Welcome to the iOS-Pentesting wiki!

JB Testing

Re-sign using applesign

List identities

./applesign.js -L

Re-sign

./applesign.js -i ABCDEFGHIJKLMNOPQRST /blah/blah.ipa

Re-sign using ios-app-signer

https://github.com/DanTheMan827/ios-app-signer/releases/tag/1.14

Deploy using xcode

https://slashedm.gitbook.io/xcode-app-signing/where-do-we-go-now/newer-versions

Xcode + iOS App Signer

Install Xcode, open it, and agree to the license agreement.
Plug in your iOS device and select it as the build target.
Open Xcode and create a new iOS Application.
Type a name and identifier.
Xcode will complain about the lack of a provisioning profile. Click fix issue.
Sign into an Apple ID when prompted.
Download iOS App Signer
Download the latest version of unc0ver from above.
Open iOS App Signer.
Select the ipa you just downloaded as an input file.
Click start.
Return to Xcode. Go to the menu bar. Click Window → Devices.
Find your device, click the plus, and select the file created by iOS App Signer.

Objection

frida-ps -Uia objection --gadget "com.apple.AppStore" explore

objection explore --startup-command 'ios jailbreak simulate'

#Get IPA - frida-iOS-dump

sudo iproxy 2222 22

python3 dump.py com.blah -H 127.0.0.1 -p 2222 -u mobile -P password -o blah.ipa

Non-JB Testing

Connect phone to Mac - run a test app in xcode and fix signing certificates. This should generate a provisioning file.

Find code sigs

security find-identity -p codesigning -v

Patch Frida dylib to ipa

objection patchipa --source blah.ipa --codesign-signature 1234BLAH

objection patchipa --source blah.ipa --codesign-signature 39AAAAAAAAAAAAAAAAAAAAAAAA29 -P '~/Library/MobileDevice/Provisioning Profiles/blah.mobileprovision'

Deploy in debugging mode

ios-deploy --bundle blah.app -W -d {this might take a while - be patient - lldb will load} Run in debug mode without installing again

ios-deploy -b blah.app -W -m

Use objection

objection explore

Reversing/Patching - use Hopper