Jailed iOS App Testing w/ Objection – Getting Started

In the next couple of blog posts I will be installing Objection and theos-jailed. Both tools can be used for testing iOS apps on jailed devices.

Please note that you will need a decrypted IPA file. If you don't have one, you will need to use a tool such as Clutch to decrypt the application. We won't tackle that subject in this blog post.

Although I am documenting my own steps to install Objection, the process is well documented here: https://github.com/sensepost/objection/wiki

In an earlier blog post, Sideloading an iOS Application, we learned how to sideload an iOS application on an iPad. Much like in that post, we will need to re-sign the IPA, but this time we will also be injecting FridaGadget.dylib into the IPA. With the help of Objection this process is painless.

  • Learn more about Frida here:  https://www.frida.re/docs/ios/
  • Learn more about Objection here: https://sensepost.com/blog/2017/objection-mobile-runtime-exploration/

To get started we need to ensure some prerequisites are met.

I am using a MacBook Pro with Xcode already installed, along with security, codesign, and xcodebuild. These should be installed by default.

We also need to have a non-expired mobile provisioning file ready.  Check out the post on Sideloading an iOS Application to learn more.  I am also using the Damn Vulnerable iOS app – http://damnvulnerableiosapp.com/.

IPA Binary Prerequisites

If you don’t already have npm installed use the following command:

brew install npm

Install insert_dylib: https://github.com/Tyilo/insert_dylib

git clone https://github.com/Tyilo/insert_dylib
cd insert_dylib
xcodebuild
cp build/Release/insert_dylib /usr/local/bin/insert_dylib

Go ahead and install applesign and ios-deploy.  ios-deploy will be used in a later step but we will go ahead and install it.

npm install -g applesign
npm install -g ios-deploy

If you run into issues installing ios-deploy you might need to review the notes below. Find out more at: https://github.com/phonegap/ios-deploy

OS X 10.11 El Capitan or greater

If you are not using a node version manager like nvm or n, you may have to do one of these three things when under El Capitan:

  1. Add the --unsafe-perm=true flag when installing ios-deploy
  2. Add the --allow-root flag when installing ios-deploy
  3. Ensure the nobody user has write access to /usr/local/lib/node_modules/ios-deploy/ios-deploy

Patch the IPA Binary

Find your code signing identity:

security find-identity -p codesigning -v

Use Objection to patch the IPA file with Frida and re-sign it.

objection patchipa --source binary.ipa --codesign-signature D3333344445555...

At this point you should have a new repackaged IPA binary ready to be installed.
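
To confirm the patch took effect, the check below lists the dylib load commands of a thin 64-bit Mach-O and reports any that reference FridaGadget; the same check flags a repackaged build during app-integrity review. It is an added example, not part of the original post or of Objection. The sample binaries are constructed in the script, and the @executable_path/Frameworks/ location is an assumption about where the gadget is placed.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF            # thin 64-bit little-endian Mach-O
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0xC, 0x80000018


def linked_dylibs(macho: bytes) -> list:
    """Return the library paths named by the binary's dylib load commands."""
    if len(macho) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (fat/32-bit not handled)")
    names, offset = [], 32          # load commands follow the 32-byte header
    for _ in range(ncmds):
        if offset + 8 > len(macho):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<2I", macho, offset)
        if cmdsize < 8 or offset + cmdsize > len(macho):
            raise ValueError("malformed load command")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB) and cmdsize >= 24:
            (name_off,) = struct.unpack_from("<I", macho, offset + 8)
            raw = macho[offset + name_off:offset + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names


def injected_gadgets(macho: bytes, marker: str = "FridaGadget") -> list:
    """Load-command paths that reference the gadget named on this page."""
    return [name for name in linked_dylibs(macho) if marker in name]


def build_sample_macho(paths) -> bytes:
    """Constructed test input: a header plus one LC_LOAD_DYLIB per path."""
    cmds = b""
    for path in paths:
        name = path.encode() + b"\0"
        name += b"\0" * (-(24 + len(name)) % 8)      # pad to 8 bytes
        # dylib_command: cmd, cmdsize, name offset, timestamp, versions
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name
    # cputype 0x0100000C = arm64, filetype 2 = MH_EXECUTE
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2,
                       len(paths), len(cmds), 0, 0) + cmds


SAMPLE_ORIGINAL = build_sample_macho(["/usr/lib/libSystem.B.dylib"])
SAMPLE_PATCHED = build_sample_macho(["/usr/lib/libSystem.B.dylib",
                                     "@executable_path/Frameworks/FridaGadget.dylib"])
```

Once the repackaged IPA is unzipped, pass the bytes of the app's main executable inside Payload/binary.app to injected_gadgets().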

Install the IPA Binary

unzip binary-frida-codesigned.ipa

Attach the Apple device and keep it unlocked.  Run the following command:

ios-deploy --bundle Payload/binary.app -W -d

In the terminal it will show success and the lldb debugger.  On the Apple device the application will appear to be frozen.

Open a new terminal and launch objection to begin testing the app.

Testing with Objection

In another terminal use the following command to connect:

objection explore

We will perform a few basic tests.

Insecure Data Storage

One of the exercises involves storing data insecurely in a .plist file. To begin, open the Menu and go to Insecure Data Storage. From there click on Plist, fill out the form and save. Now let's locate the file using Objection.

Let’s first get an idea of what our environment looks like with the “env” command:

env

Let’s change into the DocumentDirectory to see what is available.

cd /var/mobile/Containers/Data/Application/F4E7A577-162F-4B30-9566-703101C394D6/Documents

It looks like we have a userInfo.plist file located under the DocumentDirectory.

You can use one or all of the following commands to either download or view the userInfo.plist file.

Run an OS command with "!" followed by the command, such as cat.

!cat userInfo.plist

Use the following command:

ios plist cat userInfo.plist

Or download the file with:

file download userInfo.plist

Using the "ios plist cat userInfo.plist" command, we can see the credentials that I entered.
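
When reviewing files pulled with file download, a small scanner makes this finding repeatable. The following is an added example, not from the original post: it parses an XML or binary plist and reports key paths whose names look like secrets, without echoing the values. The sample data and key names are constructed assumptions.

```python
import plistlib
import re

# Heuristic key names that suggest a secret (assumption, tune per app).
SENSITIVE_KEY = re.compile(
    r"password|passwd|passcode|secret|token|api[_-]?key|credential", re.I)


def find_sensitive(node, path=""):
    """Return key paths whose name looks secret; values are never echoed."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if SENSITIVE_KEY.search(str(key)) and not isinstance(value, (dict, list)):
                hits.append(here)
            hits.extend(find_sensitive(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_sensitive(value, f"{path}[{index}]"))
    return hits


def scan_plist(data: bytes):
    """Parse an XML or binary plist (auto-detected) and list suspect keys."""
    return find_sensitive(plistlib.loads(data))


# Constructed sample; the key names are assumptions, not DVIA's real ones.
SAMPLE = {"username": "alice", "password": "example-only",
          "settings": {"theme": "dark", "apiToken": "example-only"},
          "history": [{"session_secret": "example-only"}]}
SAMPLE_XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for label, blob in (("xml", SAMPLE_XML), ("binary", SAMPLE_BINARY)):
        print(label, scan_plist(blob))
```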

Side Channel Data Leakage

In the iOS app's menu there is a Pasteboard test under Side Channel Data Leakage. Using Objection, enable the monitoring job with the command:

ios pasteboard monitor

From the iOS app enter some information under the Pasteboard option.  Objection will monitor and display information.

Disable Certificate Pinning

Another useful command while working with Objection is "ios sslpinning disable".

As you can see it attempts to disable certificate pinning.

Import Frida Scripts

You can also import Frida scripts to help test an iOS application by using the command:

import <fridaScript>

That's all for now. That gives us a good idea of the capabilities of Objection and how it can be used during an iOS application test using a jailed device. Objection is easy to set up and provides a lot of options.

In the next blog post I will install theos-jailed.