This is a continuation of my post on installing Objection and theos-jailed, documenting my steps.
Again, I am documenting my own steps to install theos-jailed, but the process is also well documented in the Objection wiki: https://github.com/sensepost/objection/wiki
To get started we need to ensure we have some prerequisites met, which if you followed along with the Jailed iOS App Testing w/ Objection – Getting Started post you should be good.
I am using a MacBook Pro with Xcode and the xcodebuild command-line tool already installed; these should be present by default once Xcode is installed. We also need a non-expired mobile provisioning profile (.mobileprovision) ready. Check out Sideloading an iOS Application to learn how to do that.
If you don’t already have npm installed, Homebrew’s node formula bundles it. theos-jailed also needs ldid and ios-deploy; install ios-deploy globally so the ios-deploy command lands on your PATH:
brew install node
brew install ldid
npm install -g ios-deploy
If you run into issues installing ios-deploy, review the notes in its README (https://github.com/phonegap/ios-deploy). On OS X 10.11 El Capitan or greater you need to:
- Add the --unsafe-perm=true flag when installing ios-deploy
- Add the --allow-root flag when installing ios-deploy
- Ensure the nobody user has write access to …
With both flags the install command becomes:
sudo npm install -g ios-deploy --unsafe-perm=true --allow-root
Create a .bash_profile if you don’t already have one:
cd ~/
touch .bash_profile
vim .bash_profile
Add the following to the .bash_profile. I created a folder named “mobile” under Documents where theos will be cloned.
export THEOS=~/Documents/mobile/theos
export PATH=$THEOS/bin:$PATH
Clone the theos and theos-jailed repository:
git clone --recursive https://github.com/theos/theos.git $THEOS
git clone --recursive https://github.com/kabiroberai/theos-jailed.git
Install the theos-jailed template:
cd theos-jailed
./install
You should now have a new jailed template in Theos.
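The setup steps above, collected into one re-runnable bootstrap script. This is an added example, not code from the original post or from the theos / theos-jailed projects. It assumes the ~/Documents/mobile/theos location and the tools named above (xcodebuild, git, brew, npm, ldid, ios-deploy); the function and variable names (missing_tools, ensure_profile_line, bootstrap, THEOS_BOOTSTRAP) are this example’s own. Two things the one-liners in the post do not handle: it refuses to clone anything while a prerequisite is missing, and running it twice does not append duplicate export lines to .bash_profile.

```shell
#!/bin/sh
# Added example: bootstrap theos + theos-jailed for jailed iOS app testing.
# Not the projects' own installer; the names below are this example's assumptions.

# Print each tool from the argument list that is not on PATH, one per line.
missing_tools() {
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
  done
}

# Append a line to a profile file only if an identical line is not already
# there, so repeated runs do not keep growing PATH with duplicate entries.
ensure_profile_line() {
  file=$1
  line=$2
  [ -f "$file" ] || : > "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# The full procedure from the post: check prerequisites, set THEOS/PATH,
# clone theos and theos-jailed, install the jailed template.
bootstrap() {
  theos_root=${THEOS:-$HOME/Documents/mobile/theos}
  profile=$HOME/.bash_profile

  missing=$(missing_tools xcodebuild git brew npm ldid ios-deploy)
  if [ -n "$missing" ]; then
    printf 'Install these first (see the steps above):\n%s\n' "$missing" >&2
    return 1
  fi

  ensure_profile_line "$profile" "export THEOS=$theos_root"
  ensure_profile_line "$profile" 'export PATH=$THEOS/bin:$PATH'
  export THEOS=$theos_root
  export PATH=$THEOS/bin:$PATH

  [ -d "$theos_root/bin" ] || git clone --recursive https://github.com/theos/theos.git "$theos_root"
  [ -d theos-jailed ] || git clone --recursive https://github.com/kabiroberai/theos-jailed.git
  (cd theos-jailed && ./install)
}

# Only run the network-touching part when explicitly asked (THEOS_BOOTSTRAP=1),
# so the file can also be sourced just for its helper functions.
if [ "${THEOS_BOOTSTRAP:-0}" = 1 ]; then
  bootstrap
fi
```

Run it with THEOS_BOOTSTRAP=1 sh bootstrap.sh from the directory where you want theos-jailed checked out; open a new shell afterwards so the .bash_profile exports take effect.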
Create a New Jailed Tweak
After installing the new jailed template you can now launch theos and build a jailed tweak:
$THEOS/bin/nic.pl -t iphone/jailed
Follow the prompts to create a new tweak folder. I named mine iosjailed; notice the new iosjailed folder is now located in the current directory.
Change into the “iosjailed” directory and issue the following command:
make info
The make info command prints instructions for opening Xcode, creating a provisioning profile and installing the mobile application, including the exact Product Name and Organization Identifier you should use.
When going through the steps, make sure the Deployment Target is no higher than the iOS version on the Apple device, otherwise Xcode will not deploy the app to it.
Select the device from the top left and click Play. You may need to unlock the device.
At this point you can delete the temporary app and close Xcode as the instructions indicate.
Install the IPA Binary
Before installing to the device there are a few modifications we will make. Make sure you are in the “iosjailed” folder; you should see a Makefile and a Tweak.xm file.
Open the Makefile with your favorite editor and add the following. Ensure you replace “TWEAK_NAME” with the name you chose.
Attach the Apple device and keep it unlocked. The make info output from the previous steps gives the exact command to build the package and install the IPA binary, with the PROFILE value it printed for your provisioning profile. It will look something like:
make package install PROFILE=ID-1A1AA0A.com.roy.ios-jailed
Testing with theos-jailed
Insecure Data Storage
One of the exercises includes storing data insecurely in a .plist file. To begin, open the Menu and go to Insecure Data Storage. From there tap Plist, fill out the form and save. Now let’s locate the file using FLEX.
On the device itself there is an overlay that allows the tester to access a File Browser. Notice in the screenshot below the FLEX menu button. From here you can review the information saved in userInfo.plist.
As you can see in the screenshot below the userInfo.plist file contains the credentials entered.
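Once you have located userInfo.plist, the check worth automating is “which of these values are secrets?”. The following is an added example, not from the original post: it assumes you have copied the plist off the device as XML (for instance via the FLEX file browser, running plutil -convert xml1 on macOS if the file is a binary plist) and flags entries whose key names look like credentials. The sample plist content and the function names (make_sample_plist, plist_pairs, plist_flag_secrets) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag credential-like entries in an XML plist pulled from
# the app sandbox. Not from the original post; the sample data is constructed.

# Constructed stand-in for the userInfo.plist the exercise writes; real
# contents will differ, but a flat dict of string values is the typical shape.
make_sample_plist() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>username</key>
    <string>roy</string>
    <key>password</key>
    <string>Summer2019!</string>
    <key>loginCount</key>
    <integer>3</integer>
    <key>theme</key>
    <string>dark</string>
</dict>
</plist>
EOF
}

# Print key=value for each <key>/<string> pair in a flat XML plist dict.
# Non-string values clear the pending key so a later <string> is never
# paired with the wrong key. Binary plists must be converted first
# (plutil -convert xml1 file.plist on macOS).
plist_pairs() {
  awk '
    /<key>/ { k=$0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); key=k; next }
    /<(integer|real|date|data)>/ || /<(true|false)\/>/ { key=""; next }
    /<string>/ && key != "" {
      v=$0; sub(/.*<string>/, "", v); sub(/<\/string>.*/, "", v)
      printf "%s=%s\n", key, v
      key=""
    }
  ' "$1"
}

# Keep only entries whose key name suggests a credential or identity.
# Anything this prints is stored readable on disk, i.e. the finding.
plist_flag_secrets() {
  plist_pairs "$1" | grep -iE '^[^=]*(pass|pwd|secret|token|user|mail|pin|cred)[^=]*='
}

# Usage: sh plist_triage.sh /path/to/userInfo.plist
# With no argument, the constructed sample is triaged instead.
if [ $# -gt 0 ]; then
  plist_flag_secrets "$1"
else
  tmp=$(mktemp)
  make_sample_plist "$tmp"
  plist_flag_secrets "$tmp"
  rm -f "$tmp"
fi
```

The key-name filter is a heuristic: extend the pattern for the app under test, and still eyeball plist_pairs output, since a value can be sensitive even when its key is named innocently.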