Start your first iOS Application Pentest with me (Part 1)

Kishor balan
6 min readJan 14, 2023


Hola Hackers,

Hope y’all are doing good. Today we are going to prepare a jailbroken iOS device for iOS pentesting. This article will not cover the complete methodology; it is split into two parts, and only the following will be covered today:

1: Installing the required tools and Cydia tweaks

Note:- There are plenty of different tools and methodologies when it comes to iOS pentesting and I cannot cover all of them; only my own methodology is shared here.

Prerequisites:

1: A Jailbroken iOS device

Setting up the lab and installing basic tools:

1: You should already have Frida and Objection on your host machine; if not, install them:

Releases · frida/frida (github.com)

GitHub — sensepost/objection: 📱 objection — runtime mobile exploration

2: iTunes: On Windows, iTunes installs the Apple Mobile Device drivers (usbmuxd) that the other tools rely on to talk to the device over USB, and it also takes device backups.

3: 3uTools: This one has a lot of useful features such as a direct SSH connection, screen mirroring, an IPA installer, and so on.

3uTools | The best all-in-one tool for iOS users

4: Cydia:- Cydia is a third-party package manager, similar to the App Store, built for jailbroken iDevices. If you jailbreak with checkra1n or unc0ver, Cydia is normally installed for you.

What if Cydia was not installed during the jailbreak?

With checkra1n, install Cydia manually from the checkra1n loader app on the device.

With unc0ver, enable the Reinstall Cydia option in the unc0ver app settings and jailbreak again.

After the jailbreak completes, the Cydia app will be on the home screen.

Method for installing Tweaks on the Jailbroken iOS device:

1: With the help of Cydia

Step 1: Add the repo URL of the required tweak in the Sources section.

Step 2: After the source is added, search for the tweak in the Search section.

Step 3: Select the tweak and install it; respring the device if prompted.

2: Direct method:

Installing tweaks from their .deb files through an SSH terminal

Step 1: Find the tweak’s .deb file on its source (the repo or the project’s release page).

Step 2: Copy the file link and SSH into the iOS device as root.

Step 3: Download the .deb with wget (if wget is not installed on the device, download it on the host and copy it over with scp instead).

Step 4: Install it with the command “dpkg -i file.deb”. A .deb is an archive that dpkg unpacks, not a program, so it does not need “chmod +x”; if dpkg stops with unmet dependencies, install those from Cydia first and run dpkg again.

Step 5: That’s it; the tweak is now installed on your device.
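The direct method above, as an added example that is not part of the original post: a small host-side script that checks a downloaded .deb before pushing it, then installs it with dpkg over SSH. DEVICE_HOST, DEVICE_PORT and the /var/root staging path are assumptions, and it copies the file from the host with scp instead of running wget on the device.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): push a .deb tweak from the host to a
# jailbroken device and install it with dpkg over SSH.
# Assumptions (hypothetical): the device answers SSH as root at $DEVICE_HOST on
# $DEVICE_PORT (22 for the Cydia OpenSSH package), and the expected SHA-256 of the
# .deb is known from the tweak's release page.
set -u

DEVICE_HOST="${DEVICE_HOST:-192.168.1.50}"   # assumption: device IP on the lab Wi-Fi
DEVICE_PORT="${DEVICE_PORT:-22}"
DEVICE_USER="root"

# A .deb is an `ar` archive whose first 8 bytes are "!<arch>\n". dpkg reads it as
# data, so it never needs chmod +x; we only check that it really is an archive.
deb_has_ar_magic() {
  [ "$(head -c 8 "$1" 2>/dev/null)" = "!<arch>" ]
}

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# 0 when the file's digest equals the expected one (hex compared case-insensitively).
deb_checksum_ok() {
  local actual expected
  actual="$(sha256_of "$1" | tr 'A-Z' 'a-z')"
  expected="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Refuse to push anything that is not a Debian archive with the expected hash:
# a tweak runs as root inside every process it hooks, so a swapped file is game over.
deb_preflight() {
  local deb="$1" expected="$2"
  [ -f "$deb" ] || { echo "no such file: $deb" >&2; return 1; }
  deb_has_ar_magic "$deb" || { echo "not an ar archive: $deb" >&2; return 1; }
  deb_checksum_ok "$deb" "$expected" || { echo "sha256 mismatch: $deb" >&2; return 1; }
}

# Copy to the device and install. Cydia Substrate / PreferenceLoader must already
# be present, otherwise dpkg stops with unmet dependencies.
deb_install_remote() {
  local deb="$1" expected="$2" base
  deb_preflight "$deb" "$expected" || return 1
  base="$(basename "$deb")"
  scp -P "$DEVICE_PORT" "$deb" "$DEVICE_USER@$DEVICE_HOST:/var/root/$base" || return 1
  ssh -p "$DEVICE_PORT" "$DEVICE_USER@$DEVICE_HOST" \
    "dpkg -i /var/root/$base && rm -f /var/root/$base"
}

# Usage (not run here): deb_install_remote ./tweak.deb <sha256 from the release page>
```

The preflight is the part worth keeping even if you type the rest by hand: a .deb that fails the magic check is usually an HTML error page saved under the wrong name, and a hash mismatch means you are not installing what the author published.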

Dependencies:

Most tweaks depend on the following packages, so install them from Cydia before using the direct method (on newer jailbreaks, Substitute or libhooker takes the place of Cydia Substrate):

  • Cydia Substrate
  • PreferenceLoader

Installing the required Cydia Tweaks:

Tweaks are third-party packages that hook into iOS or into the target app at runtime. We use them to get past the protections a target app puts up, such as jailbreak detection and certificate pinning. Plenty of tweaks are available, but here I am listing the ones we need.

A: Filza:

Repo: https://tigisoftware.com/cydia/

Filza is a file manager for exploring the device’s directories, including the ones only root can read (the app sandboxes under /var/mobile/Containers and the keychain database).

Filza also provides a WebDAV server, so the device filesystem can be browsed and copied from another machine on the same network.

B: App Sync Unified

Repo: https://cydia.akemi.ai/

The tweak lets you install IPA files that are ad-hoc signed, fakesigned, or unsigned, which is what you need for a rebuilt or patched target app.

C: IPA installer

Repo: http://apt.thebigboss.org/repofiles/cydia/

This one installs IPA files directly on the jailbroken device and can also back an installed app up to an IPA.

D: OpenSSH

Repo: http://apt.saurik.com/

We know why we need OpenSSH: it gives us terminal access to the iOS device with root privileges over Wi-Fi on port 22. (checkra1n already ships an SSH server reachable over USB on port 44, e.g. “iproxy 2222 44”; the Cydia package is what adds the network-facing one.)

Default credentials: root: alpine (the mobile user has the same password). Change both with “passwd” as soon as SSH is up; otherwise anyone on the same Wi-Fi can log into your device as root.

E: Frida

Repo: https://build.frida.re/

To work with the Frida tools, frida-server must be running on the device; the Cydia package installs it and starts it through launchd. Keep the major version of the device package in step with the frida-tools on your host, otherwise the client refuses to connect.
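A lab check for the Frida setup described above, as an added example that is not part of the original post: it compares the host frida client with the device frida-server, confirms the server is up, and proves the client can reach it. DEVICE_HOST and DEVICE_PORT are assumptions, and the ps check assumes the device has ps installed (the adv-cmds package).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify the host frida-tools and the
# device frida-server agree before running objection. Frida refuses to talk to a
# server whose major version differs from the client's.
# Assumptions (hypothetical): SSH as root at $DEVICE_HOST:$DEVICE_PORT, frida-tools
# on the host, the Cydia Frida package on the device, ps (adv-cmds) on the device.
set -u

DEVICE_HOST="${DEVICE_HOST:-192.168.1.50}"   # assumption: device IP on the lab Wi-Fi
DEVICE_PORT="${DEVICE_PORT:-22}"

# First dotted field of a version string: "16.1.10" -> "16".
frida_major() { printf '%s' "$1" | cut -d. -f1; }

# Client and server must share a major version; minor and patch may differ.
frida_compatible() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$(frida_major "$1")" = "$(frida_major "$2")" ]
}

# Last version-looking token in a command's output, e.g. "frida-server 16.1.10".
version_token() {
  printf '%s' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | tail -n 1
}

check_frida_lab() {
  local host_v dev_v
  host_v="$(version_token "$(frida --version 2>/dev/null)")"
  dev_v="$(version_token "$(ssh -p "$DEVICE_PORT" "root@$DEVICE_HOST" \
            'frida-server --version' 2>/dev/null)")"
  if ! frida_compatible "$host_v" "$dev_v"; then
    echo "frida client ${host_v:-?} vs device frida-server ${dev_v:-?}: major versions differ" >&2
    return 1
  fi
  # The Cydia package starts frida-server from launchd; confirm it is running,
  # then prove the client can reach it by listing installed apps over USB.
  ssh -p "$DEVICE_PORT" "root@$DEVICE_HOST" 'ps aux | grep -q "[f]rida-server"' || {
    echo "frida-server is not running on the device" >&2; return 1; }
  frida-ps -Uai >/dev/null
}

# Usage (not run here): check_frida_lab && echo "frida lab OK"
```

Once the check passes, “frida --codeshare <author/script> -U -f <bundle-id>” spawns the target app with a CodeShare script attached, which is how the Frida-based jailbreak-detection and pinning bypasses mentioned later are used.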

F: Plutil

Repo: https://apt.bingner.com/

This tool reads and converts .plist files (property lists, the iOS counterpart of Android’s XML manifest and resources). A plist is stored either as XML or in a binary “bplist” form; plutil turns the binary form into readable XML.
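The plist handling described above, as an added example that is not part of the original post: it tells the two plist encodings apart by their magic bytes, converts a binary plist to XML, and pulls out one thing worth looking for early, the URL schemes of jailbreak apps that a target declares in LSApplicationQueriesSchemes. It assumes plutil (macOS or the Cydia package) or plistutil (libplist, Linux) is on PATH when a binary plist has to be decoded; the scheme list is my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): triage a .plist pulled from the
# target app. Property lists come as XML or as binary ("bplist00" header).
# Assumptions (hypothetical): `plutil` or `plistutil` is on PATH when a binary
# plist needs decoding; JB_SCHEMES is a hand-picked list, not an official one.
set -u

# Classify by magic bytes: binary plists start with "bplist00", XML plists with
# "<?xml" or a bare "<plist".
plist_kind() {
  local head8
  head8="$(head -c 8 "$1" 2>/dev/null)"
  case "$head8" in
    bplist00) echo binary ;;
    '<?xml'*|'<plist'*) echo xml ;;
    *) echo unknown ;;
  esac
}

# Print the plist as XML whatever its on-disk encoding.
plist_to_xml() {
  local f="$1"
  case "$(plist_kind "$f")" in
    xml) cat "$f" ;;
    binary)
      if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$f"        # macOS plutil syntax
      elif command -v plistutil >/dev/null 2>&1; then
        plistutil -i "$f"                     # libplist; output goes to stdout
      else
        echo "need plutil or plistutil to decode $f" >&2; return 1
      fi ;;
    *) echo "not a plist: $f" >&2; return 1 ;;
  esac
}

# Jailbreak-detection hint: an app that probes for Cydia & co. via canOpenURL: has
# to list those schemes under LSApplicationQueriesSchemes in its Info.plist.
# Print every <string> value that equals one of the known scheme names.
JB_SCHEMES='cydia|sileo|zbra|filza|undecimus|activator'
plist_jb_schemes() {
  plist_to_xml "$1" | grep -oE '<string>[^<]*</string>' \
    | sed -e 's#<string>##' -e 's#</string>##' \
    | grep -iE "^($JB_SCHEMES)$" || true
}

# Usage (not run here): plist_jb_schemes Payload/Target.app/Info.plist
```

If plist_jb_schemes prints anything, the app almost certainly has a jailbreak check, so plan on one of the bypass tweaks from the next section before you try to run it on the device.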

G: fsmon

Repo: GitHub — nowsecure/fsmon: monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux

This is a filesystem monitor that runs on Linux, Android and iOS. Run it on the device while you exercise the target app to see which files the app creates, reads and writes (a quick way to find where it stores tokens and caches).

Tweaks for Bypassing Jailbreak Detection:

The following are the most commonly used tweaks for bypassing jailbreak detection. No single one works against every app, so if the target still refuses to run, try the next.

A: Liberty Lite

Repo: https://ryleyangus.com/repo/

B: A-Bypass

Repo: https://repo.co.kr/

C: HideJB

Repo: http://apt.thebigboss.org/repofiles/cydia/

D: Hestia

Repo: https://havoc.app/

E: iHide

Repo: https://repo.kc57.com/

Alternatively, you can use Frida scripts to bypass the JB detection: Frida CodeShare

Tweaks for Bypassing SSL Pinning:

The following are the most used tweaks for bypassing SSL certificate pinning.

A: SSL Kill Switch 2

Repo: https://julioverne.github.io/

B: SSLBypass

Repo: SSLBypass/packages at main · evilpenguin/SSLBypass · GitHub

Alternatively, you can use Frida scripts to bypass the SSL pinning: Frida CodeShare

Note:- Most of the jailbreak-detection and SSL-pinning bypass tweaks add a pane under the device Settings after installation, where you enable them for the target app. Kill and relaunch the app after enabling one, since the hooks are injected only into processes started afterwards.

So that’s it, guys; we are almost ready to go. We will kick off our first iOS application pentest in Part 2. If I have missed something in this part, we will cover it in the next one. Stay tuned, happy hacking :)
