As mentioned in the Mobile Pentesting 101 – How to set up your Android Environment article, this follow-up covers the iOS pentesting environment. It is much more of a methodology than a step-by-step guide, since some of the tools mentioned may become outdated and replaced.
You may recall from the previous article that Android emulators are a valuable part of your toolkit, as you can easily switch between API levels and functionalities. That was valid for Android only. The iOS "emulators" are not fully-fledged emulators: only what the application needs in order to run is simulated, which is why they are called Simulators. To test an application on the Simulator, you need Xcode on a MacBook.
Due to the limited capabilities of the iOS Simulator, I will offer you only the settings, tools, and methods I use on a physical device.
As the industry becomes more and more aware of the methods attackers use to break out of Apple's environment, newer phones and even newer iOS versions are much harder to jailbreak, and thus harder to extend beyond the device's intended capabilities. As an example, the checkm8 exploit, which offers a semi-tethered jailbreak, is applicable only to devices with chipsets up to the A11, i.e. up to the iPhone X.
Jailbreaking is the process of removing the limitations imposed by Apple on devices running the iOS operating system and extending its capabilities.
There are two common and totally different jailbreaking methods: tethered and untethered jailbreak.
A tethered jailbreak requires the user to perform the jailbreak process every time the device is restarted, while an untethered jailbreak is a one-time activity and has no such restriction. Both kinds of jailbreak offer the ability to install "unauthorized" software on proprietary Apple devices, i.e. applications that are not downloaded from Apple's store and have not been approved or vetted by Apple. These include apps from the Cydia app store.
First and foremost, each device and iOS version comes with limitations or, conversely, with exploits that allow you to elevate your privileges and obtain a valid jailbroken device. The actual jailbreak depends on the device and the iOS version you are running, but for me any of the following three methods worked seamlessly: checkra1n, palera1n, and unc0ver. Let's explain each of them in a few words.
checkra1n is a semi-tethered jailbreak, so you need to connect the device to a computer every time you want to re-jailbreak it. The advantage is that you can still use your iPhone in a non-jailbroken state after powering it off and on again. Moreover, checkra1n uses a hardware-based bootrom exploit called checkm8, which works on devices from the A7 chip up to the A11 chip, e.g. iPhone 5S up to iPhone X. If you don't have a Linux machine, bootra1n can be used to jailbreak your iPhone easily.
palera1n, as its developers describe it, is a developer-oriented jailbreak for checkm8 devices (A8–A11) on iOS 15.0–16.5. This means that a device like an iPhone X running iOS 16 can be jailbroken with this technique, but only from a MacBook or a Linux machine. palera1n has all the functionality checkra1n has, but its main drawback is that on A11 devices you must disable your passcode, and you will not be able to use the passcode or other SEP functionality until you boot back into a stock iOS state.
unc0ver is a semi-untethered jailbreak, so you don't need to connect to a computer every time you want to re-jailbreak. The advantage is that you can still use your iPhone in a non-jailbroken state after powering it off and on again. Moreover, unc0ver uses a variety of software-based tfp0 exploits, which means Apple can patch them through software updates. As a consequence, unc0ver only works for iOS versions up to 14.8, since Apple has patched the issues that allowed unc0ver to run.
Crucial for a successful penetration test is the correct use of publicly available apps from the Cydia store. While some work on their own, others require a combination of apps to successfully perform an action. To spare you the headache of discovering which apps should be used together, I created a list of my go-to applications from the Cydia store. Of course, the same apps can be found in the Zebra or Sileo stores.
As I already mentioned, the iOS environment is really tricky, and sometimes, to successfully execute an action, you might need to use two or three applications. For example, to install an application you might need Filza + AppSync Unified + IPA Installer. Or, to successfully bypass an advanced jailbreak detection mechanism, you might want to use Choicy + KernBypass.
As mentioned earlier in Mobile Pentesting 101 – How to set up your Android Environment, having a go-to machine with all the required tools pre-installed is gold, so I still recommend Mobexler as your virtual machine.
If you instead only need a handful of third-party tools on your pentest station, here is a brief introduction to the top tools I use in almost every iOS engagement. All the tools and installation methods described below are for Ubuntu, but you can find the Windows details in each tool's own documentation.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting, malware analysis, and security assessment framework; for iOS applications it is capable of static analysis only. More details can be found on its GitHub page, but an easy installation on Ubuntu takes the following three steps:
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
As mentioned many times, Frida is the must-have tool every pentester should use in their day-to-day mobile pentesting methodology. It lets you perform dynamic analysis at its best by injecting JavaScript into the running application process. As its documentation states, Frida can hook any function, spy on crypto APIs, or trace private application code. You can also edit a script, hit save, and instantly see the results without compilation steps or program restarts. You can easily install Frida using:
python3 -m pip install frida-tools
Once you have installed Frida on your hacking station, you can search for ready-made scripts on https://codeshare.frida.re/ or write your own. You can then run a script with either of the following commands (the first spawns the named app, the second attaches to the app currently in the foreground):
frida -U -f Twitter -l script.js
frida -U -F -l script.js
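As an added example of the kind of script you would pass with -l (this is not code from the original article or from the Frida project), the following Frida script hooks SecItemAdd and SecItemUpdate from the Security framework and reports which Keychain accessibility class the app requests for each item it stores. Items written with kSecAttrAccessibleAlways (raw value "dk") or its ThisDeviceOnly variant ("dku") are flagged as weak, which is a common storage finding in iOS assessments. The raw two- to four-letter values are the CFString constants behind the kSecAttrAccessible* symbols in Security.framework; the Frida-specific hooking runs only when the Frida runtime globals are present, so the file also loads under plain Node.js, where it audits a constructed sample query instead. The sample service and account names are made up.

```javascript
// keychain_audit.js (added example, not part of the original article)
// Usage on a jailbroken device:  frida -U -f <bundle id> -l keychain_audit.js

// Raw CFString values behind the kSecAttrAccessible* constants (Security.framework).
const ACCESSIBILITY = {
  ak:   { name: 'kSecAttrAccessibleWhenUnlocked',                   risk: 'ok' },
  ck:   { name: 'kSecAttrAccessibleAfterFirstUnlock',               risk: 'ok' },
  dk:   { name: 'kSecAttrAccessibleAlways',                         risk: 'weak' },
  akpu: { name: 'kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly',  risk: 'ok' },
  aku:  { name: 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly',     risk: 'ok' },
  cku:  { name: 'kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly', risk: 'ok' },
  dku:  { name: 'kSecAttrAccessibleAlwaysThisDeviceOnly',           risk: 'weak' },
};

// Raw dictionary keys worth showing in a log line (kSecClass, kSecAttrService,
// kSecAttrAccount, kSecAttrAccessible). kSecValueData is deliberately not logged.
const KEYS = { class: 'kSecClass', svce: 'kSecAttrService', acct: 'kSecAttrAccount', pdmn: 'kSecAttrAccessible' };

// Classify one SecItemAdd/SecItemUpdate dictionary, given as a plain object of
// raw keys -> string values. Returns a finding with a severity a tester can grep for.
function auditQuery(query) {
  const raw = query.pdmn;
  let severity, accessible;
  if (raw === undefined) {
    // No explicit class: iOS applies kSecAttrAccessibleWhenUnlocked by default.
    // Acceptable, but worth confirming that the default was intended.
    severity = 'info';
    accessible = 'default (kSecAttrAccessibleWhenUnlocked)';
  } else if (ACCESSIBILITY[raw]) {
    severity = ACCESSIBILITY[raw].risk;
    accessible = ACCESSIBILITY[raw].name;
  } else {
    severity = 'unknown';
    accessible = 'unrecognised value ' + JSON.stringify(raw);
  }
  const item = `${query.class || '?'} svce=${query.svce || '-'} acct=${query.acct || '-'}`;
  return { severity, accessible, item };
}

function formatFinding(f) {
  return `[${f.severity}] ${f.item} accessible=${f.accessible}`;
}

if (typeof ObjC !== 'undefined' && typeof Interceptor !== 'undefined') {
  // Running inside Frida: convert the CFDictionaryRef argument (toll-free bridged
  // to NSDictionary) into a plain object holding only the keys listed in KEYS.
  const dictToObject = (nsDict) => {
    const out = {};
    const keys = nsDict.allKeys();
    for (let i = 0; i < keys.count(); i++) {
      const keyObj = keys.objectAtIndex_(i);
      const k = keyObj.toString();
      if (k in KEYS) out[k] = nsDict.objectForKey_(keyObj).toString();
    }
    return out;
  };

  const security = Process.getModuleByName('Security');
  // SecItemAdd(attributes, result): the dictionary is the first argument.
  // SecItemUpdate(query, attributesToUpdate): the new attributes are the second.
  for (const [fn, argIndex] of [['SecItemAdd', 0], ['SecItemUpdate', 1]]) {
    Interceptor.attach(security.getExportByName(fn), {
      onEnter(args) {
        const query = dictToObject(new ObjC.Object(args[argIndex]));
        console.log(fn + ' ' + formatFinding(auditQuery(query)));
      },
    });
  }
} else if (typeof require !== 'undefined' && require.main === module) {
  // Outside Frida: audit a constructed sample query so the file runs stand-alone.
  const sample = { class: 'genp', svce: 'com.example.sampleapp', acct: 'session-token', pdmn: 'dk' };
  console.log(formatFinding(auditQuery(sample)));
}

module.exports = { auditQuery, formatFinding, ACCESSIBILITY };
```

A query that carries no kSecAttrAccessible key is reported as info rather than ok: the platform default is acceptable, but in a review you want to confirm the developer chose it consciously rather than omitted it. The two ThisDeviceOnly classes are treated like their non-device-bound counterparts for the weak/ok decision, since the bound-to-device property does not change when the item can be read.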
Objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications without needing a jailbreak. It can help you bypass fingerprint authentication, SSL pinning, and much more.
You can install it using Python's pip as easily as:
python3 -m pip install objection
RMS (Runtime Mobile Security) is another Frida-based tool; I wrote an entire article dedicated to it, so you should check it out here. To install it, just use the following:
npm install -g rms-runtime-mobile-security
Grapefruit, formerly known as Passionfruit, is a runtime application instrumentation tool for iOS. It allows you to view the objects stored in the Keychain, the application's entire private directory, decompiled source code, and much more. Just install it using:
npm install -g igf
I hope this article helped you create your mobile pentesting environment or refine your existing one. Also, take a look at Mobile Pentesting 101 – How to set up your Android Environment if you ever need to pentest an Android application.