Join GitHub today
With stable jailbreaks becoming some sort of a rare commodity, anyone who wants to tinker with and understand what's going on with a mobile app may struggle to get a proper setup up and working. Especially if one wants to test the app on newer versions of iOS. Swizzler 2 and the guide in this wiki aims to help by detailing step-by-step on how to go about setting up and analysing a mobile app on a non-jailbroken iOS device.
Tested to work with:
- Frida 8.1 and above
- iOS 9.0, 10.0, 10.1b3
###Table of Contents
- Non-Jailbroken Device Setup
- Modifying The App
- git clone https://github.com/vtky/resign.git
- Install the App
- Running Frida!
There are somethings which you'll need for the setup to work properly,
- iOS Developer Account
- Decrypted .ipa of the app you want to analyse
- FridaGadget dylib or CydiaSubstrate Binary
- CydiaSubstrate - Extract out the CydiaSubstrate binary in the following path of the deb
In order to get Frida or CydiaSubstrate working with the app you'll need to modify the app binary and insert new load commands. In this example I will use Frida, because it is much faster at instrumentation as compared to CydiaSubstrate.
It is possible to use existing tweaks that make use of CydiaSubstrate, however it will require converting them into a dylib for insertion into the app binary. More on how to do that later.
resign is an XCode project that will help easily modify a ipa file, include the new Frida or CydiaSubstrate dylibs and resign everything for you.
- Copy the .ipa that you want to modify into the ipa_to_resign folder.
- Copy dylibs you want inserted into the dylibs_to_insert.
- Change the following to suit your needs,
- Bundle Identifier
- Signing Team
- Deployment Target
- Build it!
Product -> Build or Command-B
- Your build will result in a .app file which can be found in the build folder of the resign project
There are 2 ways of installing the app, either through XCode or via ios-deploy
Window -> Devices
- Select your iOS device
- Drag and drop the .app file into the Installed Apps section of the devices window.
I prefer this because we will still need to use ios-deploy later on to get Frida working
ios-deploy -b /path/to/your/new/resign.app -d
In order for FridaGadget dylib to run properly and perform C/C++ function hooking, the app needs to be run with lldb (unless you have the run-unsigned-code entitlement in your provisioning profile, if so, please ping me, I want to know how you got it)
By installing the app with ios-deploy and the
-d option, you will already be installing and starting the app for debugging. Nothing else needs to be done.
There is another option in ios-deploy
ios-deploy -b /path/to/your/new/resign.app -m.
-m will skip the installation and just start the app for debugging.
If everything worked, you should see a log message
Frida: Listening on TCP port XXXX
⚡ frida-ps -U PID Name ---- ------ 1518 Gadget ⚡ frida -U Gadget ____ / _ | Frida 8.1.0 - A world-class dynamic instrumentation framework | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ [USB::iPhone::Gadget]->