ios.md

iOS Penetration Testing

A simple guide on how to get started with iOS penetration testing. Information about sources and versions is being kept up to date :)

Table of contents

• Jailbreak
• Cydia Sources
• Burp Suite
  • Bypass SSL pinning
  • Install CA certificate
  • Mobile Assistant
• Tools

Jailbreak

JB	Devices	Version
checkra1n	A7-A11	latest iOS
unc0ver	All	iOS 11.0 - 13.5
odyssey	All	iOS 13.0 - 13.7
fugu	A10-A10X	iOS 13 - 13.5.1
chimera	All	iOS 12.0 - 12.5
rootlessJB4	A7-A11	iOS 12.0 - 12.4.8
electra	All	iOS 11.0 - 11.4.1

Cydia Sources

• Spark - https://sparkdev.me/
• Ivano Bilenchi - https://ib-soft.net/cydia/
• Ryan Petrich - https://rpetri.ch/repo/
• Junes iPhone - https://junesiphone.com/supersecret/
• TigiSoftware - https://data.tigisoftware.com/cydia/
• Bingner - https://apt.bingner.com/
• XenPublic - https://xenpublic.incendo.ws/
• Nepeta - https://repo.nepeta.me/
• Skitty - https://skitty.xyz/repo/
• PoomSmart - https://poomsmart.github.io/repo/
• Packix - https://repo.packix.com/
• Evelyn's Collection - https://evynw.github.io/
• Julio Verne - https://julioverne.github.io/
• BigBoss - http://apt.thebigboss.org/repofiles/cydia/
• Chairz - https://repo.chairz.com/
• Dynastic - https://repo.dynastic.co/
• CreatureCoding - https://creaturecoding.com/repo/
• Buufjuiced - https://buufjuiced.yourepo.com/
• ModMyi - http://apt.modmyi.com/
• ZodTTD & MacCiti - http://cydia.zodttd.com/repo/cydia/

---

Burp Suite

• Bypass SSL pinning
  • Cydia dependencies
    • Debian Packager
    • Cydia Substrate
    • PreferenceLoader
  • Download latest release of ssl-kill-switch2
    • https://github.com/nabla-c0d3/ssl-kill-switch2/releases
  • Install

dpkg -i <package>.deb
killall -HUP SpringBoard

• Install CA certificate
  • Turn on burp proxy
  • Configure Wifi proxy settinngs
  • http://burp
  • Install certificate
• Mobile Assistant
  • https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing
  • enable Burp proxy on all interfaces
  • add as a source to cydia and install mobile assistant

---

Tools

• Frida
• FireCat
• Cycript
• Grapefruit
• Needle
• iRET
• Clutch
• iDB
• BinaryCookieReader
• iSpy
• iWep Pro
• 3UTools

Miscellaneous

• Fix PreferenceLoader for A12 devices that are using Chimera and Sileo

1. Reboot & RootFS 
2. Reboot & RootFS
3. Reboot & Jailbreak
4. Install Cephei (+ dependencies)
5. Add rpetri.ch/repo
6. Update RocketBootstrap

• Directories to check for tweak remains

/var/mobile/Library/Caches
/var/mobile/Library/Preferences
/var/root/Library/Caches
/var/root/Library/Preferences

• Check for information/files stored in device (3U TOOLS - SSH Tunnel):

/private/var/mobile/Containers/Data/Application/{HASH}/{BundleID-3uTools-getBundelID}
/private/var/containers/Bundle/Application/{HASH}/IPA_NAME}
/var/containers/Bundle/Application/{HASH}
/var/mobile/Containers/Data/Application/{HASH}

• Fast finds to check sensible strings stored in devices:

find /data/app -type f -exec grep --color -Hsiran "FINDTHIS" {} \;
find /data/app -type f -exec grep --color -Hsiran "\"value\":\"" {} \;

# Manual review
find APPPATH -iname "*localstorage-wal"