From ae207250f58cf655b65df79f9dc94ecfd8538957 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 27 Feb 2026 18:44:33 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20Gadgetinjector=20?= =?UTF-8?q?=E2=80=94=20Frida=20Gadget=20injector=20for=20iOS=2017=20/=20iO?= =?UTF-8?q?S=2018=20I...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ios-pentesting-without-jailbreak.md | 40 ++++++++++++++++--- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 1f226fae017..58689f6044a 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md @@ -10,7 +10,6 @@ However, it’s not as easy as just pulling the IPA, re-signing it with the enti With an old jailbroken device, it's possible to install the IPA, **decrypt it using your favourite tool** (such as Iridium or frida-ios-dump), and pulling it back off the device. Although, if possible, it's recommended to just as the client for the decrypted IPA. - ## Obtain decrypted IPA ### Get it from Apple @@ -24,7 +23,6 @@ With an old jailbroken device, it's possible to install the IPA, **decrypt it us Check [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) for more detailed information about this process. - ### Decrypting the app In order to decrypt the IPA we are going to install it. However, if you have an old jailbroken iPhone, potentailly it's version is not going to be supported by the application as usually apps only suports latests versions. 
@@ -54,7 +52,6 @@ Note that you might need **AppSync Unified tweak** from Cydia to prevent any `in Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA. - ### Patch entitlements & re-sign In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that allows to very easily resing an IPA file indicating the IPA to re-sign, to **put it `get-taks-allow`** and the certificate and provisioning profile to use. 
@@ -104,6 +101,40 @@ frida -U -f com.example.target -l my_script.js --no-pause Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box. +### Frida Gadget injection in non-jailbroken IPAs (listen mode) + +If you can **modify and re-sign an IPA**, you can embed **Frida Gadget** and patch the Mach-O to load it via **`@rpath`** at startup. This enables Frida/Objection without a jailbreak (the device must accept the re-signed IPA). + +A practical workflow is to use **GadgetInjector** (Python tool) to inject `FridaGadget.dylib` and generate a listen-mode configuration: + +```bash +python3 gadget_injector.py MyApp.ipa +# Output: MyApp-frida-listen.ipa +``` + +**Re-signing constraints** (important for non-jailbroken installs): + +- Sign **all embedded dylibs** with the **same Team ID**. +- Do **not** add extra entitlements to `FridaGadget.dylib`. + +After re-signing and installing the IPA, attach in listen mode: + +```bash +# (Optional) start the app paused +xcrun devicectl device process launch \ + --device \ + --start-stopped + +# Forward Frida listen port over USB (default 27042) +pymobiledevice3 usbmux forward 27042 27042 + +# Objection +objection -g explore + +# Or Frida CLI +frida -H 127.0.0.1:27042 -n MyApp +``` + ### Automated dynamic analysis with MobSF (no jailbreak) [MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: 
@@ -124,9 +155,8 @@ MobSF will automatically deploy the binary, enable a Frida server inside the app * Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 transparently handles PAC stripping — just keep both *frida-server* and the Python/CLI toolchain up-to-date when a new major iOS version ships. ## References - - [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) - Apple developer documentation – Enabling Developer Mode on a device: - Mobile Security Framework (MobSF): - +- [https://github.com/Saurabh221662/GadgetInjector](https://github.com/Saurabh221662/GadgetInjector) {{#include ../../banners/hacktricks-training.md}}
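Review bot: the first hunk (`@@ -10,7 +10,6 @@`) only drops a blank line before `## Obtain decrypted IPA`, but the context lines it carries have typos that should go in the same commit since the region is being touched anyway: `it's recommended to just as the client for the decrypted IPA` should read `just ask the client`, and `potentailly it's version is not going to be supported by the application as usually apps only suports latests versions` should read `potentially its version will not be supported by the application, as apps usually only support the latest versions`.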
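Review bot: the second hunk (`@@ -54,7 +52,6 @@`) also only removes whitespace, yet its context misspells the one identifier readers need to get right: `to **put it `get-taks-allow`**` should be `to **add the `get-task-allow` entitlement**`. While there, `Once intalled` should be `Once installed` and `very easily resing an IPA file` should be `very easily re-sign an IPA file`.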
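Review bot: the attach commands added in the new `### Frida Gadget injection in non-jailbroken IPAs (listen mode)` section do not run as written. `xcrun devicectl device process launch --device --start-stopped` is missing both the value for `--device` and the bundle identifier of the app to launch; at minimum use placeholders such as `--device <device-id>` and `<bundle-id>` so the reader knows what to fill in. `objection -g explore` is wrong because `-g`/`--gadget` takes the target name, so `explore` is consumed as the gadget name and no subcommand remains; and since the preceding step forwards port 27042 to localhost, objection has to be pointed at that network endpoint (`objection -N -h 127.0.0.1 -p 27042 -g <name> explore`), otherwise the `pymobiledevice3 usbmux forward` step does nothing for it. For `frida -H 127.0.0.1:27042 -n MyApp`, the Frida docs attach to a listen-mode gadget under the name `Gadget` rather than the app name, so verify with `frida-ps -H 127.0.0.1:27042` before publishing the `-n MyApp` form. Finally, the text says the tool "generate[s] a listen-mode configuration" but never shows the generated config or says which Gadget build is embedded; the Gadget version must match the frida client version the reader has installed, and whether the config's `on_load` waits for a client decides whether the `--start-stopped` launch is needed at all. One sentence on each, or the generated `.config` file itself, would close that gap.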
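Review bot: in the references hunk the new entry `- [https://github.com/Saurabh221662/GadgetInjector](...)` is the only place the tool is linked, while the body introduces it as plain `**GadgetInjector** (Python tool)`; the file's other sources are linked where they are first mentioned (`Check [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed]...`), so link the repo inline there as well. Also note that the two neighbouring entries being reflowed, `Apple developer documentation – Enabling Developer Mode on a device:` and `Mobile Security Framework (MobSF):`, end in a bare colon with no URL, so this list is already missing links that should be restored in the same pass.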