Expand Up @@ -69,6 +69,57 @@ ideviceinstaller -i resigned.ipa -w

---

### IPA patching + DYLIB injection + free Apple ID re-sign (CLI)

If you already have a **decrypted IPA**, you can patch it to load a custom DYLIB, add entitlements (e.g., network), and re-sign it **without Xcode** using a free Apple ID. This is useful for **in-app instrumentation** on non-jailbroken devices.

Typical flow:

```bash
# Build the implant (macOS for build step)
make

# Patch the IPA to inject the DYLIB
python3 tools/patcher.py patch --ipa MyApp.ipa --dylib libShell.dylib
# -> MyApp_patched.ipa

# Patch + sign + install in one step (free Apple ID)
python3 tools/patcher.py full \
--ipa MyApp.ipa \
--dylib libShell.dylib \
--apple-id user@example.com \
--install \
--udid <device-udid>
```

Notes:

- Free Apple ID signing usually expires in **7 days** and is limited to **3 App IDs/week** and **10 sideloaded apps**.
- The tool can re-sign cross-platform by authenticating with Apple via **SRP** and generating a free dev certificate + provisioning profile. Apple’s **anisette** headers are handled per platform (macOS via `AOSKit.framework`, Linux via Anisette.py, Windows via an external anisette server).
- This **does not** bypass the sandbox. The injected code runs inside the app process and can only access the app’s sandbox and keychain access groups.

### USB-only access to the injected implant

If the injected DYLIB exposes a local TCP control channel, you can keep traffic **off Wi-Fi/cellular** and forward it over USB:

```bash
# Forward device-local TCP port to host
iproxy 8080 8080

# Example client commands (host side)
python3 client.py "ls"
python3 client.py "pwd"
python3 client.py "scp -r Documents host:./downloads"
```

If the implant includes keychain helpers, you can dump items **accessible to that app**:

```bash
python3 client.py "keychain dump"
python3 client.py "keychain dump --filter self"
python3 client.py "keychain dump --class generic"
```

### Enable Developer Mode (iOS 16+)

Since iOS 16 Apple introduced **Developer Mode**: any binary that carries `get_task_allow` *or* is signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also not be able to attach Frida/LLDB unless this flag is on.
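Review bot: the "Typical flow" block invokes `make`, `tools/patcher.py` and `libShell.dylib` without ever saying which project they come from, so a reader landing on this section cannot tell what `make` builds or where `tools/patcher.py` lives; name the tool (and link its repository) in the first sentence of the "IPA patching + DYLIB injection" subsection rather than leaving the only hint in the reference list of a later hunk. Two smaller points in the same region: the Notes bullet that states the free Apple ID limits ("7 days", "3 App IDs/week", "10 sideloaded apps") carries no source, so add a citation and double-check which figure belongs to which limit; and the sandbox bullet says the injected code "can only access the app's sandbox and keychain access groups", but since the IPA has just been re-signed under a different Apple ID, the text should state explicitly whether the original keychain access groups survive the re-sign or are rewritten by the patcher, because as written the reader cannot tell whether `keychain dump` will see the original app's items or only items written after re-signing.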
Expand Down Expand Up @@ -128,5 +179,6 @@ MobSF will automatically deploy the binary, enable a Frida server inside the app
- [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
- Apple developer documentation – Enabling Developer Mode on a device: <https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device>
- Mobile Security Framework (MobSF): <https://mobsf.github.io/Mobile-Security-Framework-MobSF/>
- [https://github.com/test1ng-guy/iOS-sandbox-explorer](https://github.com/test1ng-guy/iOS-sandbox-explorer)

{{#include ../../banners/hacktricks-training.md}}
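Review bot: the two new reference entries use inconsistent styles and one of them is unlabelled. The dvuln and iOS-sandbox-explorer entries are bare URLs wrapped as markdown links, while the Apple and MobSF entries use a title followed by an angle-bracket URL; give each new entry a short description in the same "Title: <url>" form, for example `- iOS-sandbox-explorer (IPA patcher, DYLIB injector and free Apple ID re-signer): <https://github.com/test1ng-guy/iOS-sandbox-explorer>`, and cross-link that entry from the section above that uses `tools/patcher.py`, so the reference list is not the only place the tool is identified.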