Mobile Pentesting 101 – How to Set Up Your iOS Environment

As promised in the Mobile Pentesting 101 – How to set up your Android Environment article, this one covers the iOS pentesting environment. It is more of a methodology than a step-by-step guide, since some of the tools mentioned may become outdated or be replaced.

  1. Do I need a real device for the pentest?
  2. Setting up your iOS Device
    1. What is Jailbreaking
    2. How to jailbreak your device
      1. checkra1n
      2. palera1n
      3. Unc0ver
    3. Installing Cydia applications
  3. Preparing your pentest station
    1. MobSF
    2. Frida
    3. Objection
    4. Runtime Mobile Security (RMS)
    5. Grapefruit
  4. Conclusion

Do I need a real device for the pentest?

You may recall from the previous article that Android emulators are a great thing to have in your toolkit, since you can easily switch between API levels and features. That holds for Android only. The iOS equivalents are not fully fledged emulators: they simulate only what an application needs in order to run, which is why Apple calls them Simulators. To test an application on the Simulator you need Xcode on a Mac.

Setting up your iOS Device

Due to the limited capabilities of the iOS Simulator, I will offer you only the settings, tools, and methods I use on a physical device.

As the industry becomes more and more aware of the methods attackers use to break out of Apple’s restrictions, newer phones and even newer iOS versions are much harder to jailbreak, i.e. to extend beyond their intended capabilities. As an example, the checkm8 exploit, which offers a semi-tethered jailbreak, applies only to devices with chipsets up to the A11, i.e. up to the iPhone X.

What is Jailbreaking

Jailbreaking is the process of removing the limitations imposed by Apple on devices running the iOS operating system and extending its capabilities. 

There are two common and totally different jailbreaking methods: tethered and untethered jailbreak.

Tethered jailbreaking requires the user to perform the jailbreak process every time the device is restarted, while an untethered jailbreak is a one-time activity and has no such restriction. Both offer the ability to install “unauthorized” software on proprietary Apple devices, i.e. applications that are not downloaded from Apple’s store and have not been approved or vetted by Apple. These include apps from the Cydia app store.

How to jailbreak your device

First and foremost, each device and iOS version comes with limitations or, conversely, with exploits that allow you to elevate your privileges and obtain a properly jailbroken device. The actual jailbreak therefore depends on the device and the iOS version you are running, but for me any of the following 3 methods worked seamlessly: checkra1n, palera1n, and Unc0ver. Let’s explain each of them in a few words.

checkra1n

Checkra1n is a semi-tethered jailbreak, so you need to connect the device to a computer every time you want to re-jailbreak it. The advantage is that you can still use your iPhone in a non-jailbroken state after powering it off and on again. Moreover, checkra1n uses a hardware-based bootrom exploit called checkm8, which works on devices from the A7 chip up to the A11 chip, e.g. the iPhone 5S up to the iPhone X. If you don’t have a Linux machine, bootra1n can be used to easily jailbreak your iPhone.

[Image: Using checkra1n on an iPhone 5S]

palera1n

Palera1n, as its developers describe it, is a developer-oriented jailbreak for checkm8 devices (A8-A11) on iOS 15.0-16.5. This means that devices like the iPhone X running iOS 16 can be jailbroken with this technique, but only from a Mac or Linux machine. Palera1n has all the functionality checkra1n does, but the main drawback is that on A11 devices you must disable your passcode, and you will not be able to use the passcode or other SEP functionality until you boot back into a stock iOS state.

Unc0ver

Unc0ver is a semi-untethered jailbreak, so you don’t need to connect to a computer every time you want to re-jailbreak. The advantage is that you can still use your iPhone in a non-jailbroken state after powering it off and on again. Moreover, unc0ver relies on a variety of software-based tfp0 exploits, which means Apple can patch them through software updates. As a consequence, unc0ver only works for iOS versions up to 14.8, since Apple has since patched the issues that allowed it to run.

Installing Cydia applications

Crucial for a successful penetration test is the correct usage of publicly available apps from the Cydia Store. While some might work on their own, others require a combination of them to successfully perform an action. To help you overcome the headache of discovering which apps should be used, I created a list of my go-to applications from the Cydia Store. Of course, the same can be found in the Zebra or Sileo Stores.

  • OpenSSH – as the name implies, it is used for SSH connections
  • Filza – an advanced file manager application
  • SSL Kill Switch 2 – allows you to easily circumvent SSL pinning
  • Frida – dynamic instrumentation
  • Jailbreak bypass apps
  • Choicy – an advanced tweak configurator
  • AppSync Unified – a tweak that allows users to freely install ad-hoc signed, fake-signed, or unsigned IPA app packages
  • IPA Installer – allows you to build an IPA from sources or to install IPA packages directly from your device

As I already mentioned, the iOS environment is really tricky, and sometimes, to successfully execute an action, you might need to use 2 or 3 applications. For example, to install an application, you might need to use Filza + AppSync Unified + IPA Installer. Or to successfully bypass the advanced jailbreak detection mechanism, you might want to use Choicy + KernBypass.

Preparing your pentest station

As mentioned earlier in Mobile Pentesting 101 – How to set up your Android Environment, having a go-to machine with all the required tools pre-installed is gold, so I still recommend Mobexler as your virtual machine.

If instead you only need a couple of third-party tools on your pentest station, here is a brief introduction to the tools I use in almost every iOS engagement. All the tools and installation methods described below are for Ubuntu; the Windows details can be found in each tool’s documentation.

MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting, malware analysis, and security assessment framework; for iOS applications it performs static analysis only. More details can be found on its GitHub page, but an easy installation on Ubuntu takes the following 3 steps:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh

Frida

As mentioned so many times, Frida is the must-have tool every pentester should use in their day-to-day mobile pentesting methodology. It lets you perform dynamic analysis at its best by injecting JavaScript into the running application process. As per its documentation, Frida can hook any function, spy on crypto APIs, or trace private application code. You can also edit a script, hit save, and instantly see the results without compilation steps or program restarts. You can easily install Frida using:

python3 -m pip install frida-tools

Once you have installed Frida on your hacking station, you can search for ready-made scripts on https://codeshare.frida.re/, or you can write your own. You then run a script against the target app with either of the following commands, spawning the app by its identifier (-f) or attaching to the app currently in the foreground (-F):

frida -U -f Twitter -l script.js
frida -U -F -l script.js
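As an added example that is not part of the original article or of Frida’s own code, here is a script of the kind you would pass with -l: it hooks CommonCrypto’s CCCrypt() in the target app and reports weak cipher parameters (the “spy on crypto APIs” use case), logging only the scalar arguments and never the key or data buffers. The file name, the placeholder bundle identifier and the choice of CCCrypt as the hooked function are my assumptions.

```javascript
// Added example (not from the article or the Frida project): a Frida script
// that hooks CommonCrypto's CCCrypt() inside the target iOS app and reports
// weak cipher usage (DES/RC4/RC2, ECB mode, wrong AES key sizes).
// Run with: frida -U -f <bundle-id> -l cccrypt-audit.js  (<bundle-id> is a placeholder)

// CCAlgorithm and CCOptions constants from CommonCryptor.h.
const CC_ALGORITHMS = { 0: 'AES', 1: 'DES', 2: '3DES', 3: 'CAST', 4: 'RC4', 5: 'RC2', 6: 'Blowfish' };
const kCCEncrypt = 0;
const kCCOptionECBMode = 0x0002;
const WEAK_ALGORITHMS = new Set(['DES', 'RC4', 'RC2']);
const AES_KEY_LENGTHS = [16, 24, 32];

// Pure classification logic, kept separate from the hook so it can be
// unit-tested on the host without a device.
function describeCCCrypt(op, alg, options, keyLength) {
  const algorithm = CC_ALGORITHMS[alg] || ('unknown(' + alg + ')');
  const ecb = (options & kCCOptionECBMode) !== 0;
  // RC4 is a stream cipher, so the ECB/CBC option bit does not apply to it.
  const mode = algorithm === 'RC4' ? 'stream' : (ecb ? 'ECB' : 'CBC');
  const findings = [];
  if (WEAK_ALGORITHMS.has(algorithm)) findings.push('weak algorithm ' + algorithm);
  if (mode === 'ECB') findings.push('ECB mode');
  if (algorithm === 'AES' && AES_KEY_LENGTHS.indexOf(keyLength) === -1) {
    findings.push('invalid AES key length ' + keyLength + ' bytes');
  }
  return {
    operation: op === kCCEncrypt ? 'encrypt' : 'decrypt',
    algorithm: algorithm,
    mode: mode,
    keyBits: keyLength * 8,
    findings: findings,
  };
}

// The hook only runs inside Frida's JavaScript runtime; on a host runtime
// such as node, Interceptor is undefined and this section is skipped.
if (typeof Interceptor !== 'undefined') {
  // Frida 17+ renamed this to Module.findGlobalExportByName(name).
  const cccrypt = Module.findExportByName(null, 'CCCrypt');
  Interceptor.attach(cccrypt, {
    onEnter(args) {
      // CCCrypt(op, alg, options, key, keyLength, iv, dataIn, ...): read
      // only the scalar parameters, never the key or data buffers.
      const info = describeCCCrypt(args[0].toInt32(), args[1].toInt32(),
                                   args[2].toInt32(), args[4].toUInt32());
      const tag = info.findings.length ? '[WEAK] ' : '[ok] ';
      console.log(tag + 'CCCrypt ' + JSON.stringify(info));
    }
  });
}
```

Each call is printed on the frida CLI on the host, so a run through the app’s login or sync flow gives you an inventory of the ciphers and modes it actually uses.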

Objection

Objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications without needing a jailbreak. It can help you bypass fingerprint authentication, SSL pinning, and much more.

You can install it using python’s pip as easily as:

python3 -m pip install objection

Runtime Mobile Security (RMS)

I wrote an entire article dedicated to this tool, so you should check it out here. To install it, just use the following:

npm install -g rms-runtime-mobile-security

Grapefruit

Grapefruit, formerly known as Passionfruit, is a runtime application instrumentation tool for iOS. It lets you view the objects stored in the Keychain, the application’s entire private directory, decompiled source code, and much more. Just install it using:

npm install -g igf

[Image: Running Grapefruit as per their GitHub page]

Conclusion

I hope this article helped you create your mobile pentesting environment or refine your existing one. Also, take a look at Mobile Pentesting 101 – How to set up your Android Environment if you ever need to pentest an Android application.

2 comments

  1. I stumbled upon my first securitycafe post by complete accident. I’m thrilled that I did, to be honest. There are oodles and doodles of very well-written articles on here and, I’m not sure I’ve yet seen a single one of y’all’s works and not one of them is something I would not be interested in learning about. Thank you so much!
