Getting Started With Objection + Frida
How to get started assessing iOS apps on a nailed device using Objection. which enables us to assess an iOS app in an environment using Frida.
In this blog I will explain how to get started assessing iOS apps on a jailed device using Objection. Objection also works with Android but our focus in this article will be on iOS. Objection enables us to assess an iOS app in an environment using Frida and it makes short work of re-signing the IPA, installing the app, and other tasks.
For example. with Objection you can browse the file system without the need to jailbreak the device. This is great when you assess an iOS app that requires the latest version and no jailbreak is available. Here is a great blog post that goes into more detail on Objection. I would also suggest reading more about Frida.
In this tutorial I am using a MacBook with Xcode installed with security, codesign, and xcodebuild. These should be installed by default but it's worth mentioning just in case. We also need to have a non-expired mobile provisioning file. Head over to my other article on SecJuice to learn how to create a provisioning file. I am also using Damn Vulnerable iOS app for this tutorial.
IPA Binary Prerequisites
If you don’t already have npm installed use the following command:
brew install npm
Install insert_dylib: https://github.com/Tyilo/insert_dylib
cd insert_dylib xcodebuild cp build/Release/insert_dylib /usr/local/bin/insert_dylib
Go ahead and install applesign and ios-deploy. ios-deploy will be used in a later step but we will go ahead and install it.
npm install -g applesign npm install ios-deploy
If you run into issues installing ios-deploy you might need to review the below. Find out more at: https://github.com/phonegap/ios-deploy
OS X 10.11 El Capitan or greater
If you are not using a node version manager like nvm or n, you may have to do either of these three things below when under El Capitan:
- Add the --unsafe-perm=true flag when installing ios-deploy
- Add the --allow-root flag when installing ios-deploy
- Ensure the nobody user has write access to /usr/local/lib/node_modules/ios-deploy/ios-deploy
Patch the Binary
Find your code signing identity:
security find-identity -p codesigning -v
Use Objection to patch the IPA file with Frida and re-sign it.
objection patchipa --source binary.ipa --codesign-signature D3333344445555...
At this point you should have a new repackaged IPA binary ready to be installed.
Install the IPA Binary
Attach the Apple device and keep it unlocked. Run the following command:
ios-deploy --bundle Payload/binary.app -W -d
In the terminal it will show success and the lldb debugger. On the Apple device the application will appear to be frozen.
Testing with Objection
In another terminal use the following command to launch the application:
To get an idea of how objection works I will perform a few tasks.
Insecure Data Storage
One of the exercises with Damn Vulnerable iOS include storing data insecurely in a .plist file. To begin you will need to access the Menu from the Apple device and go to Insecure Data Storage. From there click on Plist and fill out the form and save.
Now let’s locate the file using Objection.
Let’s first get an idea of what our environment looks like with the “env” command:
Let’s change into the DocumentDirectory to see what is available.
Looks like we have a userInfo.plist file located under the DocumentDirectory
You can use one or all of the following commands to either download or view the userInfo.plist file.
Run an OS command with “!” following by the command, such as cat.
Use the following command:
ios plist cat userInfo.plist
Or download the file with:
file download userInfo.plist
Using the “ios plist cat userInfo.plist” command and we can see the credentials that I entered.
Side Channel Data Leakage
In the iOS menu app there is a test for Pasteboard in the Side Channel Data Leakage. Using Objection enable the job with the command:
ios pasteboard monitor
From the iOS app enter some information under the Pasteboard option. Objection will monitor and display the information.
Disable Certificate Pinning
A few other useful commands while working with Objection is,
ios sslpinning disable
As you can see it attempts to disable certificate pinning.
Import Frida Scripts
You can also import frida scripts which provide many scripts at your disposal. Take a look at CodeShare to get an idea of some of the available scripts out there.
As you can see Objection makes testing an iOS app much easier from re-signing the app to testing for vulnerabilities. With the ability to import Frida scripts you can take advantage of the many scripts out there.