From 8cc3725238da7011473be91d988bf232e29e4f7a Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sun, 6 Oct 2024 16:34:40 +0200 Subject: [PATCH 1/2] updated patching IPAs --- techniques/ios/MASTG-TECH-0090.md | 10 ++---- techniques/ios/MASTG-TECH-0091.md | 33 +++++++---------- techniques/ios/MASTG-TECH-0092.md | 54 +++++----------------------- tools/ios/MASTG-TOOL-0113.md | 59 +++++++++++++++++++++++++++++++ tools/ios/MASTG-TOOL-0114.md | 1 + 5 files changed, 84 insertions(+), 73 deletions(-) create mode 100644 tools/ios/MASTG-TOOL-0113.md diff --git a/techniques/ios/MASTG-TECH-0090.md b/techniques/ios/MASTG-TECH-0090.md index 6fce7b0578..79338305c8 100644 --- a/techniques/ios/MASTG-TECH-0090.md +++ b/techniques/ios/MASTG-TECH-0090.md @@ -1,5 +1,5 @@ --- -title: Patching +title: Patching manually platform: ios --- @@ -11,13 +11,9 @@ unzip UnCrackable-Level1.ipa ## Patching Example: Installing Frida Gadget -IF you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first: +If you want to use Frida on non-jailbroken devices you'll need to include the `FridaGadget.dylib`. Download it first from the [Github release page](https://github.com/frida/frida/releases). The filename is `frida-gadget--ios-universal.dylib` and is compressed. -```bash -curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib -``` - -Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary. +Copy the `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary. ```bash $ unzip UnCrackable_Level1.ipa diff --git a/techniques/ios/MASTG-TECH-0091.md b/techniques/ios/MASTG-TECH-0091.md index 16c98c790e..09bf12ea05 100644 --- a/techniques/ios/MASTG-TECH-0091.md +++ b/techniques/ios/MASTG-TECH-0091.md 
@@ -1,32 +1,25 @@ --- -title: Library Injection +title: Patching automated platform: ios --- -If you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first: +If you want to use Frida on non-jailbroken devices you'll need to include the `FridaGadget.dylib` into the IPA. -```bash -curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib -``` +The tool @MASTG-TOOL-0038 will automate this task for you. Follow the instructions in the wiki for [patching iOS Applications](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications). + +Afterwards, you can [run the patched iOS app](https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications). -Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary. +If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the `frida-ps` command: ```bash -$ unzip UnCrackable-Level1.ipa -$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/ -$ optool install -c load -p "@executable_path/FridaGadget.dylib" -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 -Found FAT Header -Found thin header... -Found thin header... -Inserting a LC_LOAD_DYLIB command for architecture: arm -Successfully inserted a LC_LOAD_DYLIB command for arm -Inserting a LC_LOAD_DYLIB command for architecture: arm64 -Successfully inserted a LC_LOAD_DYLIB command for arm64 -Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1... +$ frida-ps -U +PID Name +--- ------ +499 Gadget ``` -## Patching Example: Making an App Debuggable +## Starting with iOS 17 and Xcode 15 -By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. 
This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile. +Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588). -Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section. +A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430). diff --git a/techniques/ios/MASTG-TECH-0092.md b/techniques/ios/MASTG-TECH-0092.md index 8de15ddcad..3f142e603e 100644 --- a/techniques/ios/MASTG-TECH-0092.md +++ b/techniques/ios/MASTG-TECH-0092.md 
@@ -1,56 +1,18 @@ --- -title: Repackaging and Re-Signing +title: Re-Signing platform: ios --- -Tampering an app invalidates the main executable's code signature, so this won't run on a non-jailbroken device. You'll need to replace the provisioning profile and sign both the main executable and the files you've made include (e.g. `FridaGadget.dylib`) with the certificate listed in the profile. +Tampering an app invalidates the code signature of the main executable, so it won't run on a non-jailbroken device. -## Repackaging +You'll need to re-sign the IPA with your provisioning profile. This can be done in various ways with different tools: -First, let's add our own provisioning profile to the package: +- @MASTG-TOOL-0114 +- @MASTG-TOOL-0113 +- @MASTG-TOOL-0102 -```bash -cp AwesomeRepackaging.mobileprovision Payload/UnCrackable\ Level\ 1.app/embedded.mobileprovision -``` - -Next, we need to make sure that the Bundle ID in `Info.plist` matches the one specified in the profile because the codesign tool will read the Bundle ID from `Info.plist` during signing; the wrong value will lead to an invalid signature. - -```bash -/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier sg.vantagepoint.repackage" Payload/UnCrackable\ Level\ 1.app/Info.plist -``` - -## Re-Signing - -Finally, we use the @MASTG-TOOL-0114 tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`. - -```bash -$ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature -$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 Payload/UnCrackable\ Level\ 1.app/FridaGadget.dylib -Payload/UnCrackable Level 1.app/FridaGadget.dylib: replacing existing signature -``` - -`entitlements.plist` is the file you created for your empty iOS project. 
- -```bash -$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 --entitlements entitlements.plist Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 -Payload/UnCrackable Level 1.app/UnCrackable Level 1: replacing existing signature -``` - -Now you should be ready to run the modified app. Deploy and run the app on the device using @MASTG-TOOL-0054: +After re-signing you should be ready to run the modified app. Install the app on the device using @MASTG-TOOL-0054 and start the app by clicking on the app icon: ```bash -ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/ +ios-deploy -b .ipa ``` - -If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the frida-ps command: - -```bash -$ frida-ps -U -PID Name ---- ------ -499 Gadget -``` - - - -When something goes wrong (and it usually does), mismatches between the provisioning profile and code-signing header are the most likely causes. Reading the [official documentation](https://developer.apple.com/support/code-signing/ "Code Signing") helps you understand the code-signing process. Apple's [entitlement troubleshooting page](https://developer.apple.com/library/content/technotes/tn2415/_index.html "Entitlements Troubleshooting") is also a useful resource. diff --git a/tools/ios/MASTG-TOOL-0113.md b/tools/ios/MASTG-TOOL-0113.md new file mode 100644 index 0000000000..5967f00a1e --- /dev/null +++ b/tools/ios/MASTG-TOOL-0113.md 
@@ -0,0 +1,59 @@ +--- +title: fastlane +platform: ios +source: https://github.com/fastlane/fastlane +alternatives: +- MASTG-TOOL-0114 +- MASTG-TOOL-0102 +--- + +[fastlane](https://github.com/fastlane/fastlane) is a tool for iOS and Android developers to automate tasks like dealing with provisioning profiles, and releasing mobile apps. Once setup it can be used to resign IPA files with your Xcode provisioning profile. + +Before executing fastlane: + +- install fastlane via brew (`brew install fastlane`) +- [get a developer provisioning profile and certificate](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0079/#getting-a-developer-provisioning-profile-and-certificate) +- create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/). + +Example: + +```yaml +lane :resignipa do + resign( + ipa: ".mobileprovision", + ) +end +``` + +Afterwards execute the `fastlane resignipa` command. + +```bash +$ fastlane resignipa +[✔] 🚀 +[15:21:51]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile +[15:21:52]: Driving the lane 'resignipa' 🚀 +[15:21:52]: -------------------- +[15:21:52]: --- Step: resign --- +[15:21:52]: -------------------- +... +[15:22:03]: Successfully signed /test.ipa! +[15:22:03]: Successfully re-signed .ipa 🔏. + ++-----------------------------+ +| fastlane summary | ++------+--------+-------------+ +| Step | Action | Time (in s) | ++------+--------+-------------+ +| 1 | resign | 11 | ++------+--------+-------------+ + +[15:22:03]: fastlane.tools finished successfully 🎉 +``` + +After having this setup once, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. + +Learn more: + +- ["Codesign an existing ipa file with fastlane resign"](https://docs.fastlane.tools/actions/resign/) 
diff --git a/tools/ios/MASTG-TOOL-0114.md b/tools/ios/MASTG-TOOL-0114.md index 0d721760ff..f66d27c95f 100644 --- a/tools/ios/MASTG-TOOL-0114.md +++ b/tools/ios/MASTG-TOOL-0114.md @@ -4,6 +4,7 @@ platform: ios source: https://www.unix.com/man-page/osx/1/codesign/ alternatives: - MASTG-TOOL-0102 +- MASTG-TOOL-0113 --- The codesign tool is primarily used to create, verify, and display code signatures, and to query the dynamic status of signed code in the system. Although Xcode typically automates the process of signing code during builds and before distribution, there are scenarios where manual intervention with codesign is required. This can include inspecting or verifying the details of an app's code signature, or manually re-signing an app. For more detailed tasks such as these, you can use the codesign command line tool directly, as described in Apple's Code Signing Guide. From d79f6921bed8c4fd64db453d9fdf787b501d2427 Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sun, 6 Oct 2024 16:44:23 +0200 Subject: [PATCH 2/2] update lint error --- .gitignore | 3 ++- tools/ios/MASTG-TOOL-0113.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index b55c20945b..cb1a234905 100644 --- a/.gitignore +++ b/.gitignore @@ -29,4 +29,5 @@ docs/assets/Images OWASP_MASVS.yaml cross_references.yaml drafts/ -Payload/ \ No newline at end of file +Payload/ +.vscode/settings.json diff --git a/tools/ios/MASTG-TOOL-0113.md b/tools/ios/MASTG-TOOL-0113.md index 5967f00a1e..7f50a68d23 100644 --- a/tools/ios/MASTG-TOOL-0113.md +++ b/tools/ios/MASTG-TOOL-0113.md 
@@ -15,7 +15,7 @@ Before executing fastlane: - [get a developer provisioning profile and certificate](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0079/#getting-a-developer-provisioning-profile-and-certificate) - create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/). -Example: +Example: ```yaml lane :resignipa do @@ -27,7 +27,7 @@ lane :resignipa do end ``` -Afterwards execute the `fastlane resignipa` command. +Afterwards execute the `fastlane resignipa` command. ```bash $ fastlane resignipa
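Review bot: In the MASTG-TECH-0090 hunk (`@@ -11,13 +11,9 @@`) the new download sentence names the release asset `frida-gadget--ios-universal.dylib` and says it is compressed, yet the following paragraph still tells the reader to copy `FridaGadget.dylib` into the app directory, so the decompress-and-rename step between the two is missing; add a sentence such as "decompress the file and rename it to `FridaGadget.dylib`" before the copy instruction. The double hyphen in the asset name also reads like a dropped version component, so a visible placeholder like `frida-gadget-<version>-ios-universal.dylib` would be clearer than the bare double hyphen. Two small things while the file is open: "Github" should be "GitHub", and the unchanged context shows `unzip UnCrackable-Level1.ipa` in the hunk header but `$ unzip UnCrackable_Level1.ipa` in the code block below it.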
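Review bot: The MASTG-TECH-0091 hunk (`@@ -1,32 +1,25 @@`) deletes the "Making an App Debuggable" section, i.e. the explanation that an App Store build lacks the `get-task-allow` entitlement and must be re-signed with a development provisioning profile before a debugger can attach, without moving that text anywhere else in the patch (the matching `--entitlements entitlements.plist` step is removed from MASTG-TECH-0092 in the same patch). The new text still says "the app should start in debugging mode with LLDB attached", so the reader loses the one prerequisite that makes that sentence true; suggest moving those two paragraphs into the Re-Signing technique rather than dropping them. Also, the same file now says @MASTG-TOOL-0054 no longer starts an app in debug mode on iOS 17 / Xcode 15, so the "If everything went well" paragraph should be qualified (for example "If the app was started in debug mode, ...") so the two sections do not contradict each other.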
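Review bot: In the MASTG-TECH-0092 hunk (`@@ -1,56 +1,18 @@`) the new install command `ios-deploy -b .ipa` has lost its file name, the same pattern as `ipa: ".mobileprovision"` in the new fastlane page; use an explicit placeholder such as `ios-deploy -b <resigned-app>.ipa` so it does not look like a literal command. The hunk also removes the Bundle ID / `Info.plist` step (`PlistBuddy -c "Set :CFBundleIdentifier ..."`) and the closing troubleshooting paragraph with the Apple code-signing and entitlement links. A Bundle ID that does not match the provisioning profile still yields an invalid signature whichever of the three listed tools does the signing, so keep at least a one-line note on that and the two links under the tool list instead of deleting them with the manual walkthrough.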
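Review bot: The `Fastfile` example in the new tools/ios/MASTG-TOOL-0113.md passes `ipa: ".mobileprovision"`, which hands a provisioning profile to the parameter that takes the IPA path; per the linked fastlane resign documentation the profile goes in `provisioning_profile:` and the action also needs `signing_identity:` (the value shown by `security find-identity -v`, which the text removed from MASTG-TECH-0092 used to explain), so as written the lane cannot succeed. Suggest `ipa: "<app>.ipa"`, `signing_identity: "<your identity>"`, `provisioning_profile: "<profile>.mobileprovision"` with obvious placeholders, and a sentence telling the reader to fill all three in. Minor: a `Fastfile` is Ruby, so the fence should be tagged `ruby` rather than `yaml`, and "Once setup" should read "Once set up".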
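Review bot: The `.gitignore` hunk in patch 2/2 (`@@ -29,4 +29,5 @@`) adds `.vscode/settings.json`, which is unrelated to the commit's stated purpose "update lint error"; either split it into its own commit or mention it in the commit message so the history stays searchable. The trailing-whitespace removals in tools/ios/MASTG-TOOL-0113.md match the commit message and need no change.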