Commit
* updated patching IPAs
* update lint error
* updated ID for fastlane
* Extracted Sideloadly to a separate tool and restructured a bit
* Fix linting
* Reviewed fastlane and moved httptoolkit to different tool nr
* Move files around
* Fix linting
* Fix tool collision
* Fix broken link
* Fix link
* Update MASTG-TECH-0079: Change title and enhance instructions for obtaining a developer provisioning profile
* Update MASTG-TECH-0090 and MASTG-TECH-0091: Revise titles and enhance instructions for injecting Frida Gadget and libraries into IPA files
* Update MASTG-TECH-0092: Revise title and enhance instructions for repackaging and re-signing IPA files using Fastlane
* fix IDs
* Add MASTG-TECH-0119: Launching a repackaged app in debug mode
* Update MASTG-TECH-0055: Replace previous title and redundant content. Fix IDs
* Update MASTG-TECH-0090, MASTG-TECH-0091, and MASTG-TECH-0092: Enhance instructions for injecting Frida Gadget and streamline the installation process

---------

Co-authored-by: Sven Schleier <[email protected]>
Co-authored-by: Jeroen Beckers <[email protected]>
Co-authored-by: Carlos Holguera <[email protected]>
1 parent ae43160, commit 47ec773. Showing 17 changed files with 144 additions and 121 deletions.
@@ -29,4 +29,5 @@ docs/assets/Images | |
OWASP_MASVS.yaml | ||
cross_references.yaml | ||
drafts/ | ||
Payload/ | ||
Payload/ | ||
.vscode/settings.json |
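Review bot: The added `Payload/` pattern is unanchored, so it ignores a directory of that name at any depth in the repository, not only the unpacked-IPA directory at the root; if only the root directory is meant, write it as `/Payload/` (the `.vscode/settings.json` entry above is already path-specific because of its inner slash). Keeping unpacked app bundles, which may contain decrypted binaries, out of commits is the right call either way.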
@@ -1,22 +1,21 @@ | ||
--- | ||
title: Repackaging Apps | ||
title: Launching a Repackaged App in Debug Mode | ||
platform: ios | ||
--- | ||
|
||
If you need to test on a non-jailbroken device you should learn how to repackage an app to enable dynamic testing on it. | ||
|
||
Use a computer with macOS to perform all the steps indicated in the article ["Patching iOS Applications"](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications) from the objection Wiki. Once you're done you'll be able to patch an IPA by calling the objection command: | ||
After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`: | ||
|
||
```bash | ||
objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx | ||
``` | ||
|
||
Finally, the app needs to be installed (sideloaded) and run with debugging communication enabled. Perform the steps from the article ["Running Patched iOS Applications"](https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications) from the objection Wiki (using ios-deploy). | ||
idevicedebug -d run sg.vp.UnCrackable1 | ||
|
||
```bash | ||
ios-deploy --bundle Payload/my-app.app -W -d | ||
# In a new terminal | ||
frida -U -n Gadget | ||
... | ||
[iPhone::Gadget ]-> | ||
``` | ||
|
||
Refer to @MASTG-TECH-0056 to learn about other installation methods. Some of them doesn't require you to have a macOS. | ||
## Starting with iOS 17 and Xcode 15 | ||
|
||
Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588). | ||
|
||
> This repackaging method is enough for most use cases. For more advanced repackaging, refer to @MASTG-TECH-0092. | ||
A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430). |
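Review bot: The added command `idevicedebug -d run sg.vp.UnCrackable1` lands outside any code fence: the ```bash fence that used to precede the objection command is deleted in this hunk, and the surviving fence only opens immediately before `# In a new terminal`, so the command will render as plain text. Move it into that fenced block as its first line, ahead of `# In a new terminal`. The sentence "This is not the case when launching the app via springboard (the application will crash)" also reads awkwardly; something like "Launching the app from the Springboard is not enough (the app will crash); use one of the tools described in @MASTG-TECH-0056 instead." says the same thing more directly.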
@@ -1,40 +1,24 @@ | ||
--- | ||
title: Patching | ||
title: Injecting Frida Gadget into an IPA Automatically | ||
platform: ios | ||
--- | ||
|
||
IPA files are actually ZIP archives, so you can use any ZIP tool to unpack the archive. | ||
If you want to enable dynamic testing with Frida but don't have access to a jailbroken device, you can patch and repackage the target app to load the [Frida gadget](https://www.frida.re/docs/gadget/). This way, you can instrument the app and do everything you need to do for dynamic analysis (of course, you can't break out of the sandbox this way). However, this technique only works if the app binary isn't FairPlay-encrypted (i.e., obtained from the App Store). | ||
|
||
```bash | ||
unzip UnCrackable-Level1.ipa | ||
``` | ||
The easiest way to inject Frida into an installed application is by using frida-server. However, if this is not possible, the Frida Gadget can be injected into a decrypted IPA file. | ||
|
||
## Patching Example: Installing Frida Gadget | ||
As an alternative to this automated approach, see @MASTG-TECH-0091. | ||
|
||
IF you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first: | ||
## @MASTG-TOOL-0118 | ||
|
||
```bash | ||
curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib | ||
``` | ||
Sideloadly can be used to automatically inject libraries while repackaging and signing the app. To do so, click the `Advanced Options`, followed by `Inject dylibs/frameworks` and `+dylib/deb/bundle`: | ||
|
||
Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary. | ||
<img src="Images/Techniques/0091-SideloadlyFrida.png" width="400px" /> | ||
|
||
```bash | ||
$ unzip UnCrackable_Level1.ipa | ||
$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/ | ||
$ optool install -c load -p "@executable_path/FridaGadget.dylib" -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 | ||
Found FAT Header | ||
Found thin header... | ||
Found thin header... | ||
Inserting a LC_LOAD_DYLIB command for architecture: arm | ||
Successfully inserted a LC_LOAD_DYLIB command for arm | ||
Inserting a LC_LOAD_DYLIB command for architecture: arm64 | ||
Successfully inserted a LC_LOAD_DYLIB command for arm64 | ||
Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1... | ||
``` | ||
|
||
## Patching Example: Making an App Debuggable | ||
## @MASTG-TOOL-0038 | ||
|
||
By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile. | ||
Objection can inject the Frida Gadget into a given IPA file. Use a computer with macOS to perform all the steps indicated in the article ["Patching iOS Applications"](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications) from the objection Wiki. Once you're done you'll be able to patch an IPA by calling the objection command: | ||
|
||
Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section. | ||
```bash | ||
objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx | ||
``` |
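Review bot: The new @MASTG-TOOL-0118 section tells the reader to use `Inject dylibs/frameworks` but never names `FridaGadget.dylib` or says where to obtain it, whereas the removed lines (`curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib`) did; add a one-line download step, or a pointer to the linked Frida gadget documentation, before the Sideloadly screenshot. Separately, the parenthetical "(i.e., obtained from the App Store)" attaches to "isn't FairPlay-encrypted" and can be read as saying App Store binaries are the unencrypted ones; rewording it as "isn't FairPlay-encrypted (binaries downloaded from the App Store are, so they must be decrypted first)" matches the "decrypted IPA file" wording a few lines below.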