Ipa installation by @NVISOSecurity #3100
Conversation
There was a problem hiding this comment.
Great content @TheDauntless! Also the warnings/tips for AppSync and libimobiledevice are spot on! I've reviewed the tools, planning to do the rest today or tomorrow.
| @@ -8,3 +8,6 @@ source: https://sideloadly.io/ | |||
| --- | |||
|
|
|||
| [Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. | |||
|
|
|||
| !!! warning "Do not use your personal Apple account" | |||
| To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. | |||
There was a problem hiding this comment.
What would be the restrictions when using a paid developer account?
There was a problem hiding this comment.
Not sure I understand this comment.
There was a problem hiding this comment.
You are writing:
To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website.
I don't understand what the restrictions would be for a paid developer account. I also couldn't find anything on the sideloadly website.
A free account has a of course restrictions (7 days valid etc.)
There was a problem hiding this comment.
Oh, right. I've linked to the technique now which explains it. The paid account still has restrictions (365 days), so I think the text still makes sense.
There was a problem hiding this comment.
Ok. But shall we remove this sentence?
"Both types come with certain restrictions, as explained on the Sideloadly website."
If this is explained on the sideloadly website, let's link to it. But I couldn't find it.
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
|
Thanks for the review so far! |
There was a problem hiding this comment.
@TheDauntless reviewed more techniques, but not done yet. Thanks for the nice summary!
| After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`: | ||
| If you've repackaged an application with a Frida Gadget, or if you want to attach @MASTG-TOOL-0057 to the application, you have to launch the application in debug mode. When you launch the application via SpringBoard, it will not launch in debug mode and the application will crash. | ||
|
|
||
| After the application has been installed using @MASTG-TECH-TOOL-0056, you can launch it in debug mode using the following commands: |
There was a problem hiding this comment.
| After the application has been installed using @MASTG-TECH-TOOL-0056, you can launch it in debug mode using the following commands: | |
| After the application has been installed using @MASTG-TECH-0056, you can launch it in debug mode using the following commands. | |
| > Note that the commands that are part of @MASTG-TOOL-0126 refer to the latest version available from Github. If you installed them via brew or other package managers, you may have an older version with different command line flags. |
| @@ -8,3 +8,6 @@ source: https://sideloadly.io/ | |||
| --- | |||
|
|
|||
| [Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. | |||
|
|
|||
| !!! warning "Do not use your personal Apple account" | |||
| To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. | |||
There was a problem hiding this comment.
You are writing:
To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website.
I don't understand what the restrictions would be for a paid developer account. I also couldn't find anything on the sideloadly website.
A free account has a of course restrictions (7 days valid etc.)
| com.google.Maps, "24.50.0", "Google Maps" | ||
|
|
||
| # Run in debug mode | ||
| $ idevicedebug -d run sg.vp.UnCrackable1.QH868V5764 |
There was a problem hiding this comment.
Unfortunately this always failed for my iOS 15.8.3 device (jailbroken). I couldn't find a DeveloperDiskImage for 15.8.3, but one for 15.7 but couldn't mount it. Were you testing this on macOS? I am using macOS sequoia 15.1.1 and Xcode 16.2
07:42:10 lockdown.c:278 lockdownd_stop_session(): success
07:42:10 idevice.c:1193 idevice_connection_disable_bypass_ssl(): Skipping bidirectional SSL shutdown. SSL error code: 5
07:42:10 idevice.c:1208 idevice_connection_disable_bypass_ssl(): SSL mode disabled
07:42:10 service.c:98 service_client_factory_start_service(): Could not start service com.apple.debugserver!
Could not start com.apple.debugserver!
Please make sure to mount the developer disk image first:
1) Get the iOS version from `ideviceinfo -k ProductVersion`.
2) Find the matching iPhoneOS DeveloperDiskImage.dmg files.
3) Run `ideviceimagemounter` with the above path.
There was a problem hiding this comment.
It works on my machine / device:
- macOS 15.2 (24C101)
- XCode 16.2 (16C5032a)
- iOS 15.8.3 (non-jb)
- idevicedebug 1.3.0-260-gc8cdf20
In installed via Sideloadly
idevicedebug -d run sg.vp.UnCrackable12
working_directory: /private/var/mobile/Containers/Data/Application/9C89C011-33D7-421B-9934-B92488F49486
Setting logging bitmask...
Setting maximum packet size...
Setting working directory...
Setting argv...
app_argv[0] = /private/var/containers/Bundle/Application/F7FDC3A7-2055-46B8-A88B-2764BF84ACD2/UnCrackable Level 1.app/UnCrackable Level 1
Checking if launch succeeded...
Setting thread...
Continue running process...Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
Co-authored-by: Sven <[email protected]>
|
|
||
| If you have any issues, try installing the libraries from source, as the precompiled version may be outdated. | ||
| On Linux and also macOS, you can alternatively use @MASTG-TOOL-0126. This allows you to install apps over a USB connection by executing ideviceinstaller. The connection is implemented with the USB multiplexing daemon [usbmuxd](https://www.theiphonewiki.com/wiki/Usbmux "Usbmux"), which provides a TCP tunnel over USB. |
There was a problem hiding this comment.
| On Linux and also macOS, you can alternatively use @MASTG-TOOL-0126. This allows you to install apps over a USB connection by executing ideviceinstaller. The connection is implemented with the USB multiplexing daemon [usbmuxd](https://www.theiphonewiki.com/wiki/Usbmux "Usbmux"), which provides a TCP tunnel over USB. | |
| On Linux and also macOS, you can alternatively use @MASTG-TOOL-0126. This allows you to install apps over a USB connection by executing `ideviceinstaller`. The connection is implemented with the USB multiplexing daemon [usbmuxd](https://www.theiphonewiki.com/wiki/Usbmux "Usbmux"), which provides a TCP tunnel over USB. |
|
|
||
| After the installation you have several new command line tools available, such as `ideviceinfo`, `ideviceinstaller` or `idevicedebug`. Let's install and debug the @MASTG-APP-0028 app with the following commands: | ||
| Let's install and debug the @MASTG-APP-0028 app with the following commands: |
There was a problem hiding this comment.
| Let's install and debug the @MASTG-APP-0028 app with the following commands: | |
| Let's install the @MASTG-APP-0028 app with the following command: |
| @@ -56,18 +43,35 @@ On macOS you can also use the @MASTG-TOOL-0054 tool to install iOS apps from the | |||
|
|
|||
| ```bash | |||
| unzip Name.ipa | |||
There was a problem hiding this comment.
| unzip Name.ipa | |
| $ unzip UnCrackable.ipa |
| @@ -56,18 +43,35 @@ On macOS you can also use the @MASTG-TOOL-0054 tool to install iOS apps from the | |||
|
|
|||
| ```bash | |||
| unzip Name.ipa | |||
| ios-deploy --bundle 'Payload/Name.app' -W -d -v | |||
| ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v | |||
There was a problem hiding this comment.
| ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v | |
| $ ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v |
|
|
||
| ```bash | ||
| ios-deploy --bundle 'Payload/Name.app' -W -d -v -m | ||
| # Get the correct device id | ||
| $ idevice_id |
There was a problem hiding this comment.
| $ idevice_id | |
| $ xcrun devicectl list devices |
Let's use the xcode cli tools if we anyway use them for installing the IPA.
|
|
||
| After following any of the techniques of @MASTG-TECH-0057, your application will be running with the `get-task-allow` entitlement, which means it can be debugged. This means that the `frida` CLI tool can spawn the application and inject the Frida Gadget automatically, even on non-jailbroken devices. | ||
|
|
||
| First, download the latest version of the Frida Gadget and move it to `/Users/<USER>/.cache/frida/gadget-ios.dylib`: |
There was a problem hiding this comment.
| First, download the latest version of the Frida Gadget and move it to `/Users/<USER>/.cache/frida/gadget-ios.dylib`: | |
| First, download the latest version of the Frida Gadget and move it to `/Users/<USER>/.cache/frida/gadget-ios.dylib`. Frida is released frequently, so find the latest version available on the [Github releases page](https://github.com/frida/frida/releases) or download on the command line: |
|
|
||
| ```bash | ||
| wget https://github.com/frida/frida/releases/download/16.5.9/frida-gadget-16.5.9-ios-universal.dylib.gz | ||
| gzip -d frida-gadget-16.5.9-ios-universal.dylib.gz |
There was a problem hiding this comment.
| gzip -d frida-gadget-16.5.9-ios-universal.dylib.gz | |
| $ gzip -d frida-gadget-X.Y.Z-ios-universal.dylib.gz |
| ```bash | ||
| wget https://github.com/frida/frida/releases/download/16.5.9/frida-gadget-16.5.9-ios-universal.dylib.gz | ||
| gzip -d frida-gadget-16.5.9-ios-universal.dylib.gz | ||
| mv frida-gadget-16.5.9-ios-universal.dylib /Users/MAS/.cache/frida/gadget-ios.dylib |
There was a problem hiding this comment.
| mv frida-gadget-16.5.9-ios-universal.dylib /Users/MAS/.cache/frida/gadget-ios.dylib | |
| mv frida-gadget-X.Y.Z-ios-universal.dylib /Users/MAS/.cache/frida/gadget-ios.dylib |
| @@ -50,6 +54,37 @@ $ fastlane resignipa | |||
| [15:22:03]: fastlane.tools finished successfully 🎉 | |||
| ``` | |||
|
|
|||
| After having this set up once, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. | |||
| After setting this set up, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. | |||
There was a problem hiding this comment.
| After setting this set up, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. | |
| Once this is set up, all you need to do is change the path in the `Fastfile' for the IPA you want to resign and run the command again. |
| @@ -8,3 +8,6 @@ source: https://sideloadly.io/ | |||
| --- | |||
|
|
|||
| [Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. | |||
|
|
|||
| !!! warning "Do not use your personal Apple account" | |||
| To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. | |||
There was a problem hiding this comment.
Ok. But shall we remove this sentence?
"Both types come with certain restrictions, as explained on the Sideloadly website."
If this is explained on the sideloadly website, let's link to it. But I couldn't find it.
A cleanup of all the iOS signing / installing / running in debug mode.
I tried to be pragmatic, focussing on different techniques that work (I tested all of them, it was not a fun day) and also focussing on modern solutions rather than keep holding on to outdated ones.
This fixes #3090