In the next couple blog posts I will be installing Objection and theos-jailed. Both tools can be used for testing iOS apps on jailed devices. My goal is to test both tools and document my steps.
Please note that you will need a decrypted IPA file. If you don’t have an IPA file you would need to use a tool, such as clutch to decrypt the application. We wont tackle that subject in this blog post.
Although I am documenting my steps to install objection it is well documented here: https://github.com/sensepost/objection/wiki
In an earlier blog post Sideloading an iOS Application we learned how to sideload an iOS application on an iPad. Much like that blog post we will need to re-sign the IPA but this time we will be injecting FridaGagdet.dylib into the IPA. With the help of Objection we this process is painless.
- Learn more about Frida here: https://www.frida.re/docs/ios/
- Learn more about Objection here: https://sensepost.com/blog/2017/objection-mobile-runtime-exploration/
To get started we need to ensure some prerequisites are met.
I am using a MacBook Pro with Xcode already installed with
xcodebuild. These should be installed by default.
We also need to have a non-expired mobile provisioning file ready. Check out Sideloading an iOS Application to learn how to do that. I am also using the Damn Vulnerable iOS app – http://damnvulnerableiosapp.com/.
IPA Binary Prerequisites
If you don’t already have npm installed use the following command:
homebrew install npm
Install insert_dylib: https://github.com/Tyilo/insert_dylib
git clone https://github.com/Tyilo/insert_dylib cd insert_dylib xcodebuild cp build/Release/insert_dylib /usr/local/bin/insert_dylib
Go ahead and install applesign and ios-deploy. ios-deploy will be used in a later step but we will go ahead and install it.
npm install -g applesign
npm install ios-deploy
If you run into issues installing ios-deploy you might need to review the below. Find out more at: https://github.com/phonegap/ios-deploy
OS X 10.11 El Capitan or greater
- Add the
--unsafe-perm=trueflag when installing ios-deploy
- Add the
--allow-rootflag when installing ios-deploy
- Ensure the
nobodyuser has write access to
Patch the IPA Binary
Find your code signing identity:
security find-identity -p codesigning -v
Use Objection to patch the IPA file with Frida and re-sign it.
objection patchipa --source binary.ipa --codesign-signature D3333344445555...
At this point you should have a new repackaged IPA binary ready to be installed.
Install the IPA Binary
Attach the Apple device and keep it unlocked. Run the following command:
ios-deploy --bundle Payload/binary.app -W -d
In the terminal it will show success and the lldb debugger. On the Apple device the application will appear to be frozen.
Open a new terminal and launch objection to begin testing the app.
Testing with Objection
In another terminal use the following command to connect:
We will perform a few basic tests to test out Objection.
Insecure Data Storage
One of the exercises include storing data insecurely in a .plist file. To begin you will need to access the Menu and go to Insecure Data Storage. From there click on Plist and fill out the form and save. Now let’s locate the file using Objection.
Let’s first get an idea of what our environment looks like with the “env” command:
Let’s change into the DocumentDirectory to see what is available.
Looks like we have a userInfo.plist file located under the DocumentDirectory
You can use one or all of the following commands to either download or view the userInfo.plist file.
Run an OS command with “!” following by the command, such as cat.
Use the following command:
ios plist cat userInfo.plist
Or download the file with:
file download userInfo.plist
I had good luck with the “ios plist cat userInfo.plist” command and we can see the credentials that that I entered.
Side Channel Data Leakage
In the iOS menu app there is a test for Pasteboard in the Side Channel Data Leakage. Using Objection enable the job with the command:
ios pasteboard monitor
From the iOS app enter some information under the Pasteboard option. Objection will monitor and display information.
Disable Certificate Pinning
A few other useful commands while working with Objection is, “ios sslpinning disable”.
As you can see it attempts to disable certificate pinning.
Import Frida Scripts
You can also import frida scripts to help test iOS application by using the command:
That’s all for now. That gives us a good idea of the capabilities of Objection and how it can be used during an iOS application test using a jailed device. Objection is easy to setup and provides a lot options. It can also be extended using Frida scripts, which is nice.
In the next blog post I will install theos-jailed and perform some basic tests.