updated patching IPAs (#2907)

* updated patching IPAs * update lint error * updated ID for fastlane * Extracted Sideloadly to a separate tool and restructured a bit * Fix linting * Reviewed fastlane and moved httptoolkit to different tool nr * Move files around * Fix linting * Fix tool collision * Fix broken link * Fix link * Update MASTG-TECH-0079: Change title and enhance instructions for obtaining a developer provisioning profile * Update MASTG-TECH-0090 and MASTG-TECH-0091: Revise titles and enhance instructions for injecting Frida Gadget and libraries into IPA files * Update MASTG-TECH-0092: Revise title and enhance instructions for repackaging and re-signing IPA files using Fastlane * fix IDs * Add MASTG-TECH-0119: Launching a repackaged app in debug mode * Update MASTG-TECH-0055: Replace previous title and redundant content. Fix IDs * Update MASTG-TECH-0090, MASTG-TECH-0091, and MASTG-TECH-0092: Enhance instructions for injecting Frida Gadget and streamline the installation process --------- Co-authored-by: Sven Schleier <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]> Co-authored-by: Carlos Holguera <[email protected]>
OWASP · Dec 12, 2024 · 47ec773 · 47ec773
1 parent ae43160
commit 47ec773
Show file tree

Hide file tree

Showing 17 changed files with 144 additions and 121 deletions.
diff --git a/.gitignore b/.gitignore
@@ -29,4 +29,5 @@ docs/assets/Images
 OWASP_MASVS.yaml
 cross_references.yaml
 drafts/
-Payload/
+Payload/
+.vscode/settings.json
diff --git a/Document/Images/Techniques/0091-SideloadlyFrida.png b/Document/Images/Techniques/0091-SideloadlyFrida.png
diff --git a/techniques/ios/MASTG-TECH-0055.md b/techniques/ios/MASTG-TECH-0055.md
@@ -1,22 +1,21 @@
 ---
-title: Repackaging Apps
+title: Launching a Repackaged App in Debug Mode
 platform: ios
 ---
 
-If you need to test on a non-jailbroken device you should learn how to repackage an app to enable dynamic testing on it.
-
-Use a computer with macOS to perform all the steps indicated in the article ["Patching iOS Applications"](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications) from the objection Wiki. Once you're done you'll be able to patch an IPA by calling the objection command:
+After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`:
 
 ```bash
-objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx
-```
-
-Finally, the app needs to be installed (sideloaded) and run with debugging communication enabled. Perform the steps from the article ["Running Patched iOS Applications"](https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications) from the objection Wiki (using ios-deploy).
+idevicedebug -d run sg.vp.UnCrackable1
 
-```bash
-ios-deploy --bundle Payload/my-app.app -W -d
+# In a new terminal
+frida -U -n Gadget
+...
+[iPhone::Gadget ]-> 
 ```
 
-Refer to @MASTG-TECH-0056 to learn about other installation methods. Some of them doesn't require you to have a macOS.
+## Starting with iOS 17 and Xcode 15
+
+Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588).
 
-> This repackaging method is enough for most use cases. For more advanced repackaging, refer to @MASTG-TECH-0092.
+A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430).
diff --git a/techniques/ios/MASTG-TECH-0056.md b/techniques/ios/MASTG-TECH-0056.md
@@ -3,15 +3,15 @@ title: Installing Apps
 platform: ios
 ---
 
-When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can circumvent this security feature with [AppSync](http://repo.hackyouriphone.org/appsyncunified "AppSync"), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. AppSync is a tweak that patches installd, allowing the installation of fake-signed IPA packages.
+When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can circumvent this security feature with [AppSync](https://github.com/akemin-dayo/AppSync "AppSync"), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. AppSync is a tweak that patches installd, allowing the installation of fake-signed IPA packages.
 
 Different methods exist for installing an IPA package onto an iOS device, which are described in detail below.
 
 > Please note that iTunes is no longer available in macOS Catalina. If you are using an older version of macOS, iTunes is still available but since iTunes 12.7 it is not possible to install apps.
 
 ## Sideloadly
 
-[Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows.
+@MASTG-TOOL-0118 is a GUI tool that can automate all required steps for you. It requires valid Apple developer credentials, as it will obtain a valid signature from Apple servers.
 
 !!! warning "Do not use your personal Apple account"
     To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account.
@@ -27,6 +27,8 @@ brew install libimobiledevice
 brew install ideviceinstaller
 ```
 
+If you have any issues, try installing the libraries from source, as the precompiled version may be outdated.
+
 After the installation you have several new command line tools available, such as `ideviceinfo`, `ideviceinstaller` or `idevicedebug`. Let's install and debug the @MASTG-APP-0028 app with the following commands:
 
 ```bash

diff --git a/techniques/ios/MASTG-TECH-0064.md b/techniques/ios/MASTG-TECH-0064.md
@@ -11,7 +11,7 @@ This section describes various ways to bypass SSL Pinning and gives guidance abo
 
 ## Methods for Jailbroken and Non-jailbroken Devices
 
-If you have a jailbroken device with frida-server installed, you can bypass SSL pinning by running the following @MASTG-TOOL-0038 command (see @MASTG-TECH-0055 if you're using a non-jailbroken device):
+If you have a jailbroken device with frida-server installed, you can bypass SSL pinning by running the following @MASTG-TOOL-0038 command (see @MASTG-TECH-0090 if you're using a non-jailbroken device):
 
 ```bash
 ios sslpinning disable

diff --git a/techniques/ios/MASTG-TECH-0079.md b/techniques/ios/MASTG-TECH-0079.md
@@ -1,33 +1,13 @@
 ---
-title: Dynamic Analysis on Non-Jailbroken Devices
+title: Getting a Developer Provisioning Profile
 platform: ios
 ---
 
-If you don't have access to a jailbroken device, you can patch and repackage the target app to load a dynamic library at startup (e.g. the [Frida gadget](https://www.frida.re/docs/gadget/ "Frida Gadget") to enable dynamic testing with Frida and related tools such as objection). This way, you can instrument the app and do everything you need to do for  dynamic analysis (of course, you can't break out of the sandbox this way). However, this technique only works if the app binary isn't FairPlay-encrypted (i.e., obtained from the App Store).
-
-## Automated Repackaging
-
-@MASTG-TOOL-0038 automates the process of app repackaging. You can find exhaustive documentation on the official [wiki pages](https://github.com/sensepost/objection/wiki "Objection - Documentation").
-
-Using objection's repackaging feature is sufficient for most of use cases. However, in some complex scenarios you might need more fine-grained control or a more customizable repackaging process. In that case, you can read a detailed explanation of the repackaging and resigning process in ["Manual Repackaging"](#manual-repackaging).
-
-## Manual Repackaging
-
-Thanks to Apple's confusing provisioning and code-signing system, re-signing an app is more challenging than you would expect. iOS won't run an app unless you get the provisioning profile and code signature header exactly right. This requires learning many concepts-certificate types, Bundle IDs, application IDs, team identifiers, and how Apple's build tools connect them. Getting the OS to run a binary that hasn't been built via the default method (Xcode) can be a daunting process.
-
-We'll use @MASTG-TOOL-0059, Apple's build tools, and some shell commands. Our method is inspired by [Vincent Tan's Swizzler project](https://github.com/vtky/Swizzler2/ "Swizzler"). [The NCC group](https://research.nccgroup.com/2016/10/12/ios-instrumentation-without-jailbreak/ "NCC blog - iOS instrumentation without jailbreak") has described an alternative repackaging method.
-
-To reproduce the steps listed below, download @MASTG-APP-0025. Our goal is to make the UnCrackable app load `FridaGadget.dylib` during startup so we can instrument the app with Frida.
-
-> Please note that the following steps apply to macOS only, as Xcode is only available for macOS.
-
-## Getting a Developer Provisioning Profile and Certificate
-
 The _provisioning profile_ is a plist file signed by Apple, which adds your code-signing certificate to its list of accepted certificates on one or more devices. In other words, this represents Apple explicitly allowing your app to run for certain reasons, such as debugging on selected devices (development profile). The provisioning profile also includes the _entitlements_ granted to your app. The _certificate_ contains the private key you'll use to sign.
 
 Depending on whether you're registered as an iOS developer, you can obtain a certificate and provisioning profile in one of the following ways:
 
-**With an iOS developer account:**
+## With an iOS developer account
 
 If you've developed and deployed iOS apps with Xcode before, you already have your own code-signing certificate installed. Use the @MASTG-TOOL-0063 command (macOS only) to list your signing identities:
 
@@ -41,11 +21,13 @@ Log into the Apple Developer portal to issue a new App ID, then issue and downlo
 
 In the examples below, I use my signing identity, which is associated with my company's development team. I created the App ID "sg.vp.repackaged" and the provisioning profile "AwesomeRepackaging" for these examples. I ended up with the file `AwesomeRepackaging.mobileprovision`-replace this with your own filename in the shell commands below.
 
-**With a Regular Apple ID:**
+## With a Regular Apple ID
 
 Apple will issue a free development provisioning profile even if you're not a paying developer. You can obtain the profile via Xcode and your regular Apple account: simply create an empty iOS project and extract `embedded.mobileprovision` from the app container, which is in the Xcode subdirectory of your home directory: `~/Library/Developer/Xcode/DerivedData/<ProjectName>/Build/Products/Debug-iphoneos/<ProjectName>.app/`. The [NCC blog post "iOS instrumentation without jailbreak"](https://research.nccgroup.com/2016/10/12/ios-instrumentation-without-jailbreak/ "iOS instrumentation without jailbreak") explains this process in great detail.
 
-Once you've obtained the provisioning profile, you can check its contents with the @MASTG-TOOL-0063 command. You'll find the entitlements granted to the app in the profile, along with the allowed certificates and devices. You'll need these for code-signing, so extract them to a separate plist file as shown below. Have a look at the file contents to make sure everything is as expected.
+## Inspecting the Provisioning Profile
+
+Once you've obtained the provisioning profile, you can inspect its contents with the @MASTG-TOOL-0063 command. You'll find the entitlements granted to the app in the profile, along with the allowed certificates and devices. You'll need these for code-signing, so extract them to a separate plist file as shown below. Have a look at the file contents to make sure everything is as expected.
 
 ```bash
 $ security cms -D -i AwesomeRepackaging.mobileprovision > profile.plist

diff --git a/techniques/ios/MASTG-TECH-0086.md b/techniques/ios/MASTG-TECH-0086.md
@@ -5,7 +5,7 @@ platform: ios
 
 Intercepting Objective-C methods is a useful iOS security testing technique. For example, you may be interested in data storage operations or network requests. In the following example, we'll write a simple tracer for logging HTTP(S) requests made via iOS standard HTTP APIs. We'll also show you how to inject the tracer into the Safari web browser.
 
-In the following examples, we'll assume that you are working on a jailbroken device. If that's not the case, you first need to follow the steps outlined in @MASTG-TECH-0055 to repackage the Safari app.
+In the following examples, we'll assume that you are working on a jailbroken device. If that's not the case, you first need to follow the steps outlined in @MASTG-TECH-0090 to repackage the Safari app with the Frida Gadget.
 
 Frida comes with `frida-trace`, a function tracing tool. `frida-trace` accepts Objective-C methods via the `-m` flag. You can pass it wildcards as well-given `-[NSURL *]`, for example, `frida-trace` will automatically install hooks on all `NSURL` class selectors. We'll use this to get a rough idea about which library functions Safari calls when the user opens a URL.
 

diff --git a/techniques/ios/MASTG-TECH-0090.md b/techniques/ios/MASTG-TECH-0090.md
@@ -1,40 +1,24 @@
 ---
-title: Patching
+title: Injecting Frida Gadget into an IPA Automatically
 platform: ios
 ---
 
-IPA files are actually ZIP archives, so you can use any ZIP tool to unpack the archive.
+If you want to enable dynamic testing with Frida but don't have access to a jailbroken device, you can patch and repackage the target app to load the [Frida gadget](https://www.frida.re/docs/gadget/). This way, you can instrument the app and do everything you need to do for dynamic analysis (of course, you can't break out of the sandbox this way). However, this technique only works if the app binary isn't FairPlay-encrypted (i.e., obtained from the App Store).
 
-```bash
-unzip UnCrackable-Level1.ipa
-```
+The easiest way to inject Frida into an installed application is by using frida-server. However, if this is not possible, the Frida Gadget can be injected into a decrypted IPA file.
 
-## Patching Example: Installing Frida Gadget
+As an alternative to this automated approach, see @MASTG-TECH-0091.
 
-IF you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first:
+## @MASTG-TOOL-0118
 
-```bash
-curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
-```
+Sideloadly can be used to automatically inject libraries while repackaging and signing the app. To do so, click the `Advanced Options`, followed by `Inject dylibs/frameworks` and `+dylib/deb/bundle`:
 
-Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary.
+<img src="Images/Techniques/0091-SideloadlyFrida.png" width="400px" />
 
-```bash
-$ unzip UnCrackable_Level1.ipa
-$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/
-$ optool install -c load -p "@executable_path/FridaGadget.dylib"  -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
-Found FAT Header
-Found thin header...
-Found thin header...
-Inserting a LC_LOAD_DYLIB command for architecture: arm
-Successfully inserted a LC_LOAD_DYLIB command for arm
-Inserting a LC_LOAD_DYLIB command for architecture: arm64
-Successfully inserted a LC_LOAD_DYLIB command for arm64
-Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1...
-```
-
-## Patching Example: Making an App Debuggable
+## @MASTG-TOOL-0038
 
-By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile.
+Objection can inject the Frida Gadget into a given IPA file. Use a computer with macOS to perform all the steps indicated in the article ["Patching iOS Applications"](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications) from the objection Wiki. Once you're done you'll be able to patch an IPA by calling the objection command:
 
-Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section.
+```bash
+objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx
+```
diff --git a/techniques/ios/MASTG-TECH-0091.md b/techniques/ios/MASTG-TECH-0091.md
@@ -1,20 +1,44 @@
 ---
-title: Library Injection
+title: Injecting Libraries into an IPA Manually
 platform: ios
 ---
 
-If you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first:
+This technique allows you to inject arbitrary libraries into an IPA file.
+
+This is useful when you want to add additional functionality or testing capabilities to an application. For example, you can inject the Frida Gadget into an IPA file to enable dynamic instrumentation of the application.
+
+We'll use the Frida Gadget (`FridaGadget.dylib`) as an example but you can use this technique to inject any `.dylib` library you want.
+
+## Obtaining the Library
+
+In our example, the library is Frida Gadget, which can be downloaded from the [GitHub release page](https://github.com/frida/frida/releases) of the Frida project. Look for the latest release that matches your target platform and download the `frida-gadget-XX.YY.ZZ-ios-universal.dylib.xz` file.
+
+Decompress the file using the `xz` tool and save it as `FridaGadget.dylib`:
 
 ```bash
-curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
+xz -d <frida-gadget-XX.YY.ZZ-ios-universal.dylib.xz> -c > FridaGadget.dylib
 ```
 
-Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary.
+## Adding the Library to the IPA
+
+IPA files are ZIP archives, so you can use any ZIP tool to unpack the archive:
 
 ```bash
-$ unzip UnCrackable-Level1.ipa
-$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/
-$ optool install -c load -p "@executable_path/FridaGadget.dylib"  -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
+unzip UnCrackable-Level1.ipa
+```
+
+Next, copy the target library, in this case `FridaGadget.dylib`, into the `.app/Frameworks` directory (create the directory if it doesn't exist):
+
+```bash
+mkdir -p Payload/UnCrackable\ Level\ 1.app/Frameworks
+cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/Frameworks/
+```
+
+Use @MASTG-TOOL-0059 to add a `load` command to the binary (`LC_LOAD_DYLIB`). The code below shows how this is done for the @MASTG-APP-0025:
+
+```bash
+optool install -c load -p "@executable_path/Frameworks/FridaGadget.dylib"  -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
+
 Found FAT Header
 Found thin header...
 Found thin header...
@@ -25,8 +49,10 @@ Successfully inserted a LC_LOAD_DYLIB command for arm64
 Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1...
 ```
 
-## Patching Example: Making an App Debuggable
+After injecting the `load` command, you need to repackage the IPA:
 
-By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile.
+```bash
+zip -r patched.ipa Payload
+```
 
-Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in @MASTG-TECH-0079.
+To debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in @MASTG-TECH-0079.