updated patching IPAs

.gitignore

@@ -29,4 +29,5 @@ docs/assets/Images
 OWASP_MASVS.yaml
 cross_references.yaml
 drafts/
-Payload/
+Payload/
+.vscode/settings.json

techniques/ios/MASTG-TECH-0056.md

@@ -11,7 +11,7 @@ Different methods exist for installing an IPA package onto an iOS device, which
 
 ## Sideloadly
 
-[Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows.
+@MASTG-TOOL-0116 is a GUI tool that can automate all required steps for you. It requires valid Apple developer credentials, as it will obtain a valid signature from Apple servers.
 
 !!! warning "Do not use your personal Apple account"
     To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account.
@@ -27,6 +27,8 @@ brew install libimobiledevice
 brew install ideviceinstaller
 ```
 
+If you have any issues, try installing the libraries from source, as the precompiled version may be outdated.
+
 After the installation you have several new command line tools available, such as `ideviceinfo`, `ideviceinstaller` or `idevicedebug`. Let's install and debug the @MASTG-APP-0028 app with the following commands:
 
 ```bash

techniques/ios/MASTG-TECH-0090.md

@@ -1,28 +1,38 @@
 ---
-title: Patching
+title: Injecting Frida Gadget into IPA Manually
 platform: ios
 ---
 
-IPA files are actually ZIP archives, so you can use any ZIP tool to unpack the archive.
+The easiest way to inject Frida into an installed application is by using frida-server. However, if this is not possible, the Frida Gadget can be injected into a decrypted IPA file (see @MASTG-TECH-0054).
+
+This technique describes a manual way of patching the IPA. Alternatively, see @MASTG-TECH-0091.
+
+## Obtaining the Frida Gadget
+
+The Frida Gadget can be downloaded from the [Github release page](https://github.com/frida/frida/releases). You are looking for the `frida-gadget-XX.YY.ZZ-ios-universal.dylib.xz` file. This file is compressed, so you need to decompress it using the `xz` tool.
 
 ```bash
-unzip UnCrackable-Level1.ipa
+xz -d <frida-gadget-XX.YY.ZZ-ios-universal.dylib.xz> -c > FridaGadget.dylib
 ```
 
-## Patching Example: Installing Frida Gadget
+This will decompress the Frida Gadget and automatically save it to `FridaGadget.dylib`.
 
-IF you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first:
+## Adding the Frida Gadget to the IPA
+
+IPA files are ZIP archives, so you can use any ZIP tool to unpack the archive:
 
 ```bash
-curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
+unzip UnCrackable-Level1.ipa
 ```
 
-Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary.
+Next, copy the `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the binary. The code below shows how this is done for the @MASTG-APP-0025:
 
 ```bash
-$ unzip UnCrackable_Level1.ipa
-$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/
-$ optool install -c load -p "@executable_path/FridaGadget.dylib"  -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
+unzip UnCrackable_Level1.ipa
+mkdir -p Payload/UnCrackable\ Level\ 1.app/Frameworks
+cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/Frameworks/
+optool install -c load -p "@executable_path/Frameworks/FridaGadget.dylib"  -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
+
 Found FAT Header
 Found thin header...
 Found thin header...
@@ -33,8 +43,23 @@ Successfully inserted a LC_LOAD_DYLIB command for arm64
 Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1...
 ```
 
-## Patching Example: Making an App Debuggable
+After injecting the load command, you need to recreate the IPA file:
 
-By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile.
+```bash
+zip -r patched.ipa Payload
+```
+
+Finally, install the IPA as described in @MASTG-TECH-0056.
+
+## Launching the Repackaged App in Debug Mode
+
+After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`:
 
-Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section.
+```bash
+idevicedebug -d run sg.vp.UnCrackable1
+
+# In a new terminal
+frida -U -n Gadget
+...
+[iPhone::Gadget ]-> 
+```

techniques/ios/MASTG-TECH-0091.md

@@ -1,32 +1,37 @@
 ---
-title: Library Injection
+title: Injecting Frida Gadget into IPA Automatically
 platform: ios
 ---
 
-If you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first:
+The easiest way to inject Frida into an installed application is by using frida-server. However, if this is not possible, the Frida Gadget can be injected into a decrypted IPA file (see @MASTG-TECH-0054).
 
-```bash
-curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
-```
+As an alternative to this automated approach, see @MASTG-TECH-0090.
+
+## Patching with Sideloadly
+
+@MASTG-TOOL-0116 can be used to automatically inject libraries while repackaging and signing the app. To do so, click the `Advanced Options`, followed by `Inject dylibs/frameworks` and `+dylib/deb/bundle`:
+
+<img src="Images/Techniques/0091-SideloadlyFrida.png" width="400px" />
 
-Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary.
+## Patching with Objection
+
+@MASTG-TOOL-0038 can inject the Frida Gadget into a given IPA file. The `objection explore` command expects an IPA file and a valid code signature. How this signature can be obtained is explained on [Objection's wiki](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications).
+
+## Launching the Repackaged App in Debug Mode
+
+After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`:
 
 ```bash
-$ unzip UnCrackable-Level1.ipa
-$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/
-$ optool install -c load -p "@executable_path/FridaGadget.dylib"  -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
-Found FAT Header
-Found thin header...
-Found thin header...
-Inserting a LC_LOAD_DYLIB command for architecture: arm
-Successfully inserted a LC_LOAD_DYLIB command for arm
-Inserting a LC_LOAD_DYLIB command for architecture: arm64
-Successfully inserted a LC_LOAD_DYLIB command for arm64
-Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1...
+idevicedebug -d run sg.vp.UnCrackable1
+
+# In a new terminal
+frida -U -n Gadget
+...
+[iPhone::Gadget ]-> 
 ```
 
-## Patching Example: Making an App Debuggable
+## Starting with iOS 17 and Xcode 15
 
-By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile.
+Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588).
 
-Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section.
+A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430).

techniques/ios/MASTG-TECH-0092.md

@@ -1,56 +1,18 @@
 ---
-title: Repackaging and Re-Signing
+title: Re-Signing
 platform: ios
 ---
 
-Tampering an app invalidates the main executable's code signature, so this won't run on a non-jailbroken device. You'll need to replace the provisioning profile and sign both the main executable and the files you've made include (e.g. `FridaGadget.dylib`) with the certificate listed in the profile.
+Tampering with an app invalidates the code signature of the main executable, so it won't run on a non-jailbroken device.
 
-## Repackaging
+You'll need to re-sign the IPA with your provisioning profile. This can be done in various ways with different tools:
 
-First, let's add our own provisioning profile to the package:
+- @MASTG-TOOL-0114
+- @MASTG-TOOL-0117
+- @MASTG-TOOL-0102
 
-```bash
-cp AwesomeRepackaging.mobileprovision Payload/UnCrackable\ Level\ 1.app/embedded.mobileprovision
-```
-
-Next, we need to make sure that the Bundle ID in `Info.plist` matches the one specified in the profile because the codesign tool will read the Bundle ID from `Info.plist` during signing; the wrong value will lead to an invalid signature.
-
-```bash
-/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier sg.vantagepoint.repackage" Payload/UnCrackable\ Level\ 1.app/Info.plist
-```
-
-## Re-Signing
-
-Finally, we use the @MASTG-TOOL-0114 tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`.
-
-```bash
-$ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature
-$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938  Payload/UnCrackable\ Level\ 1.app/FridaGadget.dylib
-Payload/UnCrackable Level 1.app/FridaGadget.dylib: replacing existing signature
-```
-
-`entitlements.plist` is the file you created for your empty iOS project.
-
-```bash
-$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 --entitlements entitlements.plist Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
-Payload/UnCrackable Level 1.app/UnCrackable Level 1: replacing existing signature
-```
-
-Now you should be ready to run the modified app. Deploy and run the app on the device using @MASTG-TOOL-0054:
+After re-signing you should be ready to run the modified app. Install the app on the device using @MASTG-TOOL-0054 and start the app by clicking on the app icon:
 
 ```bash
-ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/
+ios-deploy -b <name>.ipa
 ```
-
-If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the frida-ps command:
-
-```bash
-$ frida-ps -U
-PID  Name
----  ------
-499  Gadget
-```
-
-<img src="Images/Chapters/0x06b/fridaStockiOS.png" width="100%" />
-
-When something goes wrong (and it usually does), mismatches between the provisioning profile and code-signing header are the most likely causes. Reading the [official documentation](https://developer.apple.com/support/code-signing/ "Code Signing") helps you understand the code-signing process. Apple's [entitlement troubleshooting page](https://developer.apple.com/library/content/technotes/tn2415/_index.html "Entitlements Troubleshooting") is also a useful resource.

tools/ios/MASTG-TOOL-0114.md

@@ -4,6 +4,7 @@ platform: ios
 source: https://www.unix.com/man-page/osx/1/codesign/
 alternatives:
 - MASTG-TOOL-0102
+- MASTG-TOOL-0117
 ---
 
 The codesign tool is primarily used to create, verify, and display code signatures, and to query the dynamic status of signed code in the system. Although Xcode typically automates the process of signing code during builds and before distribution, there are scenarios where manual intervention with codesign is required. This can include inspecting or verifying the details of an app's code signature, or manually re-signing an app. For more detailed tasks such as these, you can use the codesign command line tool directly, as described in Apple's Code Signing Guide.

tools/ios/MASTG-TOOL-0116.md

@@ -0,0 +1,10 @@
+---
+title: Sideloadly
+platform: ios
+hosts:
+- windows
+- macos
+source: https://sideloadly.io/
+---
+
+[Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows.

tools/ios/MASTG-TOOL-0117.md

@@ -0,0 +1,61 @@
+---
+title: fastlane
+platform: ios
+source: https://github.com/fastlane/fastlane
+hosts:
+- macOS
+- linux
+- windows
+alternatives:
+- MASTG-TOOL-0114
+- MASTG-TOOL-0102
+---
+
+[fastlane](https://github.com/fastlane/fastlane) is a tool for iOS and Android developers to automate tasks like dealing with provisioning profiles, and releasing mobile apps. Once set up, it can be used to resign IPA files with your Xcode provisioning profile.
+
+Before executing fastlane:
+
+- Install fastlane via brew (`brew install fastlane`)
+- [Obtain a developer provisioning profile and certificate](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0079/#getting-a-developer-provisioning-profile-and-certificate)
+- Create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/).
+
+Example:
+
+```yaml
+lane :resignipa do
+  resign(
+    ipa: "<PATH-to-IPA/filename.ipa",
+    signing_identity: "Apple Development: Foobar (STGXYCETF3)",
+    provisioning_profile: "~/Library/MobileDevice/Provisioning Profiles/<FILE-NAME>.mobileprovision",
+  )
+end
+```
+
+Afterwards, execute the `fastlane resignipa` command.
+
+```bash
+$ fastlane resignipa
+[✔] 🚀 
+[15:21:51]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile
+[15:21:52]: Driving the lane 'resignipa' 🚀
+[15:21:52]: --------------------
+[15:21:52]: --- Step: resign ---
+[15:21:52]: --------------------
+...
+[15:22:03]: Successfully signed /test.ipa!
+[15:22:03]: Successfully re-signed .ipa 🔏.
+
++-----------------------------+
+|      fastlane summary       |
++------+--------+-------------+
+| Step | Action | Time (in s) |
++------+--------+-------------+
+| 1    | resign | 11          |
++------+--------+-------------+
+
+[15:22:03]: fastlane.tools finished successfully 🎉
+```
+
+After having this set up once, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again.
+
+More information can be found in the official documentation: ["Codesign an existing ipa file with fastlane resign"](https://docs.fastlane.tools/actions/resign/)