diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 1f226fae017..fb0131ffd1a 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md 
@@ -69,6 +69,57 @@ ideviceinstaller -i resigned.ipa -w --- +### IPA patching + DYLIB injection + free Apple ID re-sign (CLI) + +If you already have a **decrypted IPA**, you can patch it to load a custom DYLIB, add entitlements (e.g., network), and re-sign it **without Xcode** using a free Apple ID. This is useful for **in-app instrumentation** on non-jailbroken devices. + +Typical flow: + +```bash +# Build the implant (macOS for build step) +make + +# Patch the IPA to inject the DYLIB +python3 tools/patcher.py patch --ipa MyApp.ipa --dylib libShell.dylib +# -> MyApp_patched.ipa + +# Patch + sign + install in one step (free Apple ID) +python3 tools/patcher.py full \ + --ipa MyApp.ipa \ + --dylib libShell.dylib \ + --apple-id user@example.com \ + --install \ + --udid +``` + +Notes: + +- Free Apple ID signing usually expires in **7 days** and is limited to **3 App IDs/week** and **10 sideloaded apps**. +- The tool can re-sign cross-platform by authenticating with Apple via **SRP** and generating a free dev certificate + provisioning profile. Apple’s **anisette** headers are handled per platform (macOS via `AOSKit.framework`, Linux via Anisette.py, Windows via an external anisette server). +- This **does not** bypass the sandbox. The injected code runs inside the app process and can only access the app’s sandbox and keychain access groups. 
+ +### USB-only access to the injected implant + +If the injected DYLIB exposes a local TCP control channel, you can keep traffic **off Wi-Fi/cellular** and forward it over USB: + +```bash +# Forward device-local TCP port to host +iproxy 8080 8080 + +# Example client commands (host side) +python3 client.py "ls" +python3 client.py "pwd" +python3 client.py "scp -r Documents host:./downloads" +``` + +If the implant includes keychain helpers, you can dump items **accessible to that app**: + +```bash +python3 client.py "keychain dump" +python3 client.py "keychain dump --filter self" +python3 client.py "keychain dump --class generic" +``` + ### Enable Developer Mode (iOS 16+) Since iOS 16 Apple introduced **Developer Mode**: any binary that carries `get_task_allow` *or* is signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also not be able to attach Frida/LLDB unless this flag is on. @@ -128,5 +179,6 @@ MobSF will automatically deploy the binary, enable a Frida server inside the app - [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) - Apple developer documentation – Enabling Developer Mode on a device: - Mobile Security Framework (MobSF): +- [https://github.com/test1ng-guy/iOS-sandbox-explorer](https://github.com/test1ng-guy/iOS-sandbox-explorer) {{#include ../../banners/hacktricks-training.md}}
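Review bot: the `full` invocation in the first code block of the new "IPA patching + DYLIB injection" section ends with a bare `--udid` and no value, so as written the command either fails or swallows the next token; give it an explicit placeholder, e.g. `--udid <DEVICE_UDID>`, or drop the flag if the tool can select the single attached device on its own (the text does not say). In the same hunk the section invokes `make`, `tools/patcher.py`, `libShell.dylib` and `client.py` without ever naming the project they belong to, so a reader cannot tell what `make` builds or where these scripts live until the reference appended at the bottom of the file; name the tool in the opening sentence. Finally, the "USB-only access" subsection claims the control channel stays off Wi-Fi/cellular because it is forwarded with `iproxy 8080 8080`, but `iproxy` (usage `iproxy LOCAL_PORT DEVICE_PORT`) only adds a USB path and does not restrict the listener; the channel is off the network only if the in-process listener binds to `127.0.0.1` rather than all interfaces, so state that binding requirement explicitly, and note that an app re-signed with added network entitlements plus an in-process TCP listener is exposure the tester must account for on a shared test device.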
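Review bot: the reference `https://github.com/test1ng-guy/iOS-sandbox-explorer` added in the last hunk is the only place the project behind `tools/patcher.py`, `libShell.dylib` and `client.py` is identified, and nothing in the body points to it; cite the repository inline where the tool is introduced (ideally with the version or commit the `--apple-id` / `--install` / `--udid` flags were checked against) so the CLI in the examples can be verified against the project. While editing this list, the two unchanged context entries directly above the new line (`Apple developer documentation – Enabling Developer Mode on a device:` and `Mobile Security Framework (MobSF):`) still end in a colon with no URL; worth completing in the same change.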