Jailed iOS App Testing w/ Theos-Jailed – Getting Started

This post continues my notes on installing Objection and theos-jailed.

Again, I am documenting my steps to install theos-jailed, but it is also well documented here: https://github.com/sensepost/objection/wiki

To get started we need to meet some prerequisites. If you followed along with the Jailed iOS App Testing w/ Objection – Getting Started post, you should be good.

I am using a MacBook Pro with Xcode already installed, along with security, codesign and xcodebuild.  These should be installed by default.  We also need to have a non-expired mobile provisioning file ready.  Check out Sideloading an iOS Application to learn how to do that.

The Prerequisites

If you don’t already have npm installed, use the following command:

brew install npm

Install ldid:

brew install ldid

Install ios-deploy:

npm install ios-deploy

If you run into issues installing ios-deploy, you might need to review the notes below.  Find out more at: https://github.com/phonegap/ios-deploy

OS X 10.11 El Capitan or greater

If you are not using a node version manager like nvm or n, you may have to do one of these three things when under El Capitan:

  1. Add the --unsafe-perm=true flag when installing ios-deploy
  2. Add the --allow-root flag when installing ios-deploy
  3. Ensure the nobody user has write access to /usr/local/lib/node_modules/ios-deploy/ios-deploy

Create a .bash_profile if you don’t already have one.

cd ~/
touch .bash_profile
vim .bash_profile

Add the following to the .bash_profile.  I created a folder named “mobile” under Documents where theos will be cloned.

export THEOS=~/Documents/mobile/theos
export PATH=$THEOS/bin:$PATH

Clone the theos and theos-jailed repositories:

git clone --recursive https://github.com/theos/theos.git $THEOS 
git clone --recursive https://github.com/kabiroberai/theos-jailed.git

Install the theos-jailed template:

cd theos-jailed
./install

You should now have a new jailed template in Theos.


Create a New Jailed Tweak

After installing the new jailed template you can now launch theos and build a jailed tweak:

$THEOS/bin/nic.pl -t iphone/jailed

Follow the prompts to create a new tweak folder.  Notice the new folder iosjailed is now located in the current directory.


Change into the “iosjailed” directory and issue the following command:

make info

The make info command will provide instructions on opening Xcode, creating a provisioning profile, and installing the mobile application.  There will be specific instructions on what you should use for the Product Name and Organization Identifier.

When going through the steps make sure the Deployment Target matches the iOS version on the Apple Device.


Select the device from the top left and click Play.  You may need to unlock the device.


At this point you can delete the temporary app and close Xcode as the instructions indicate.

Install the IPA Binary

Before installing to the device there are a few modifications we will make.  Make sure you are in the “ios-jailed” folder.  You should see a Makefile and a Tweak.xm file.

Open the “Makefile” file with your favorite editor and add the following.  Ensure you replace “TWEAK_NAME” with the name you chose.


Screen Shot 2018-01-10 at 2.19.05 PM

Attach the Apple device and keep it unlocked.  The instructions from the previous steps will have a specific command to use to install the IPA binary.  It will look something like:

make package install PROFILE=ID-1A1AA0A.com.roy.ios-jailed


Testing with theos-jailed

Insecure Data Storage

One of the exercises includes storing data insecurely in a .plist file.  To begin you will need to access the Menu and go to Insecure Data Storage.  From there click on Plist, fill out the form and save.  Now let’s locate the file using FLEX.

On the device itself there is an overlay that allows the tester to access a File Browser. Notice in the screenshot below the FLEX menu button.  From here you can review the information saved in userInfo.plist.


As you can see in the screenshot below the userInfo.plist file contains the credentials entered.
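
The same finding can be checked off-device once a plist has been copied out of the app's container. The script below is an added example, not part of the original post: it parses an XML or binary plist and reports key paths whose names look sensitive and whose values are readable text. The key-name pattern and the sample plist are constructed assumptions.

```python
import plistlib
import re

# Key names that usually indicate a stored secret (assumed list, extend as needed).
SENSITIVE_KEY = re.compile(
    r"passw(or)?d|passcode|secret|token|api[_-]?key|credential", re.I
)


def walk(node, path=""):
    """Yield (key_path, value) for every leaf in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_plaintext_secrets(plist_bytes):
    """Return key paths with a sensitive-looking name and a readable text value."""
    root = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    findings = []
    for key_path, value in walk(root):
        leaf_name = key_path.rsplit("/", 1)[-1]
        if isinstance(value, bytes):
            try:
                value = value.decode("utf-8")
            except UnicodeDecodeError:
                continue  # opaque blob (possibly encrypted), not readable text
        if isinstance(value, str) and value and SENSITIVE_KEY.search(leaf_name):
            findings.append(key_path)
    return findings


# Constructed sample standing in for a file such as userInfo.plist.
SAMPLE = plistlib.dumps(
    {
        "username": "tester",
        "password": "example-only",
        "settings": {"theme": "dark", "apiToken": "constructed-value"},
    },
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE):
        print("plaintext secret at", hit)
```

Any path it reports is a value that belongs in the Keychain rather than in a plist inside the app container.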