diff --git a/.gitignore b/.gitignore index b55c20945b..cb1a234905 100644 --- a/.gitignore +++ b/.gitignore @@ -29,4 +29,5 @@ docs/assets/Images OWASP_MASVS.yaml cross_references.yaml drafts/ -Payload/ \ No newline at end of file +Payload/ +.vscode/settings.json diff --git a/Document/Images/Techniques/0091-SideloadlyFrida.png b/Document/Images/Techniques/0091-SideloadlyFrida.png new file mode 100644 index 0000000000..7fc0f458ad Binary files /dev/null and b/Document/Images/Techniques/0091-SideloadlyFrida.png differ diff --git a/techniques/ios/MASTG-TECH-0055.md b/techniques/ios/MASTG-TECH-0055.md index 965c1e3dcc..2fef60e060 100644 --- a/techniques/ios/MASTG-TECH-0055.md +++ b/techniques/ios/MASTG-TECH-0055.md 
@@ -1,22 +1,21 @@ --- -title: Repackaging Apps +title: Launching a Repackaged App in Debug Mode platform: ios --- -If you need to test on a non-jailbroken device you should learn how to repackage an app to enable dynamic testing on it. - -Use a computer with macOS to perform all the steps indicated in the article ["Patching iOS Applications"](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications) from the objection Wiki. Once you're done you'll be able to patch an IPA by calling the objection command: +After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`: ```bash -objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx -``` - -Finally, the app needs to be installed (sideloaded) and run with debugging communication enabled. Perform the steps from the article ["Running Patched iOS Applications"](https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications) from the objection Wiki (using ios-deploy). +idevicedebug -d run sg.vp.UnCrackable1 -```bash -ios-deploy --bundle Payload/my-app.app -W -d +# In a new terminal +frida -U -n Gadget +... +[iPhone::Gadget ]-> ``` -Refer to @MASTG-TECH-0056 to learn about other installation methods. Some of them doesn't require you to have a macOS. +## Starting with iOS 17 and Xcode 15 + +Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588). -> This repackaging method is enough for most use cases. For more advanced repackaging, refer to @MASTG-TECH-0092. 
+A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430). diff --git a/techniques/ios/MASTG-TECH-0056.md b/techniques/ios/MASTG-TECH-0056.md index 8ce752c419..6ea4104a83 100644 --- a/techniques/ios/MASTG-TECH-0056.md +++ b/techniques/ios/MASTG-TECH-0056.md 
@@ -3,7 +3,7 @@ title: Installing Apps platform: ios --- -When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can circumvent this security feature with [AppSync](http://repo.hackyouriphone.org/appsyncunified "AppSync"), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. AppSync is a tweak that patches installd, allowing the installation of fake-signed IPA packages. +When you install an application without using Apple's App Store, this is called sideloading. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the installd daemon, which will unpack and install the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can circumvent this security feature with [AppSync](https://github.com/akemin-dayo/AppSync "AppSync"), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. AppSync is a tweak that patches installd, allowing the installation of fake-signed IPA packages. 
Different methods exist for installing an IPA package onto an iOS device, which are described in detail below. @@ -11,7 +11,7 @@ Different methods exist for installing an IPA package onto an iOS device, which ## Sideloadly -[Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. +@MASTG-TOOL-0118 is a GUI tool that can automate all required steps for you. It requires valid Apple developer credentials, as it will obtain a valid signature from Apple servers. !!! warning "Do not use your personal Apple account" To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. @@ -27,6 +27,8 @@ brew install libimobiledevice brew install ideviceinstaller ``` +If you have any issues, try installing the libraries from source, as the precompiled version may be outdated. + After the installation you have several new command line tools available, such as `ideviceinfo`, `ideviceinstaller` or `idevicedebug`. Let's install and debug the @MASTG-APP-0028 app with the following commands: ```bash diff --git a/techniques/ios/MASTG-TECH-0064.md b/techniques/ios/MASTG-TECH-0064.md index 302b04b85b..377a571cd2 100644 --- a/techniques/ios/MASTG-TECH-0064.md +++ b/techniques/ios/MASTG-TECH-0064.md 
@@ -11,7 +11,7 @@ This section describes various ways to bypass SSL Pinning and gives guidance abo ## Methods for Jailbroken and Non-jailbroken Devices -If you have a jailbroken device with frida-server installed, you can bypass SSL pinning by running the following @MASTG-TOOL-0038 command (see @MASTG-TECH-0055 if you're using a non-jailbroken device): +If you have a jailbroken device with frida-server installed, you can bypass SSL pinning by running the following @MASTG-TOOL-0038 command (see @MASTG-TECH-0090 if you're using a non-jailbroken device): ```bash ios sslpinning disable diff --git a/techniques/ios/MASTG-TECH-0079.md b/techniques/ios/MASTG-TECH-0079.md index 700a6825c5..51cfbde2a5 100644 --- a/techniques/ios/MASTG-TECH-0079.md +++ b/techniques/ios/MASTG-TECH-0079.md 
@@ -1,33 +1,13 @@ --- -title: Dynamic Analysis on Non-Jailbroken Devices +title: Getting a Developer Provisioning Profile platform: ios --- -If you don't have access to a jailbroken device, you can patch and repackage the target app to load a dynamic library at startup (e.g. the [Frida gadget](https://www.frida.re/docs/gadget/ "Frida Gadget") to enable dynamic testing with Frida and related tools such as objection). This way, you can instrument the app and do everything you need to do for dynamic analysis (of course, you can't break out of the sandbox this way). However, this technique only works if the app binary isn't FairPlay-encrypted (i.e., obtained from the App Store). - -## Automated Repackaging - -@MASTG-TOOL-0038 automates the process of app repackaging. You can find exhaustive documentation on the official [wiki pages](https://github.com/sensepost/objection/wiki "Objection - Documentation"). - -Using objection's repackaging feature is sufficient for most of use cases. However, in some complex scenarios you might need more fine-grained control or a more customizable repackaging process. In that case, you can read a detailed explanation of the repackaging and resigning process in ["Manual Repackaging"](#manual-repackaging). - -## Manual Repackaging - -Thanks to Apple's confusing provisioning and code-signing system, re-signing an app is more challenging than you would expect. iOS won't run an app unless you get the provisioning profile and code signature header exactly right. This requires learning many concepts-certificate types, Bundle IDs, application IDs, team identifiers, and how Apple's build tools connect them. Getting the OS to run a binary that hasn't been built via the default method (Xcode) can be a daunting process. - -We'll use @MASTG-TOOL-0059, Apple's build tools, and some shell commands. Our method is inspired by [Vincent Tan's Swizzler project](https://github.com/vtky/Swizzler2/ "Swizzler"). 
[The NCC group](https://research.nccgroup.com/2016/10/12/ios-instrumentation-without-jailbreak/ "NCC blog - iOS instrumentation without jailbreak") has described an alternative repackaging method. - -To reproduce the steps listed below, download @MASTG-APP-0025. Our goal is to make the UnCrackable app load `FridaGadget.dylib` during startup so we can instrument the app with Frida. - -> Please note that the following steps apply to macOS only, as Xcode is only available for macOS. - -## Getting a Developer Provisioning Profile and Certificate - The _provisioning profile_ is a plist file signed by Apple, which adds your code-signing certificate to its list of accepted certificates on one or more devices. In other words, this represents Apple explicitly allowing your app to run for certain reasons, such as debugging on selected devices (development profile). The provisioning profile also includes the _entitlements_ granted to your app. The _certificate_ contains the private key you'll use to sign. Depending on whether you're registered as an iOS developer, you can obtain a certificate and provisioning profile in one of the following ways: -**With an iOS developer account:** +## With an iOS developer account If you've developed and deployed iOS apps with Xcode before, you already have your own code-signing certificate installed. Use the @MASTG-TOOL-0063 command (macOS only) to list your signing identities: 
@@ -41,11 +21,13 @@ Log into the Apple Developer portal to issue a new App ID, then issue and downlo In the examples below, I use my signing identity, which is associated with my company's development team. I created the App ID "sg.vp.repackaged" and the provisioning profile "AwesomeRepackaging" for these examples. I ended up with the file `AwesomeRepackaging.mobileprovision`-replace this with your own filename in the shell commands below. -**With a Regular Apple ID:** +## With a Regular Apple ID Apple will issue a free development provisioning profile even if you're not a paying developer. You can obtain the profile via Xcode and your regular Apple account: simply create an empty iOS project and extract `embedded.mobileprovision` from the app container, which is in the Xcode subdirectory of your home directory: `~/Library/Developer/Xcode/DerivedData//Build/Products/Debug-iphoneos/.app/`. The [NCC blog post "iOS instrumentation without jailbreak"](https://research.nccgroup.com/2016/10/12/ios-instrumentation-without-jailbreak/ "iOS instrumentation without jailbreak") explains this process in great detail. -Once you've obtained the provisioning profile, you can check its contents with the @MASTG-TOOL-0063 command. You'll find the entitlements granted to the app in the profile, along with the allowed certificates and devices. You'll need these for code-signing, so extract them to a separate plist file as shown below. Have a look at the file contents to make sure everything is as expected. +## Inspecting the Provisioning Profile + +Once you've obtained the provisioning profile, you can inspect its contents with the @MASTG-TOOL-0063 command. You'll find the entitlements granted to the app in the profile, along with the allowed certificates and devices. You'll need these for code-signing, so extract them to a separate plist file as shown below. Have a look at the file contents to make sure everything is as expected. 
```bash $ security cms -D -i AwesomeRepackaging.mobileprovision > profile.plist diff --git a/techniques/ios/MASTG-TECH-0086.md b/techniques/ios/MASTG-TECH-0086.md index 130c002b03..389656b548 100644 --- a/techniques/ios/MASTG-TECH-0086.md +++ b/techniques/ios/MASTG-TECH-0086.md @@ -5,7 +5,7 @@ platform: ios Intercepting Objective-C methods is a useful iOS security testing technique. For example, you may be interested in data storage operations or network requests. In the following example, we'll write a simple tracer for logging HTTP(S) requests made via iOS standard HTTP APIs. We'll also show you how to inject the tracer into the Safari web browser. -In the following examples, we'll assume that you are working on a jailbroken device. If that's not the case, you first need to follow the steps outlined in @MASTG-TECH-0055 to repackage the Safari app. +In the following examples, we'll assume that you are working on a jailbroken device. If that's not the case, you first need to follow the steps outlined in @MASTG-TECH-0090 to repackage the Safari app with the Frida Gadget. Frida comes with `frida-trace`, a function tracing tool. `frida-trace` accepts Objective-C methods via the `-m` flag. You can pass it wildcards as well-given `-[NSURL *]`, for example, `frida-trace` will automatically install hooks on all `NSURL` class selectors. We'll use this to get a rough idea about which library functions Safari calls when the user opens a URL. diff --git a/techniques/ios/MASTG-TECH-0090.md b/techniques/ios/MASTG-TECH-0090.md index 6fce7b0578..cd1512308a 100644 --- a/techniques/ios/MASTG-TECH-0090.md +++ b/techniques/ios/MASTG-TECH-0090.md 
@@ -1,40 +1,24 @@ --- -title: Patching +title: Injecting Frida Gadget into an IPA Automatically platform: ios --- -IPA files are actually ZIP archives, so you can use any ZIP tool to unpack the archive. +If you want to enable dynamic testing with Frida but don't have access to a jailbroken device, you can patch and repackage the target app to load the [Frida gadget](https://www.frida.re/docs/gadget/). This way, you can instrument the app and do everything you need to do for dynamic analysis (of course, you can't break out of the sandbox this way). However, this technique only works if the app binary isn't FairPlay-encrypted (i.e., obtained from the App Store). -```bash -unzip UnCrackable-Level1.ipa -``` +The easiest way to inject Frida into an installed application is by using frida-server. However, if this is not possible, the Frida Gadget can be injected into a decrypted IPA file. -## Patching Example: Installing Frida Gadget +As an alternative to this automated approach, see @MASTG-TECH-0091. -IF you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first: +## @MASTG-TOOL-0118 -```bash -curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib -``` +Sideloadly can be used to automatically inject libraries while repackaging and signing the app. To do so, click the `Advanced Options`, followed by `Inject dylibs/frameworks` and `+dylib/deb/bundle`: -Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary. + -```bash -$ unzip UnCrackable_Level1.ipa -$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/ -$ optool install -c load -p "@executable_path/FridaGadget.dylib" -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 -Found FAT Header -Found thin header... -Found thin header... 
-Inserting a LC_LOAD_DYLIB command for architecture: arm -Successfully inserted a LC_LOAD_DYLIB command for arm -Inserting a LC_LOAD_DYLIB command for architecture: arm64 -Successfully inserted a LC_LOAD_DYLIB command for arm64 -Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1... -``` - -## Patching Example: Making an App Debuggable +## @MASTG-TOOL-0038 -By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile. +Objection can inject the Frida Gadget into a given IPA file. Use a computer with macOS to perform all the steps indicated in the article ["Patching iOS Applications"](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications) from the objection Wiki. Once you're done you'll be able to patch an IPA by calling the objection command: -Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section. +```bash +objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx +``` diff --git a/techniques/ios/MASTG-TECH-0091.md b/techniques/ios/MASTG-TECH-0091.md index dda9ae36ab..3d3d99bcdc 100644 --- a/techniques/ios/MASTG-TECH-0091.md +++ b/techniques/ios/MASTG-TECH-0091.md 
@@ -1,20 +1,44 @@ --- -title: Library Injection +title: Injecting Libraries into an IPA Manually platform: ios --- -If you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first: +This technique allows you to inject arbitrary libraries into an IPA file. + +This is useful when you want to add additional functionality or testing capabilities to an application. For example, you can inject the Frida Gadget into an IPA file to enable dynamic instrumentation of the application. + +We'll use the Frida Gadget (`FridaGadget.dylib`) as an example but you can use this technique to inject any `.dylib` library you want. + +## Obtaining the Library + +In our example, the library is Frida Gadget, which can be downloaded from the [GitHub release page](https://github.com/frida/frida/releases) of the Frida project. Look for the latest release that matches your target platform and download the `frida-gadget-XX.YY.ZZ-ios-universal.dylib.xz` file. + +Decompress the file using the `xz` tool and save it as `FridaGadget.dylib`: ```bash -curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib +xz -d -c > FridaGadget.dylib ``` -Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary. 
+## Adding the Library to the IPA + +IPA files are ZIP archives, so you can use any ZIP tool to unpack the archive: ```bash -$ unzip UnCrackable-Level1.ipa -$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/ -$ optool install -c load -p "@executable_path/FridaGadget.dylib" -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 +unzip UnCrackable-Level1.ipa +``` + +Next, copy the target library, in this case `FridaGadget.dylib`, into the `.app/Frameworks` directory (create the directory if it doesn't exist): + +```bash +mkdir -p Payload/UnCrackable\ Level\ 1.app/Frameworks +cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/Frameworks/ +``` + +Use @MASTG-TOOL-0059 to add a `load` command to the binary (`LC_LOAD_DYLIB`). The code below shows how this is done for the @MASTG-APP-0025: + +```bash +optool install -c load -p "@executable_path/Frameworks/FridaGadget.dylib" -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 + Found FAT Header Found thin header... Found thin header... 
@@ -25,8 +49,10 @@ Successfully inserted a LC_LOAD_DYLIB command for arm64 Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1... ``` -## Patching Example: Making an App Debuggable +After injecting the `load` command, you need to repackage the IPA: -By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile. +```bash +zip -r patched.ipa Payload +``` -Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in @MASTG-TECH-0079. +To debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in @MASTG-TECH-0079. diff --git a/techniques/ios/MASTG-TECH-0092.md b/techniques/ios/MASTG-TECH-0092.md index 8de15ddcad..541a9c2664 100644 --- a/techniques/ios/MASTG-TECH-0092.md +++ b/techniques/ios/MASTG-TECH-0092.md 
@@ -3,54 +3,53 @@ title: Repackaging and Re-Signing platform: ios --- -Tampering an app invalidates the main executable's code signature, so this won't run on a non-jailbroken device. You'll need to replace the provisioning profile and sign both the main executable and the files you've made include (e.g. `FridaGadget.dylib`) with the certificate listed in the profile. +Tampering with an app invalidates the code signature of the main executable, so it won't run on a non-jailbroken device. -## Repackaging +Before re-signing and IPA you need to obtain a developer provisioning profile and certificate, see @MASTG-TECH-0079. -First, let's add our own provisioning profile to the package: +The re-signing process can be done manually using @MASTG-TOOL-0102, or by using automated tools like @MASTG-TOOL-0117 or @MASTG-TOOL-0114. -```bash -cp AwesomeRepackaging.mobileprovision Payload/UnCrackable\ Level\ 1.app/embedded.mobileprovision -``` - -Next, we need to make sure that the Bundle ID in `Info.plist` matches the one specified in the profile because the codesign tool will read the Bundle ID from `Info.plist` during signing; the wrong value will lead to an invalid signature. - -```bash -/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier sg.vantagepoint.repackage" Payload/UnCrackable\ Level\ 1.app/Info.plist -``` +## @MASTG-TOOL-0117 -## Re-Signing +Create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/). -Finally, we use the @MASTG-TOOL-0114 tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`. 
+Example: -```bash -$ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature -$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 Payload/UnCrackable\ Level\ 1.app/FridaGadget.dylib -Payload/UnCrackable Level 1.app/FridaGadget.dylib: replacing existing signature -``` - -`entitlements.plist` is the file you created for your empty iOS project. - -```bash -$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 --entitlements entitlements.plist Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 -Payload/UnCrackable Level 1.app/UnCrackable Level 1: replacing existing signature -``` - -Now you should be ready to run the modified app. Deploy and run the app on the device using @MASTG-TOOL-0054: - -```bash -ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/ +```yaml +lane :resignipa do + resign( + ipa: ".mobileprovision", + ) +end ``` -If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the frida-ps command: +Afterwards, execute the `fastlane resignipa` command. ```bash -$ frida-ps -U -PID Name ---- ------ -499 Gadget +$ fastlane resignipa +[✔] 🚀 +[15:21:51]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile +[15:21:52]: Driving the lane 'resignipa' 🚀 +[15:21:52]: -------------------- +[15:21:52]: --- Step: resign --- +[15:21:52]: -------------------- +... +[15:22:03]: Successfully signed /test.ipa! +[15:22:03]: Successfully re-signed .ipa 🔏. 
+ ++-----------------------------+ +| fastlane summary | ++------+--------+-------------+ +| Step | Action | Time (in s) | ++------+--------+-------------+ +| 1 | resign | 11 | ++------+--------+-------------+ + +[15:22:03]: fastlane.tools finished successfully 🎉 ``` - +After having this set up once, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. -When something goes wrong (and it usually does), mismatches between the provisioning profile and code-signing header are the most likely causes. Reading the [official documentation](https://developer.apple.com/support/code-signing/ "Code Signing") helps you understand the code-signing process. Apple's [entitlement troubleshooting page](https://developer.apple.com/library/content/technotes/tn2415/_index.html "Entitlements Troubleshooting") is also a useful resource. +More information can be found in the official documentation: ["Codesign an existing ipa file with fastlane resign"](https://docs.fastlane.tools/actions/resign/) diff --git a/techniques/ios/MASTG-TECH-0096.md b/techniques/ios/MASTG-TECH-0096.md index 8d93c8ffcb..6039b34128 100644 --- a/techniques/ios/MASTG-TECH-0096.md +++ b/techniques/ios/MASTG-TECH-0096.md 
@@ -168,7 +168,7 @@ In-memory search can be very useful to quickly know if certain data is located i ## Memory Dump -You can dump the app's process memory with @MASTG-TOOL-0038 and @MASTG-TOOL-0106. To take advantage of these tools on a non-jailbroken device, the Android app must be repackaged with `frida-gadget.so` and re-signed. A detailed explanation of this process is described in @MASTG-TECH-0079. To use these tools on a jailbroken phone, simply have frida-server installed and running. +You can dump the app's process memory with @MASTG-TOOL-0074 and @MASTG-TOOL-0106. To take advantage of these tools on a non-jailbroken device, the Android app must be repackaged with `frida-gadget.so` and re-signed. A detailed explanation of this process is described in @MASTG-TECH-0090. To use these tools on a jailbroken phone, simply have frida-server installed and running. With objection it is possible to dump all memory of the running process on the device by using the command `memory dump all`. diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0059.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0059.md index 0a9a03c112..2855d7772e 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0059.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0059.md 
@@ -61,7 +61,7 @@ You can use a _visual approach_ to quickly validate this test case using any iOS 2. Background the application by hitting the **Home** button on your iOS device. 3. Verify that a default image is shown as the top view element instead of the view containing the sensitive information. -If required, you may also collect evidence by performing steps 1 to 3 on a jailbroken device or a non-jailbroken device after repackaging the app with the Frida Gadget (@MASTG-TECH-0079). After that, connect to the iOS device with SSH (@MASTG-TECH-0052) or by other means (@MASTG-TECH-0053) and navigate to the Snapshots directory. The location may differ on each iOS version but it's usually inside the app's Library directory. For instance, on iOS 14.5 the Snapshots directory is located at: +If required, you may also collect evidence by performing steps 1 to 3 on a jailbroken device or a non-jailbroken device after repackaging the app with the Frida Gadget (@MASTG-TECH-0090). After that, connect to the iOS device with SSH (@MASTG-TECH-0052) or by other means (@MASTG-TECH-0053) and navigate to the Snapshots directory. The location may differ on each iOS version but it's usually inside the app's Library directory. For instance, on iOS 14.5 the Snapshots directory is located at: ```txt /var/mobile/Containers/Data/Application/$APP_ID/Library/SplashBoard/Snapshots/sceneID:$APP_NAME-default/ diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0090.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0090.md index 3ed2fb33b4..f5771d0140 100644 --- a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0090.md +++ b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0090.md 
@@ -14,7 +14,7 @@ masvs_v1_levels: **Application Source Code Integrity Checks:** -Run the app on the device in an unmodified state and make sure that everything works. Then apply patches to the executable using optool, re-sign the app as described in @MASTG-TECH-0090, and run it. +Run the app on the device in an unmodified state and make sure that everything works. Then apply some patches to the executable (e.g. see @MASTG-TECH-0090), re-sign the app (@MASTG-TECH-0092), and run it. The app should respond in some way. For example by: diff --git a/tools/ios/MASTG-TOOL-0102.md b/tools/ios/MASTG-TOOL-0102.md index f849099932..8ce8810d5a 100644 --- a/tools/ios/MASTG-TOOL-0102.md +++ b/tools/ios/MASTG-TOOL-0102.md @@ -2,6 +2,9 @@ title: ios-app-signer platform: ios source: https://github.com/DanTheMan827/ios-app-signer +alternatives: +- MASTG-TOOL-0114 +- MASTG-TOOL-0117 --- [ios-app-signer](https://github.com/DanTheMan827/ios-app-signer) is a GUI-based tool for macOS that allows you to re-sign iOS apps and bundle them into IPA files ready to be installed on an iOS device. It can be installed using the `.app` file from the [GitHub releases](https://github.com/DanTheMan827/ios-app-signer/releases) or via brew on macOS: diff --git a/tools/ios/MASTG-TOOL-0114.md b/tools/ios/MASTG-TOOL-0114.md index 0d721760ff..ce684e8f0a 100644 --- a/tools/ios/MASTG-TOOL-0114.md +++ b/tools/ios/MASTG-TOOL-0114.md 
@@ -4,6 +4,7 @@ platform: ios source: https://www.unix.com/man-page/osx/1/codesign/ alternatives: - MASTG-TOOL-0102 +- MASTG-TOOL-0117 --- The codesign tool is primarily used to create, verify, and display code signatures, and to query the dynamic status of signed code in the system. Although Xcode typically automates the process of signing code during builds and before distribution, there are scenarios where manual intervention with codesign is required. This can include inspecting or verifying the details of an app's code signature, or manually re-signing an app. For more detailed tasks such as these, you can use the codesign command line tool directly, as described in Apple's Code Signing Guide. @@ -14,4 +15,4 @@ Learn more: - ["Signing Code Manually"](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW3) in Apple's Code Signing Guide - [Using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format) - [codesign manpage](https://www.unix.com/man-page/osx/1/codesign/) -- [codesign source code](https://opensource.apple.com/source/Security/Security-55471/sec/Security/Tool/codesign.c.auto.html) +- [codesign source code](https://github.com/apple-oss-distributions/Security/blob/main/SecurityTool/sharedTool/codesign.c) diff --git a/tools/ios/MASTG-TOOL-0117.md b/tools/ios/MASTG-TOOL-0117.md new file mode 100644 index 0000000000..0f6b20b786 --- /dev/null +++ b/tools/ios/MASTG-TOOL-0117.md 
@@ -0,0 +1,16 @@ +--- +title: fastlane +platform: ios +source: https://github.com/fastlane/fastlane +hosts: +- macOS +- linux +- windows +alternatives: +- MASTG-TOOL-0114 +- MASTG-TOOL-0102 +--- + +[fastlane](https://github.com/fastlane/fastlane) is a tool for iOS and Android developers to automate tasks like dealing with provisioning profiles, and releasing mobile apps. On iOS, it's especially useful to resign IPA files with your Xcode provisioning profile. + +fastlane can be installed via brew (`brew install fastlane`). diff --git a/tools/ios/MASTG-TOOL-0118.md b/tools/ios/MASTG-TOOL-0118.md new file mode 100644 index 0000000000..8963f71746 --- /dev/null +++ b/tools/ios/MASTG-TOOL-0118.md @@ -0,0 +1,10 @@ +--- +title: Sideloadly +platform: ios +hosts: +- windows +- macos +source: https://sideloadly.io/ +--- + +[Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows.
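Review bot: the `.vscode/settings.json` line added to `.gitignore` is an editor-specific ignore rather than a project artifact; it belongs in a per-user global exclude file (`git config core.excludesFile`), or, if it must live in the repo, ignore the whole `.vscode/` directory so other editor files do not need one-off entries later. The hunk also fixes the missing trailing newline after `Payload/`, which is fine.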
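Review bot: in `techniques/ios/MASTG-TECH-0055.md`, `This is not the case when launching the app via springboard (the application will crash)` does not say what "this" refers to; suggest `Launching the app from SpringBoard does not start it in debug mode (the app will crash), but the tools in @MASTG-TECH-0056 can do it.` The new iOS 17 / Xcode 15 section points at a GitHub issue comment as the only description of the workaround; summarizing the steps inline would keep the technique usable if that comment is edited or removed. The removed line `For more advanced repackaging, refer to @MASTG-TECH-0092` is not replaced, so this file no longer links to the re-signing technique at all.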
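Review bot: in the Sideloadly hunk of `techniques/ios/MASTG-TECH-0056.md`, `@MASTG-TOOL-0118 is a GUI tool that can automate all required steps for you` no longer names the steps, although the removed sentence did; suggest `... automates signing the IPA and installing it on the connected device`. The unchanged warning below still says `as explained on the Sideloadly website`, which reads oddly now that the tool is introduced only by its ID; either keep the name in the sentence or move that detail to the tool page.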
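Review bot: in the libimobiledevice hunk of `techniques/ios/MASTG-TECH-0056.md`, `If you have any issues, try installing the libraries from source, as the precompiled version may be outdated` is too vague to act on: name the packages (libimobiledevice and ideviceinstaller from the `brew install` lines just above) and the symptom that indicates an outdated build, otherwise readers cannot tell whether the advice applies to their failure.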
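Review bot: in the first hunk of `techniques/ios/MASTG-TECH-0079.md`, the new title `Getting a Developer Provisioning Profile` drops the certificate, although the remaining body explains both (`The _certificate_ contains the private key you'll use to sign`) and the removed heading was `Getting a Developer Provisioning Profile and Certificate`; keep `and Certificate` in the title. The removed note `the following steps apply to macOS only, as Xcode is only available for macOS` is not carried over; only the `security` command keeps a `(macOS only)` marker, while the Xcode-based steps lose it.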
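Review bot: in the second hunk of `techniques/ios/MASTG-TECH-0079.md`, the unchanged context line `~/Library/Developer/Xcode/DerivedData//Build/Products/Debug-iphoneos/.app/` shows empty path components where the project and app names belong, so the placeholders appear to have been lost; since the surrounding headings are being edited anyway, restoring placeholders that render (for example `PROJECT-xxxx` and `APPNAME.app`) would make the path usable.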
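Review bot: in `techniques/ios/MASTG-TECH-0090.md`, `The easiest way to inject Frida into an installed application is by using frida-server` contradicts the premise of the opening paragraph (no jailbroken device available); suggest `On a jailbroken device, frida-server is the easiest option; otherwise the Frida Gadget has to be injected into a decrypted IPA`. The hunk also deletes the whole `Making an App Debuggable` section, i.e. the explanation of why the `get-task-allow` entitlement is needed and why a development profile carries it, and the matching hunk in `MASTG-TECH-0091.md` drops it as well, leaving only a pointer to @MASTG-TECH-0079; make sure that explanation lands in one of the remaining techniques rather than disappearing.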
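Review bot: in the first hunk of `techniques/ios/MASTG-TECH-0091.md`, `xz -d -c > FridaGadget.dylib` has no input operand, so as written it reads from stdin and blocks; it needs the downloaded archive, e.g. `xz -d -c frida-gadget-XX.YY.ZZ-ios-universal.dylib.xz > FridaGadget.dylib` (if an angle-bracket placeholder was intended, it is not surviving rendering). The library is also moved from the app root (the previous `cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/`) into `Frameworks/` and the load path changed to `@executable_path/Frameworks/FridaGadget.dylib` without a sentence saying why; a short reason would help readers who followed the earlier instructions.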
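Review bot: in the second hunk of `techniques/ios/MASTG-TECH-0091.md`, `How to re-sign an application is discussed in @MASTG-TECH-0079` now points at the wrong technique: this PR retitles 0079 to `Getting a Developer Provisioning Profile`, while re-signing is @MASTG-TECH-0092 (`Repackaging and Re-Signing`), which is also what `MASTG-TEST-0090.md` references in the same PR; suggest `obtain a development profile and certificate (@MASTG-TECH-0079) and re-sign the app (@MASTG-TECH-0092)`. Also state that `zip -r patched.ipa Payload` must be run from the directory containing `Payload/`, which the preceding `unzip` step only implies.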
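Review bot: in `techniques/ios/MASTG-TECH-0092.md`, `manually using @MASTG-TOOL-0102, or by using automated tools like @MASTG-TOOL-0117 or @MASTG-TOOL-0114` has the tools swapped: per the tool pages in this PR, 0102 is ios-app-signer (a GUI tool) and 0114 is codesign (the manual command line tool). Typo: `Before re-signing and IPA` should read `an IPA`. The Fastfile example as shown passes only `ipa: ".mobileprovision"`, i.e. a provisioning-profile path under the `ipa` key and neither a signing identity nor a profile; spell out the `resign` parameters (`ipa`, `signing_identity`, `provisioning_profile`) with plain placeholders such as `PATH_TO.ipa` so the example is as complete as the removed `codesign` example was. Finally, the hunk drops the note that the Bundle ID in `Info.plist` must match the profile (the `PlistBuddy` step) and the troubleshooting paragraph with Apple's code-signing and entitlement links; both are independent of the tool used and worth keeping.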
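Review bot: in `techniques/ios/MASTG-TECH-0096.md`, the edited sentence replaces @MASTG-TOOL-0038 (objection) with @MASTG-TOOL-0074, but the next, unchanged sentence still says `With objection it is possible to dump all memory ... memory dump all`, so either the tool reference or the follow-up text is now inconsistent. The same sentence, in an iOS technique file, still says `the Android app must be repackaged with frida-gadget.so` while now pointing at the iOS technique @MASTG-TECH-0090; it should read `the iOS app must be repackaged with the Frida Gadget (FridaGadget.dylib)`.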
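Review bot: in `tests/ios/MASVS-RESILIENCE/MASTG-TEST-0090.md`, `apply some patches to the executable (e.g. see @MASTG-TECH-0090)` replaces the explicit `using optool`, but @MASTG-TECH-0090 is now the automated Frida Gadget injection via Sideloadly or objection; the optool-based patching of the executable lives in @MASTG-TECH-0091, which is the right reference for hand-patching a binary to test integrity checks.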
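Review bot: in the new `tools/ios/MASTG-TOOL-0117.md`, the `hosts` values are `macOS`, `linux`, `windows`, while the new `MASTG-TOOL-0118.md` in the same PR uses `macos` and `windows`; pick one spelling for the host vocabulary so the front matter stays consistent across tool pages. The `alternatives` list names 0114 and 0102 but not @MASTG-TOOL-0118, which per its own description also obtains a valid signature for an IPA, and the 0118 front matter has no `alternatives` entry at all.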