In this blog I will explain how to get started assessing iOS apps on a jailed device using Objection.  Objection also works with Android but our focus in this article will be on iOS.  Objection enables us to assess an iOS app in an environment using Frida and it makes short work of re-signing the IPA, installing the app, and other tasks.  

For example. with Objection you can browse the file system without the need to jailbreak the device.  This is great when you assess an iOS app that requires the latest version and no jailbreak is available.  Here is a great blog post that goes into more detail on Objection.  I would also suggest reading more about Frida.    

Getting Started

In this tutorial I am using a MacBook with Xcode installed with security, codesign, and xcodebuild.  These should be installed by default but it's worth mentioning just in case.  We also need to have a non-expired mobile provisioning file.  Head over to my other article on SecJuice to learn how to create a provisioning file.  I am also using Damn Vulnerable iOS app for this tutorial.  

IPA Binary Prerequisites

If you don’t already have npm installed use the following command:

brew install npm

Install insert_dylib: https://github.com/Tyilo/insert_dylib

cd insert_dylib
xcodebuild
cp build/Release/insert_dylib /usr/local/bin/insert_dylib

Go ahead and install applesign and ios-deploy. ios-deploy will be used in a later step but we will go ahead and install it.

npm install -g applesign
npm install ios-deploy

If you run into issues installing ios-deploy you might need to review the below. Find out more at: https://github.com/phonegap/ios-deploy

OS X 10.11 El Capitan or greater

If you are not using a node version manager like nvm or n, you may have to do either of these three things below when under El Capitan:

  1. Add the --unsafe-perm=true flag when installing ios-deploy
  2. Add the --allow-root flag when installing ios-deploy
  3. Ensure the nobody user has write access to /usr/local/lib/node_modules/ios-deploy/ios-deploy

Patch the Binary  

Find your code signing identity:

security find-identity -p codesigning -v

Use Objection to patch the IPA file with Frida and re-sign it.

objection patchipa --source binary.ipa --codesign-signature D3333344445555...

At this point you should have a new repackaged IPA binary ready to be installed.

Install the IPA Binary

unzip binary-frida-codesigned.ipa

Attach the Apple device and keep it unlocked. Run the following command:

ios-deploy --bundle Payload/binary.app -W -d

In the terminal it will show success and the lldb debugger. On the Apple device the application will appear to be frozen.

Screen Shot 2018-01-10 at 1.05.08 PM

Testing with Objection

In another terminal use the following command to launch the application:

objection explore
Screen Shot 2018-01-10 at 1.06.44 PM

To get an idea of how objection works I will perform a few tasks.  

Insecure Data Storage

One of the exercises with Damn Vulnerable iOS include storing data insecurely in a .plist file. To begin you will need to access the Menu from the Apple device and go to Insecure Data Storage. From there click on Plist and fill out the form and save.

Now let’s locate the file using Objection.

Let’s first get an idea of what our environment looks like with the “env” command:

env
Screen Shot 2018-01-10 at 4.29.22 PM

Let’s change into the DocumentDirectory to see what is available.

cd /var/mobile/Containers/Data/Application/F4E7A577-162F-4B30-9566-703101C394D6/Documents

Looks like we have a userInfo.plist file located under the DocumentDirectory

Screen Shot 2018-01-10 at 4.33.13 PM

You can use one or all of the following commands to either download or view the userInfo.plist file.

Run an OS command with “!” following by the command, such as cat.

!cat userInfo.plist

Use the following command:

ios plist cat userInfo.plist

Or download the file with:

file download userInfo.plist

Using the “ios plist cat userInfo.plist” command and we can see the credentials that I entered.

Screen Shot 2018-01-10 at 5.05.59 PM

Side Channel Data Leakage

In the iOS menu app there is a test for Pasteboard in the Side Channel Data Leakage. Using Objection enable the job with the command:

ios pasteboard monitor

From the iOS app enter some information under the Pasteboard option. Objection will monitor and display the information.

Screen Shot 2018-01-10 at 9.47.50 PM

Disable Certificate Pinning

A few other useful commands while working with Objection is,

ios sslpinning disable
Screen Shot 2018-01-10 at 5.11.18 PM.png

As you can see it attempts to disable certificate pinning.

Import Frida Scripts

You can also import frida scripts which provide many scripts at your disposal.  Take a look at CodeShare to get an idea of some of the available scripts out there.    

import <FridaScript>

As you can see Objection makes testing an iOS app much easier from re-signing the app to testing for vulnerabilities.  With the ability to import Frida scripts you can take advantage of the many scripts out there.  

The awesome GIF used to head this article is called Jail Time and it was created by John Rowley.