The objective of this post is to explain how to install an IPA binary onto a jailed (non-jailbroken) iOS device.  It sounds like a trivial process, but on iOS, if you don't install directly from the App Store you must re-sign the binary.  This blog post goes into the details of how to take an IPA binary, re-sign it with your developer account, and install it onto your device.  In our case, we will use a MacBook Pro and an iPad.

Why would someone want to sideload an iOS application?  For me, the primary reason is security assessments.  You may also want to patch the IPA (for example, to inject Frida).  Someone may also be part of the development team or a beta program.  In these cases, the application may not be available in the App Store.  Most everyday users will not need to sideload an app.  Ensure you trust the source of the binary before you sideload it.

The first obstacle we must overcome is that the IPA was provisioned and signed with another developer's certificate.  We will not be able to simply install the application as-is, because the IPA is signed under another developer's account.  Basically, we must create our own developer account and re-sign the application using our own certificate.

The first step is to set up Xcode on your MacBook.

Xcode Setup

1.  Install Xcode – https://developer.apple.com/xcode/
2.  Create a developer account - A free account will work but will be limited.  In this article, a free account will be used.
3.  Start Xcode and go to Xcode, Preferences, then click on the + to add the developer account.
Picture1

4.  Click on Manage Certificates.

5.  Select iOS Development Certificate - A new certificate will be created.

Picture2

6.  Click Done.  

Create a Mobile Provisioning Profile

The provisioning profile contains information that identifies the developer.  It is needed to re-sign the application so that it can be installed on the iPad.  An individual account is limited to a specific set of devices; paid accounts are available for enterprise users without that limitation.
At the end of these steps, a new mobile provisioning profile will have been created, with a .mobileprovision extension.  This new profile will be used in a later step to re-sign the IPA binary.

1.  Start Xcode and create a new "single view application" project.
2.  Choose a team name and select Objective-C.
3.  Plug in the device and keep it plugged in for the entire process.
4.  Make sure the Deployment Target version matches the iPad version.  In this case, both should be at 11.1.

Picture3


5.  From the left side of Xcode choose the connected iPad device.

Picture4


6.  At this point, a provisioning profile should be created and ready for use.

Picture5


7.  Note that when using the free developer account, the provisioning profile will expire after a certain number of days.

Picture6


8.  From the iPad, click General -> Device Management, then select your Developer App certificate to trust it.  Make sure the device is connected to the Internet or this step will not work.
9.  Press the play button, which will create the .mobileprovision file.
10. The file will be located under:
~/Library/MobileDevice/Provisioning Profiles
You can find this by opening Finder on the Mac, clicking Go, then Go To Folder.
11. Once the .mobileprovision file is found, copy it to another location.

Re-sign the IPA

The next steps can be completed manually, but to make this process a little easier we will use a tool called applesign:  https://github.com/nowsecure/node-applesign
1.  Install NodeJS – https://nodejs.org/en/download/
2.  git clone https://github.com/nowsecure/node-applesign.git
3.  This is where the .mobileprovision file will be used.  I renamed it to embedded.mobileprovision.
4.  Find the signing identity by using this command:

./applesign.js -L

5.  Run this command, with the identity hash from step 4 after -i:

./path/to/applesign.js -i  -m embedded.mobileprovision iGoat.ipa

Congratulations!  We now have a re-signed iGoat binary that can be installed using Xcode.
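As an added example (not code from the original post or from applesign), here is a Python helper to check the copied .mobileprovision before step 5: whether it has expired (see step 7 of the provisioning section), whether it lists the iPad's UDID, whether it carries get-task-allow, and the SHA-1 fingerprints of its certificates, which is the identity hash form that `applesign -L` prints and `-i` expects.  The UDID, team ID, bundle ID and certificate bytes in the sample profile are constructed placeholders, and the plist is carved out of the CMS wrapper by locating the XML span rather than calling macOS `security cms`.

```python
import hashlib
import plistlib
import sys
from datetime import datetime, timezone


def load_profile_plist(raw: bytes) -> dict:
    """Carve the XML plist out of raw .mobileprovision bytes (a CMS-signed blob)."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def identity_hash(cert_der: bytes) -> str:
    """SHA-1 fingerprint of a DER certificate, the form `applesign -L` lists and `-i` takes."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def check_profile(raw: bytes, device_udid: str, now: datetime = None) -> dict:
    """Summarise whether this profile can be used to re-sign an IPA for device_udid."""
    p = load_profile_plist(raw)
    ents = p.get("Entitlements", {})
    expires = p["ExpirationDate"]
    if expires.tzinfo is None:  # plistlib yields naive datetimes; plist dates are UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return {
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "expired": expires <= (now or datetime.now(timezone.utc)),
        "device_allowed": device_udid in p.get("ProvisionedDevices", []),
        # get-task-allow is set on development profiles: a debugger (or Frida) may attach.
        "debuggable": bool(ents.get("get-task-allow", False)),
        "identity_hashes": [identity_hash(c) for c in p.get("DeveloperCertificates", [])],
    }


# Constructed sample: fake CMS padding around a plist with a placeholder certificate.
SAMPLE_PROFILE = b"\x30\x82\x00\x00fake-cms-header" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
<key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
<key>ProvisionedDevices</key><array><string>00008020-000000000000002E</string></array>
<key>DeveloperCertificates</key><array><data>ZmFrZS1jZXJ0</data></array>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.sideload</string>
<key>get-task-allow</key><true/>
</dict></dict></plist>""" + b"\x00fake-cms-trailer"

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for k, v in check_profile(raw, sys.argv[2] if len(sys.argv) > 2 else "").items():
        print(f"{k}: {v}")
```

Run it as `python3 check_profile.py embedded.mobileprovision <iPad UDID>`; if `device_allowed` is false or `expired` is true, go back to the provisioning section before re-signing.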

Install the application

1.  Open Xcode.
2.  Click on Window, then Devices and Simulators.
Picture7

3.  Make sure the iPad is plugged in and unlocked.

4.  Drag and drop the re-signed IPA file onto Installed Apps.

Picture8


5.  At this point, we have installed the application and can use it as normal.

The artwork used to head this article is called "Break Free" and it was created by Andreas Wikström.