Expand Up @@ -10,7 +10,6 @@ However, it’s not as easy as just pulling the IPA, re-signing it with the enti

With an old jailbroken device, it's possible to install the IPA, **decrypt it using your favourite tool** (such as Iridium or frida-ios-dump), and pulling it back off the device. Although, if possible, it's recommended to just as the client for the decrypted IPA.


## Obtain decrypted IPA

### Get it from Apple
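Review bot: this hunk only drops a blank line, but the context line it touches still reads "it's recommended to just as the client for the decrypted IPA", which should be "just ask the client"; while the paragraph is being edited, also change "and pulling it back off the device" to "and pull it back off the device" so the verbs in that sentence agree.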
Expand All @@ -24,7 +23,6 @@ With an old jailbroken device, it's possible to install the IPA, **decrypt it us

Check [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) for more detailed information about this process.


### Decrypting the app

In order to decrypt the IPA we are going to install it. However, if you have an old jailbroken iPhone, potentailly it's version is not going to be supported by the application as usually apps only suports latests versions.
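Review bot: same whitespace-only change here, but the context line "potentailly it's version is not going to be supported by the application as usually apps only suports latests versions" carries four errors that the commit could fix at the same time: "potentially", "its version", "supports", "latest versions".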
Expand Down Expand Up @@ -54,7 +52,6 @@ Note that you might need **AppSync Unified tweak** from Cydia to prevent any `in

Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA.


### Patch entitlements & re-sign

In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that allows to very easily resing an IPA file indicating the IPA to re-sign, to **put it `get-taks-allow`** and the certificate and provisioning profile to use.
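Review bot: the entitlement name in the context line "to **put it `get-taks-allow`**" is misspelt; this is more than cosmetic because readers copy that string into their signing tool, so it should read `get-task-allow` as elsewhere on the page. "Once intalled" and "resing an IPA file" in the same hunk should be "Once installed" and "re-sign an IPA file".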
Expand Down Expand Up @@ -104,6 +101,40 @@ frida -U -f com.example.target -l my_script.js --no-pause

Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box.

### Frida Gadget injection in non-jailbroken IPAs (listen mode)

If you can **modify and re-sign an IPA**, you can embed **Frida Gadget** and patch the Mach-O to load it via **`@rpath`** at startup. This enables Frida/Objection without a jailbreak (the device must accept the re-signed IPA).

A practical workflow is to use **GadgetInjector** (Python tool) to inject `FridaGadget.dylib` and generate a listen-mode configuration:

```bash
python3 gadget_injector.py MyApp.ipa
# Output: MyApp-frida-listen.ipa
```

**Re-signing constraints** (important for non-jailbroken installs):

- Sign **all embedded dylibs** with the **same Team ID**.
- Do **not** add extra entitlements to `FridaGadget.dylib`.

After re-signing and installing the IPA, attach in listen mode:

```bash
# (Optional) start the app paused
xcrun devicectl device process launch \
--device <UDID> \
--start-stopped <bundle-id>

# Forward Frida listen port over USB (default 27042)
pymobiledevice3 usbmux forward 27042 27042

# Objection
objection -g <bundle-id> explore

# Or Frida CLI
frida -H 127.0.0.1:27042 -n MyApp
```

### Automated dynamic analysis with MobSF (no jailbreak)

[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
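Review bot: the attach commands at the end of the new section target the wrong name. In listen mode Frida Gadget registers itself as a process called `Gadget`, not the app name or bundle id, so `frida -H 127.0.0.1:27042 -n MyApp` and `objection -g <bundle-id> explore` are unlikely to resolve; use `frida -H 127.0.0.1:27042 -n Gadget` and `objection -g Gadget explore` (objection's default gadget name), or state the name the generated config sets. Second, the "(Optional) start the app paused" step with `xcrun devicectl ... --start-stopped` conflicts with how the Gadget works: a process stopped before the dylib loads cannot accept a connection on 27042, and the listen interaction defaults to `on_load: wait`, which already suspends the app until a client attaches, so either drop the devicectl step or explain which `on_load` value the GadgetInjector config uses and when the app should be resumed. Third, `python3 gadget_injector.py MyApp.ipa` gives the reader nothing to fetch; link the GadgetInjector repository inline rather than only in the references, and say which IPA it expects (decrypted, per the sections above). Finally, the MobSF context line that follows still has a stray `【】` citation marker and writes the entitlement as `get_task_allow` (underscore) while the rest of the page uses `get-task-allow`.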
Expand All @@ -124,9 +155,8 @@ MobSF will automatically deploy the binary, enable a Frida server inside the app
* Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 transparently handles PAC stripping — just keep both *frida-server* and the Python/CLI toolchain up-to-date when a new major iOS version ships.

## References

- [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
- Apple developer documentation – Enabling Developer Mode on a device: <https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device>
- Mobile Security Framework (MobSF): <https://mobsf.github.io/Mobile-Security-Framework-MobSF/>

- [https://github.com/Saurabh221662/GadgetInjector](https://github.com/Saurabh221662/GadgetInjector)
{{#include ../../banners/hacktricks-training.md}}
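Review bot: make sure the new GadgetInjector bullet ends up inside the References list with no blank line between it and the MobSF entry, otherwise it renders as a separate paragraph; give it a short title like the Apple and MobSF entries (for example "GadgetInjector: <url>") instead of a bare URL, and keep the blank line between the list and the `{{#include ...}}` banner so the include is not swallowed into the last bullet.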