Update IPA Installation Techniques and Tools (by @NVISOSecurity) #3100
Great content @TheDauntless! Also the warnings/tips for AppSync and libimobiledevice are spot on! I've reviewed the tools, planning to do the rest today or tomorrow.
tools/ios/MASTG-TOOL-0118.md
Outdated
@@ -8,3 +8,6 @@ source: https://sideloadly.io/ | |||
--- | |||
|
|||
[Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. | |||
|
|||
!!! warning "Do not use your personal Apple account" | |||
To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. |
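Review bot: the admonition body says the account restrictions are "explained on the Sideloadly website" but gives no link to that page, so a reader cannot act on the pointer; either link the exact page or state the limits in the text itself (this thread mentions a 7-day validity for free accounts and 365 days for paid ones). The advice to use a dedicated developer account is sound; consider adding the one-line reason, namely that the account's signing identity ends up embedded in every test build installed with it.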
What would be the restrictions when using a paid developer account?
Not sure I understand this comment.
You are writing:
To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website.
I don't understand what the restrictions would be for a paid developer account. I also couldn't find anything on the sideloadly website.
A free account of course has restrictions (7 days valid etc.)
Oh, right. I've linked to the technique now which explains it. The paid account still has restrictions (365 days), so I think the text still makes sense.
Ok. But shall we remove this sentence?
"Both types come with certain restrictions, as explained on the Sideloadly website."
If this is explained on the sideloadly website, let's link to it. But I couldn't find it.
Co-authored-by: Sven <[email protected]>
Thanks for the review so far!
@TheDauntless reviewed more techniques, but not done yet. Thanks for the nice summary!
com.google.Maps, "24.50.0", "Google Maps" | ||
|
||
# Run in debug mode | ||
$ idevicedebug -d run sg.vp.UnCrackable1.QH868V5764 |
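Review bot: `idevicedebug -d run` only works once a matching DeveloperDiskImage is mounted, and the snippet does not say so; add that prerequisite (the `ideviceimagemounter` step that the tool itself prints in the error quoted later in this thread) before the command, together with the iOS, macOS and tool versions it was verified with, so that a `Could not start com.apple.debugserver!` failure is recognisable as a missing disk image rather than a broken install. Also note that the bundle identifier to pass can differ from the original app's after re-signing (this thread uses both `sg.vp.UnCrackable1.QH868V5764` and `sg.vp.UnCrackable12`), so readers should take it from an installed-app listing like the `com.google.Maps, "24.50.0", "Google Maps"` line above rather than from the IPA's Info.plist.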
Unfortunately this always failed for my iOS 15.8.3 device (jailbroken). I couldn't find a DeveloperDiskImage for 15.8.3, only one for 15.7, but I couldn't mount it. Were you testing this on macOS? I am using macOS Sequoia 15.1.1 and Xcode 16.2.
07:42:10 lockdown.c:278 lockdownd_stop_session(): success
07:42:10 idevice.c:1193 idevice_connection_disable_bypass_ssl(): Skipping bidirectional SSL shutdown. SSL error code: 5
07:42:10 idevice.c:1208 idevice_connection_disable_bypass_ssl(): SSL mode disabled
07:42:10 service.c:98 service_client_factory_start_service(): Could not start service com.apple.debugserver!
Could not start com.apple.debugserver!
Please make sure to mount the developer disk image first:
1) Get the iOS version from `ideviceinfo -k ProductVersion`.
2) Find the matching iPhoneOS DeveloperDiskImage.dmg files.
3) Run `ideviceimagemounter` with the above path.
It works on my machine / device:
- macOS 15.2 (24C101)
- XCode 16.2 (16C5032a)
- iOS 15.8.3 (non-jb)
- idevicedebug 1.3.0-260-gc8cdf20
Installed via Sideloadly:
idevicedebug -d run sg.vp.UnCrackable12
working_directory: /private/var/mobile/Containers/Data/Application/9C89C011-33D7-421B-9934-B92488F49486
Setting logging bitmask...
Setting maximum packet size...
Setting working directory...
Setting argv...
app_argv[0] = /private/var/containers/Bundle/Application/F7FDC3A7-2055-46B8-A88B-2764BF84ACD2/UnCrackable Level 1.app/UnCrackable Level 1
Checking if launch succeeded...
Setting thread...
Continue running process...
Done!
A few small changes. But this is really a great update on how to do re-signing and run apps with Frida on iOS!
@@ -56,18 +43,35 @@ On macOS you can also use the @MASTG-TOOL-0054 tool to install iOS apps from the | |||
|
|||
```bash | |||
unzip Name.ipa | |||
ios-deploy --bundle 'Payload/Name.app' -W -d -v | |||
ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v |
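Review bot: the replacement line silently drops `-d`, which changes what the command does: `ios-deploy -d` launches the app under lldb after installing it, while the new form only installs (`-W` ignores Wi-Fi devices, `-v` is verbose). Since the iOS 17 section of this PR says a repackaged gadget app must be launched with a debugger, either keep `-d` here or state explicitly that this variant installs only and point to the debugger section for launching. Two smaller points: `unzip Name.ipa` still uses the placeholder name while the bundle path now uses the concrete `UnCrackable Level 1.app`, so the two lines no longer belong to the same example, and the line should get the `$` prompt prefix used in the `$ idevicedebug` snippet, as the suggestion below proposes.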
ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v | |
$ ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v |
techniques/ios/MASTG-TECH-0090.md
Outdated
|
||
As an alternative to this automated approach, see @MASTG-TECH-0091. | ||
|
||
## @MASTG-TOOL-0118 | ||
You can inject Frida into an application using @MASTG-TOOL-0039, @MASTG-TOOL-0118 or @MASTG-TOOL-0038 |
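Review bot: the sentence under `## @MASTG-TOOL-0118` enumerates three tools (@MASTG-TOOL-0039, @MASTG-TOOL-0118, @MASTG-TOOL-0038) while the heading names only one, and it lacks a full stop; move the enumeration into an introductory paragraph above the per-tool headings and keep only the Sideloadly-specific steps under this one (the reply below says tool 39 was subsequently dropped because this technique targets non-jailbroken devices). The cross-reference `As an alternative to this automated approach, see @MASTG-TECH-0091.` would also read better if it said in a few words what the manual alternative consists of.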
I've removed tool 39 and the link to the Frida website. This technique explains how to do it on a non-jailbroken device, so it would be weird to link to the Frida docs this way.
> Note that the commands that are part of @MASTG-TOOL-0126 refer to the latest version available from Github. If you installed them via brew or other package managers, you may have an older version with different command line flags. | ||
|
||
## iOS17 and newer | ||
|
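Review bot: the version caveat says command line flags differ between the GitHub build of @MASTG-TOOL-0126 and package-manager builds, but not which version the commands were written against; record it (a reply further up lists `idevicedebug 1.3.0-260-gc8cdf20` as the working version) so readers can compare it with their tool's `--version` output and know when a flag error is a version mismatch. Also `Github` should be `GitHub`, and the heading `## iOS17 and newer` should read `iOS 17` with a space, matching the `iOS 15.8.3` style used elsewhere in this thread. The comment below asks for one sentence of context at the start of this section on why a debugger is needed on iOS 17 for a repackaged gadget app; that context belongs here, before the first command.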
@TheDauntless I see that iOS 17 requires you to attach a debugger first to use the Gadget properly, right? Maybe we could add a sentence or two at the beginning of this paragraph to give this background. Then maybe we could have a subsection about LLDB and then another one about attaching to a process with Frida gadget?
I see that iOS 17 requires you to attach a debugger first to use the Gadget properly, right?
Not entirely. If the app is running in debug mode, Frida can automatically inject into it and the app doesn't need to have the gadget included. However, if you did include the gadget yourself (e.g. Objection / Sideloadly), then the frida gadget library is loaded at startup, and then you do need to connect with lldb followed by Frida.
In this technique we include the gadget ourselves, so LLDB will always be required, right? It would be nice to write a short context, e.g.:
On iOS 17, you need to launch an app with a debugger if you have repackaged it with a Frida gadget. The following steps show how to launch an app with a debugger | |
### Launching an app with LLDB debugger | |
I didn't test it myself but it looks like `iOS17 and newer` works for all iOS versions, no? In this case, maybe it's easier to skip the `iOS16 and older`? Or at least make it clear that `iOS17 and newer` is universal?
|
||
!!! warning | ||
|
||
You can normally install AppSync Unified from the `https://cydia.akemi.ai/` repository by adding it to the package manager on your iOS device. However, as this repository is not always available, we recommend building it from source and installing the created .deb file using `dpkg -i` on your device. |
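Review bot: `https://cydia.akemi.ai/` is formatted as inline code rather than a link, and recommending a from-source build as the fallback is heavier than needed when the project publishes a prebuilt `.deb` on its GitHub releases (the reply below points to `akemin-dayo/AppSync/releases/tag/116.0`); suggest: add the repository if it is reachable, otherwise download the release `.deb`, copy it to the device (scp or AirDrop) and run `dpkg -i`. Whichever route is documented, a package installed with `dpkg -i` runs with root privileges on the device, so the text should tell readers to obtain it only from the project's own repository or releases, never from third-party mirrors. The `!!! warning` admonition has no title; give it one and check in the rendered output that the body is indented beneath it.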
Why not use the .deb from the Releases page? e.g. https://github.com/akemin-dayo/AppSync/releases/tag/116.0
And then AirDrop or `scp` it and use `dpkg -i`
|
||
Different methods exist for installing an IPA package onto an iOS device, which are described in detail below. | ||
On a jailbroken device, you can circumvent this requirement using @MASTG-TOOL-0127, allowing you to install IPA files without obtaining a valid signature. |
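Review bot: `this requirement` at the start of the added sentence has no antecedent in the visible context (the preceding line only says that different methods exist), so name it explicitly: the need for a valid signature. The suggestion below does that and also says what @MASTG-TOOL-0127 actually does (hooks the system daemon and disables verification for every installation while it is enabled); adopt it, and add that the tool only removes the check, so the install itself still has to be done with one of the tools listed below.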
On a jailbroken device, you can circumvent this requirement using @MASTG-TOOL-0127, allowing you to install IPA files without obtaining a valid signature. | |
**Disabling Signature Verification (optional)**: On a jailbroken device, you can bypass the signature verification requirement using @MASTG-TOOL-0127, which hooks the appropriate system daemon and disables signature verification for any installations you do with the tools below while it's enabled. |
source: https://github.com/akemin-dayo/AppSync | ||
--- | ||
|
||
AppSync Unified disables various IPA signature verifications on jailbroken iOS devices, allowing you to install IPA files with missing or incorrect signatures. AppSync Unified does not require any configuration after installation. |
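Review bot: the description should state that AppSync Unified provides no command line tool and does not install anything itself: once installed it silently disables signature verification for any installation performed with the other tools in this section, which is what "does not require any configuration" means in practice. That is also the caveat worth one sentence here: the check stays disabled system-wide for as long as the package is installed, so readers should remove it from test devices that are not actively used for this purpose.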
Please clarify that it does not offer any cli tool or way to install apps. It's enabled after installation and you need additional tools to install the IPAs.
|
||
> Please note that iTunes is no longer available in macOS Catalina. If you are using an older version of macOS, iTunes is still available but since iTunes 12.7 it is not possible to install apps. | ||
Different methods exist for installing an IPA package onto an iOS device, which are described in detail below. | ||
|
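Review bot: `iTunes is no longer available in macOS Catalina` should read `since macOS Catalina` (it is absent in Catalina and every later release), and `it is not possible to install apps` should say that installing IPA files through iTunes stopped with 12.7. The note also sits as a blockquote immediately before `Different methods exist for installing an IPA package ...`, where it reads as a dangling aside; either move it into the iTunes-related method it applies to, or drop it altogether given the PR's stated aim of focusing on current tooling.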
Could you please add `## Filza` and the tool page for it?
A cleanup of all the iOS signing / installing / running in debug mode.
I tried to be pragmatic, focussing on different techniques that work (I tested all of them, it was not a fun day) and also focussing on modern solutions rather than holding on to outdated ones.
This fixes #3090