iOS Pentesting without Jailbreak


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Main idea

Applications signed with the `get-task-allow` entitlement allow third-party applications to call `task_for_pid()` with the process ID of the signed application as argument in order to obtain the task port over it (be able to control it and access its memory).

However, it's not as easy as just pulling the IPA, re-signing it with the entitlement, and flashing it back to your device. This is because of FairPlay protection: when the signature of the app changes, the DRM (Digital Rights Management) key is invalidated and the app won't work.

With an old jailbroken device, it's possible to install the IPA, decrypt it using your favourite tool (such as Iridium or frida-ios-dump), and pull it back off the device. However, if possible, it's recommended to just ask the client for the decrypted IPA.

Obtain decrypted IPA

Get it from Apple

  1. Install the app to pentest on the iPhone.
  2. Install and launch Apple Configurator on your macOS machine.
  3. Open Terminal on your Mac and `cd` to `/Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`. The IPA will appear in this folder later.
  4. You should see your iOS device. Double-click on it, and then click Add + → Apps from the top menu bar.
  5. After clicking Add, Configurator will download the IPA from Apple and attempt to push it to your device. If you followed my recommendation earlier and installed the IPA already, a prompt asking you to reinstall the app will appear.
  6. The IPA should be downloaded inside `/Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`, from where you can grab it.

Check https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed for more detailed information about this process.

Decrypting the app

In order to decrypt the IPA we are going to install it on a jailbroken device. However, if you have an old jailbroken iPhone, its iOS version is potentially not going to be supported by the application, as apps usually only support the latest versions.

So, in order to install it, just unzip the IPA:

```bash
unzip redacted.ipa -d unzipped
```

Check the Info.plist for the minimum supported version (MinimumOSVersion) and, if your device is older than that, change the value so your device is supported.

Zip back the IPA:

```bash
cd unzipped
zip -r ../no-min-version.ipa *
```
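The unzip, edit MinimumOSVersion, re-zip steps above done in one go, as an added example that is not part of the original page. It uses only the Python standard library (zipfile and plistlib, so binary and XML Info.plist files are both handled) and keeps every other entry of the IPA byte-for-byte. The IPA built by `build_sample_ipa` is a constructed fixture with placeholder names (`Redacted.app`, `com.example.redacted`), not a real app.

```python
import os
import plistlib
import tempfile
import zipfile

# Constructed placeholder bundle layout used by the fixture below.
APP_DIR = "Payload/Redacted.app/"


def build_sample_ipa(path: str, minimum_os: str = "17.0") -> None:
    """Create a minimal IPA-shaped zip (constructed test fixture, not a real app)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        info = {
            "CFBundleIdentifier": "com.example.redacted",
            "CFBundleExecutable": "Redacted",
            "MinimumOSVersion": minimum_os,
        }
        zf.writestr(APP_DIR + "Info.plist", plistlib.dumps(info))
        zf.writestr(APP_DIR + "Redacted", b"\xcf\xfa\xed\xfe")  # fake Mach-O magic only


def find_info_plist(zf: zipfile.ZipFile) -> str:
    """Locate Payload/<App>.app/Info.plist, ignoring plists of nested frameworks."""
    for name in zf.namelist():
        parts = name.split("/")
        if (len(parts) == 3 and parts[0] == "Payload"
                and parts[1].endswith(".app") and parts[2] == "Info.plist"):
            return name
    raise FileNotFoundError("no Payload/*.app/Info.plist in IPA")


def read_minimum_os(ipa_path: str) -> str:
    """Return the MinimumOSVersion string of the app inside the IPA."""
    with zipfile.ZipFile(ipa_path) as zf:
        return plistlib.loads(zf.read(find_info_plist(zf)))["MinimumOSVersion"]


def lower_minimum_os(src_ipa: str, dst_ipa: str, new_minimum: str) -> str:
    """Write dst_ipa as a copy of src_ipa with MinimumOSVersion rewritten.

    Returns the previous value. Every other zip entry is copied unchanged,
    with its original compression type, so nothing else in the bundle moves.
    """
    with zipfile.ZipFile(src_ipa) as src, \
            zipfile.ZipFile(dst_ipa, "w", zipfile.ZIP_DEFLATED) as dst:
        plist_name = find_info_plist(src)
        old_value = None
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == plist_name:
                info = plistlib.loads(data)  # accepts XML or binary plist
                old_value = info.get("MinimumOSVersion")
                info["MinimumOSVersion"] = new_minimum
                data = plistlib.dumps(info)
            dst.writestr(item, data)
        return old_value


def demo() -> tuple:
    """Build the constructed IPA, lower its minimum iOS, return (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "redacted.ipa")
        dst = os.path.join(tmp, "no-min-version.ipa")
        build_sample_ipa(src, "17.0")
        old = lower_minimum_os(src, dst, "15.0")
        return old, read_minimum_os(dst)


if __name__ == "__main__":
    print(demo())
```

Note that this only changes the bundle's declared minimum version; the installed app will still crash if it actually calls APIs that do not exist on the older iOS, and the signature of the bundle is now invalid, which is why the AppSync Unified tweak mentioned below is needed at install time.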

Then, install the IPA for example with:

```bash
ideviceinstaller -i no-min-version.ipa -w
```

Note that you might need AppSync Unified tweak from Cydia to prevent any invalid signature errors.

Once installed, you can use the Iridium tweak from Cydia in order to obtain the decrypted IPA.

### Patch entitlements & re-sign

In order to re-sign the application with the `get-task-allow` entitlement there are several tools available, such as app-signer, codesign, and iResign. app-signer has a very user-friendly interface that makes it easy to re-sign an IPA file: you indicate the IPA to re-sign, ask it to add `get-task-allow`, and select the certificate and provisioning profile to use.
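An added example, not part of the original page or of any of the tools named above, showing what the entitlement patch actually does to the entitlements plist, plus the inverse check a reviewer would run on a release build (an App Store build should never carry `get-task-allow`). The `RELEASE_ENTITLEMENTS` sample is constructed to look like the output of `codesign -d --entitlements :- Redacted.app` for a placeholder team id and bundle id; `codesign --entitlements` and the `-f`/`-s` flags in the comment are real codesign options.

```python
import plistlib

# Constructed sample of an App Store build's entitlements (placeholder ids).
RELEASE_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "TEAMID0000.com.example.redacted",
    "com.apple.developer.team-identifier": "TEAMID0000",
    "keychain-access-groups": ["TEAMID0000.com.example.redacted"],
})


def get_entitlement(entitlements: bytes, key: str):
    """Return one entitlement value (or None) from an XML or binary plist."""
    return plistlib.loads(entitlements).get(key)


def is_debuggable(entitlements: bytes) -> bool:
    """True if get-task-allow is granted, i.e. task_for_pid() on the process works."""
    return bool(get_entitlement(entitlements, "get-task-allow"))


def add_get_task_allow(entitlements: bytes) -> bytes:
    """Return a copy of the entitlements plist with get-task-allow set to true.

    Everything else (application-identifier, team id, keychain groups) is kept,
    because the re-signed app must still match the provisioning profile it is
    signed with. The result is what you would save as entitlements.plist for:
        codesign -f -s "<signing identity>" --entitlements entitlements.plist Payload/Redacted.app
    """
    ents = plistlib.loads(entitlements)
    ents["get-task-allow"] = True
    return plistlib.dumps(ents)


def audit_release_entitlements(entitlements: bytes) -> list:
    """Reviewer-side check: findings that should block a release build."""
    findings = []
    ents = plistlib.loads(entitlements)
    if ents.get("get-task-allow"):
        findings.append("get-task-allow is true: other processes may attach via task_for_pid")
    team = ents.get("com.apple.developer.team-identifier", "")
    app_id = ents.get("application-identifier", "")
    if not team or not app_id.startswith(team + "."):
        findings.append("application-identifier does not carry the team prefix")
    return findings


if __name__ == "__main__":
    patched = add_get_task_allow(RELEASE_ENTITLEMENTS)
    print("release debuggable:", is_debuggable(RELEASE_ENTITLEMENTS))
    print("patched debuggable:", is_debuggable(patched))
    print("audit of patched build:", audit_release_entitlements(patched))
```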

Regarding the certificate and signing profiles, Apple offers free developer signing profiles for all accounts through Xcode: just create an app and configure one. Then configure the iPhone to trust the developer apps by navigating to Settings → Privacy & Security and enabling Developer Mode.

With the re-signed IPA, it's time to install it in the device to pentest it:

```bash
ideviceinstaller -i resigned.ipa -w
```

Hook

You can now easily hook your app using common tools like Frida and objection:

```bash
objection -g [your app bundle ID] explore
```
