Is it possible to run a security assessment on an iOS application using a non-jailbroken device?

My device was recently restored (recovered - no SHSH blobs) to iOS 8.4.1 (as Apple doesn't like people using less than the latest firmware versions) and as there is no public jailbreak method available to fix this (probably for the next few weeks), the required tools can't be installed (as far as I know).

So, has anyone done anything like this?

DarkLighting

1 Answer
Recently, I was able to downgrade my iOS 8.4.1 to 8.4 and jailbreak. However, as you alluded to, this is no longer possible especially without the SHSH blobs.

There are ways to perform a security assessment on a jailed iOS device. The method was first detailed here -- http://forum.unity3d.com/threads/urgent-mac-app-review-team-rejected-because-gamekit-framework-linked.261354/ -- but further elaboration to modern mobile app penetration testing needs was discussed by Carl Livitt on the Bishop Fox blog in a two-part series:

You will find that some services, such as IBM's BlueMix AppScan Mobile Analyzer for iOS, will perform similar (but perhaps not the same) assessments using jailed iOS devices.

Once you have enabled use of Cydia Substrate (or cycript), it shouldn't be much of a challenge to get the standard Theos, Logos, idb, and Frida tools working. You can read more about Theos and Logos (and associated infrastructure) in the "Tweak Development Using Theos and Logos" subsection of the Mobile Application Hacker's Handbook, as well as Frida and Cydia Substrate in its section on "Attacking the iOS Runtime". More information on idb can be found in the book, "Learning iOS Forensics". Hooking some functions that accept a variety of arguments can be an additional challenge, but there is some concept code capable of hooking variadic functions.

atdre
  • Well, if I understood everything correctly, I need to get an Apple registered developer key to sign them if I'm to make any changes to those IPA files, or install pretty much anything in it, right? Going in without this key will get me little information. I'm starting to think that it will be better to wait for the iOS 8.4.1 jailbreak that will be made public after the iOS 9 release date, as the Pangu team already demonstrated the PoC during "HackPwn 2015". – DarkLighting Sep 02 '15 at 22:00
  • I know, I'm still able to test the server application, network traffic, IPA package files and all. I will do that. I just think that the Apple signing key tax is not worth it, since I'm not a frequent iOS app developer (if Apple required a one-time fee like Google, maybe I would pay for it). – DarkLighting Sep 02 '15 at 22:21
  • It looks like you can use a free developer account with iOS 9 -- http://www.idownloadblog.com/2015/09/18/how-to-compile-apps-using-xcode-7-to-run-on-a-non-jailbroken-device/ – atdre Sep 21 '15 at 17:20
  • https://sensepost.com/blog/2017/objection-mobile-runtime-exploration/ -- https://github.com/sensepost/objection – atdre Jul 12 '17 at 18:06
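An added example (not code from the answer, the linked articles, or the books it cites) of the kind of Theos/Logos tweak the answer refers to: once a tweak can be loaded into the app under assessment on a jailed device, it hooks two storage APIs and logs what the app writes, so the assessor can check for sensitive values landing in NSUserDefaults or in keychain items stored with a weak accessibility class. The class, function and attribute names are Apple's; the `[assess]` log format is assumed.

```objectivec
// Tweak.xm, built with Theos (Logos syntax) and loaded into the target app.
// Purpose: record where the app persists data so the assessor can review the
// device log for credentials, tokens or PII written to insecure storage.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// NSUserDefaults is backed by a plist in the app container; anything written
// here is readable from a backup, so log the key, value class and value.
%hook NSUserDefaults
- (void)setObject:(id)value forKey:(NSString *)key {
    NSLog(@"[assess] NSUserDefaults setObject:forKey: key=%@ class=%@ value=%@",
          key, NSStringFromClass([value class]), value);
    %orig;
}
%end

// SecItemAdd is a plain C function, so Logos hooks it with %hookf.
// The kSecAttrAccessible value tells you whether the item is protected by
// the passcode (e.g. WhenUnlocked) or always readable (e.g. Always).
%hookf(OSStatus, SecItemAdd, CFDictionaryRef attributes, CFTypeRef *result) {
    NSDictionary *attrs = (__bridge NSDictionary *)attributes;
    NSLog(@"[assess] SecItemAdd account=%@ accessible=%@",
          attrs[(__bridge id)kSecAttrAccount],
          attrs[(__bridge id)kSecAttrAccessible]);
    return %orig;
}

// Runs when the tweak is loaded; confirms which process it was injected into.
%ctor {
    NSLog(@"[assess] storage tweak loaded into %@",
          [[NSBundle mainBundle] bundleIdentifier]);
}
```

Watch the device log (for example with Xcode's console) while exercising login and settings screens; a keychain item whose accessible attribute is not a WhenUnlocked or ThisDeviceOnly variant, or a secret appearing in an NSUserDefaults line, is a finding to report.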