Update IPA Installation Techniques and Tools (by @NVISOSecurity)

Document/0x06b-iOS-Security-Testing.md

@@ -37,10 +37,9 @@ It is also possible to get the UDID via various command line tools on macOS whil
     |         "USB Serial Number" = "9e8ada44246cee813e2f8c1407520bf2f84849ec"
     ```
 
-- By using [ideviceinstaller](https://github.com/libimobiledevice/ideviceinstaller) (also available on Linux):
+- By using @MASTG-TOOL-0126:
 
     ```sh
-    $ brew install ideviceinstaller
     $ idevice_id -l
     316f01bd160932d2bf2f95f1f142bc29b1c62dbc
     ```

techniques/ios/MASTG-TECH-0052.md

@@ -50,7 +50,6 @@ During a real black box test, a reliable Wi-Fi connection may not be available.
 Connect macOS to an iOS device by installing and starting @MASTG-TOOL-0055:
 
 ```bash
-$ brew install libimobiledevice
 $ iproxy 2222 22
 waiting for connection
 ```
@@ -60,13 +59,11 @@ The above command maps port `22` on the iOS device to port `2222` on localhost.
 With the following command in a new terminal window, you can connect to the device:
 
 ```bash
-$ ssh -p 2222 root@localhost
-root@localhost's password:
-iPhone:~ root#
+$ ssh -p 2222 mobile@localhost
+mobile@localhost's password:
+iPhone:~ mobile%
 ```
 
-> Small note on USB of an iDevice: on an iOS device you cannot make data connections anymore after 1 hour of being in a locked state, unless you unlock it again due to the USB Restricted Mode, which was introduced with iOS 11.4.1
-
 ## On-device Shell App
 
 While usually using an on-device shell (terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install [NewTerm 2](https://chariz.com/get/newterm "NewTerm 2") via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing).

techniques/ios/MASTG-TECH-0055.md

@@ -3,19 +3,194 @@ title: Launching a Repackaged App in Debug Mode
 platform: ios
 ---
 
-After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`:
+If you've repackaged an application with a Frida Gadget, or if you want to attach @MASTG-TOOL-0057 to the application, you have to launch the application in debug mode. When you launch the application via SpringBoard, it will not launch in debug mode and the application will crash.
+
+After the application has been installed using @MASTG-TECH-TOOL-0056, you can launch it in debug mode using the following commands:
+
+## iOS17 and newer
+
+First, make sure you know the correct Bundle Identifier. Depending on how you signed the application, the actual Bundle Identifier might be different from the original Bundle Identifier. To get an overview of the installed applications, use the `ideviceinstaller` tool (see @MASTG-TOOL-0126):
 
 ```bash
-idevicedebug -d run sg.vp.UnCrackable1
+$ ideviceinstaller list
+CFBundleIdentifier, CFBundleShortVersionString, CFBundleDisplayName
+sg.vp.UnCrackable1.QH868V5764, "1.0", "UnCrackable1"
+org.owasp.mastestapp.MASTestApp, "3.0.0", "Adyen3DS2Demo"
+com.apple.TestFlight, "3.5.2", "TestFlight"
+```
+
+In this example, @MASTG-TOOL-0118 appended the team identifier (`QH868V5764`) to the original Bundle Identifier.
+
+Next, we need to get the correct device identifier, which we can get using `idevice_id` (see @MASTG-TOOL-0126):
+
+```bash
+$ idevice_id
+00008101-1234567890123456 (USB)
+00008101-1234567890123456 (Network)
+```
+
+Now that we have the correct Bundle Identifier and device ID, we can launch the app using `xrun` (see @MASTG-TOOL-0071):
+
+```bash
+xcrun devicectl device process launch --device 00008101-1234567890123456  --start-stopped sg.vp.UnCrackable1.QH868V5764
+13:00:43  Enabling developer disk image services.
+13:00:43  Acquired usage assertion.
+Launched application with sg.vp.UnCrackable1.QH868V5764 bundle identifier.
+```
 
-# In a new terminal
+Finally, you can attach `lldb` using the following commands:
+
+```bash
+$ lldb
+(lldb) device select 00008101-1234567890123456
+(lldb) device process list
+PID    PARENT USER       TRIPLE                         NAME
+====== ====== ========== ============================== ============================
+1      0                                                launchd
+...
+771    0                                                <anonymous>
+774    0                                                <anonymous>
+781    0                                                ReportCrash
+783    0                                                UnCrackable Level 1
+(lldb) device process attach --pid 783
+Process 783 stopped
+* thread #1, stop reason = signal SIGSTOP
+    frame #0: 0x0000000104312920 dyld`_dyld_start
+dyld`_dyld_start:
+->  0x104312920 <+0>:  mov    x0, sp
+    0x104312924 <+4>:  and    sp, x0, #0xfffffffffffffff0
+    0x104312928 <+8>:  mov    x29, #0x0 ; =0
+    0x10431292c <+12>: mov    x30, #0x0 ; =0
+Target 0: (UnCrackable Level 1) stopped.
+(lldb) c
+Process 783 resuming
+(lldb)
+```
+
+If you manually injected a Frida Gadget, Frida will now be waiting for you to attach to it. Until you do so, the application will appear frozen.
+
+```bash
+rida-ps -Ua
+PID  Name           Identifier
+---  -------------  -------------------------------
+389  Calendar       com.apple.mobilecal
+783  Gadget         re.frida.Gadget
+336  TestFlight     com.apple.TestFlight
+783  UnCrackable1   sg.vp.UnCrackable1.QH868V5764
+339  Weather        com.apple.weather
+```
+
+The `783` process has launched a new thread called Gadget to which you can attach:
+
+```bash
 frida -U -n Gadget
+     ____
+    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit
+   | (_| |
+    > _  |   Commands:
+   /_/ |_|       help      -> Displays the help system
+   . . . .       object?   -> Display information about 'object'
+   . . . .       exit/quit -> Exit
+   . . . .
+   . . . .   More info at https://frida.re/docs/home/
+   . . . .
+   . . . .   Connected to iPhone (id=00008101-000628803A69001E)
+
+[iPhone::Gadget ]-> ObjC.available
+true
+```
+
+After attaching, the application will continue executing as normal.
+
+## iOS16 and older
+
+On older versions of iOS, you can use either `idevicedebug` (see @MASTG-TOOL-0126) or @MASTG-TOOL-0054 to launch the app in debug mode.
+
+### Using idevicedebug
+
+```bash
+# Get the package name
+$ ideviceinstaller list
+CFBundleIdentifier, CFBundleShortVersionString, CFBundleDisplayName
+org.sec575.CoinGame, "1.0", "CoinGame"
+sg.vp.UnCrackable1.QH868V5764, "1.0", "UnCrackable1"
+com.apple.TestFlight, "3.7.0", "TestFlight"
+com.google.Maps, "24.50.0", "Google Maps"
+
+# Run in debug mode
+$ idevicedebug -d run sg.vp.UnCrackable1.QH868V5764
+working_directory: /private/var/mobile/Containers/Data/Application/438DE865-2714-4BD9-B1EE-881AD4E54AD1
+
+Setting logging bitmask...
+Setting maximum packet size...
+Setting working directory...
+Setting argv...
+app_argv[0] = /private/var/containers/Bundle/Application/E21B5B13-DD85-4C83-9A0E-03FCEBF95CF5/UnCrackable Level 1.app/UnCrackable Level 1
+Checking if launch succeeded...
+Setting thread...
+Continue running process...
+```
+
+### Using ios-deploy
+
+To use  @MASTG-TOOL-0054, you first have to unzip the IPA file:
+
+```bash
+$ unzip Uncrackable1-frida-codesigned.ipa -d unzipped
+```
+
+Next, use ios-deploy with the path of the app folder inside of the unzipped IPA:
+
+```bash
+$ ios-deploy --bundle 'unzipped/Payload/UnCrackable Level 1.app' -W -d -v
+ios-deploy --bundle 'pram/Payload/UnCrackable Level 1.app' -W -d -v
+[....] Waiting for iOS device to be connected
+Handling device type: 1
+Already found device? 0
+Hardware Model: D211AP
+Device Name: NVISO’s iPhone JBE
+Model Name: iPhone 8 Plus
+SDK Name: iphoneos
+Architecture Name: arm64
+Product Version: 16.6.1
+Build Version: 20G81
+[....] Using 593ad60af30ad045b9cb99d2901031226c1b8c84 (D211AP, iPhone 8 Plus, iphoneos, arm64, 16.6.1, 20G81) a.k.a. '**NVISO**’s iPhone JBE'.
+------ Install phase ------
+[  0%] Found 593ad60af30ad045b9cb99d2901031226c1b8c84 (D211AP, iPhone 8 Plus, iphoneos, arm64, 16.6.1, 20G81) a.k.a. 'NVISO’s iPhone JBE' connected through USB, beginning install
+[  5%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/ to device
+[  5%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/com.apple.ZipMetadata.plist to device
+[  6%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/com.apple.ZipMetadata.plist to device
 ...
-[iPhone::Gadget ]-> 
 ```
 
-## Starting with iOS 17 and Xcode 15
+### Attaching Frida
+
+If your application was repackaged with a Frida Gadget, the application will wait for you to attach to it before it continues launching.
 
-Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588).
+In a new terminal window, connect to the Frida gadget, just like in the iOS17 scenario:
 
-A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430).
+```bash
+$ frida-ps -Ua
+PID  Name           Identifier
+---  -------------  -----------------------------
+...
+468  Gadget         re.frida.Gadget
+...
+468  UnCrackable1   sg.vp.UnCrackable1.QH868V5764
+
+
+$ frida -U -n Gadget
+     ____
+    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit
+   | (_| |
+    > _  |   Commands:
+   /_/ |_|       help      -> Displays the help system
+   . . . .       object?   -> Display information about 'object'
+   . . . .       exit/quit -> Exit
+   . . . .
+   . . . .   More info at https://frida.re/docs/home/
+   . . . .
+   . . . .   Connected to iPhone (id=593ad60af30ad045b9cb99d2901031226c1b8c84)
+[iPhone::Gadget ]-> ObjC.available
+true
+```

techniques/ios/MASTG-TECH-0056.md

@@ -3,51 +3,38 @@ title: Installing Apps
 platform: ios
 ---
 
-When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can circumvent this security feature with [AppSync](https://github.com/akemin-dayo/AppSync "AppSync"), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. AppSync is a tweak that patches installd, allowing the installation of fake-signed IPA packages.
+When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification, which is explained in @MASTG-TECH-0092.
 
-Different methods exist for installing an IPA package onto an iOS device, which are described in detail below.
+On a jailbroken device, you can circumvent this requirement using @MASTG-TOOL-0127, allowing you to install IPA files without obtaining a valid signature.
 
-> Please note that iTunes is no longer available in macOS Catalina. If you are using an older version of macOS, iTunes is still available but since iTunes 12.7 it is not possible to install apps.
+Different methods exist for installing an IPA package onto an iOS device, which are described in detail below.
 
 ## Sideloadly
 
 @MASTG-TOOL-0118 is a GUI tool that can automate all required steps for you. It requires valid Apple developer credentials, as it will obtain a valid signature from Apple servers.
 
-!!! warning "Do not use your personal Apple account"
-    To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account.
-
-## libimobiledevice
-
-On Linux and also macOS, you can alternatively use [libimobiledevice](https://www.libimobiledevice.org/ "libimobiledevice"), a cross-platform software protocol library and a set of tools for native communication with iOS devices. This allows you to install apps over a USB connection by executing ideviceinstaller. The connection is implemented with the USB multiplexing daemon [usbmuxd](https://www.theiphonewiki.com/wiki/Usbmux "Usbmux"), which provides a TCP tunnel over USB.
+Simply connect your device via USB, enter your Apple ID and drag-and-drop the IPA file onto SideLoadly. Click start to automatically sign and install the given IPA.
 
-The package for libimobiledevice will be available in your Linux package manager. On macOS you can install libimobiledevice via brew:
+<img src="Images/Techniques/0056-Sideloadly.png" width="400px" />
 
-```bash
-brew install libimobiledevice
-brew install ideviceinstaller
-```
+## libimobiledevice
 
-If you have any issues, try installing the libraries from source, as the precompiled version may be outdated.
+On Linux and also macOS, you can alternatively use @MASTG-TOOL-0126. This allows you to install apps over a USB connection by executing ideviceinstaller. The connection is implemented with the USB multiplexing daemon [usbmuxd](https://www.theiphonewiki.com/wiki/Usbmux "Usbmux"), which provides a TCP tunnel over USB.
 
-After the installation you have several new command line tools available, such as `ideviceinfo`, `ideviceinstaller` or `idevicedebug`. Let's install and debug the @MASTG-APP-0028 app with the following commands:
+Let's install and debug the @MASTG-APP-0028 app with the following commands:
 
 ```bash
-# The following command will show detailed information about the iOS device connected via USB.
-$ ideviceinfo
-# The following command will install the IPA to your iOS device.
-$ ideviceinstaller -i iGoat-Swift_v1.0-frida-codesigned.ipa
+$ ideviceinstaller -i Uncrackable.ipa
 ...
 Install: Complete
-# The following command will start the app in debug mode, by providing the bundle name. The bundle name can be found in the previous command after "Installing".
-$ idevicedebug -d run OWASP.iGoat-Swift
 ```
 
 ## ipainstaller
 
-The IPA can also be directly installed on the iOS device via the command line with [ipainstaller](https://github.com/autopear/ipainstaller "IPA Installer"). After copying the file over to the device, for example via scp, you can execute ipainstaller with the IPA's filename:
+The IPA can also be directly installed on the iOS device via the command line with [ipainstaller](https://github.com/autopear/ipainstaller "IPA Installer"). Naturally, this requires a jailbroken device, as otherwise you cannot SSH into the device. After copying the file over to the device, for example via scp, you can execute ipainstaller with the IPA's filename:
 
 ```bash
-ipainstaller App_name.ipa
+ipainstaller Uncrackable.ipa
 ```
 
 ## ios-deploy
@@ -56,18 +43,35 @@ On macOS you can also use the @MASTG-TOOL-0054 tool to install iOS apps from the
 
 ```bash
 unzip Name.ipa
-ios-deploy --bundle 'Payload/Name.app' -W -d -v
+ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v
 ```
 
-After the app is installed on the iOS device, you can simply start it by adding the `-m` flag which will directly start debugging without installing the app again.
+## xcrun
+
+After installing @MASTG-TOOL-0071, you can execute the following command to install a signed IPA:
 
 ```bash
-ios-deploy --bundle 'Payload/Name.app' -W -d -v -m
+# Get the correct device id
+$ idevice_id
+00008101-00FF28803FF9001E (USB)
+
+$ xcrun devicectl device install app --device 00008101-00FF28803FF9001E ~/signed.ipa
+11:59:04  Acquired tunnel connection to device.
+11:59:04  Enabling developer disk image services.
+11:59:04  Acquired usage assertion.
+4%... 12%... 28%... 30%... 31%... 32%... 33%... 35%... 36%... 37%... 39%... 40%... 42%... 43%... 45%... 49%... 51%... 52%... 54%... 55%... 57%... 59%... 60%... 62%... 66%... 68%... 72%... 76%... 80%... 84%... 88%... 92%... 96%... Complete!
+App installed:
+• bundleID: org.mas.myapp
+• installationURL: file:///private/var/containers/Bundle/Application/DFC99D25-FC36-462E-91D2-18CDE717ED21/UnCrackable%20Level%201.app/
+• launchServicesIdentifier: unknown
+• databaseUUID: DA52A5EB-5D39-4628-810E-8F42A5561CDF
+• databaseSequenceNumber: 1516
+• options:
 ```
 
 ## Xcode
 
-It is also possible to use the Xcode IDE to install iOS apps by doing the following steps:
+It is also possible to use the Xcode IDE to install iOS apps by executing the following steps:
 
 1. Start Xcode
 2. Select **Window/Devices and Simulators**
@@ -89,20 +93,11 @@ Sometimes an application can require to be used on an iPad device. If you only h
   </array>
 
 </dict>
-</plist>  
+</plist>
 ```
 
 It is important to note that changing this value will break the original signature of the IPA file so you need to re-sign the IPA, after the update, in order to install it on a device on which the signature validation has not been disabled.
 
 This bypass might not work if the application requires capabilities that are specific to modern iPads while your iPhone or iPod is a bit older.
 
 Possible values for the property [UIDeviceFamily](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html#//apple_ref/doc/uid/TP40009252-SW11 "UIDeviceFamily property") can be found in the Apple Developer documentation.
-
-One fundamental step when analyzing apps is information gathering. This can be done by inspecting the app package on your host computer or remotely by accessing the app data on the device. You'll find more advance techniques in the subsequent chapters but, for now, we will focus on the basics: getting a list of all installed apps, exploring the app package and accessing the app data directories on the device itself. This should give you a bit of context about what the app is all about without even having to reverse engineer it or perform more advanced analysis. We will be answering questions such as:
-
-- Which files are included in the package?
-- Which Frameworks does the app use?
-- Which capabilities does the app require?
-- Which permissions does the app request to the user and for what reason?
-- Does the app allow any unsecured connections?
-- Does the app create any new files when being installed?

techniques/ios/MASTG-TECH-0063.md

@@ -23,7 +23,7 @@ waiting for connection
 The next step is to make a remote port forwarding of port 8080 on the iOS device to the localhost interface on our computer to port 8080.
 
 ```bash
-ssh -R 8080:localhost:8080 root@localhost -p 2222
+ssh -R 8080:localhost:8080 mobile@localhost -p 2222
 ```
 
 You should now be able to reach Burp on your iOS device. Open Safari on iOS and go to 127.0.0.1:8080 and you should see the Burp Suite Page. This would also be a good time to [install the CA certificate](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device "Installing Burp\'s CA Certificate in an iOS Device") of Burp on your iOS device.