updated patching IPAs #2907

Open. Wants to merge 2 commits into base: master
3 changes: 2 additions & 1 deletion .gitignore
@@ -29,4 +29,5 @@ docs/assets/Images
OWASP_MASVS.yaml
cross_references.yaml
drafts/
Payload/
Payload/
.vscode/settings.json
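Review bot: `.vscode/settings.json` on the last added line is an editor-specific path, not a project artifact; it belongs in the contributor's global excludes file (`git config --global core.excludesFile`) rather than the repository's `.gitignore`, so consider dropping it from this PR. The `Payload/` line being removed and re-added with identical content indicates the change only appends a trailing newline to the previous last line, which is fine but worth confirming as intentional.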
10 changes: 3 additions & 7 deletions techniques/ios/MASTG-TECH-0090.md
@@ -1,5 +1,5 @@
---
title: Patching
title: Patching manually
platform: ios
---

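Review bot: the new title `Patching manually` does not follow the Title Case, noun-first style of the other technique titles in this diff (`Library Injection`, `Repackaging and Re-Signing`); `Manual Patching` reads better and pairs naturally with the retitled sibling technique in MASTG-TECH-0091.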
@@ -11,13 +11,9 @@ unzip UnCrackable-Level1.ipa

## Patching Example: Installing Frida Gadget

IF you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first:
If you want to use Frida on non-jailbroken devices you'll need to include the `FridaGadget.dylib`. Download it first from the [Github release page](https://github.com/frida/frida/releases). The filename is `frida-gadget-<VERSION>-ios-universal.dylib` and is compressed.

```bash
curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
```

Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary.
Copy the `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary.

```bash
$ unzip UnCrackable_Level1.ipa
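Review bot: the replacement paragraph says the release asset `frida-gadget-<VERSION>-ios-universal.dylib` is compressed but gives no decompression step, and the next sentence still tells the reader to copy `FridaGadget.dylib`, so the reader has to work out unaided that the file must be decompressed and renamed to match the `@executable_path/FridaGadget.dylib` load command that @MASTG-TOOL-0059 inserts. Suggest restoring a fenced command block in place of the removed `curl` one, e.g. `xz -d frida-gadget-<VERSION>-ios-universal.dylib.xz` (the releases page publishes the gadget as a `.dylib.xz`) followed by `mv frida-gadget-<VERSION>-ios-universal.dylib FridaGadget.dylib`, and naming the asset with its real extension. Two smaller points: `Github` should be `GitHub`, and this hunk shows both `UnCrackable-Level1.ipa` (hunk header) and `UnCrackable_Level1.ipa` (last line) for the same file; pick one spelling.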
33 changes: 13 additions & 20 deletions techniques/ios/MASTG-TECH-0091.md
@@ -1,32 +1,25 @@
---
title: Library Injection
title: Patching automated
platform: ios
---

If you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first:
If you want to use Frida on non-jailbroken devices you'll need to include the `FridaGadget.dylib` into the IPA.

```bash
curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
```
The tool @MASTG-TOOL-0038 will automate this task for you. Follow the instructions in the wiki for [patching iOS Applications](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications).

Afterwards, you can [run the patched iOS app](https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications).

Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary.
If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the `frida-ps` command:

```bash
$ unzip UnCrackable-Level1.ipa
$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/
$ optool install -c load -p "@executable_path/FridaGadget.dylib" -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
Found FAT Header
Found thin header...
Found thin header...
Inserting a LC_LOAD_DYLIB command for architecture: arm
Successfully inserted a LC_LOAD_DYLIB command for arm
Inserting a LC_LOAD_DYLIB command for architecture: arm64
Successfully inserted a LC_LOAD_DYLIB command for arm64
Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1...
$ frida-ps -U
PID Name
--- ------
499 Gadget
```

## Patching Example: Making an App Debuggable
## Starting with iOS 17 and Xcode 15

By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile.
Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588).

Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section.
A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430).
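Review bot: the `## Patching Example: Making an App Debuggable` section (the two paragraphs explaining that `get-task-allow` is absent from distribution provisioning profiles and only added to development profiles, and that an App Store build must be re-signed with a development profile to be debugged) is deleted outright rather than moved, yet the new text still expects the app to "start in debugging mode with LLDB attached" and links an ios-deploy workaround for "debug mode"; without the entitlement explanation a reader has no way to know why a re-signed App Store build refuses a debugger. Suggest keeping those paragraphs, here or in MASTG-TECH-0092. Related: the sentence about LLDB being attached only held when the app was launched with `ios-deploy --debug`, which the objection wiki link and the iOS 17 paragraph below no longer provide; reword it to say that once the patched app is running, Frida can attach to the embedded gadget, which is what the retained `frida-ps -U` output actually verifies. Finally, retitling this file from `Library Injection` to `Patching automated` changes what `@MASTG-TECH-0091` means for any page that cross-references it as library injection; check existing references before merging, and prefer `Automated Patching` to match the Title Case of the other titles.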
54 changes: 8 additions & 46 deletions techniques/ios/MASTG-TECH-0092.md
@@ -1,56 +1,18 @@
---
title: Repackaging and Re-Signing
title: Re-Signing
platform: ios
---

Tampering an app invalidates the main executable's code signature, so this won't run on a non-jailbroken device. You'll need to replace the provisioning profile and sign both the main executable and the files you've made include (e.g. `FridaGadget.dylib`) with the certificate listed in the profile.
Tampering an app invalidates the code signature of the main executable, so it won't run on a non-jailbroken device.

## Repackaging
You'll need to re-sign the IPA with your provisioning profile. This can be done in various ways with different tools:

First, let's add our own provisioning profile to the package:
- @MASTG-TOOL-0114
- @MASTG-TOOL-0113
- @MASTG-TOOL-0102

```bash
cp AwesomeRepackaging.mobileprovision Payload/UnCrackable\ Level\ 1.app/embedded.mobileprovision
```

Next, we need to make sure that the Bundle ID in `Info.plist` matches the one specified in the profile because the codesign tool will read the Bundle ID from `Info.plist` during signing; the wrong value will lead to an invalid signature.

```bash
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier sg.vantagepoint.repackage" Payload/UnCrackable\ Level\ 1.app/Info.plist
```

## Re-Signing

Finally, we use the @MASTG-TOOL-0114 tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`.

```bash
$ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature
$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 Payload/UnCrackable\ Level\ 1.app/FridaGadget.dylib
Payload/UnCrackable Level 1.app/FridaGadget.dylib: replacing existing signature
```

`entitlements.plist` is the file you created for your empty iOS project.

```bash
$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 --entitlements entitlements.plist Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1
Payload/UnCrackable Level 1.app/UnCrackable Level 1: replacing existing signature
```

Now you should be ready to run the modified app. Deploy and run the app on the device using @MASTG-TOOL-0054:
After re-signing you should be ready to run the modified app. Install the app on the device using @MASTG-TOOL-0054 and start the app by clicking on the app icon:

```bash
ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/
ios-deploy -b <name>.ipa
```

If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the frida-ps command:

```bash
$ frida-ps -U
PID Name
--- ------
499 Gadget
```

<img src="Images/Chapters/0x06b/fridaStockiOS.png" width="100%" />

When something goes wrong (and it usually does), mismatches between the provisioning profile and code-signing header are the most likely causes. Reading the [official documentation](https://developer.apple.com/support/code-signing/ "Code Signing") helps you understand the code-signing process. Apple's [entitlement troubleshooting page](https://developer.apple.com/library/content/technotes/tn2415/_index.html "Entitlements Troubleshooting") is also a useful resource.
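Review bot: the removed `--entitlements entitlements.plist` step and the `CFBundleIdentifier` / `PlistBuddy` paragraph were the only places in this technique that explained why a re-signed app fails to launch or attach, but the closing paragraph still tells the reader that "mismatches between the provisioning profile and code-signing header are the most likely causes" with no remaining guidance on what to check. Suggest keeping the Bundle ID requirement and the entitlements note as a short paragraph above the tool list (@MASTG-TOOL-0114, @MASTG-TOOL-0113, @MASTG-TOOL-0102), since every one of those tools is subject to the same two failure modes. Smaller points: `ios-deploy -b <name>.ipa` dropping `--debug` is consistent with the iOS 17 note in MASTG-TECH-0091, but the preceding sentence should say "tapping" rather than "clicking" the app icon; and deleting the `<img src="Images/Chapters/0x06b/fridaStockiOS.png">` reference leaves that image file orphaned unless it is removed in the same PR.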
59 changes: 59 additions & 0 deletions tools/ios/MASTG-TOOL-0113.md
@@ -0,0 +1,59 @@
---
title: fastlane
platform: ios
source: https://github.com/fastlane/fastlane
alternatives:
- MASTG-TOOL-0114
- MASTG-TOOL-0102
---

[fastlane](https://github.com/fastlane/fastlane) is a tool for iOS and Android developers to automate tasks like dealing with provisioning profiles, and releasing mobile apps. Once setup it can be used to resign IPA files with your Xcode provisioning profile.

Before executing fastlane:

- install fastlane via brew (`brew install fastlane`)
- [get a developer provisioning profile and certificate](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0079/#getting-a-developer-provisioning-profile-and-certificate)
- create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/).

Example:

```yaml
lane :resignipa do
resign(
ipa: "<PATH-to-IPA/filename.ipa",
signing_identity: "Apple Development: Foobar (STGXYCETF3)",
provisioning_profile: "~/Library/MobileDevice/Provisioning Profiles/<FILE-NAME>.mobileprovision",
)
end
```

Afterwards execute the `fastlane resignipa` command.

```bash
$ fastlane resignipa
[✔] 🚀
[15:21:51]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile
[15:21:52]: Driving the lane 'resignipa' 🚀
[15:21:52]: --------------------
[15:21:52]: --- Step: resign ---
[15:21:52]: --------------------
...
[15:22:03]: Successfully signed /test.ipa!
[15:22:03]: Successfully re-signed .ipa 🔏.

+-----------------------------+
| fastlane summary |
+------+--------+-------------+
| Step | Action | Time (in s) |
+------+--------+-------------+
| 1 | resign | 11 |
+------+--------+-------------+

[15:22:03]: fastlane.tools finished successfully 🎉
```

After having this setup once, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again.

Learn more:

- ["Codesign an existing ipa file with fastlane resign"](https://docs.fastlane.tools/actions/resign/)
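Review bot: the Fastfile example has a typo, `ipa: "<PATH-to-IPA/filename.ipa"` is missing the closing `>` of the placeholder, and the fence is tagged `yaml` although a Fastfile is Ruby DSL (`lane :resignipa do ... end`), so it should be `ruby`. The link to the provisioning profile section is an absolute `https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0079/...` URL while the rest of this PR uses the `@MASTG-TECH-XXXX` / `@MASTG-TOOL-XXXX` reference style; use `@MASTG-TECH-0079` here so the link survives site restructuring. Also "Once setup" should be "Once set up", and the sample output path `/test.ipa` does not match the `<PATH-to-IPA/filename.ipa>` placeholder in the Fastfile; align the two so the transcript visibly corresponds to the lane above it.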
1 change: 1 addition & 0 deletions tools/ios/MASTG-TOOL-0114.md
@@ -4,6 +4,7 @@ platform: ios
source: https://www.unix.com/man-page/osx/1/codesign/
alternatives:
- MASTG-TOOL-0102
- MASTG-TOOL-0113
---

The codesign tool is primarily used to create, verify, and display code signatures, and to query the dynamic status of signed code in the system. Although Xcode typically automates the process of signing code during builds and before distribution, there are scenarios where manual intervention with codesign is required. This can include inspecting or verifying the details of an app's code signature, or manually re-signing an app. For more detailed tasks such as these, you can use the codesign command line tool directly, as described in Apple's Code Signing Guide.
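Review bot: adding `MASTG-TOOL-0113` here keeps the `alternatives` list consistent with the new fastlane page, which lists `MASTG-TOOL-0114` and `MASTG-TOOL-0102` in turn; `MASTG-TOOL-0102` is named as an alternative by both pages but is not touched in this PR, so its own `alternatives` list should gain `MASTG-TOOL-0113` for symmetry.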