
Start your first iOS Application Pentest – PART 1

Kickstart your first iOS application penetration test with essential tools, techniques, and steps to identify and secure app vulnerabilities.

Let’s learn how to prepare a jailbroken iOS device for an iOS pentest. This article is divided into three parts; in the first part we’ll cover:


Installing the required tools and Cydia tweaks

Note:– There are plenty of different tools and methodologies when it comes to iOS pentesting and I won’t be able to explain all of them; only my own methodology is shared here.


Prerequisites

1. A Jailbroken iOS device

Setting up the lab and installing basic tools:

1. You should already have the Frida and Objection tools on your host machine. If not, install them:

Releases · frida/frida (github.com)

GitHub — sensepost/objection: 📱 objection — runtime mobile exploration

2. iTunes: used to back up, restore and sync the device from the desktop; on Windows it also provides the Apple USB drivers that 3uTools and other desktop tools rely on.

3. 3uTools: a desktop tool with many useful features such as a direct SSH connection (tunnelled over USB), screen mirroring, an IPA installer, etc.

3uTools | The best all-in-one tool for iOS users

4. Cydia: a third-party package installer, similar to the App Store, developed for jailbroken iOS devices. If you jailbreak your device with checkra1n or unc0ver, the Cydia app is installed automatically.


What if Cydia wasn’t installed during the jailbreak

With checkra1n, you can install Cydia manually from the checkra1n app on the device.

With unc0ver, enable the Reinstall Cydia option in the unc0ver app settings and run the jailbreak again.

After the jailbreak completes, the Cydia app appears on the home screen.


Method for installing Tweaks on the Jailbroken iOS device

1. With the help of Cydia


Step 1:
Add the repo URL of the required tweak in the Sources section (Sources → Edit → Add).


Step 2:
After adding the source, you can search for the tweak in the Search section.


Step 3:
Select the tweak, install it, and respring the device if prompted.


2. Direct method

Installing tweaks from their .deb files through an OpenSSH session


Step 1:
Find the Tweak’s deb file from its source.


Step 2:
Copy the file link and SSH into the iOS device as the root user.


Step 3:
Download the .deb file using wget (wget itself can be installed from Cydia if it is missing).


Step 4:
Install it with “dpkg -i file.deb”. No chmod is needed: a .deb is an archive that dpkg reads, not a program that is executed. If dpkg complains about missing dependencies, install them from Cydia (or run “apt-get -f install”) and re-run dpkg.


Step 5:
That’s it. The tweak is now installed on your device; respring if the tweak asks for it.


Dependencies

The following packages should be installed on the device; the bypass tweaks below hook into Cydia Substrate and register their settings panes through PreferenceLoader:

  • Cydia Substrate
  • PreferenceLoader
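The direct method above, scripted as one added example (this is not code from the original post): it confirms the two dependencies are present, downloads the .deb, checks that what wget saved really is a Debian archive rather than an HTML error page, and hands it to dpkg. Assumptions not stated on the page: OpenSSH and wget are installed on the device and the script runs inside an “ssh root@<DEVICE_IP>” session; the Cydia package ids mobilesubstrate and preferenceloader are taken to be those of Cydia Substrate and PreferenceLoader; the URL and package id passed to main are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the "direct method"
# scripted with the checks a pentester wants before handing a file to dpkg.
# Assumptions (not stated on the page): OpenSSH and wget are installed on the
# device and you are already in "ssh root@<DEVICE_IP>"; the Cydia package ids
# mobilesubstrate and preferenceloader correspond to Cydia Substrate and
# PreferenceLoader; the tweak URL and id passed to main are placeholders.

# Does a "dpkg -s <pkg>" record, read from stdin, describe an installed package?
status_is_installed() {
    grep -q '^Status: .* installed$'
}

# A .deb is an ar(1) archive and starts with the 7-byte magic "!<arch>".
# Anything else is usually an HTML error page that wget saved under the
# .deb name, and dpkg -i would fail with "not a Debian format archive".
deb_has_ar_magic() {
    [ "$(head -c 7 "$1" 2>/dev/null)" = "!<arch>" ]
}

# Fail (return 1) if any of the package ids in "$@" is not installed.
require_packages() {
    missing=""
    for pkg in "$@"; do
        if ! dpkg -s "$pkg" 2>/dev/null | status_is_installed; then
            missing="$missing $pkg"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing dependencies:$missing (install them from Cydia first)" >&2
        return 1
    fi
    return 0
}

# Download one .deb and install it.  No chmod +x is needed: dpkg reads the
# archive, it never executes it.
install_deb_from_url() {
    url="$1"
    file="${url##*/}"          # keep the file name from the URL
    wget -O "$file" "$url" || return 1
    if ! deb_has_ar_magic "$file"; then
        echo "$file is not a Debian archive; first bytes: $(head -c 40 "$file" | tr -d '\n')" >&2
        return 1
    fi
    # dpkg -i leaves the package unconfigured when a dependency is absent;
    # apt-get -f install then fetches what is missing from the added repos.
    dpkg -i "$file" || apt-get -f -y install
}

# main <deb-url> <package-id>, run on the device over SSH
main() {
    require_packages mobilesubstrate preferenceloader || return 1
    install_deb_from_url "$1" || return 1
    dpkg -s "$2" | status_is_installed && echo "$2 installed; respring if the tweak asks for it"
}

if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Run it on the device as `sh install-tweak.sh --run https://<repo>/path/tweak.deb <package-id>`; the magic-byte check is what catches the common failure where a repo redirects or 404s and dpkg is handed a web page instead of a package.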


Installing the required Cydia Tweaks

Tweaks are third-party packages, usually Substrate hooks, that change system or application behaviour at runtime; in a pentest they are used to get around protections built into the target iOS application, such as jailbreak detection and certificate pinning. A lot of tweaks are available, but here I am listing the necessary ones.


A. Filza

Repo: https://tigisoftware.com/cydia/

Filza is a file manager for exploring the device filesystem, including directories only readable by root.

Filza also provides a WebDAV server, so the device filesystem can be browsed from another machine on the same network.


B. App Sync Unified

Repo: https://cydia.akemi.ai/

This tweak patches installd so that IPA files which are ad-hoc signed, fake-signed or unsigned can be installed.


C. IPA installer

Repo: http://apt.thebigboss.org/repofiles/cydia/

This one can be used to install IPA files directly on the jailbroken device, or to back up an installed app as an IPA.


D. OpenSSH

Repo: http://apt.saurik.com/

We know why we need OpenSSH: it gives us terminal access to the iOS device with root privileges.

Default credentials: — root: alpine (the mobile user has the same default password).

Change both passwords immediately after installing OpenSSH (run passwd as root, then passwd mobile): a jailbroken device on a shared network with the default password is trivially taken over.


E. Frida

Repo: https://build.frida.re/

To work with the Frida tools, frida-server must be installed on the iOS device. The version of frida-server on the device must match the version of the Frida tools on the host (check with frida --version on the host), otherwise the host cannot talk to the device. After installation, confirm the connection over USB with frida-ps -U from the host.
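An added example (not the Frida project’s code, nor from the original post) of the version check described above: it reads the installed frida-server version from dpkg over SSH, compares it with the host’s frida tools, and only then lists apps through frida-ps. Assumptions not stated on the page: frida is on the host PATH, the device is reachable as root@<DEVICE_IP> (placeholder), and the frida-server package from build.frida.re is registered with dpkg under the id re.frida.server.

```shell
#!/bin/sh
# Added example, not the Frida project's code nor from the original post:
# check from the host that frida-server on the device matches the frida
# tools before starting a session, since a mismatch is the usual reason
# "frida -U" cannot talk to the device.  Assumptions (not stated on the
# page): frida is on the host PATH, the device is reachable as
# root@<DEVICE_IP> (placeholder), and the frida-server package installed
# from build.frida.re is registered with dpkg as re.frida.server.

# Print the Version: field of a "dpkg -s" record read from stdin.
version_from_dpkg_status() {
    sed -n 's/^Version: *//p' | head -n 1
}

major_of() { printf '%s\n' "$1" | cut -d. -f1; }

# Return 0 if the versions are identical, 1 if only the minor/patch part
# differs (frida usually still works, but update the older side), and 2 on a
# major-version mismatch, which frida refuses outright.
compare_frida_versions() {
    host="$1"; device="$2"
    if [ "$host" = "$device" ]; then
        return 0
    elif [ "$(major_of "$host")" = "$(major_of "$device")" ]; then
        return 1
    fi
    return 2
}

# check_device <DEVICE_IP>: compare versions, then prove the connection works.
check_device() {
    host_ver=$(frida --version)
    dev_ver=$(ssh "root@$1" dpkg -s re.frida.server | version_from_dpkg_status)
    rc=0; compare_frida_versions "$host_ver" "$dev_ver" || rc=$?
    case $rc in
        0) echo "frida $host_ver on host and device" ;;
        1) echo "warning: host $host_ver, device $dev_ver; update the older side" >&2 ;;
        2) echo "error: major mismatch (host $host_ver, device $dev_ver);" \
                "install the frida-server .deb matching the host" >&2
           return 1 ;;
    esac
    # frida-ps -Uai lists installed apps over USB; it fails if frida-server
    # is not running on the device or the two sides cannot talk.
    frida-ps -Uai | head -n 5
}

if [ "${1:-}" = "--device" ]; then check_device "$2"; fi
```

Run it from the host as `sh frida-check.sh --device <DEVICE_IP>`; an empty device version (package not installed) is reported as a major mismatch, which is the right outcome since there is nothing to connect to.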


F. Plutil

Repo: https://apt.bingner.com/

This tool prints .plist files in readable form. Property lists are the iOS analogue of Android’s XML preference files, but on the device they are often stored in binary rather than XML form, which is why a converter is needed.


G. fsmon

Repo: GitHub — nowsecure/fsmon: monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux

This is a filesystem monitor that runs on Linux, Android and iOS; it shows which files the target app reads, writes and creates while it runs.


Tweaks for Bypassing Jailbreak detection

The following are the most commonly used tweaks for bypassing jailbreak detection.


A. Liberty Lite

Repo: https://ryleyangus.com/repo/


B. A-Bypass

Repo: https://repo.co.kr/


C. HideJB

Repo: http://apt.thebigboss.org/repofiles/cydia/


D. Hestia

Repo: https://havoc.app/


E. iHide

Repo: https://repo.kc57.com/

Alternatively, you can use Frida scripts to bypass jailbreak detection; ready-made ones are published on:

Frida CodeShare


Tweaks for Bypassing SSL Pinning

The following are the most commonly used tweaks for bypassing SSL certificate pinning.


A. SSL Kill Switch

Repo: https://julioverne.github.io/


B. SSLBypass

Repo: SSLBypass/packages at main · evilpenguin/SSLBypass · GitHub

Alternatively, you can use Frida scripts to bypass SSL pinning; ready-made ones are published on:

Frida CodeShare

Note:- Most of the jailbreak-detection and SSL-pinning bypass tweaks add a pane to the device Settings app after installation (this is what PreferenceLoader is for); the bypass is enabled there, usually per target app.

So that’s it, guys, we are almost ready to go. We will kickstart our first iOS application pentest in Part 2. If I have missed something in this part, we will cover it in the next part. Stay tuned, happy hacking :)
