require a blog post.  However, there are a few steps required before the device will accept the IPA.  In our case we will use a MacBook Pro and an iPad.

Why would someone want to sideload an iOS application?  For me the primary reason is security assessments.  Someone may also be part of a beta program.  In these cases the application will not be available in the App Store.  Most everyday users will never need to sideload an app.  Ensure you trust the source before you sideload.

The first obstacle we must overcome is that the IPA was provisioned and signed with another developer's certificate.  We will not be able to simply install the application as is: iOS checks that the code signature and the embedded provisioning profile belong to a developer account that has registered this device, and the original developer's profile does not cover our iPad.  Basically, we must create our own developer account and re-sign the application using our own certificate and a provisioning profile that includes our device.

We want a solution that is repeatable and somewhat easy to follow for next time.  Something that can be written into a standard operating procedure a team could follow.

We will install Xcode on the MacBook, with the end goal of sideloading the application as described below.

Xcode Setup

  1. Install Xcode – https://developer.apple.com/xcode/
  2. Create a developer account
    1. A free account will work but is limited (for example, its provisioning profiles expire after 7 days). In this article a free account is used
  3. Start Xcode and go to:
    1. Xcode, Preferences, Accounts, then click + to add the developer account
  4. Click on Manage Certificates
  5. Click + and select iOS Development Certificate
  6. A new development certificate and its private key will be created in your login keychain
  7. Click Done

Create a Mobile Provisioning Profile

The provisioning profile has information that identifies the developer, the App ID the profile was issued for, and the devices it may be installed on.  It is needed to re-sign the application in order to install it on the iPad.  A profile from a free or individual account is limited to the specific devices registered to that account; the paid Developer and Enterprise programs relax these limits.

At the end of the steps below a new mobile provisioning profile, named embedded.mobileprovision, will have been created inside the app bundle that Xcode builds.  This new profile will be used in a later step to re-sign the IPA binary.

  1. Start Xcode and create a new "Single View App" project
  2. Choose your team and select Objective-C as the language. Note the Bundle Identifier you give the project: the profile Xcode generates is tied to it (a free account gets an explicit App ID rather than a wildcard), and the re-signed app will have to use the same identifier
  3. Plug in the device and keep it plugged in for the entire process
  4. Make sure the Deployment Target version is no higher than the iOS version on the iPad. In this case both are 11.1
  5. From the device menu at the top left of Xcode choose the connected iPad
  6. At this point Xcode's automatic signing should have created a provisioning profile, ready for use
  7. Note that with the free developer account the provisioning profile expires after 7 days, so it will need to be regenerated before a later re-sign
  8. From the iPad open Settings, General, Device Management (Profiles & Device Management on some versions), then select your developer certificate and trust it
    1. Make sure the device is connected to the Internet or this process will not work
  9. Press the play button to build and run the project on the iPad; the build output includes the embedded.mobileprovision file
  10. The file sits inside the built .app bundle under ~/Library/Developer/Xcode/DerivedData/, in the project's Build/Products/Debug-iphoneos directory
  11. Once the embedded.mobileprovision is found, copy it to a working directory next to the IPA

Re-sign the IPA

The next steps can be manually completed but to make this process a little easier we will use a tool called applesign:  https://github.com/nowsecure/node-applesign

  1. Install NodeJS – https://nodejs.org/en/download/
  2. git clone https://github.com/nowsecure/node-applesign.git and run npm install inside the checkout (or install the published package with npm install -g applesign)
  3. The embedded.mobileprovision file saved earlier is used here, so have it in the current directory
  4. List the code-signing identities in your keychain and pick the iPhone Developer one created above: ./applesign.js -L
  5. ./path/to/applesign.js -i <identity> -m embedded.mobileprovision iGoat.ipa
    1. If the app's bundle identifier does not match the App ID in the profile, also pass -b <bundle identifier of your Xcode project> so applesign rewrites it; use -o to choose the output file name

Congratulations!  We now have a re-signed iGoat binary that can finally be installed using Xcode.
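Before dragging the IPA into Xcode it is worth checking that the profile applesign embedded actually lists this iPad, matches the app's bundle identifier, and has not already expired (remember the 7-day lifetime of a free-account profile). The script below is an added example written for this post; it is not part of node-applesign or the original write-up. It reads Payload/<App>.app/Info.plist and embedded.mobileprovision straight out of the IPA, slices the XML plist out of the CMS wrapper without verifying the signature (on a Mac, `security cms -D -i embedded.mobileprovision` does the same with verification), and compares App ID, device list and expiry. The team ID, UDID and bundle identifier in the demo are constructed; the same `extract_plist` also works on the standalone embedded.mobileprovision copied out of DerivedData.

```python
"""Pre-flight check for a re-signed IPA: does the embedded provisioning
profile list this device, match the app's bundle ID, and is it still valid?
Added example for this post; it parses the profile itself instead of
shelling out to `security cms`, so it also runs off a Mac."""
import datetime
import fnmatch
import os
import plistlib
import sys
import tempfile
import zipfile


def extract_plist(blob: bytes) -> dict:
    """A .mobileprovision is a CMS (PKCS#7) signature wrapping an XML plist.
    Slice the plist text out and parse it; the signature is NOT verified."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found inside the profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def app_id_matches(app_id: str, prefixes: list, bundle_id: str) -> bool:
    """application-identifier is PREFIX.bundle.id, or PREFIX.* for a wildcard."""
    prefix, _, pattern = app_id.partition(".")
    if prefixes and prefix not in prefixes:
        return False
    return fnmatch.fnmatchcase(bundle_id, pattern)


def check_ipa(ipa_path: str, udid=None, now=None) -> dict:
    """Read Payload/<App>.app/{Info.plist,embedded.mobileprovision} from the IPA
    and compare them. Times are naive UTC, which is how plistlib returns them."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    with zipfile.ZipFile(ipa_path) as z:
        info_name = next((n for n in z.namelist()
                          if n.startswith("Payload/") and n.count("/") == 2
                          and n.endswith("/Info.plist")), None)
        if info_name is None:
            raise ValueError("no Payload/<App>.app/Info.plist in " + ipa_path)
        app_dir = info_name.rsplit("/", 1)[0]
        info = plistlib.loads(z.read(info_name))
        profile = extract_plist(z.read(app_dir + "/embedded.mobileprovision"))

    expires = profile["ExpirationDate"]
    if expires.tzinfo is not None:
        expires = expires.astimezone(datetime.timezone.utc).replace(tzinfo=None)
    app_id = profile["Entitlements"]["application-identifier"]
    bundle_id = info["CFBundleIdentifier"]
    days_left = (expires - now).days
    return {
        "app": app_dir.split("/")[-1],
        "team": profile.get("TeamName"),
        "profile": profile.get("Name"),
        "bundle_id": bundle_id,
        "app_id": app_id,
        "bundle_id_ok": app_id_matches(app_id, profile.get("ApplicationIdentifierPrefix", []), bundle_id),
        "device_ok": udid is None or udid in profile.get("ProvisionedDevices", []),
        "days_left": days_left,
        "expired": days_left < 0,
    }


# --- constructed demo data: not a real team, device, or app ---
DEMO_TEAM_ID = "ABCDE12345"
DEMO_UDID = "00008027-000000000000002E"
DEMO_BUNDLE_ID = "com.example.sideload"
DEMO_CHECK_TIME = datetime.datetime(2030, 1, 1)  # fixed clock so the demo is deterministic


def build_demo_ipa() -> str:
    """Write a minimal fake IPA (only the two files check_ipa reads) to a temp dir.
    The profile mimics a free-account one: explicit App ID, one registered
    device, 7-day lifetime, with stand-in bytes where the CMS data would be."""
    profile = {
        "Name": "iOS Team Provisioning Profile: " + DEMO_BUNDLE_ID,
        "TeamName": "Example Personal Team",
        "TeamIdentifier": [DEMO_TEAM_ID],
        "ApplicationIdentifierPrefix": [DEMO_TEAM_ID],
        "ProvisionedDevices": [DEMO_UDID],
        "ExpirationDate": DEMO_CHECK_TIME + datetime.timedelta(days=7),
        "Entitlements": {"application-identifier": DEMO_TEAM_ID + "." + DEMO_BUNDLE_ID},
    }
    blob = b"\x30\x82 fake CMS header " + plistlib.dumps(profile) + b" fake CMS trailer"
    info = {"CFBundleIdentifier": DEMO_BUNDLE_ID, "CFBundleExecutable": "Demo"}
    path = os.path.join(tempfile.mkdtemp(), "Demo.ipa")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Demo.app/embedded.mobileprovision", blob)
    return path


if __name__ == "__main__":
    # python3 check_ipa.py <resigned>.ipa [UDID]; with no arguments, run on the demo IPA.
    if len(sys.argv) > 1:
        result = check_ipa(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        result = check_ipa(build_demo_ipa(), DEMO_UDID, DEMO_CHECK_TIME)
    for key, value in result.items():
        print(f"{key:13} {value}")
    ok = result["bundle_id_ok"] and result["device_ok"] and not result["expired"]
    sys.exit(0 if ok else 1)
```

Run it with the re-signed IPA and the iPad's UDID (shown in Xcode's Devices and Simulators window): `python3 check_ipa.py <resigned>.ipa <UDID>`. A `bundle_id_ok` of False means the profile's App ID does not match the app, which is the case when the original bundle identifier was kept and the free profile was issued for the Xcode project's identifier; re-run applesign with `-b` set to that identifier. A `device_ok` of False means the wrong profile was embedded or the iPad was never registered, and a negative `days_left` means the 7-day profile has lapsed and must be regenerated in Xcode before re-signing again.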

Install the application

  1. Open Xcode
  2. Click on Window, Devices and Simulators
  3. Make sure the iPad is plugged in and unlocked
  4. Drag and drop the re-signed IPA file onto the Installed Apps list

At this point we have installed the application and can use it as normal.

In future blog posts I will explain what it takes to perform an iOS assessment on a jailed device.